Enterprise Modeling

Enterprise Modelling

Analyzing, developing, using and managing business information systems is a challenging task that requires the active participation of stakeholders with different professional backgrounds. Hence, there is need to effectively reduce complexity, to provide a foundation for implementing software and to coordinate the contributions of different stakeholders. Enterprise modelling has evolved as an approach to address these challenges by enhancing conceptual models of information systems (e.g. an object model) with those of the respective action systems (e.g. business process models or strategy models).

My research at the department of Information Systems and Enterprise Modelling at the University of Duisburg-Essen focuses on three aspects of enterprise modeling:

Multi-Perspective Enterprise Modelling (MEMO)

MEMO includes a high-level conceptual framework that represents a “ball park view” on an enterprise. It is composed of three generic perspectives (i.e. strategy, organization, information system) each of which can be further detailed into various aspects (e.g. resource, structure, process, goal). The framework serves as a starting point for identifying perspectives that require further attention. To allow for more elaborate analysis, each selected perspective is associated with a set of diagram types. Each diagram type is associated with a domain specific modeling language (DSML). Different from general purpose modelling languages like the ERM or the UML, a DSML includes domain-specific concepts and features a domain-specific graphical notation. Thus, it promises to increase modelling productivity, to improve model integrity and to foster the comprehensibility of models.

Currently, MEMO includes DSMLs for resource modelling, IT infrastructures modelling, organization structure and business process modelling and for modelling strategic aspects. MEMO is supported by MEMO Center, a framework for the creation of enterprise models and also for the definition of new DSMLs, defined in MML (Meta-modelling language). Figure 1 shows key notational elements and principal levels of analysis supported by MEMO family of modelling languages.

In our research we extend MEMO in two directions:

1. We extend its metamodel so that DSMLs that are created with MEMO are more powerful (e.g. we are currently extending MEMO to support a novel capability that allows model types to interact with runtime system instances);

2. We enrich existing enterprise DSMLs with new concepts and also create new DSMLs (e.g. a DSML for the IT security).

Multi Perspective IT Security Modelling

The relevance of information technology (IT) security is undisputed in research and practice. It is assumed that the importance of this topic as well as the attention that it experiences in the public will continue to increase mainly as a result of the many threats caused by Internet connectivity and the extensive use of communication and distribution of software services, but also with the increased pressure to follow respective laws and regulations.

Effectively protecting information systems is a pivotal responsibility of (IT) management, which faces many challenges in recent years:

• Increasing technical complexity as a result of more distributed computing, cloud computing and frequent technological changes. This stresses the need for solutions that are general and not unique for specific technology

• Increasing risks by the further upgrading of criminal attackers, who become more sophisticates with time. Apart from criminal attackers, unsatisfied employees as well as careless or insufficiently trained employees may also cause damages intentionally or unintentionally.

• Increasing organizational complexity: as more business processes as well as financial transactions become automated, a growing number of stakeholders (employees, customers, etc.) receive access to digitized resources and new dangers arise from incorrect use or misuse of systems.

• Increasing pressure to justify the costs associated with IT security: IT management is required to perform both technical evaluation of alternative solutions and evaluation of their impact on the business competitiveness.

• Communication and cooperation barriers: language barriers between technical (e.g. IT professionals) and business (e.g. corporate governance) perspectives makes communicating IT security measures more difficult.

• Dealing with conflicting requirements: high levels of security vs. low levels of costs, high levels of flexibility vs. robust solutions and so forth.

These different challenges require simultaneously accounting for technical, organizational, business and behavioral aspects as well as the involvement of different stakeholders. In order to provide a comprehensive solution for IT security design and management, all these aspects should be considered.

An analysis of the state of the art shows that there is a considerable amount of research streams on various aspects of IT security. However, each one of these streams is isolated from the others and focuses on single aspects only. So far there seems to be no approach which aims at supporting a holistic view that integrates all the various aspects (although there are some papers that call for such approach) . Also, the majority of respective research is focused on technical aspects. There are only few approaches that consider human factors or economic aspects.

Against this background, our research is aimed at a holistic method that integrates the aforementioned technical, organizational, business and behavioral aspects. We propose Multi-Perspective Enterprise Modelling (MEMO) as a foundation for such a method. MEMO serves as an obvious choice for this purpose since it provides a common conceptual framework that covers technical, business and social aspects.

In our research we extend the different perspective of MEMO with IT-security concepts that will allow mastering the following tasks:

1. Assessing and reducing risks that originate both from within the organization (unsatisfied, careless or untrained employees) and from its outside.

2. Overcoming the increasing technical and organizational complexities using different levels of abstraction, intuitive graphical representations, and integration between concepts from different perspectives

3. Fostering the participation of non-technical stakeholders (e.g. managers, users)

4. Relating IT security to business, for example, by allowing the analysis of the impact of IT security on business and by allowing cost-benefit analysis.

5. Designing and implementing IS security infrastructures, for example, using automatic creation of security related policies and code fragments.

We have already performed a thorough requirement analysis in which we identified requirement that an IT security modelling language should satisfy. The identified requirements were verified with potential users and with researchers from the security modelling community. They are presented in the following paper:

• Goldstein & Frank U. (2012) A method for Multi-Perspective Modelling of IT Security: Objectives and Analysis of Requirements. SBP-2012, Tallinn, Estonia. Available at: http://www.inf.unibz.it/sbp12/papers/P1-Goldstein.pdf

A second paper focuses on specific requirements that the language should satisfy in order to support the automtic creation of security related code:

• Goldstein & Frank U. (2012) Augmented Enterprise Models as a Foundation for Generating Security-Related Software: Requirements and Prospects. MDSec-2012, Innsbruck, Austria. Available at:http://mdsec2012.pst.ifi.lmu.de/accepted_papers/mdsec2012_submission_12.pdf

The Components of the IT security Modelling methods are defined in:

• Goldstein & Frank U. (2013): Components of a Method for Multi-Perspective IT-Security Management. (working paper)

Currently we are developing a metamodel for the IT security modeling language that will satisfy the identified requirements. In addition to that we develop process models which guide the use of the method in different problem scenarios, as well as a suitable modelling tool. Once a prototype of the modelling method is ready, we intend to validate its applicability with prospective users.