The complexity of enterprise architectures and the associated IT security risks are constantly increasing. Traditional approaches to IT risk management operate in silos and make it difficult to obtain a company-wide view of existing threats. The objective of this thesis is to develop an assessment framework that enables an automated, comprehensive view of existing IT security risks within the enterprise architecture. For this purpose, concepts of IT risk management are extended with principles of enterprise architecture management. Following the design science research paradigm, an artifact, the so-called Enterprise Architecture Management Risk Assessment (ERA) framework, is developed on the basis of a problem analysis and requirements gathered from practice and science. The ERA framework is prototypically implemented and evaluated as a dashboard solution in a case study with a German bank. The evaluation takes place in two iterations, qualitatively by means of expert interviews and quantitatively by means of a survey. The evaluation of the ERA framework artifact and its prototypical dashboard implementation confirms its usefulness, usability and non-triviality. Furthermore, possible extensions and improvements of the artifact are identified. The designed assessment framework contributes to research at the interface of IT security and enterprise architecture management as well as to the solution of a practically relevant problem.
Table of Contents
1 Introduction
2 Theoretical Foundations
2.1 Enterprise Architecture Management
2.2 IT Security
2.3 Information Security Risk Management
2.4 Common Vulnerability Scoring System
2.5 Intersection of Risk Management and Enterprise Architecture
3 Research Design
3.1 Design Science Research
3.2 Literature Review
3.3 Case Study
3.4 Expert Interview
3.5 Unified Modeling Language
3.6 Artifact Evaluation
3.7 Summary of the Research Design
4 Requirements Analysis
4.1 Regulatory Environment in Germany
4.2 Derivations from Literature
4.3 Requirements from Expert Interviews
5 Conception of the ERA Framework
5.1 ERA Process
5.2 ERA Model
5.3 Use Case Scenarios
6 Case Study: Dashboard Artifact for TestBank Inc.
6.1 Development of the Dashboard Artifact
6.2 First Iteration of the Evaluation
6.3 Second Iteration of the Evaluation
7 Conclusion
7.1 Summary of the Results
7.2 Limitations
7.3 Future Research
Objectives & Research Topics
The objective of this thesis is to develop an assessment framework that enables an automated, comprehensive view of existing IT security risks within the enterprise architecture, thereby reducing the complexity of traditional, silo-based risk management approaches.
- Design and implementation of the Enterprise Architecture Management Risk Assessment (ERA) framework.
- Integration of IT security risk management with enterprise architecture management principles.
- Prototypical development of an interactive dashboard solution for risk visualization.
- Empirical evaluation using expert interviews and usability surveys within a banking sector case study.
Excerpt from the Book
5.2.6 Aggregate values to ERA scores on each layer (2b)
Finally, the risk values are aggregated at the respective levels to so-called ERA scores in order to obtain a comprehensive view of the risks within the enterprise.
To determine the ERA score for assets at the technology level, each technology is assigned the maximum CVSS base score of its existing vulnerabilities. In addition, the total number of vulnerabilities that threaten each technology is displayed. The formula for the calculation of the ERA score on technology level is:
∀ Technology x ∈ Model: E(x) = max( ∀ v ∈ V(x): C(v) )
with E(x) = ERA score of technology x; C(v) = CVSS base score of vulnerability v; V(x) = vulnerabilities of technology x.
To compute the ERA scores for assets at application and process level, for each asset y on which an asset x depends, the ERA score of y is multiplied by the impact score of y on x. The maximum of these products forms the interim ERA score of the asset x. The formula for the calculation of the interim ERA score on application level or process level is:
∀ Asset x ∈ Model: E'(x) = max( ∀ y ∈ Y ∧ d(x,y) == true: E(y) * IS(x,y) )
with E'(x) = interim ERA score of asset x; IS(x,y) = impact score from y on x; d(x,y) = x is dependent on y; Y = list of all applications and processes.
To determine the ERA score for assets at application or process level, the interim ERA score of the asset x is multiplied by a multiplier for protection needs. This multiplier is 1.0 for standard protection needs, 1.25 for high protection needs and 1.5 for very high protection needs. The ERA score must not exceed 10. The formula for the calculation of the ERA score on application level or process level is:
∀ Asset x ∈ Model: E(x) = min( E'(x) * M(x), 10 )
with E(x) = ERA score of asset x; E'(x) = interim ERA score of asset x; M(x) = multiplier for protection needs.
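As an added worked example (not code from the thesis or its dashboard), the three formulas of section 5.2.6 applied bottom-up to a small constructed landscape in Python. It assumes that applications may depend directly on technologies, that IS(x,y) lies in [0, 1], that the dependency relation d(x,y) is acyclic, and that an element with no vulnerabilities or no dependencies scores 0.0; none of these details are stated in the excerpt.

```python
from dataclasses import dataclass, field
# Multipliers for protection needs and the score ceiling, as given in section 5.2.6.
PROTECTION_MULTIPLIER = {"standard": 1.0, "high": 1.25, "very high": 1.5}
ERA_MAX = 10.0

@dataclass
class Technology:
    cvss_base_scores: list                          # C(v) for every vulnerability v in V(x)

@dataclass
class Asset:                                        # application or process
    protection: str                                 # key of PROTECTION_MULTIPLIER, gives M(x)
    depends_on: dict = field(default_factory=dict)  # y -> IS(x, y), assumed to lie in [0, 1]

def technology_score(tech):
    """E(x) = max over v in V(x) of C(v), returned with the vulnerability count the dashboard shows.
    A technology without known vulnerabilities scores 0.0 (assumption, not from the text)."""
    return max(tech.cvss_base_scores, default=0.0), len(tech.cvss_base_scores)

def era_score(name, model, memo, stack=()):
    """ERA score of one model element, evaluated bottom-up through its dependencies."""
    if name in memo:
        return memo[name]
    if name in stack:           # d(x, y) must be acyclic, otherwise the maximum is undefined
        raise ValueError(f"dependency cycle through {name}")
    node = model[name]
    if isinstance(node, Technology):
        score, _ = technology_score(node)
    else:
        # E'(x) = max over y with d(x, y) of E(y) * IS(x, y); no dependencies -> 0.0 (assumption)
        interim = max((era_score(y, model, memo, stack + (name,)) * impact
                       for y, impact in node.depends_on.items()), default=0.0)
        score = min(interim * PROTECTION_MULTIPLIER[node.protection], ERA_MAX)  # E(x) = min(E'(x) M(x), 10)
    memo[name] = score
    return score

def assess(model):
    """ERA scores for every element of the model, keyed by name."""
    memo = {}
    for name in model:
        era_score(name, model, memo)
    return memo

# Constructed sample landscape (not from the thesis): three technologies, two applications, one process.
MODEL = {
    "java8": Technology([7.5, 9.8, 5.3]),
    "postgres12": Technology([6.5]),
    "nginx": Technology([]),
    "core_banking": Asset("high", {"java8": 0.8, "postgres12": 1.0}),
    "web_portal": Asset("very high", {"nginx": 1.0, "java8": 0.9}),
    "payments": Asset("standard", {"core_banking": 0.7, "web_portal": 0.5}),
}
```

In the sample, web_portal reaches the ceiling of 10 because its interim score of 8.82 times the very-high multiplier 1.5 would otherwise exceed it, which is exactly the case the min(...) clause exists for.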
Summary of Chapters
1 Introduction: Discusses the motivation for integrating enterprise architecture and risk management to mitigate complex IT security threats, stating the research objective and thesis structure.
2 Theoretical Foundations: Provides an overview of enterprise architecture management, IT security, information security risk management, and the CVSS industry standard.
3 Research Design: Introduces the Design Science Research (DSR) paradigm as the foundation for the thesis, outlining methods like literature review, case studies, and expert interviews.
4 Requirements Analysis: Identifies legal requirements in Germany and gathers functional and non-functional requirements for the proposed artifact through expert input.
5 Conception of the ERA Framework: Details the proposed ERA framework, including its process model (top-down modeling and bottom-up assessment) and its calculation model.
6 Case Study: Dashboard Artifact for TestBank Inc.: Describes the prototypical implementation of the ERA framework in a banking environment, including system design and two iterations of evaluation.
7 Conclusion: Summarizes the thesis findings, discusses limitations regarding the framework's scope, and suggests directions for future research.
Keywords
Enterprise Architecture Management, IT Security, Risk Management, Risk Assessment, ERA Framework, Dashboard Prototype, Design Science Research, CVSS, Cybersecurity, Enterprise Architecture, Information Security, Vulnerability Assessment, IT Risk, Case Study, Banking Sector
Frequently Asked Questions
What is the core focus of this research?
The research focuses on overcoming the limitations of silo-based IT risk management by integrating it with enterprise architecture management (EAM) to achieve a comprehensive, automated view of organizational IT security risks.
What are the primary thematic fields covered?
The work covers enterprise architecture management, IT security frameworks, information security risk assessment, and the design and implementation of dashboard-based software artifacts.
What is the main objective of the thesis?
The primary goal is to develop an automated assessment framework (the ERA framework) that enables stakeholders to identify, monitor, and assess IT security risks across different layers of an enterprise architecture.
Which research methodology is applied?
The thesis utilizes the Design Science Research (DSR) paradigm, employing iterative development and evaluation through literature reviews, expert interviews, and a real-world case study.
What does the main body of the work address?
The main body details the theoretical background, the requirements gathering process, the specific design of the ERA framework, and the technical development of a dashboard prototype validated through two evaluation cycles.
Which keywords define this work?
Key terms include Enterprise Architecture Management, IT security risk assessment, ERA framework, DSR, dashboard development, vulnerability analysis, and EAM-based risk integration.
How does the ERA framework calculate risk?
The framework uses an automated, bottom-up aggregation logic based on CVSS scores of technologies, multiplied by dependency impact scores and adjusted by organizational protection requirement multipliers.
What is the significance of the dashboard prototype?
The prototype demonstrates the practical utility and feasibility of the ERA framework, providing a visual tool for stakeholders to analyze interdependencies and risk scores within their IT landscape.
- Citation of the text
- Tim Huse (Author), 2020, A conceptual framework for the automated assessment of IT security risks based on enterprise architecture, Munich, GRIN Verlag, https://www.grin.com/document/1117635