Using Value Models for Business Risk Analysis in e-Service Networks

Dan Ionita; Roelf J. Wieringa; Lars Wolos; Jaap Gordijn; Wolter Pieters

doi:10.1007/978-3-319-25897-3_16

Using Value Models for Business Risk Analysis in e-Service Networks

Dan Ionita, Roelf J. Wieringa, Lars Wolos, Jaap Gordijn, Wolter Pieters

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

6 Citations (Scopus)

3 Downloads (Pure)

Abstract

Commercially provided electronic services commonly operate on top of a complex, highly-interconnected infrastructure, which provides a multitude of entry points for attackers. Providers of e-services also operate in dynamic, highly competitive markets, which provides fertile ground for fraud. Before a business idea to provide commercial e-services is implemented in practice, it should therefore be analysed on its fraud potential. This analysis is a risk assessment process, in which risks are ordered on severity and the unacceptable ones are mitigated. Mitigations may consist of changes in the e-service network to reduce the attractiveness of fraud for the fraudster, or changes in coordination process steps or IT architecture elements to make fraud harder or better detectable. We propose to use e3value business value models for the identification and quantification of risks associated with e-service packages. This allows for impact estimation as well as understanding the attacker’s business cases. We show how the e3value ontology — with minimal extensions – can be used to analyse known telecommunication fraud scenarios. We also show how the approach can be used to quantify infrastructure risks. Based on the results, as well as feedback from practitioners, we discuss the scope and limits of generalizability of our approach.

Original language	Undefined
Title of host publication	8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015
Editors	Jolita Ralyté, Sergio España, Oscar Pastor
Place of Publication	Berlin
Publisher	Springer
Pages	239-253
Number of pages	15
ISBN (Print)	978-3-319-25896-6
DOIs	https://doi.org/10.1007/978-3-319-25897-3_16
Publication status	Published - 12 Nov 2015
Event	8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015 - Valencia, Spain Duration: 10 Nov 2015 → 12 Nov 2015 Conference number: 8

Publication series

Name	Lecture Notes in Business Information Processing
Publisher	Springer Verlag
Volume	235
ISSN (Print)	1865-1348

Conference

Conference	8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015
Abbreviated title	PoEM
Country/Territory	Spain
City	Valencia
Period	10/11/15 → 12/11/15

Keywords

SCS-Cybersecurity
EWI-26389
EC Grant Agreement nr.: FP7/2007-2013
EC Grant Agreement nr.: FP7/318003
Governance and control
IR-97943
Value modelling
E-Services
Fraud
METIS-312745
Risk

Access to Document

10.1007/978-3-319-25897-3_16

http://eprints.eemcs.utwente.nl/secure2/26389/01/chp%253A10.1007%252F978-3-319-25897-3_16.pdf

6 Citations
1 PhD Thesis - Research UT, graduation UT

Model-Driven Information Security Risk Assessment of Socio-Technical Systems
Ionita, D., 8 Mar 2018, Enschede: University of Twente. 156 p.
Research output: Thesis › PhD Thesis - Research UT, graduation UT

Open Access
File
1018 Downloads (Pure)

Cite this

Ionita, D., Wieringa, R. J., Wolos, L., Gordijn, J., & Pieters, W. (2015). Using Value Models for Business Risk Analysis in e-Service Networks. In J. Ralyté, S. España, & O. Pastor (Eds.), 8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015 (pp. 239-253). (Lecture Notes in Business Information Processing; Vol. 235). Springer. https://doi.org/10.1007/978-3-319-25897-3_16

@inproceedings{1846fd0ca72340e6a35a7169e5dafddb,

title = "Using Value Models for Business Risk Analysis in e-Service Networks",

abstract = "Commercially provided electronic services commonly operate on top of a complex, highly-interconnected infrastructure, which provides a multitude of entry points for attackers. Providers of e-services also operate in dynamic, highly competitive markets, which provides fertile ground for fraud. Before a business idea to provide commercial e-services is implemented in practice, it should therefore be analysed on its fraud potential. This analysis is a risk assessment process, in which risks are ordered on severity and the unacceptable ones are mitigated. Mitigations may consist of changes in the e-service network to reduce the attractiveness of fraud for the fraudster, or changes in coordination process steps or IT architecture elements to make fraud harder or better detectable. We propose to use e3value business value models for the identification and quantification of risks associated with e-service packages. This allows for impact estimation as well as understanding the attacker{\textquoteright}s business cases. We show how the e3value ontology — with minimal extensions – can be used to analyse known telecommunication fraud scenarios. We also show how the approach can be used to quantify infrastructure risks. Based on the results, as well as feedback from practitioners, we discuss the scope and limits of generalizability of our approach.",

keywords = "SCS-Cybersecurity, EWI-26389, EC Grant Agreement nr.: FP7/2007-2013, EC Grant Agreement nr.: FP7/318003, Governance and control, IR-97943, Value modelling, E-Services, Fraud, METIS-312745, Risk",

author = "Dan Ionita and Wieringa, {Roelf J.} and Lars Wolos and Jaap Gordijn and Wolter Pieters",

note = "Foreground = 100%;Type of activity = conference;Main leader = UT;Type of audience = scientific community;Size of audience =25;Countries addressed = International;; 8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015 ; Conference date: 10-11-2015 Through 12-11-2015",

year = "2015",

month = nov,

day = "12",

doi = "10.1007/978-3-319-25897-3_16",

language = "Undefined",

isbn = "978-3-319-25896-6",

series = "Lecture Notes in Business Information Processing",

publisher = "Springer",

pages = "239--253",

editor = "Jolita Ralyt{\'e} and Sergio Espa{\~n}a and Oscar Pastor",

booktitle = "8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015",

address = "Germany",

}

Ionita, D, Wieringa, RJ, Wolos, L, Gordijn, J & Pieters, W 2015, Using Value Models for Business Risk Analysis in e-Service Networks. in J Ralyté, S España & O Pastor (eds), 8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015. Lecture Notes in Business Information Processing, vol. 235, Springer, Berlin, pp. 239-253, 8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015, Valencia, Spain, 10/11/15. https://doi.org/10.1007/978-3-319-25897-3_16

Using Value Models for Business Risk Analysis in e-Service Networks. / Ionita, Dan; Wieringa, Roelf J.; Wolos, Lars et al.
8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015. ed. / Jolita Ralyté; Sergio España; Oscar Pastor. Berlin: Springer, 2015. p. 239-253 (Lecture Notes in Business Information Processing; Vol. 235).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Using Value Models for Business Risk Analysis in e-Service Networks

AU - Ionita, Dan

AU - Wieringa, Roelf J.

AU - Wolos, Lars

AU - Gordijn, Jaap

AU - Pieters, Wolter

N1 - Conference code: 8

PY - 2015/11/12

Y1 - 2015/11/12

N2 - Commercially provided electronic services commonly operate on top of a complex, highly-interconnected infrastructure, which provides a multitude of entry points for attackers. Providers of e-services also operate in dynamic, highly competitive markets, which provides fertile ground for fraud. Before a business idea to provide commercial e-services is implemented in practice, it should therefore be analysed on its fraud potential. This analysis is a risk assessment process, in which risks are ordered on severity and the unacceptable ones are mitigated. Mitigations may consist of changes in the e-service network to reduce the attractiveness of fraud for the fraudster, or changes in coordination process steps or IT architecture elements to make fraud harder or better detectable. We propose to use e3value business value models for the identification and quantification of risks associated with e-service packages. This allows for impact estimation as well as understanding the attacker’s business cases. We show how the e3value ontology — with minimal extensions – can be used to analyse known telecommunication fraud scenarios. We also show how the approach can be used to quantify infrastructure risks. Based on the results, as well as feedback from practitioners, we discuss the scope and limits of generalizability of our approach.

AB - Commercially provided electronic services commonly operate on top of a complex, highly-interconnected infrastructure, which provides a multitude of entry points for attackers. Providers of e-services also operate in dynamic, highly competitive markets, which provides fertile ground for fraud. Before a business idea to provide commercial e-services is implemented in practice, it should therefore be analysed on its fraud potential. This analysis is a risk assessment process, in which risks are ordered on severity and the unacceptable ones are mitigated. Mitigations may consist of changes in the e-service network to reduce the attractiveness of fraud for the fraudster, or changes in coordination process steps or IT architecture elements to make fraud harder or better detectable. We propose to use e3value business value models for the identification and quantification of risks associated with e-service packages. This allows for impact estimation as well as understanding the attacker’s business cases. We show how the e3value ontology — with minimal extensions – can be used to analyse known telecommunication fraud scenarios. We also show how the approach can be used to quantify infrastructure risks. Based on the results, as well as feedback from practitioners, we discuss the scope and limits of generalizability of our approach.

KW - SCS-Cybersecurity

KW - EWI-26389

KW - EC Grant Agreement nr.: FP7/2007-2013

KW - EC Grant Agreement nr.: FP7/318003

KW - Governance and control

KW - IR-97943

KW - Value modelling

KW - E-Services

KW - Fraud

KW - METIS-312745

KW - Risk

U2 - 10.1007/978-3-319-25897-3_16

DO - 10.1007/978-3-319-25897-3_16

M3 - Conference contribution

SN - 978-3-319-25896-6

T3 - Lecture Notes in Business Information Processing

SP - 239

EP - 253

BT - 8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015

A2 - Ralyté, Jolita

A2 - España, Sergio

A2 - Pastor, Oscar

PB - Springer

CY - Berlin

T2 - 8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015

Y2 - 10 November 2015 through 12 November 2015

ER -

Ionita D, Wieringa RJ, Wolos L, Gordijn J, Pieters W. Using Value Models for Business Risk Analysis in e-Service Networks. In Ralyté J, España S, Pastor O, editors, 8th IFIP WG 8.1. Working Conference on the Practice of Enterprise Modelling, PoEM 2015. Berlin: Springer. 2015. p. 239-253. (Lecture Notes in Business Information Processing). doi: 10.1007/978-3-319-25897-3_16

Using Value Models for Business Risk Analysis in e-Service Networks

Abstract

Publication series

Conference

Keywords

Access to Document

Research output

Model-Driven Information Security Risk Assessment of Socio-Technical Systems

Cite this