A RISK BASED APPROACH FOR SELECTING SERVICES IN BUSINESS PROCESS EXECUTION

The vision of automated business processes within a service-oriented paradigm includes the flexible orchestration of IT services. Whenever alternative services are available for activities in an ITsupported business process, an automated decision is worth aspiring to. According to valueoriented management, this decision should be motivated economically and also requires taking account of risk. This paper presents a novel approach for assessing the risk of IT services, based on vulnerability information as can be obtained in the form of publicly available Common Vulnerability Scoring System (CVSS) data

Outsourcing and acquisition models comparison related to IT supplier selection decision analysis

This paper presents a comparison of acquisition models related to decision analysis of IT supplier selection. The main standards are: Capability Maturity Model Integration for Acquisition (CMMI-ACQ), ISO / IEC 12207 Information Technology / Software Life Cycle Processes, IEEE 1062 Recommended Practice for Software Acquisition, the IT Infrastructure Library (ITIL) and the Project Management Body of Knowledge (PMBOK) guide. The objective of this paper is to compare the previous models to find the advantages and disadvantages of them for the future development of a decision model for IT supplier selection

Stochastic Privacy

Online services such as web search and e-commerce applications typically rely on the collection of data about users, including details of their activities on the web. Such personal data is used to enhance the quality of service via personalization of content and to maximize revenues via better targeting of advertisements and deeper engagement of users on sites. To date, service providers have largely followed the approach of either requiring or requesting consent for opting-in to share their data. Users may be willing to share private information in return for better quality of service or for incentives, or in return for assurances about the nature and extend of the logging of data. We introduce \emph{stochastic privacy}, a new approach to privacy centering on a simple concept: A guarantee is provided to users about the upper-bound on the probability that their personal data will be used. Such a probability, which we refer to as \emph{privacy risk}, can be assessed by users as a preference or communicated as a policy by a service provider. Service providers can work to personalize and to optimize revenues in accordance with preferences about privacy risk. We present procedures, proofs, and an overall system for maximizing the quality of services, while respecting bounds on allowable or communicated privacy risk. We demonstrate the methodology with a case study and evaluation of the procedures applied to web search personalization. We show how we can achieve near-optimal utility of accessing information with provable guarantees on the probability of sharing data

Threats Management Throughout the Software Service Life-Cycle

Software services are inevitably exposed to a fluctuating threat picture. Unfortunately, not all threats can be handled only with preventive measures during design and development, but also require adaptive mitigations at runtime. In this paper we describe an approach where we model composite services and threats together, which allows us to create preventive measures at design-time. At runtime, our specification also allows the service runtime environment (SRE) to receive alerts about active threats that we have not handled, and react to these automatically through adaptation of the composite service. A goal-oriented security requirements modelling tool is used to model business-level threats and analyse how they may impact goals. A process flow modelling tool, utilising Business Process Model and Notation (BPMN) and standard error boundary events, allows us to define how threats should be responded to during service execution on a technical level. Throughout the software life-cycle, we maintain threats in a centralised threat repository. Re-use of these threats extends further into monitoring alerts being distributed through a cloud-based messaging service. To demonstrate our approach in practice, we have developed a proof-of-concept service for the Air Traffic Management (ATM) domain. In addition to the design-time activities, we show how this composite service duly adapts itself when a service component is exposed to a threat at runtime.Comment: In Proceedings GraMSec 2014, arXiv:1404.163

Planning and Scheduling of Business Processes in Run-Time: A Repair Planning Example

Over the last decade, the efficient and flexible management of business processes has become one of the most critical success aspects. Furthermore, there exists a growing interest in the application of Artificial Intelligence Planning and Scheduling techniques to automate the production and execution of models of organization. However, from our point of view, several connections between both disciplines remains to be exploited. The current work presents a proposal for modelling and enacting business processes that involve the selection and order of the activities to be executed (planning), besides the resource allocation (scheduling), considering the optimization of several functions and the reach of some objectives. The main novelty is that all decisions (even the activities selection) are taken in run-time considering the actual parameters of the execution, so the business process is managed in an efficient and flexible way. As an example, a complex and representative problem, the repair planning problem, is managed through the proposed approach.Ministerio de Ciencia e Innovación TIN2009-13714Junta de Andalucía P08-TIC-0409