An integrated conceptual model for information system security risk management supported by enterprise architecture management

Risk management is today a major steering tool for any organisation wanting to deal with information system (IS) security. However, IS security risk management (ISSRM) remains a difficult process to establish and maintain, mainly in a context of multi-regulations with complex and inter-connected IS. We claim that a connection with enterprise architecture management (EAM) contributes to deal with these issues. A first step towards a better integration of both domains is to define an integrated EAM-ISSRM conceptual model. This paper is about the elaboration and validation of this model. To do so, we improve an existing ISSRM domain model, i.e. a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The validation of the EAM-ISSRM integrated model is then performed with the help of a validation group assessing the utility and usability of the model

Model driven validation approach for enterprise architecture and motivation extensions

As the endorsement of Enterprise Architecture (EA) modelling continues to grow in diversity and complexity, management of its schema, artefacts, semantics and relationships has become an important business concern. To maintain agility and flexibility within competitive markets, organizations have also been compelled to explore ways of adjusting proactively to innovations, changes and complex events also by use of EA concepts to model business processes and strategies. Thus the need to ensure appropriate validation of EA taxonomies has been considered severally as an essential requirement for these processes in order to exert business motivation; relate information systems to technological infrastructure. However, since many taxonomies deployed today use widespread and disparate modelling methodologies, the possibility to adopt a generic validation approach remains a challenge. The proliferation of EA methodologies and perspectives has also led to intricacies in the formalization and validation of EA constructs as models often times have variant schematic interpretations. Thus, disparate implementations and inconsistent simulation of alignment between business architectures and heterogeneous application systems is common within the EA domain (Jonkers et al., 2003). In this research, the Model Driven Validation Approach (MDVA) is introduced. MDVA allows modelling of EA with validation attributes, formalization of the validation concepts and transformation of model artefacts to ontologies. The transformation simplifies querying based on motivation and constraints. As the extended methodology is grounded on the semiotics of existing tools, validation is executed using ubiquitous query language. The major contributions of this work are the extension of a metamodel of Business Layer of an EAF with Validation Element and the development of EAF model to ontology transformation Approach. With this innovation, domain-driven design and object-oriented analysis concepts are applied to achieve EAF model’s validation using ontology querying methodology. Additionally, the MDVA facilitates the traceability of EA artefacts using ontology graph patterns

Enterprise architecture for small and medium-sized enterprises : CHOOSE

Enterprise architecture (EA) is a coherent whole of principles, methods, and models that are used in the design and realization of an enterprise’s organizational structure, business processes, information systems, and IT infrastructure. EA is used as a holistic approach to keep things aligned in a company. Some emphasize the use of EA to align IT with the business, others see it broader and use it to also keep the processes aligned with the strategy. Recent research indicates the need for EA in small and medium-sized enterprises (SMEs), important drivers of the economy, as they struggle with problems related to a lack of structure and overview of their business. However, existing EA frameworks are perceived as too complex and, to date, none of the EA approaches are sufficiently adapted to the SME context. Therefore, in this PhD, we present the CHOOSE approach for EA for SMEs. The approach consists of four artifacts: a metamodel, a method, software tool support, and a visualization. The approach is kept simple so that it may be applied in an SME context and is based on the essential dimensions of EA frameworks. Five steps were taken: first, the problem of EA in SMEs was extensively analyzed. Next, the CHOOSE metamodel was developed during action research in SMEs. Then, action research in six companies was used to develop an adequate method (consisting of guidelines, a roadmap, and stop criteria) and to further refine this CHOOSE metamodel, while different types of software tools (PC, iPad, Android, ...) were developed to enable the evaluation rounds. Finally, a proper visualization was established

Systems Theory Based Architecture Framework for Complex System Governance

The purpose of this research was to develop a systems theory based framework for complex system governance using grounded theory approach. Motivation for this research includes: 1) the lack of research that identifies modeling characteristics for complex system governance, 2) the lack of a framework rooted in systems theory to support performance of complex system governance functions for maintaining system viability. This research focused on answering: What systems theoretic framework can be developed to inform complex system governance and enable articulation of governance function performance? The grounded theory research approach utilized three phases. First, the literature in systems theory, management cybernetics, governance and enterprise architecture was synthesized and open-coded to generalize main themes using broad analysis in NVivo software, researcher note taking in EndNote, and cataloging in Excel spreadsheets. Second, the literature underwent axial-coding to identify interconnections and relevance to systems theory and complex system governance, primarily using Excel spreadsheets. Finally, selective coding and interrelationships were identified and the complex system governance architecture framework was shaped, reviewed, and validated by qualified experts. This research examined a grounded theory approach not traditionally used in systems theory research. It produced a useful systems theory based framework for practical application, bridging the gap between theory and practice in the emerging field of complex system governance. Theoretical implications of this research include identifying the state of knowledge in each literature domain and the production of a unique framework for performing metasystem governance functions that is analytically generalizable. Management cybernetics, governance, and systems theory are expanded through a testable tool for meta-level organizational and system governance theories. Enterprise architecture is advanced with a multi-disciplinary framework that coherently presents and facilitates new use for architecture at the metasystem level. Methodological implications of this research include using grounded theory approach for systems theory research, where it is atypical. Although a non-traditional method, it provides an example for conducting fruitful research that can contribute knowledge. Practical implications of this research include a useable framework for complex system governance which has never before existed and a living structure adaptable to evolutionary change coming from any related domain or future practical application feedback

Generic analysis support for understanding, evaluating and comparing enterprise architecture models

Enterprise Architecture Management (EAM) is one mean to deal with the increasing complexity of today’s IT landscapes. Architectural models are used within EAM to describe the business processes, the used applications, the required infrastructure as well as the dependencies between them. The creation of those models is expensive, since the whole organization and therewith a large amount of data has to be considered. It is important to make use of these models and reuse them for planning purposes and decision making. The models are a solid foundation for various kinds of analyses that support the understanding, evaluation and comparisons of them. Analyses can approximate the effects of the retirement of an application or of a server failure. It is also possible to quantify the models using metrics like the IT coverage of business processes or the workload of a server. The generation of views sets the focus on a specific aspect of the model. An example is the limitation to the processes and applications of a specific organization unit. Architectural models can also be used for planning purposes. The development of a target architecture is supported by identifying weak points and evaluating planning scenarios. Current approaches for EAM analysis are typically isolated ones, addressing only a limited subset of the different analysis goals. An integrated approach that covers the different information demands of the stakeholders is missing. Additionally, the analysis approaches are highly dependent on the utilized meta model. This is a serious problem since the EAM domain is characterized by a large variety of frameworks and meta models. In this thesis, we propose a generic framework that supports the different analysis activities during EAM. We develop the required techniques for the specification and execution of analyses, independently from the utilized meta model. An analysis language is implemented for the definition and customization of the analyses according to the current needs of the stakeholder. Thereby, we focus on reuse and a generic definition. We utilize a generic representation format to be able to abstract from the great variety of used meta models in the EAM domain. The execution of the analyses is done with Semantic Web Technologies and data-flow based model analysis. The framework is applied for the identification of weak points as well as the evaluation of planning scenarios regarding consistency of changes and goal fulfillment. Two methods are developed for these tasks, as well as respective analysis support is identified and implemented. These are, for example, a change impact analysis, specific metrics or the scoping of the architectural model according to different aspects. Finally, the coverage of the framework regarding existing EA analysis approaches is determined with a scenario-based evaluation. The applicability and relevance of the language and of the proposed methods is proved within three large case studies

Factors Affecting the Quality of Enterprise Architecture Models

We start our research by introducing the subject of Enterprise Architecture (EA), its content and purpose, as well as discussing what we mean by a ‘model’, and ‘quality’, building on concepts from semiotics and in particular on conceptual model quality. We set out to answer three questions. The first deals with how we measure the quality of a set of Enterprise Architecture models, and to answer this we produce a mathematical framework and then test it using a case study. This extends the conceptual model quality work done by Lindland and Krogstie into the realm of Enterprise Architecture, adding new aspects related to completeness of sets of models, modelling maturity as well as conditions for increasing quality. This incorporates mathematical concepts, including set theory and calculus, and proposes three specific metrics for the quality of sets of models (related to truthfulness, syntax and completeness). This uses a simple case study, based upon purely quantitative data, sampling the contents of an existing Enterprise Architecture repository. The second deals with how we measure the effectiveness of the language used in Enterprise Architecture models. We again use mathematical techniques to construct metrics, this time related to comprehension and utility: the former incorporating a triangulation technique based upon Kvanvig’s concept of moderate factivity of objectual understanding, and the latter being a more subjective measure (i.e. self-assessment). From these two metrics we provide a new conceptual visualisation of the effectiveness of language concepts. We then test this framework using a mixed-mode case study, carrying out 68 interviews, based mostly upon quantitative data again but with additional elements of qualitative data. Although the conceptual framework is independent of any particular language, in order to test it we actually need to select an Enterprise Architecture framework, or more specifically, the modelling language within such a framework; the framework we choose for this purpose is ArchiMate. Through the use of alternative modelling notations in the survey process, we gain insights not just into the understanding and utility of various ArchiMate concepts, as perceived by respondents, we also gain insights into the effect of understanding and utility of using the specific notation provided by ArchiMate through the use of differential analysis of the result sets thus obtained. The final question we address is more practically focused and deals with how we can specify and automate various kinds of changes to Enterprise Architecture models based upon the previous research. We construct a conceptual framework illustrating the kinds of transformations that may be required, given what we have learnt in the previous chapters, demonstrate that these can be deterministic and finally demonstrate, by use of a specific Enterprise Architecture modelling tool (BiZZdesign), that they can be implemented in software, and thus automated. vii In the course of our research, we deliver reusable methodologies and frameworks that will assist future researchers into Enterprise Architecture and related frameworks, as well as Enterprise Architecture practitioners

Method support for enterprise architecture management capabilities

"What can our EA organization do and/or what should it be capable of?". In order to answer this questions, a capability-based method is developed, which assists in the identification, structuring and management of capabilities. The approach is embedded in a process comprising four building blocks providing appropriated procedures, concepts and supporting tools evolved from theory and practical use cases. The guide represents a flexible method for capability newcomers and experienced audiences to optimize enterprises’ economic impacts of EAM supporting the alignment of business and IT.„Was muss unser UAM leisten können?“ Als Grundlage für die Beantwortung dieser Frage sollen Konzepte aus dem Fähigkeitenmanagement genutzt werden. Im Rahmen dieser Arbeit wird eine fähigkeitenbasierte Methode entwickelt, welche Unternehmen bei der Identifikation, Strukturierung und Verwaltung von UAM-Fähigkeiten unterstützt. Der Ansatz ist in einen Prozess eingegliedert, welcher vier Hauptbestandteile beinhaltet und die für die Durchführung notwendigen Vorgehen, Konzepte und Hilfsmittel beschreibt, welche wiederrum in Kooperationen mit der Praxis getestet wurden

Enterprise architecture in practice : from IT concept towards enterprise architecture leadership

Informaatioteknologia (Information Technology, IT) on kaikkialla ja liiketoimintakriittisesti välttämätön osa yritysten nykytoimintaa, viestintää ja tulevaisuuden strategioita (Nolan 2012). Informaatiota tarvitaan ihmisten ja organisaatioiden hyvinvointiin, kasvuun ja selviytymiseen. IT muuttaa liiketoimintaa, työtä ja työnjakoa nopeammin ja laajemmin kuin mikään aikaisempi tekninen keksintö. Teknologiaa käytetään informaation hankkimiseen, hallintaan ja jakamiseen. Teknologioiden, tietojärjestelmien (Information Systems, IS) ja informaation hallinta vaativat uutta ajattelua, konsepteja ja välineitä työn organisointiin (Orlikowski 2007). Tämä opinnäytetyö tutkii kokonaisarkkitehtuurin (Enterprise Architecture, EA) mahdollisuuksia hallita teknologioita ja digitalisaatiota osana nykyaikaista liiketoimintaa. EA-käsitteellä ei ole vakiintunutta määritelmää. Burgess, Ramakrishnan, Salmans ja Kappelman (2010, 252) raportoi 10 erilaista tapaa määritellä EA-käsite, joista korkeimman abstraktiotason määritelmä on “kaikki tietämys yrityksestä”. EA-käsitteen moniselitteisyys johtuu osittain informaatioteknologian nopeasta kehityksestä ja hyvin teknisestä näkökulmasta. Viimeisen 20 vuoden aikana kokonaisarkkitehtuurin hallinnan (EA management; EAM) idea on kasvanut tietotekniikasta ja IT-arkkitehtuureista kohti hallinnollista innovaatiota, jolla ohjataan organisaation rahan käyttöä (Luftman & Ben-Zvi 2011, 206), tietojärjestelmien kehitystä (Makiya 2012, 6) ja strategian toteutusta (Simon, Fischbach & Schoder 2014). EAM on uusi käsite, joka lupaa moninaisia hyötyjä, mutta sisältää samalla ristiriitaisia odotuksia ja monimutkaisia systeemisiä ja sosiaalisia haasteita mahdollisten hyötyjen realisoimiseksi. Tämä työ tarkastelee kokonaisarkkitehtuuria IT-käsitteenä ja monimutkaisena sosioteknisenä ilmiönä. Etenemme EA:n tietoteknisistä juurista, arkkitehtuureista, liiketoiminnan ja tietotekniikan samansuuntaisuuden (alignment) kautta kokonaisarkkitehtuurin hallintaan. Kokonaisarkkitehtuurin hallinnasta jatkamme toiminnan teorian (Vygotsky 1978, Leontiev 1978, 1981; Engeström 1987), toimijaverkostoteorian (Actor-Network Theory, ANT: Latour 1999a; Monteiro 2000), strukturaatioteorian (Giddens 1984) ja sosiomateriaalisuuden (Orlikowski 2007) avulla kohti kokonaisarkkitehtuurin johtamista (EA leadership). Teoriaosuudessa esittelemme kolme viitekehystä ja näkökulman analysoida organisaation tietotekniikan, kokonaisarkkitehtuurin ja tietämyksen hallinnan sosiomaterialistista kokonaisuutta. Opinnäytetyön kokeellinen osuus on tapaustutkimus kohdeyrityksemme kokonaisarkkitehtuurin kehittymisestä. Teoriaosuuden viitekehyksiä testataan analysoimalla kohdeyrityksen kokonaisarkkitehtuurin kehityksestä tehtyjä etnografisia havaintoja vuosilta 1996-2011. Seitsemän lyhyttä kuvausta (vignettes) kertovat kohdeyrityksen kokonaisarkkitehtuurin kehitystarinoita, joita arvioidaan IT, EA, EAM ja tietämyksen hallinnan näkökulmista. Tämä työ osoittaa kokonaisarkkitehtuurin hallinnan mahdollisuuksia parantaa informaatiotekniikan tuottavuutta integroimalla liiketoiminnan, prosessien ja tietojärjestelmien/tekniikan kehittämistä. Kokonaisarkkitehtuurin hallinta vaatii lisää systeemistä ymmärrystä miten sosiomateriaalisia rakenteita ja käytäntöjä tulisi (uudelleen)määrittää ja sovittaa yrityksen tietämyksen ja muutoksen hallinnan tehostamiseksi. Tutkimuksessa esitettyjä viitekehyksiä voidaan jatkossa käyttää pyrittäessä kohti reflektoivia kokonaisarkkitehtuurin hallinnan ja johtamisen käytäntöjä

Safety and Reliability - Safe Societies in a Changing World

The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include: - foundations of risk and reliability assessment and management - mathematical methods in reliability and safety - risk assessment - risk management - system reliability - uncertainty analysis - digitalization and big data - prognostics and system health management - occupational safety - accident and incident modeling - maintenance modeling and applications - simulation for safety and reliability analysis - dynamic risk and barrier management - organizational factors and safety culture - human factors and human reliability - resilience engineering - structural reliability - natural hazards - security - economic analysis in risk managemen