Extensibility of Enterprise Modelling Languages

Die Arbeit adressiert insgesamt drei Forschungsschwerpunkte. Der erste Schwerpunkt setzt sich mit zu entwickelnden BPMN-Erweiterungen auseinander und stellt deren methodische Implikationen im Rahmen der bestehenden Sprachstandards dar. Dies umfasst zum einen ganz konkrete Spracherweiterungen wie z. B. BPMN4CP, eine BPMN-Erweiterung zur multi-perspektivischen Modellierung von klinischen Behandlungspfaden. Zum anderen betrifft dieser Teil auch modellierungsmethodische Konsequenzen, um parallel sowohl die zugrunde liegende Sprache (d. h. das BPMN-Metamodell) als auch die Methode zur Erweiterungsentwicklung zu verbessern und somit den festgestellten Unzulänglichkeiten zu begegnen. Der zweite Schwerpunkt adressiert die Untersuchung von sprachunabhängigen Fragen der Erweiterbarkeit, welche sich entweder während der Bearbeitung des ersten Teils ergeben haben oder aus dessen Ergebnissen induktiv geschlossen wurden. Der Forschungsschwerpunkt fokussiert dabei insbesondere eine Konsolidierung bestehender Terminologien, die Beschreibung generisch anwendbarer Erweiterungsmechanismen sowie die nutzerorientierte Analyse eines potentiellen Erweiterungsbedarfs. Dieser Teil bereitet somit die Entwicklung einer generischen Erweiterungsmethode grundlegend vor. Hierzu zählt auch die fundamentale Auseinandersetzung mit Unternehmensmodellierungssprachen generell, da nur eine ganzheitliche, widerspruchsfreie und integrierte Sprachdefinition Erweiterungen überhaupt ermöglichen und gelingen lassen kann. Dies betrifft beispielsweise die Spezifikation der intendierten Semantik einer Sprache

Investigating business process elements: a journey from the field of Business Process Management to ontological analysis, and back

Business process modelling languages (BPMLs) typically enable the representation of business processes via the creation of process models, which are constructed using the elements and graphical symbols of the BPML itself. Despite the wide literature on business process modelling languages, on the comparison between graphical components of different languages, on the development and enrichment of new and existing notations, and the numerous definitions of what a business process is, the BPM community still lacks a robust (ontological) characterisation of the elements involved in business process models and, even more importantly, of the very notion of business process. While some efforts have been done towards this direction, the majority of works in this area focuses on the analysis of the behavioural (control flow) aspects of process models only, thus neglecting other central modelling elements, such as those denoting process participants (e.g., data objects, actors), relationships among activities, goals, values, and so on. The overall purpose of this PhD thesis is to provide a systematic study of the elements that constitute a business process, based on ontological analysis, and to apply these results back to the Business Process Management field. The major contributions that were achieved in pursuing our overall purpose are: (i) a first comprehensive and systematic investigation of what constitutes a business process meta-model in literature, and a definition of what we call a literature-based business process meta-model starting from the different business process meta-models proposed in the literature; (ii) the ontological analysis of four business process elements (event, participant, relationship among activities, and goal), which were identified as missing or problematic in the literature and in the literature-based meta-model; (iii) the revision of the literature-based business process meta-model that incorporates the analysis of the four investigated business process elements - event, participant, relationship among activities and goal; and (iv) the definition and evaluation of a notation that enriches the relationships between activities by including the notions of occurrence dependences and rationales

Influence of diagram layout and scrolling on understandability of BPMN processes: an eye tracking experiment with BPMN diagrams

Business process modeling is an important activity for developing software systems—especially within digitization projects and when realizing digital business models. Specifying requirements and building executable workflows is often done by using BPMN 2.0 process models. Although there are several style guides available for BPMN, e.g., by Silver and Richard (BPMN method and style, vol 2, Cody-Cassidy Press, Aptos, 2009), there has not been much empirical research done into the consequences of the diagram layout. In particular, layouts that require scrolling have not been investigated yet. The aim of this research is to establish layout guidelines for business process modeling that help business process modelers to create more understandable business process diagrams. For establishing benefits and penalties of different layouts, a controlled eye tracking experiment was conducted, in which data of 21 professional software developers was used. Our results show that horizontal layouts are less demanding and that as many diagram elements as possible should be put on the initially visible screen area because such diagram elements are viewed more often and longer. Additionally, diagram elements related to the reader’s task are read more often than those not relevant to the task. BPMN modelers should favor a horizontal layout and use a more complex snake or multi-line layout whenever the diagrams are too large to fit on one page in order to support BPMN model comprehension

An Adaptive Mediation Framework for Workflow Management in the Internet of Things

Tärkavad värkvõrksüsteemid koosnevad arvukast hulgast heterogeensetest füüsilistest seadmetest, mis ühenduvad Internetiga. Need seadmed suudavad pidevalt ümbritseva keskkonnaga suhelda ja osana lõppkasutaja rakendusestest edendada valdkondi nagu tark kodu, e-tervis, logistika jne. Selleks, et integreerida füüsilisi seadmeid värkvõrgu haldussüssteemidega, on töövoo haldussüsteemid kerkinud esile sobiva lahendusena. Ent töövoo haldussüsteemide rakendamine värkvõrku toob kaasa reaalajas teenuste komponeerimise väljakutseid nagu pidev teenusavastus ja -käivitus. Lisaks kerkib küsimus, kuidas piiratud resurssidega värkvõrgu seadmeid töövoo haldussüsteemidega integreerida ning kuidas töövooge värkvõrgu seadmetel käivitada. Tööülesanded (nagu pidev seadmeavastus) võivad värkvõrgus osalevatele piiratud arvutusjõudluse ja akukestvusega seadmetele nagu nutitelefonid koormavaks osutuda. Siinkohal on võimalikuks lahenduseks töö delegeerimine pilve. Käesolev magistritöö esitleb kontekstipõhist raamistikku tööülesannete vahendamiseks värkvõrgurakendustes. Antud raamistikus modelleeritakse ning käitatakse tööülesandeid kasutades töövoogusid. Raamistiku prototüübiga läbi viidud uurimus näitas, et raamistik on võimeline tuvastama, millal seadme avastusülesannete pilve delegeerimine on kuluefektiivsem. Vahel aga pole töövoo käitamistarkvara paigaldamine värkvõrgu seadmetele soovitav, arvestades energiasäästlikkust ning käituskiirust. Käesolev töö võrdles kaht tüüpi töövookäitust: a) töövoo mudeli käitamine käitusmootoriga ning b) töövoo mudelist tõlgitud programmikoodi käitamine. Lähtudes katsetest päris seadmetega, võrreldi nimetatud kahte meetodit silmas pidades süsteemiressursside- ning energiakasutust.Emerging Internet of Things (IoT) systems consist of great numbers of heterogeneous physical entities that are interconnected via the Internet. These devices can continuously interact with the surrounding environment and be used for user applications that benefit human life in domains such as assisted living, e-health, transportation etc. In order to integrate the frontend physical things with IoT management systems, Workflow Management Systems (WfMS) have gained attention as a viable option. However, applying WfMS in IoT faces real-time service composition challenges such as continuous service discovery and invocation. Another question is how to integrate resource-contained IoT devices with the WfMS and execute workflows on the IoT devices. Tasks such as continuous device discovery can be taxing for IoT-involved devices with limited processing power and battery life such as smartphones. In order to overcome this, some tasks can be delegated to a utility Cloud instance. This thesis proposes a context-based framework for task mediation in Internet of Things applications. In the framework, tasks are modelled and executed as workflows. A case study carried out with a prototype of the framework showed that the proposed framework is able to decide when it is more cost-efficient to delegate discovery tasks to the cloud. However, sometimes embedding a workflow engine in an IoT device is not beneficial considering agility and energy conservation. This thesis compared two types of workflow execution: a) execution of workflow models using an embedded workflow engine and b) execution of program code translations based on the workflow models. Based on experiments with real devices, the two methods were compared in terms of system resource and energy usage

Design of Data-Driven Decision Support Systems for Business Process Standardization

Increasingly dynamic environments require organizations to engage in business process standardization (BPS) in response to environmental change. However, BPS depends on numerous contingency factors from different layers of the organization, such as strategy, business models (BMs), business processes (BPs) and application systems that need to be well-understood (“comprehended”) and taken into account by decision-makers for selecting appropriate standard BP designs that fit the organization. Besides, common approaches to BPS are non-data-driven and frequently do not exploit increasingly avail-able data in organizations. Therefore, this thesis addresses the following research ques-tion: “How to design data-driven decision support systems to increase the comprehen-sion of contingency factors on business process standardization?”. Theoretically grounded in organizational contingency theory (OCT), this thesis address-es the research question by conducting three design science research (DSR) projects to design data-driven decision support systems (DSSs) for SAP R/3 and S/4 HANA ERP systems that increase comprehension of BPS contingency factors. The thesis conducts the DSR projects at an industry partner within the context of a BPS and SAP S/4 HANA transformation program at a global manufacturing corporation. DSR project 1 designs a data-driven “Business Model Mining” system that automatical-ly “mines” BMs from data in application systems and represents results in an interactive “Business Model Canvas” (BMC) BI dashboard to comprehend BM-related BPS con-tingency factors. The project derives generic design requirements and a blueprint con-ceptualization for BMM systems and suggests an open, standardized reference data model for BMM. The project implements the software artifact “Business Model Miner” in Microsoft Azure / PowerBI and demonstrates technical feasibility by using data from an educational SAP S/4 HANA system, an open reference dataset, and three real-life SAP R/3 ERP systems. A field evaluation with 21 managers at the industry partner finds differences between tool results and BMCs created by managers and thus the po-tential for a complementary role of BMM tools to enrich the comprehension of BMs. A further controlled laboratory experiment with 142 students finds significant beneficial impacts on subjective and objective comprehension in terms of effectiveness, efficiency, and relative efficiency. Second, DSR project 2 designs a data-driven process mining DSS “KeyPro” to semi-automatically discover and prioritize the set of BPs occurring in an organization from log data to concentrate BPS initiatives on important BPs given limited organizational resources. The project derives objective and quantifiable BP importance metrics from BM and BPM literature and implements KeyPro for SAP R/3 ERP and S/4 HANA sys-tems in Microsoft SQL Server / Azure and interactive PowerBI dashboards. A field evaluation with 52 managers compares BPs detected manually by decision-makers against BPs discovered by KeyPro and reveals significant differences and a complemen-tary role of the artifact to deliver additional insights into the set of BPs in the organiza-tion. Finally, a controlled laboratory experiment with 30 students identifies the dash-boards with the lowest comprehension for further development. Third, OCT requires organizations to select a standard BP design that matches contin-gencies. Thus, DSR project 3 designs a process mining DSS to select a standard BP from a repository of different alternative designs based on the similarity of BPS contin-gency factors between the as-is process and the to-be standard processes. DSR project 3 thus derives four different process model variants for representing BPS contingency factors that vary according to determinant factors of process model comprehension (PMC) identified in PMC literature. A controlled laboratory evaluation with 150 stu-dents identifies significant differences in PMC. Based on laboratory findings, the DSS is implemented in the BPM platform “Apromore” to select standard BP reference mod-els from the SAP Best Practices Explorer for SAP S/4 HANA and applied for the pur-chase-to-pay and order-to-cash process of a manufacturing company

Vulnerability Identification Errors in Security Risk Assessments

At present, companies rely on information technology systems to achieve their business objectives, making them vulnerable to cybersecurity threats. Information security risk assessments help organisations to identify their risks and vulnerabilities. An accurate identification of risks and vulnerabilities is a challenge, because the input data is uncertain. So-called ’vulnerability identification errors‘ can occur if false positive vulnerabilities are identified, or if vulnerabilities remain unidentified (false negatives). ‘Accurate identification’ in this context means that all vulnerabilities identified do indeed pose a risk of a security breach for the organisation. An experiment performed with German IT security professionals in 2011 confirmed that vulnerability identification errors do occur in practice. In particular, false positive vulnerabilities were identified by participants. In information security (IS) risk assessments, security experts analyze the organisation’s assets in order to identify vulnerabilities. Methods such as brainstorming, checklists, scenario-analysis, impact-analysis, and cause-analysis (ISO, 2009b) are used to identify vulnerabilities. These methods use uncertain input data for vulnerability identification, because the probabilities, effects and losses of vulnerabilities cannot be determined exactly (Fenz and Ekelhart, 2011). Furthermore, business security needs are not considered properly; the security checklists and standards used to identify vulnerabilities do not consider company-specific security requirements (Siponen and Willison, 2009). In addition, the intentional behaviour of an attacker when exploiting vulnerabilities for malicious purposes further increases the uncertainty, because predicting human behaviour is not just about existing vulnerabilities and their consequences (Pieters and Consoli, 2009), rather than preparing for future attacks. As a result, current approaches determine risks and vulnerabilities under a high degree of uncertainty, which can lead to errors. This thesis proposes an approach to resolve vulnerability identification errors using security requirements and business process models. Security requirements represent the business security needs and determine whether any given vulnerability is a security risk for the business. Information assets’ security requirements are evaluated in the context of the business process model, in order to determine whether security functions are implemented and operating correctly. Systems, personnel and physical parts of business processes, as well as IT processes, are considered in the security requirement evaluation, and this approach is validated in three steps. Firstly, the systematic procedure is compared to two best-practice approaches. Secondly, the risk result accuracy is compared to a best-practice risk-assessment approach, as applied to several real-world examples within an insurance company. Thirdly, the capability to determine risk more accurately by using business processes and security requirements is tested in a quasi-experiment, using security professionals. This thesis demonstrates that risk assessment methods can benefit from explicit evaluation of security requirements in the business context during risk identification, in order to resolve vulnerability identification errors and to provide a criterion for security