Designing business continuity response

Die rasch ändernden Risikobedingungen, mit denen sich Unternehmen heutzutage konfrontiert sehen, stellen Business Continuity und Resilience Verantwortliche vor neue Herausforderungen. Durch die zunehmende Abhängigkeit von Lieferanten und Geschäftspartnern sowie steigende Verfügbarkeitsanforderungen von Services wird es immer bedeutsamer, eine effektive und effiziente Reaktion auf Störungen und Ausfälle zur Verfügung zu stellen, um Ruf und Marke zu schützen sowie finanzielle Ziele zu erreichen. Da die Vorbereitung und Planung einer Reaktion auf unvorhergesehene Ereignisse äußerst kostenintensiv sein kann, ist es notwendig, die Vorteile eines effizienten Notfallmanagements (Business Continuity Managements) nachvollziehbar zu begründen. Der in dieser Arbeit vorgestellte Ansatz erweitert das Konzept des Risk-Aware Business Process Managements, um Auswirkungen von Workarounds und dynamischen Ressourcenzuweisungen zu analysieren. Die Ergebnisse dieser Analyse dienen als signifikanter Input für die Notfallplanung. Für die Evaluierung des Ansatzes wurde ein Simulink Prototyp entwickelt. Zusätzlich wird ein Metamodell zur Abbildung und Erfassung von Business Continuity Anforderungen, welches auf Basis der OpenModels Plattform umgesetzt worden ist, vorgestellt.Companies are increasingly confronted with fast-changing risk-situations, leading to substantial challenges for business continuity and resilience professionals. Furthermore, the growing availability needs and the dependence on providers and suppliers demand an effective and eficient response to disruptions and interruptions in order to protect the brand, reputation and financial objectives of an organization. As the preparation for ’expecting the unexpected’ can be very costly, it is essential to highlight the benefits and advantages brought by proper business continuity planning. This thesis contributes to current research ambitions by presenting a formal approach extending the capabilities of risk-aware business process management. Risk aware business process management in general bridges the gap between the business process management, risk management and business continuity management domain. The presented extension within the thesis enables the consideration of resource allocation aspects within the risk-aware business process modeling and simulation. Through this extension it is possible to evaluate the effects of workarounds and resource re-allocations which is one crucial part in business continuity plans. In order to test the feasibility we implemented a prototype of our formal model using Simulink. Additionally, in this work, we introduce a business continuity meta-model which is capable to capture essential business continuity requirements. The meta-model was implemented as a project within the OpenModels Initative

Mixed structural models for decision making under uncertainty using stochastic system simulation and experimental economic methods: application to information security control choice

This research is concerned with whether and to what extent information security managers may be biased in their evaluation of and decision making over the quantifiable risks posed by information management systems where the circumstances may be characterized by uncertainty in both the risk inputs (e.g. system threat and vulnerability factors) and outcomes (actual efficacy of the selected security controls and the resulting system performance and associated business impacts). Although ‘quantified security’ and any associated risk management remains problematic from both a theoretical and empirical perspective (Anderson 2001; Verendel 2009; Appari 2010), professional practitioners in the field of information security continue to advocate the consideration of quantitative models for risk analysis and management wherever possible because those models permit a reliable economic determination of optimal operational control decisions (Littlewood, Brocklehurst et al. 1993; Nicol, Sanders et al. 2004; Anderson and Moore 2006; Beautement, Coles et al. 2009; Anderson 2010; Beresnevichiene, Pym et al. 2010; Wolter and Reinecke 2010; Li, Parker et al. 2011) The main contribution of this thesis is to bring current quantitative economic methods and experimental choice models to the field of information security risk management to examine the potential for biased decision making by security practitioners, under conditions where information may be relatively objective or subjective and to demonstrate the potential for informing decision makers about these biases when making control decisions in a security context. No single quantitative security approach appears to have formally incorporated three key features of the security risk management problem addressed in this research: 1) the inherently stochastic nature of the information system inputs and outputs which contribute directly to decisional uncertainty (Conrad 2005; Wang, Chaudhury et al. 2008; Winkelvos, Rudolph et al. 2011); 2) the endogenous estimation of a decision maker’s risk attitude using models which otherwise typically assume risk neutrality or an inherent degree of risk aversion (Danielsson 2002; Harrison, Johnson et al. 2003); and 3) the application of structural modelling which allows for the possible combination and weighting between multiple latent models of choice (Harrison and Rutström 2009). The identification, decomposition and tractability of these decisional factors is of crucial importance to understanding the economic trade-offs inherent in security control choice under conditions of both risk and uncertainty, particularly where established psychological decisional biases such as ambiguity aversion (Ellsberg 1961) or loss aversion (Kahneman and Tversky 1984) may be assumed to be endemic to, if not magnified by, the institutional setting in which these decisions take place. Minimally, risk averse managers may simply be overspending on controls, overcompensating for anticipated losses that do not actually occur with the frequency or impact they imagine. On the other hand, risk-seeking managers, where they may exist (practitioners call them ‘cowboys’ – they are a familiar player in equally risky financial markets) may be simply gambling against ultimately losing odds, putting the entire firm at risk of potentially catastrophic security losses. Identifying and correcting for these scenarios would seem to be increasingly important for now universally networked business computing infrastructures. From a research design perspective, the field of behavioural economics has made significant and recent contributions to the empirical evaluation of psychological theories of decision making under uncertainty (Andersen, Harrison et al. 2007) and provides salient examples of lab experiments which can be used to elicit and isolate a range of latent decision-making behaviours for choice under risk and uncertainty within relatively controlled conditions versus those which might be obtainable in the field (Harrison and Rutström 2008). My research builds on recent work in the domain of information security control choice by 1) undertaking a series of lab experiments incorporating a stochastic model of a simulated information management system at risk which supports the generation of observational data derived from a range of security control choice decisions under both risk and uncertainty (Baldwin, Beres et al. 2011); and 2) modeling the resulting decisional biases using structural models of choice under risk and uncertainty (ElGamal and Grether 1995; Harrison and Rutström 2009; Keane 2010). The research contribution consists of the novel integration of a model of stochastic system risk and domain relevant structural utility modeling using a mixed model specification for estimation of the latent decision making behaviour. It is anticipated that the research results can be applied to the real world problem of ‘tuning’ quantitative information security risk management models to the decisional biases and characteristics of the decision maker (Abdellaoui and Munier 1998