Designing business continuity response
The rapidly changing risk conditions that companies face today present those responsible for business continuity and resilience with new challenges. Because of the growing dependence on suppliers and business partners, and rising availability requirements for services, it is becoming ever more important to provide an effective and efficient response to disruptions and outages in order to protect reputation and brand and to meet financial targets. Since preparing and planning a response to unforeseen events can be extremely costly, the benefits of efficient emergency management (business continuity management) must be justified in a traceable way. The approach presented in this work extends the concept of risk-aware business process management in order to analyse the effects of workarounds and dynamic resource allocation. The results of this analysis serve as significant input for continuity planning. A Simulink prototype was developed to evaluate the approach. In addition, a metamodel for representing and capturing business continuity requirements, implemented on the basis of the OpenModels platform, is presented.

Companies are increasingly confronted with fast-changing risk situations, leading to
substantial challenges for business continuity and resilience professionals. Furthermore,
the growing availability needs and the dependence on providers and suppliers demand an
effective and efficient response to disruptions and interruptions in order to protect the brand,
reputation and financial objectives of an organization.
As the preparation for "expecting the unexpected" can be very costly, it is essential to
highlight the benefits and advantages brought by proper business continuity planning. This
thesis contributes to current research ambitions by presenting a formal approach extending
the capabilities of risk-aware business process management. Risk-aware business process
management in general bridges the gap between the business process management, risk
management and business continuity management domains. The extension presented in
the thesis enables the consideration of resource allocation aspects within risk-aware
business process modeling and simulation. Through this extension it is possible to evaluate
the effects of workarounds and resource re-allocations, which is one crucial part of business
continuity plans. In order to test the feasibility, we implemented a prototype of our formal
model using Simulink.
Additionally, in this work, we introduce a business continuity meta-model which
is capable of capturing essential business continuity requirements. The meta-model was
implemented as a project within the OpenModels Initiative.
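The abstract above evaluates workarounds and resource re-allocation by simulating the process. As an added illustration, and not the thesis's Simulink prototype or its formal model, the following Python Monte Carlo compares a process whose critical resource can be disrupted with and without a pre-planned workaround resource. The resource names, service times, failure probability, repair time and horizon are constructed inputs chosen for the example.

```python
"""Added illustration (not the thesis's Simulink prototype): a Monte Carlo
simulation of a process whose critical resource can be disrupted, with and
without a pre-planned workaround resource, to quantify what the workaround
buys in completed process instances and avoided idle time."""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    name: str
    service_time: float   # time units one process instance occupies the resource
    failure_prob: float   # chance the resource is disrupted just before serving an instance
    repair_time: float    # time units until a disrupted resource is available again


def simulate_process(primary: Resource, workaround: Optional[Resource],
                     horizon: float, seed: int = 1) -> dict:
    """One replication: instances are served by the primary resource; while it is
    down they are served by the workaround (if any) or simply wait for the repair."""
    if primary.service_time <= 0 or primary.repair_time <= 0 or (
            workaround is not None and workaround.service_time <= 0):
        raise ValueError("service and repair times must be positive")
    rng = random.Random(seed)
    t = 0.0
    completed = via_workaround = 0
    idle_time = 0.0
    down_until = 0.0          # primary is unavailable while t < down_until
    while t < horizon:
        primary_up = t >= down_until
        if primary_up and rng.random() < primary.failure_prob:
            down_until = t + primary.repair_time   # disruption hits now
            primary_up = False
        if primary_up:
            t += primary.service_time
            completed += 1
        elif workaround is not None:
            t += workaround.service_time            # workaround keeps the process running, more slowly
            completed += 1
            via_workaround += 1
        else:
            wait_until = min(down_until, horizon)   # no plan: the process waits for the repair
            idle_time += wait_until - t
            t = wait_until
    return {"completed": completed, "via_workaround": via_workaround, "idle_time": idle_time}


def compare_workaround(primary: Resource, workaround: Resource,
                       horizon: float, runs: int = 200) -> dict:
    """Average both variants over paired replications (same seeds); the gap is the
    quantified benefit a continuity plan can put against the workaround's cost."""
    def mean(key: str, wa: Optional[Resource]) -> float:
        return sum(simulate_process(primary, wa, horizon, seed)[key] for seed in range(runs)) / runs
    return {
        "completed_without": mean("completed", None),
        "completed_with": mean("completed", workaround),
        "idle_without": mean("idle_time", None),
        "served_by_workaround": mean("via_workaround", workaround),
    }


if __name__ == "__main__":
    # Constructed scenario: an order-handling system that fails before 5 % of
    # instances and takes 5 time units to repair; the workaround is a manual
    # procedure taking twice as long per instance.
    erp = Resource("erp", service_time=1.0, failure_prob=0.05, repair_time=5.0)
    manual = Resource("manual-procedure", service_time=2.0, failure_prob=0.0, repair_time=1.0)
    for k, v in compare_workaround(erp, manual, horizon=100.0).items():
        print(f"{k:>22}: {v:.1f}")
```

The difference between `completed_with` and `completed_without` (and the idle time avoided) is the kind of quantified input the abstract says continuity planning needs in order to justify its cost. A dynamic re-allocation is modelled the same way: give the workaround resource the service time of the resource that is moved over, and the simulation reports what that move is worth.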
Mixed structural models for decision making under uncertainty using stochastic system simulation and experimental economic methods: application to information security control choice
This research is concerned with whether and to what extent information security managers may be biased in their evaluation of and decision making over the quantifiable risks posed by information management systems where the circumstances may be characterized by uncertainty in both the risk inputs (e.g. system threat and vulnerability factors) and outcomes (actual efficacy of the selected security controls and the resulting system performance and associated business impacts). Although "quantified security" and any associated risk management remains problematic from both a theoretical and empirical perspective (Anderson 2001; Verendel 2009; Appari 2010), professional practitioners in the field of information security continue to advocate the consideration of quantitative models for risk analysis and management wherever possible because those models permit a reliable economic determination of optimal operational control decisions (Littlewood, Brocklehurst et al. 1993; Nicol, Sanders et al. 2004; Anderson and Moore 2006; Beautement, Coles et al. 2009; Anderson 2010; Beresnevichiene, Pym et al. 2010; Wolter and Reinecke 2010; Li, Parker et al. 2011). The main contribution of this thesis is to bring current quantitative economic methods and experimental choice models to the field of information security risk management to examine the potential for biased decision making by security practitioners, under conditions where information may be relatively objective or subjective, and to demonstrate the potential for informing decision makers about these biases when making control decisions in a security context.

No single quantitative security approach appears to have formally incorporated three key features of the security risk management problem addressed in this research: 1) the inherently stochastic nature of the information system inputs and outputs which contribute directly to decisional uncertainty (Conrad 2005; Wang, Chaudhury et al. 2008; Winkelvos, Rudolph et al. 2011); 2) the endogenous estimation of a decision maker's risk attitude using models which otherwise typically assume risk neutrality or an inherent degree of risk aversion (Danielsson 2002; Harrison, Johnson et al. 2003); and 3) the application of structural modelling which allows for the possible combination and weighting between multiple latent models of choice (Harrison and Rutström 2009). The identification, decomposition and tractability of these decisional factors is of crucial importance to understanding the economic trade-offs inherent in security control choice under conditions of both risk and uncertainty, particularly where established psychological decisional biases such as ambiguity aversion (Ellsberg 1961) or loss aversion (Kahneman and Tversky 1984) may be assumed to be endemic to, if not magnified by, the institutional setting in which these decisions take place. Minimally, risk averse managers may simply be overspending on controls, overcompensating for anticipated losses that do not actually occur with the frequency or impact they imagine. On the other hand, risk-seeking managers, where they may exist (practitioners call them "cowboys"; they are a familiar player in equally risky financial markets), may be simply gambling against ultimately losing odds, putting the entire firm at risk of potentially catastrophic security losses. Identifying and correcting for these scenarios would seem to be increasingly important for now universally networked business computing infrastructures.

From a research design perspective, the field of behavioural economics has made significant and recent contributions to the empirical evaluation of psychological theories of decision making under uncertainty (Andersen, Harrison et al. 2007) and provides salient examples of lab experiments which can be used to elicit and isolate a range of latent decision-making behaviours for choice under risk and uncertainty within relatively controlled conditions versus those which might be obtainable in the field (Harrison and Rutström 2008). My research builds on recent work in the domain of information security control choice by 1) undertaking a series of lab experiments incorporating a stochastic model of a simulated information management system at risk which supports the generation of observational data derived from a range of security control choice decisions under both risk and uncertainty (Baldwin, Beres et al. 2011); and 2) modeling the resulting decisional biases using structural models of choice under risk and uncertainty (ElGamal and Grether 1995; Harrison and Rutström 2009; Keane 2010). The research contribution consists of the novel integration of a model of stochastic system risk and domain relevant structural utility modeling using a mixed model specification for estimation of the latent decision making behaviour. It is anticipated that the research results can be applied to the real world problem of "tuning" quantitative information security risk management models to the decisional biases and characteristics of the decision maker (Abdellaoui and Munier 1998
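The control-choice problem described in this abstract, as an added worked example that is not the thesis's experimental model or its structural estimation: a constructed two-state breach distribution (no breach, or a breach with a fixed loss), a loss-reducing control whose residual impact decays exponentially with spend, and a CRRA utility whose risk-aversion coefficient stands in for the decision maker's risk attitude. The thesis estimates that attitude endogenously from experimental choices; here it is simply an input, and the scenario probabilities, loss, wealth and mitigation rate are assumptions chosen for the example. The grid search shows the spend a risk-neutral manager picks (the expected-cost minimum) and how a risk-averse or risk-seeking manager departs from it, in the directions the abstract describes.

```python
"""Added illustration (not the thesis's model): how the security control spend
that maximises expected utility moves with the decision maker's risk attitude,
under a constructed stochastic loss model."""
import math
from typing import Iterable, List, Tuple

# Constructed breach scenarios: (probability, loss if it occurs), in the same
# money units as wealth. Probabilities sum to 1; loss 0 is the "no breach" state.
SCENARIOS: List[Tuple[float, float]] = [(0.8, 0.0), (0.2, 60.0)]
WEALTH = 100.0          # assets at stake before any control spend (assumption)
MITIGATION_RATE = 0.1   # each unit spent scales the residual loss by exp(-0.1) (assumption)


def crra_utility(x: float, risk_aversion: float) -> float:
    """Constant relative risk aversion: r = 0 is risk neutral, r > 0 risk averse,
    r < 0 risk seeking. Residual wealth must stay positive for the power form."""
    if x <= 0:
        raise ValueError("CRRA utility needs positive residual wealth")
    if risk_aversion == 1:
        return math.log(x)
    return x ** (1 - risk_aversion) / (1 - risk_aversion)


def residual_loss(loss: float, spend: float, rate: float = MITIGATION_RATE) -> float:
    """Loss-reducing (self-insurance style) control: impact shrinks with spend
    but is never eliminated, so marginal spend has diminishing returns."""
    return loss * math.exp(-rate * spend)


def expected_utility(spend: float, risk_aversion: float,
                     scenarios: List[Tuple[float, float]] = SCENARIOS,
                     wealth: float = WEALTH, rate: float = MITIGATION_RATE) -> float:
    """Exact expectation over the discrete scenario distribution."""
    return sum(p * crra_utility(wealth - spend - residual_loss(loss, spend, rate), risk_aversion)
               for p, loss in scenarios)


def expected_cost(spend: float, scenarios: List[Tuple[float, float]] = SCENARIOS,
                  rate: float = MITIGATION_RATE) -> float:
    """Spend plus expected residual loss: what a risk-neutral manager minimises."""
    return spend + sum(p * residual_loss(loss, spend, rate) for p, loss in scenarios)


def optimal_spend(risk_aversion: float, grid: Iterable[float] = range(0, 31), **model) -> float:
    """Grid search for the spend maximising expected utility at a given risk attitude."""
    return max(grid, key=lambda c: expected_utility(c, risk_aversion, **model))


def risk_attitude_report(attitudes: Tuple[float, ...] = (-1.0, 0.0, 2.0)) -> dict:
    """Optimal spend per attitude and its deviation from the risk-neutral choice:
    positive for the over-spending the abstract attributes to risk-averse managers,
    negative for the under-spending of risk-seeking ones."""
    neutral = optimal_spend(0.0)
    return {r: {"spend": optimal_spend(r), "extra_vs_neutral": optimal_spend(r) - neutral}
            for r in attitudes}


if __name__ == "__main__":
    for r, row in risk_attitude_report().items():
        label = "risk seeking" if r < 0 else ("risk neutral" if r == 0 else "risk averse")
        print(f"r={r:>4}  {label:<13} spend={row['spend']:>3}  "
              f"vs neutral={row['extra_vs_neutral']:+}  expected cost={expected_cost(row['spend']):.2f}")
```

With these constructed numbers the risk-neutral optimum sits where marginal spend equals marginal reduction in expected loss, and the risk-averse manager spends several units beyond that point for a higher expected cost in exchange for a smaller worst case. The ordering holds here because the control is of the loss-reducing (self-insurance) kind; for a control that reduces breach probability instead, the optimal spend is not monotone in risk aversion in general, so the form of the stochastic model matters as much as the risk attitude being estimated.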