50 research outputs found

    Enterprise Architecture Debts – A Concept to Manage EA Evolution?


    Towards Automated Attack Simulations of BPMN-based Processes

    Process digitization and integration are an increasing need for enterprises, while cyber-attacks are a growing threat. Using the Business Process Model and Notation (BPMN) is common for handling digitization and integration within and across organizations. In other parts of the same companies, threat modeling and attack graphs are used to analyze security posture and resilience. In this paper, we propose a novel approach that applies attack graph simulations to processes represented in BPMN. Our contributions are the identification of BPMN's attack surface, a mapping of BPMN elements to concepts in a Meta Attack Language (MAL)-based Domain-Specific Language (DSL) called coreLang, and a prototype that demonstrates the approach in a case study using a real-world invoice integration process. The study shows that non-invasively enriching BPMN instances with cybersecurity analysis through attack graphs is possible without much human expert input. The resulting insights into potential vulnerabilities could benefit process modelers. Comment: Submitted for review to EDOC 202
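The mechanics behind the attack graph simulation described in this abstract, as an added illustration that is not code from the paper, its coreLang mapping, or its prototype. MAL attack graphs consist of OR steps (reached when any parent is reached), AND steps (reached only when all parents are), and defenses that block the step they guard; the evaluator below implements exactly that, and the toy invoice process, the element-to-step mapping and every step and defense name are constructed assumptions chosen to show how a BPMN pool, message flow, task and data object might become attack steps:

```python
"""MAL-style attack-graph evaluation over a BPMN-like process model.

Added illustration, not the paper's coreLang mapping or prototype. The
asset types, attack steps, defense and toy invoice process below are
constructed assumptions.
"""
from collections import deque


class AttackGraph:
    """Attack graph with OR/AND attack steps and optional defenses."""

    def __init__(self):
        self.kind = {}      # step -> "or" | "and"
        self.parents = {}   # step -> set of steps that lead to it
        self.children = {}  # step -> set of steps it leads to
        self.guard = {}     # step -> defense name that blocks it, if any

    def add_step(self, name, kind="or", defense=None):
        if kind not in ("or", "and"):
            raise ValueError(f"unknown step kind: {kind}")
        self.kind[name] = kind
        self.parents.setdefault(name, set())
        self.children.setdefault(name, set())
        if defense is not None:
            self.guard[name] = defense

    def add_edge(self, parent, child):
        if parent not in self.kind or child not in self.kind:
            raise KeyError((parent, child))
        self.parents[child].add(parent)
        self.children[parent].add(child)

    def reachable(self, entry_points, enabled_defenses=()):
        """Worklist fixed point: returns the set of attack steps the attacker
        can reach from entry_points given the enabled defenses."""
        enabled = set(enabled_defenses)
        reached = set()
        queue = deque()
        for e in entry_points:
            if e not in self.kind:
                raise KeyError(e)
            reached.add(e)
            queue.append(e)
        while queue:
            step = queue.popleft()
            for child in self.children[step]:
                if child in reached:
                    continue
                if self.guard.get(child) in enabled:   # defense blocks the step
                    continue
                # AND steps need every parent reached; re-checked each time a
                # parent is processed, so later-reached parents unlock them.
                if self.kind[child] == "and" and not self.parents[child] <= reached:
                    continue
                reached.add(child)
                queue.append(child)
        return frozenset(reached)


def build_invoice_process():
    """Constructed toy: a BPMN invoice process as attack steps.

    Assumed element-to-step mapping (illustrative only):
      external pool -> <pool>.compromise
      message flow  -> <flow>.tamper
      task          -> <task>.maliciousInput / .fraudulentApproval
      data object   -> <data>.modify, guarded by a schema-validation defense
    """
    g = AttackGraph()
    g.add_step("supplier.compromise")                              # external pool
    g.add_step("invoiceMessage.tamper")                            # message flow
    g.add_step("receiveInvoice.maliciousInput")                    # task
    g.add_step("invoiceData.modify", defense="schemaValidation")   # data object
    g.add_step("approverAccount.compromise")                       # lane owner identity
    g.add_step("approvePayment.fraudulentApproval", kind="and")    # task needing both
    g.add_edge("supplier.compromise", "invoiceMessage.tamper")
    g.add_edge("invoiceMessage.tamper", "receiveInvoice.maliciousInput")
    g.add_edge("receiveInvoice.maliciousInput", "invoiceData.modify")
    g.add_edge("invoiceData.modify", "approvePayment.fraudulentApproval")
    g.add_edge("approverAccount.compromise", "approvePayment.fraudulentApproval")
    return g


def simulate(entry_points, enabled_defenses=()):
    """Reachable attack steps in the toy process for a given attacker start."""
    return build_invoice_process().reachable(entry_points, enabled_defenses)


if __name__ == "__main__":
    scenarios = [
        (["supplier.compromise"], []),
        (["supplier.compromise", "approverAccount.compromise"], []),
        (["supplier.compromise", "approverAccount.compromise"], ["schemaValidation"]),
    ]
    for entries, defenses in scenarios:
        print(entries, defenses, "->", sorted(simulate(entries, defenses)))
```

A compromised supplier alone tampers with the message and the invoice data but cannot reach the AND step for fraudulent approval; adding a compromised approver account does; enabling the schema-validation defense on the data object cuts the path before it, which is the kind of insight the abstract describes for process modelers.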

    Discovering and Assessing Enterprise Architecture Debts

    The term Enterprise Architecture (EA) Debt has been coined to capture the difference between the actual state of an EA and its hypothetical optimal state. So far, different methods have been proposed to identify such EA Debts in organizations. However, these methods are either based on transferring known concepts from other domains to EA, or are time and resource intensive. To overcome these shortcomings, we propose an approach that uses an interview format to identify EA Debts in enterprises, together with a method that allows a qualitative assessment of the identified EA Debts. The proposed approach is supported by a framework consisting of an interview format and a process for determining thresholds for certain EA Smells.

    Towards Cybersecurity by Design: A multi-level reference model for requirements-driven smart grid cybersecurity

    This paper provides a first step towards a reference model for end-to-end cybersecurity by design in the electricity sector. The envisioned reference model relies, among others, on the integrated consideration of two currently fragmented but complementary reference models: NISTIR 7628 and powerLang. As the underlying language architecture, we rely on multi-level modeling, specifically the Flexible Meta Modeling and Execution Language (FMMLx), since multi-level modeling supports a natural integration across the different abstraction levels inherent to reference models. This paper's contributions result from one full pass through Wieringa's engineering cycle: for problem investigation, we describe the problems the reference model should address; for treatment design, we contribute the requirements the reference model should fulfill; for treatment implementation, we provide fragments of the reference model implemented in an integrated modeling and programming environment. Finally, for treatment evaluation, we conduct expert interviews to check, among others, the artefact's relevance and utility.

    Why Phishing Works on Smartphones: A Preliminary Study

    Phishing is a form of fraud in which an attacker attempts to acquire sensitive information from a target by posing as trustworthy. One strategy for fooling the target is spoofing a legitimate website. But why do people fall for phishing, and which security indicators are used, or not used, when deciding whether a website is legitimate? Hitherto, two such studies have been conducted, in 2006 and 2015. As time has passed since then, we wanted to check whether people have since become more certain in identifying spoofed websites. Therefore, 20 participants were observed while they analyzed and classified websites as legitimate or spoofed. On average, participants had a success rate of 69 %, similar to the results of the previous studies. The URL was used as an indicator by most participants (80 %), indicating that user behavior and the ease of distinguishing spoofed from legitimate websites are not very different on a smartphone compared to a desktop. Almost all participants used the content of the website at least once when deciding whether a website was spoofed or legitimate. These findings will be used to conduct a larger study to obtain more robust results.

    Improving the quality of enterprise architecture models : processes and techniques

    Information technology (IT) pervades organizations more and more and is becoming increasingly important for their business models. It has evolved from a purely supportive role into an important strategic pillar in many organizations. It is therefore all the more important that IT is aligned with the needs of the organization. Approaches that achieve this are often subsumed under the term "business-IT alignment". One instrument for achieving business-IT alignment is Enterprise Architecture (EA). EAs provide a holistic perspective on the structure of the organization and a set of techniques to guide and steer its evolution towards a desired goal state. A key artifact of EA is the EA model. It abstracts the elements and their relationships to an understandable and manageable level. Usually, enterprise architects model business processes, applications, hardware components, data models and customer relationships. Based on the information stored in the EA model, the organization's management makes important decisions regarding its future focus. Conversely, on the operational level too, the model can provide important information, for example which application is used in which business environment and exchanges data with which other applications. In order to derive meaningful decisions from the EA model, its quality is of crucial importance. Therefore, this work elaborates on developing different processes and techniques that ensure the quality of the EA model. First, we present a process to ensure the quality of the EA model in which model maintenance is understood as a continuous evolution. For this purpose, we define the different steps that have to be considered in such a process. This process serves as the foundation for a continuous delivery pipeline that will help automate as many of these steps as possible. Next, we present an approach that allows storing contradictory information in EA models.
    In addition to the aforementioned processes, we also developed several techniques to improve the quality of EA models. However, improvement requires a method to evaluate quality, which we also introduce in this work. Subsequently, we apply machine-learning techniques to support the modeler in reusing existing elements of the model. In addition, we compare the performance of different algorithms to determine the best one for a given situation. Finally, we present a method to identify unnecessary elements in the model.

    Towards an Enterprise Architecture Model Evolution

    QC 20190812