A reference model for process-oriented IT risk management

16th European Conference on Information Systems, ECIS 2008

Volumn , Issue , 2008, Pages

  Sackmann, Stefan ^a  

^a UNIVERSITY OF FREIBURG   (Germany)

Author keywords

IT risk; IT risk management; IT risk reference model; Risk oriented business process management

Indexed keywords

BUSINESS PROCESS; BUSINESS PROCESS MANAGEMENT; PROCESS-ORIENTED; REFERENCE MODELS; RISK MANAGEMENT PROCESS; SYSTEMATIC MODELING;

ENTERPRISE RESOURCE MANAGEMENT; INFORMATION SYSTEMS; MODELS; RISK ASSESSMENT; RISK MANAGEMENT;

INFORMATION MANAGEMENT;

EID: 84870648762     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (39)

1. Baker, W.H., Rees, L.P., and Tippett, P.S. (2007). Necessary Measures: Metric-driven Information Security Risk Assessment and Decision Making. Communications of the ACM, 50 (10), 101-106.
2. Basel Committee on Banking Supervision (2001). Regulatory Treatment of Operational Risk. Working Paper 8, September 2001. URL: http://www.bis.org/publ/ bcbs-wp8.pdf (2008-03-28).
3. Basin, D., Mödersheim, S., and Vigano, L. (2003). An On-The-Fly Model-Checker for Security Protocol Analysis. In Proceedings of the ESORICS 2003, Lecture Notes in Computer Science, 2808, pp. 253-270, Springer, Berlin.
4. Bishop, M.A. (2004). Introduction to Computer Security. Addison-Wesley Longman, Amsterdam.
5. Boehm, B.W. (1989). Software risk management. IEEE Computer Society Press, Washington, D.C.
6. BSI - Federal Office for Information Security (2005). IT-Grundschutz Manual. URL: http://www.bsi.de/english/gshb/manual/download/pdfversion.zip (2007-11-30).
7. Cavusoglu, H., Mishra, B., and Raghunathan, S. (2004). A Model for Evaluating IT Security Investments. Communications of the ACM, 47 (7), 87-92.
8. Cruz, M.G. (2002). Modelling, Measuring and Hedging Operational Risk. John Wiley & Sons, New York, Chichester.
9. Curbera, F., Khalaf, R., Mukhi, N., Tai, S., and Weerawarana, S. (2003). The Next Step in Web Services. Communications of the ACM, 46 (10), 29-35.
10. Ellis, C. A. (1999). Workflow Technology. In Computer Supported Co-operative Work (Beaudouin-Lafon, M. Ed.), pp. 29-54, John Wiley & Sons, Chichester.
11. Faisst, U. and Prokein, O. (2005). An Optimization Model for the Management of Security Risks in Banking Companies. In Proceedings of the Seventh IEEE International Conference on ECommerce Technology (CEC'05), pp. 266-273.
12. Finne, T. (1998). A conceptual framework for information security management. Computers & Security, 17 (4), 303-307.
13. Giaglis, G.M. (2001). A taxonomy of business process modelling and information systems modelling techniques. International Journal of Flexible Manufacturing Systems, 13 (2), 209-228.
14. Gordon, L.A. and Loeb, M.P. (2002). The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5 (4), 438-457.
15. Gordon, L.A., Loeb, M.P., Lucyshyn, W., and Richardson, R. (2006). CSI/FBI Computer Crime and Security Survey 2006. Computer Security Institute.
16. Harmon, P. (2003). Business process change. A manager's guide to improving, redesigning, and automating processes. Morgan Kaufmann Publ., Amsterdam.
17. Holton, G.A. (2003). Value-at-Risk: Theory and Practice. Academic Press, San Diego.
18. Howard, J. and Longstaff, T. (1998). A Common Language for Computer Security Incidents. Sandia National Laboratories Report SAND98-8667.
19. ISO/IEC (2005). ISO/IEC 15408-1: Information technology - Security techniques - Evaluation criteria for IT security. JTC1/SC27.
20. Jaisingh, J. and Rees, J. (2001). Value at risk: A methodology for information security risk assessment. In Proceedings of the INFORMS Conference on Information Systems and Technology 2001, Miami.
21. Kletz, T. (1992). HAZOP and HAZAN: Identifying and Assessing Process Industry Standards. 3rd Edition, Hemisphere Publishers, Washington D.C.
22. Krafzig, D., Banke, K., and Slama, D. (2005). Enterprise SOA. Prentice Hall, Upper Saddle River.
23. McNeil, A., Frey, R., and Embrechts, P. (2005). Quantitative Risk Management: Concepts Techniques and Tools. Princeton University Press, Princeton.
24. Mills, S. (2007). The future of business - Aligning business and IT to create an enduring impact on industry. IBM, Thought leadership paper. URL: ftp://ftp.software.ibm.com/software/soa/pdf/future-of-business.pdf (2008-03-28).
25. Muehlen, M. zur and Rosemann, M. (2005). Integrating Risks in Business Process Models. In Proceedings of the 16th Australasian Conference on Information Systems (ACIS 2005), 30.11.-02.12.2005, Sydney, Australia.
26. Müller, G. and Rannenberg, K. (1999). Multilateral Security in Communications, Vol. 3: Technology, Infrastructure, Economy. Addison Wesley Longman, New York.
27. Palm, J. (2003). Analysing Business Processes. Risk, March 2003, 23-25.
28. Parker, D.B. (2007). Risks of risk-based security. Communications of the ACM, 50 (3), 120.
29. Rappaport, A. (1998). Creating Shareholder Value: The New Standard for Business Performance. 2nd Edition, Simon & Schuster, New York.
30. Sackmann, S. and Strüker, J. (2005). Electronic Commerce Enquête 2005. Konradin IT-Verlag, Leinfelden.
31. Sackmann, S. (2008). Assessing the effects of IT changes on IT risk - A business process-oriented view. In Multikonferenz Wirtschaftsinformatik MKWI'08 (Bichler, M. et al. (Eds.), pp. 1137-1148, GITO, Berlin.
32. Sanchez, R. (1995). Strategic Flexibility in Product Competition. Strategic Management Journal, 16, 135-159.
33. Scheer, A.W. (2000). ARIS - business process modeling. 3rd Edition, Springer, Berlin.
34. Schneier, B. (1999). Attack Trees. Dr. Dobb's Journal, December 1999, 24 (12), 21-29.
35. Schneider, F.B., Morrisett, G., and Harper, R. (2001). A Language-Based Approach to Security. Lecture Notes in Computer Science, 2000, 86-101.
36. Tanenbaum, A.S. (1979). Structured Computer Organization. Prentice-Hall, Englewood Cliffs, New Jersey.
37. Tarantino, A. (2006). Manager's Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies. John Wiley & Sons, Hoboken.
38. Vesely, W.E., Goldberg, F.F., Roberts, N.H., and Haasl, D.F. (1981). Fault Tree Handbook. U.S. Nuclear Regulatory Commission. NUREG-0492, Washington, D.C.
39. Whitman, M. (2003). Enemy at the gate: Threats to information security. Communications of the ACM, 46 (8), 91-95.