Abstract

Measuring the security of an enterprise's business processes has become essential in the wake of different threat scenarios. During the last two decades, a lot of research has been done on metrics for network security, software system security, attack severity, situation assessment, etc. At the process level, business impact analysis models and security maturity models exist, as do well-established risk analysis methods. With the all-pervasive IT implementation of business processes, it has become imperative for chief information security officers to come up with metrics for the security of business processes in the context of the relevant threat scenario. This paper introduces a novel security metric for assessing business process security, viz., Security Concern. The metric quantitatively measures the “concern” due to various attributes of the security of a business process in the context of the threat scenario and asset sensitivity. We present the model of the business process, its assets, their dependencies, exploits, and impacts on assets in a top–down fashion. Based on the model, security concern is defined as a metric. The bottom–up method of computing the metric is explained. It is also demonstrated how the proposed metric can be of practical utility for the horizontal and temporal comparison of business process security.
