Title: Risk analysis of information systems by event process chains

Authors: Ralf Mock, Maurizio Corvo

Addresses: Laboratory for Safety Analysis, Swiss Federal Institute of Technology, ETH Zentrum, HG, Ramistrasse 101, CH-8092, Zurich, Switzerland. ' Department of Computer Science, University of Applied Sciences Zurich, Lagerstrasse 45, CH-8021 Zurich, Switzerland

Abstract: Information and Communication Technology (ICT) has an important impact on critical infrastructure operation. However, the current use of risk analysis techniques has reached its limits when analysing these systems at least in practical terms. The application of extended event process chains (EPC) bypasses some of the difficulties, as they model business processes within an information system instead of much more complex hardware architectures and software interactions. The methodology described in this paper integrates ARIS (Architecture Integrated Information Systems) and FMEA (Failure Mode and Effects Analysis), i.e., a business modelling method based on EPCs and a risk assessment technique which are well established in their areas of application and branches of competence. A novel risk representation is discussed. The practicability of the methodology is demonstrated by a feasibility study.

Keywords: risk analysis; information systems; FMEA; ARIS; event process chains; critical infrastructures; failure mode and effects analysis; architecture integrated information systems; business modelling; risk assessment; ICT; information technology; communications.

DOI: 10.1504/IJCIS.2005.006121

International Journal of Critical Infrastructures, 2005 Vol.1 No.2/3, pp.247 - 257

Published online: 06 Feb 2005 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article