Table of Contents
List of Figures
List of Tables
List of Abbreviations
1 Introduction
2 Theoretical Foundations
2.1 Enterprise Architecture Management
2.2 IT Security
2.3 Information Security Risk Management
2.4 Common Vulnerability Scoring System
2.5 Intersection of Risk Management and Enterprise Architecture
3 Research Design
3.1 Design Science Research
3.2 Literature Review
3.3 Case Study
3.4 Expert Interview
3.5 Unified Modeling Language
3.6 Artifact Evaluation
3.7 Summary of the Research Design
4 Requirements Analysis
4.1 Regulatory Environment in Germany
4.2 Derivations from Literature
4.3 Requirements from Expert Interviews
5 Conception of the ERA Framework
5.1 ERA Process
5.2 ERA Model
5.3 Use Case Scenarios
6 Case Study: Dashboard Artifact for TestBank Inc
6.1 Development of the Dashboard Artifact
6.2 First Iteration of the Evaluation
6.3 Second Iteration of the Evaluation
7 Conclusion
7.1 Summary of the Results
7.2 Limitations
7.3 Future Research
References
Appendix
List of Figures
Figure 3.1: Design Science Research Process Model (following Peffers et al., 2007)
Figure 3.2: Framework for Systematic Literature Reviews (following Vom Brocke et al., 2009)
Figure 3.3: Agile Approach of the Thesis
Figure 5.1: ERA Process
Figure 5.2: Build the Enterprise Structure and Derive Dependencies
Figure 5.3: Define Impact Scores
Figure 5.4: Define Protection Requirements
Figure 5.5: Detect Vulnerabilities and Aggregate Values to ERA Scores
Figure 6.1: UML Component Diagram of Dashboard Prototype
Figure 6.2: UML Class Diagram of ERA Framework Generator (Module A)
Figure 6.3: UML Activity Diagram of ERA Framework Generator (Module A)
Figure 6.4: UML Class Diagram of ERA Framework Dashboard (Module B)
Figure 6.5: UML Activity Diagram of ERA Framework Dashboard (Module B)
Figure 6.6: Main View of Dashboard Prototype after First Iteration
Figure 6.7: Main View of Dashboard Prototype after Second Iteration
Figure 6.8: Further Functionalities of Dashboard Prototype after Second Iteration
Figure 6.9: Aggregated Usability Rating per User Group
Figure 6.10: UEQ Results per Category (following Hinderks et al., 2020)
List of Tables
Table 3.1: Structure of the Evaluation
Table 3.2: Research Design of the Thesis
Table 4.1: Aggregated Overview of Requirements
List of Abbreviations
Figure not included in this reading sample.
Abstract
The complexity of enterprise architectures and the associated IT security risks are constantly increasing. Traditional approaches to IT risk management operate in silos and make it difficult to obtain a company-wide view of existing threats. The objective of this thesis is to develop an assessment framework that enables an automated comprehensive view of existing IT security risks within the enterprise architecture. For this purpose, concepts of IT risk management are extended with principles of enterprise architecture management. Based on a research approach according to the design science research paradigm, an artifact, the so-called Enterprise Architecture Management Risk Assessment (ERA) framework, will be developed based on a problem analysis and requirements gathering from practice and science. The ERA framework will be prototypically implemented and evaluated as a dashboard solution in a case study with a German bank. The evaluation will take place in two iterations, qualitative by means of expert interviews and quantitative by means of a survey. The evaluation of the ERA framework artifact and its prototypical dashboard implementation confirms its usefulness, usability and non-triviality. Furthermore, possible extension and improvement possibilities of the artifact are disclosed. The designed evaluation framework contributes to research at the interface of IT security and enterprise architecture management as well as to the solution of a practical relevant problem.
1 Introduction
Vulnerabilities in information technology (IT) systems that can be exploited may be disastrous for organizations, both through damage to customer perception and through monetary loss (Goode et al., 2017). At the time, the 2011 attack on Sony was the largest recorded data breach (Reynolds, 2011). Sensitive personal and financial data of more than 77 million users worldwide was compromised (Richmond & Williams, 2011), resulting in direct costs of around U.S. $170 million, not counting reputational loss (Hachmann, 2011). Sony's systems are believed to have been outdated: the technical vulnerabilities that made the attack possible were already known and could have been fixed (Chirgwin, 2011).
Operational IT risk management approaches are becoming increasingly unsuitable for the needs of organizations (Mayer et al., 2019), because the complexity of organizations and of the associated risks keeps growing (Proper, 2013). Most risk management approaches operate in silos: they are narrowly focused and consist of disjointed activities. The result is a fragmented view of risks, which makes an organization-wide, holistic view difficult (Barateiro et al., 2012). The main consequences for companies are monetary and reputational loss (as in the Sony example) and the increased effort of complying with risk-related regulations (e.g., International Organization for Standardization, 2008). To build bridges between, and support, the different stakeholders for whom the company's risk management matters in their daily work, security-relevant information must be provided at the right level of abstraction (Innerhofer-Oberperfler & Breu, 2006).
The objective of this thesis is to develop an assessment framework that provides an automated, comprehensive view of existing IT security risks across the entire enterprise architecture of companies that apply enterprise architecture management (EAM) principles. The framework is designed to identify threats on the technology layer in accordance with the company's security goals and to assess them as risk scores on the different layers of the company by means of an aggregation logic. Such an assessment framework should reduce the complexity of IT risk management and give companies a company-wide view of the threats present in their IT landscape. Since the concept supports automatic modeling, the manual effort for generating the risk model is minimized. The designed framework will be implemented prototypically as a dashboard solution, which will demonstrate the usefulness of the artifact. The solution presents the elaborated framework graphically in an easily understandable way for different stakeholder groups (e.g., Chief Risk Officer, CIO, Professor, EAM expert). To ensure the comprehensibility of the artifact, the right level of abstraction and idealization is explored (Woods & Rosales, 2010).
Some research has already covered the interface between IT risk management and enterprise architecture management, but it pursues rather one-sided goals. Frequently, the work is intended to create initial foundations, e.g., by establishing domain metamodels (Almeida et al., 2019; Mayer et al., 2019). Furthermore, XML-based languages have been designed (e.g., Barateiro & Borbinha, 2011). A holistic concept that focuses on the identification and assessment of IT risks and displays the relevant content in an easily understandable format for stakeholders has not yet been developed.
This thesis addresses the identified research gap and aims to answer the following research question:
How should an assessment framework and an associated dashboard solution be designed to support the identification and assessment of IT security risks applying aspects of enterprise architecture management?
The remainder of the work is structured as follows: In chapter two, the theoretical fundamentals in the areas of EAM and information security risk management are presented. In addition, a systematic literature review is conducted that explores the interface between EAM and risk management. In chapter three, the research design of the thesis is explained: the basic framework of the research design, design science research, as well as the other methodologies applied. In chapter four, the requirements for the assessment framework to be developed are collected. For this purpose, the legal conditions in Germany are considered in the context of the thesis, interviews with experts are conducted, and derivations are drawn from the scientific literature. In chapter five, the proposed assessment framework, the artifact of this thesis, is presented. It consists of a process and an assessment model. Furthermore, use case scenarios are outlined in which the framework can be employed. Chapter six presents a case study in which a dashboard solution for the assessment framework is prototypically developed and evaluated for the German bank TestBank Inc. The framework is iteratively evaluated in two steps by means of expert interviews and a usability survey. Finally, chapter seven summarizes the results, reveals limitations of the research work and provides points for future research.
2 Theoretical Foundations
This chapter forms the theoretical basis of this thesis. It introduces fundamental concepts and definitions that are necessary for understanding the thesis. In the first sections the scientific concepts enterprise architecture management, IT security and information security risk management are presented. In the fourth section an industry standard is presented with which IT security vulnerabilities can be quantitatively assessed. In the last section, a systematic literature review is conducted to investigate the intersection between enterprise architecture and risk management in science.
2.1 Enterprise Architecture Management
Ahlemann et al. define EAM as “a management practice that establishes, maintains and uses a coherent set of guidelines, architecture principles and governance regimes that provide direction for and practical help with the design and the development of an enterprise’s architecture in order to achieve its vision and strategy” (2012, p. 20). This definition illustrates well that EAM follows a holistic approach and is a paradigm rather than a specific methodology. EAM serves as a control instrument to identify the current state of the enterprise (as-is model), to describe alternative states for the future (to-be model) and to support the coordination between the different aspects of an enterprise, such as business processes and their applications (Lankhorst et al., 2017).
EAM provides the means to manage businesses and enable them to make informed decisions. An existing business situation can be described, the strategic direction can be defined and expressed, gaps can be analyzed, tactical and operational planning can be carried out and architectural design can be developed (Op’t Land et al., 2009). EAM therefore no longer consists only of modeling and documentation, but should be seen much more as a management philosophy, which should be considered by top management as well as by other stakeholders (Ahlemann et al., 2012, pp. 19–21). In an environment where enterprise architectures are becoming increasingly complex, EAM can help to address the loss of visibility, increased complexity costs, and elevated risks through increased architectural visibility, a documented architectural vision, and architectural guidelines and principles (Ahlemann et al., 2012, pp. 5–11).
Over time, various EAM frameworks have developed that address EAM in science and practice to varying degrees and with different tools and processes. The oldest and one of the most established frameworks is the Zachman Framework. It presents a matrix whose cells are filled with various models; the result describes an enterprise architecture (Zachman, 1987). Another widely used framework is The Open Group Architecture Framework (TOGAF), which was published by the Open Group in 1995 and has been further developed since then. TOGAF is a tool-independent framework for developing technical architectures. TOGAF consists of seven main parts, of which the Architecture Development Method is the main component. The Architecture Development Method is a process model for the design of enterprise architecture (Matthes, 2011, pp. 188–199). Furthermore, there are pure modeling languages that address EAM. An established modeling language is ArchiMate, which is based on TOGAF and is also developed by the Open Group. With ArchiMate, the main elements of an architecture and their dependencies can be described. ArchiMate introduces a service-oriented architecture concept with three layers (Business Layer, Application Layer, Technology Layer), in which higher layers consume services provided by lower layers (Lankhorst et al., 2017, pp. 73–78).
2.2 IT Security
Information security can be defined as the collection of properties and activities for the protection of information and IT systems. The aim is to prevent unauthorized access to or manipulation of data and thus avoid the resulting economic damage. IT security is a subarea of information security that specializes in the protection of electronically stored information and its processing. This also includes functional security, meaning the error-free operation and reliability of IT systems (Hanschke, 2019, pp. 1–2).
The three principles of confidentiality, integrity and availability are usually referred to as the primary aims of IT security, also known as security goals or abbreviated as the CIA triad. The objective of confidentiality is to ensure that information is only accessible to persons who have the right to access it. To ensure confidentiality, procedures and measures are needed to control physical and technical access to information. Examples of such measures are the management of user profiles and access rights as well as password policies. Integrity refers to the requirement that information remains intact and unaltered. An example of compromised integrity is any modification of customer data by a bank employee, whether to commit fraud or by accident. Availability describes the assurance that people who have a right to access information can access it whenever it is needed. Denying access to information is a popular method of attack, for example through denial of service attacks. However, availability can also be threatened by accidents or natural disasters. To ensure availability, backup procedures, business continuity management and disaster recovery management are required (Cabric, 2015, pp. 185–186).
A further component of IT security is the determination of protection requirements. This determines which protection is sufficient and appropriate for enterprise assets, such as business processes or information processed in a business process. To determine the protection requirements, all relevant assets of the company (e.g., business processes or IT systems) must be inventoried. The protection requirement of an asset is based on the extent of damage that can occur if its functionality is affected. Assets whose destruction, compromise or impairment could pose a threat to the existence of the company and which have an enhanced risk potential in relation to the security goals have an increased need for protection. Extended security measures should be defined for assets with increased protection requirements (Hanschke, 2019, pp. 60–65).
2.3 Information Security Risk Management
Risk management can be defined as a “method of managing that concentrates on identifying and controlling the areas or events that have a potential of causing unwanted change… it is no more and no less than informed management” (Caver, 1985). The objective of risk management is to define preventive actions and control mechanisms to address risks to valuable assets (Barateiro et al., 2012). The term information security risk management describes the application of risk management in the information security context. The International Organization for Standardization (ISO) regards information security risk management as a systematic approach to identifying organizational needs in relation to information security requirements (International Organization for Standardization, 2008).
In order to understand the information security risk management methodology, the terms risk, vulnerability and threat must be defined. Within ISO Guide 73:2009, risk is described in terms of the likelihood of a threat exploiting a vulnerability and the resulting consequences (International Organization for Standardization, 2009). If a threat affects one or more security goals of an organization, it is referred to as IT risk (Prokein, 2008, pp. 11–12), information security risk (International Organization for Standardization, 2008) or IT security risk (Yue et al., 2007). Since this thesis focuses on the IT security environment (electronically stored information), the term IT security risk is used. A threat is an event that can potentially affect assets through attacks such as destruction, data modification or denial of service and may result in harm to an organization. A vulnerability is an existing weakness (e.g., a design error) of an asset or asset group that can lead to an undesirable event that attacks the security of a computer system, network, application or protocol (International Organization for Standardization, 2004). Publicly known IT security vulnerabilities can be recorded in a standardized way with the Common Vulnerabilities and Exposures (CVE) system, which assigns each of them an identifier (ID) (MITRE Corporation, 2020).
There are different ways to classify IT security risks. Internal risks (internal factors which can be directly influenced by the company) and external risks (external factors that cannot be directly influenced) can be distinguished (Cabric, 2015, pp. 89–125). Internal risks can themselves be divided into personnel risks (e.g., fraud by employees, human error), process risks (e.g., errors in the payment system, interruptions in business processes) and technological risks (e.g., programming errors, failure of IT systems) (Prokein, 2008, pp. 10–11). This thesis focuses primarily on technological risks.
According to ISO guideline 27005:2008, the information security risk management process is divided into the following phases: context establishment, risk assessment, risk treatment, risk acceptance. In addition, risk communication and risk monitoring activities are permanently performed in parallel. As risk assessment is considered in this thesis, it is described in detail. Risk assessment “quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria” (International Organization for Standardization, 2008, p. 10). Risk assessment consists of the three steps risk identification, risk estimation and risk evaluation. Risk identification determines what could happen that would cause a loss. This involves identifying assets, threats, vulnerabilities and existing controls. The aim is to gain insights into how, where and why a loss could occur. In risk estimation, a risk is determined as a combination of the likelihood of an event and its consequences. The estimate can be qualitative or quantitative. In the risk evaluation phase, the estimates obtained about risks are prioritized with respect to the security objectives of the organization (International Organization for Standardization, 2008).
2.4 Common Vulnerability Scoring System
The Common Vulnerability Scoring System (CVSS) is an industry standard for evaluating IT security vulnerabilities. CVSS has the benefits of delivering standardized scores, providing an open framework and enabling risk prioritization (FIRST.Org Inc., 2020b). CVSS is owned and administered by FIRST.Org, Inc., a non-profit U.S. organization whose mission is to assist organizations with computer security incidents worldwide. The current version of CVSS is v3.1 (FIRST.Org Inc., 2020c). The National Vulnerability Database (NVD) provides CVSS scores for a large number of known vulnerabilities, linked to their CVE ID. The NVD is published and administered by the U.S. National Institute of Standards and Technology (National Institute of Standards and Technology, 2020b). Since version 3.0 of CVSS was only released in 2015 (FIRST.Org Inc., 2020a) and vulnerabilities older than 2015 are also of interest in this research, version 2.0 is used in this thesis when talking about CVSS. (Note for practitioners: the NVD stopped assigning CVSS v2 scores to newly published CVEs in July 2022, so a tool built on v2 alone will not cover recent vulnerabilities and needs a v3.x path as well.)
CVSS distinguishes three metric groups: base, temporal and environmental. The base metrics represent fundamental characteristics of a vulnerability that are constant over time and across environments. The temporal metrics represent characteristics that evolve over time (e.g., the availability of an exploit or a fix). The environmental metrics represent characteristics that are relevant and unique to a specific user's environment. Each metric group yields a numerical score from 0 to 10 representing the severity of the vulnerability and a corresponding vector string that records the metric values from which the score was derived (FIRST.Org Inc., 2020b).
Because temporal and environmental metrics are not maintained in public databases such as the NVD (National Institute of Standards and Technology, 2020a), only the base metrics are relevant for this thesis, and these are explained in more detail. The metrics access vector, access complexity and authentication capture how the vulnerability is exploited and whether additional preconditions (e.g., network adjacency or valid credentials) are required. The three impact metrics confidentiality impact, integrity impact and availability impact measure the degree of loss of confidentiality, integrity and availability that a successful exploit causes. Each impact metric can take the values none, partial or complete. The base metrics are combined into two sub-scores, exploitability and impact, and both sub-scores enter the calculation of the CVSS base score. The NVD maps base scores to severity bands (0.0–3.9 = ‘Low’, 4.0–6.9 = ‘Medium’, 7.0–10.0 = ‘High’) (FIRST.Org Inc., 2020b).
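The base-score calculation described above, as an added worked example in Python; this is not code from the thesis, from FIRST.Org or from the NVD. The weights and the formula are those of the public CVSS v2.0 specification, and the vectors used below are constructed samples. The first sample is the vector the NVD assigns to a typical remotely exploitable, unauthenticated flaw with partial loss of all three security goals; it scores 7.5 and therefore falls into the ‘High’ band.

```python
"""CVSS v2 base score from a base-metric vector string.

Added example, not code from the thesis or from FIRST.Org. Weights and formula
are taken from the public CVSS v2.0 specification; sample vectors are constructed.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 base metric group.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # local / adjacent network / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}              # none / partial / complete

METRIC_TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
                 "C": IMPACT, "I": IMPACT, "A": IMPACT}


def round1(x):
    """The specification's round_to_1_decimal: half up, unlike Python's round()."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (the NVD also wraps it in parentheses) into {metric: value}.

    Malformed, unknown, duplicate or missing metrics raise ValueError instead of being
    scored, so a bad record from a vulnerability feed cannot silently become a 0.0.
    """
    values = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, val = part.partition(":")
        if not sep or name not in METRIC_TABLES or val not in METRIC_TABLES[name]:
            raise ValueError(f"bad base metric {part!r}")
        if name in values:
            raise ValueError(f"duplicate base metric {name!r}")
        values[name] = val
    missing = sorted(set(METRIC_TABLES) - set(values))
    if missing:
        raise ValueError(f"missing base metrics {missing}")
    return values


def severity(base):
    """NVD severity bands for CVSS v2 base scores."""
    if base < 4.0:
        return "Low"
    if base < 7.0:
        return "Medium"
    return "High"


def base_scores(vector):
    """Return impact and exploitability sub-scores, the base score and its severity band."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    # f(Impact) is 0 when no CIA impact is scored and 1.176 otherwise.
    base = 0.0 if impact == 0 else round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)
    return {"impact": round1(impact), "exploitability": round1(exploitability),
            "base": base, "severity": severity(base)}


if __name__ == "__main__":
    # Constructed samples: unauthenticated remote flaw with partial C/I/A,
    # a reflected-XSS-like vector, and a vector without any scored impact.
    for v in ("(AV:N/AC:L/Au:N/C:P/I:P/A:P)", "AV:N/AC:M/Au:N/C:P/I:N/A:N", "AV:L/AC:L/Au:N/C:N/I:N/A:N"):
        print(v, base_scores(v))
```

Two details matter when such a scorer feeds an aggregation: rounding must be half-up as in the specification (Python's built-in round() uses banker's rounding and can differ in the last digit from the scores the NVD publishes), and a base score of 0.0 only means that no confidentiality, integrity or availability impact was scored, not that the weakness is harmless.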
2.5 Intersection of Risk Management and Enterprise Architecture
EAM is one possibility to counteract the increasing complexity in organizations. EAM can help to reduce the lack of visibility in organizations and thereby reduce information security risks (Ahlemann et al., 2012, pp. 5–11). Since the interaction of EAM and IT security risk management is a promising area, it is relevant to evaluate the information systems (IS) research conducted in this field. For this purpose, a systematic literature review was executed. Search queries were run in four selected literature databases using previously defined key terms, and 483 articles were retrieved. After analyzing the hits and narrowing them down using defined inclusion criteria, 18 articles were identified as relevant for this thesis.
The majority of the research papers employ frameworks as the methodology of their work, and the research approach is mainly design science research. Three papers conduct reviews (Oda et al., 2009; Mayer & Feltus, 2017; Diefenbach et al., 2019). So far, there are no papers that apply a behavioural science approach. Most of the work deals with enterprise architecture and risk management to the same extent; two papers focus implicitly on risk management (Marosin et al., 2014; Oda et al., 2009). In many cases, the whole of IT risk management is the object of the research (e.g., Almeida et al., 2019; Barateiro et al., 2011; Grandry et al., 2013). Only a few papers focus specifically on the process of risk assessment, that is, risk identification, risk estimation and risk evaluation (Sembiring & Siregar, 2013; Oda et al., 2009; Innerhofer-Oberperfler & Breu, 2006). In the literature, risk management in connection with EAM was mostly considered holistically; only a few exceptions place the focus on IT security risk (Mayer et al., 2019; Barateiro & Borbinha, 2011; Barateiro et al., 2011).
The introduced frameworks can be divided into different groups. Some papers have published domain metamodels. Almeida et al. map the EAM modeling language ArchiMate to the risk management standard ISO 31000 in order to ease the use of the standard for organizations (2019). Mayer et al. introduce the so-called Integrated EAM-ISSRM Conceptual Model, which is based on the previously published ISSRM domain metamodel and provides definitions for the domain of IT security risk management in conjunction with EAM (2019). In another paper, Mayer and Feltus attempt to illustrate the model graphically with ArchiMate's Risk and Security Overlay extension, but in the end recommend against this approach (2017). Grandry, Feltus and Dubois map the metamodels of the two concepts studied, namely ArchiMate (as representative of EAM) and the ISSRM model presented by Mayer et al. (as representative of IT risk management) (2013). Further, Jonkers and Quartel as well as Larno et al. have developed frameworks that use ArchiMate to support IT security and risk management (Jonkers & Quartel, 2016; Larno et al., 2019). Hensel et al. establish another domain metamodel, which concentrates on information security management systems (2010).
Rather than establishing a domain metamodel, Barateiro and colleagues explored the connection between EAM, risk management and IT governance to develop an XML-based language that brings the concepts together. They also designed a mapping system to connect the concepts (Barateiro et al., 2011; Barateiro & Borbinha, 2011; Barateiro et al., 2012). Further work pursues the approach of using attack defense trees (ADT) to analyze risks using EAM. Sousa et al. combine ADTs with goal-oriented modeling, so that the nodes map goals instead of attacks (2013). Marosin et al. additionally attempt to promote collaboration in risk management by means of ADTs (2014). ADTs usually handle single attacks, and these are modeled manually. The concept is therefore not viable if comprehensive risks across an entire landscape have to be illustrated.
Apart from ADTs, which quantitatively evaluate specific risk scenarios, little attention has been paid so far to how risk management and EAM can be used in combination to assess risks both qualitatively and quantitatively. Assessment processes have also only been considered to a limited extent in this environment. Innerhofer-Oberperfler and Breu addressed this topic by publishing their own metamodel and a process (the so-called Security Management Process) that is intended to assess IT risks using EAM. For this purpose, they use dependency graphs to map the dependencies between IT artifacts within the enterprise architecture. The evaluation is quantitative, and the results are aggregated on higher layers of the architecture to reduce the complexity of the risk assessment (2006). Alshammari introduced a model for the quantitative evaluation of enterprise architectures. It allows an overall evaluation of IT security, but it is not focused on risk management and does not deal with individual threats (2017). In addition, there are other works that pursue completely isolated approaches. Sembiring and Siregar focus on risk management for disaster recovery (2013). Cholez and Feltus published a position paper that addresses a new topic and calls for further research: a so-called systemic risk management approach, in which the risks of a company influence other companies and are to be managed across company boundaries (2014).
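An aggregation of the kind Innerhofer-Oberperfler and Breu describe, carried out over an ArchiMate-style three-layer dependency graph, as an added illustration. This is not their code and not the thesis's own ERA aggregation logic (which is specified in chapter 5, outside this excerpt); it assumes that a node's exposure is the maximum of its own vulnerability score and the scores of everything it depends on (the maximum principle), that dependencies only point to the same or a lower layer, and that the landscape and CVSS v2 base scores in sample_graph() are constructed data.

```python
"""Propagate technology-layer vulnerability scores up an enterprise-architecture dependency graph.

Added illustration, not the ERA aggregation logic of the thesis and not code from
Innerhofer-Oberperfler and Breu. Assumptions: the three ArchiMate layers, a node
inherits the highest score among itself and everything it depends on (maximum
principle), and the landscape in sample_graph() is constructed sample data.
"""

LAYERS = ("business", "application", "technology")   # top to bottom


class DependencyGraph:
    def __init__(self):
        self.layer = {}        # node -> layer name
        self.own_score = {}    # node -> CVSS base score of its worst known vulnerability
        self.depends_on = {}   # node -> list of provider nodes (insertion order kept)

    def add_node(self, name, layer, score=0.0):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r}")
        if not 0.0 <= score <= 10.0:
            raise ValueError("score must be a CVSS value in [0, 10]")
        self.layer[name] = layer
        self.own_score[name] = score
        self.depends_on.setdefault(name, [])

    def add_dependency(self, consumer, provider):
        """Higher layers consume services from the same or a lower layer, never upward."""
        if LAYERS.index(self.layer[consumer]) > LAYERS.index(self.layer[provider]):
            raise ValueError(f"{consumer!r} ({self.layer[consumer]}) cannot depend upward on {provider!r}")
        if provider not in self.depends_on[consumer]:
            self.depends_on[consumer].append(provider)

    def exposure(self):
        """Return {node: (aggregated score, path to the node that contributes it)}.

        Memoised depth-first search. A cycle (only possible inside one layer, given
        the check in add_dependency) is reported instead of recursing forever.
        """
        memo = {}

        def visit(node, active):
            if node in memo:
                return memo[node]
            if node in active:
                raise ValueError(f"dependency cycle through {node!r}")
            best_score, best_path = self.own_score[node], [node]
            for provider in self.depends_on[node]:
                score, path = visit(provider, active | {node})
                if score > best_score:            # strict: the first provider wins ties
                    best_score, best_path = score, [node] + path
            memo[node] = (best_score, best_path)
            return memo[node]

        for node in self.layer:
            visit(node, frozenset())
        return memo


def layer_view(graph, min_score=0.0):
    """Dashboard-style view {layer: {node: score}}, limited to nodes at or above min_score."""
    view = {layer: {} for layer in LAYERS}
    for node, (score, _path) in graph.exposure().items():
        if score >= min_score:
            view[graph.layer[node]][node] = score
    return view


def sample_graph():
    """Constructed sample: a small bank landscape with CVSS v2 base scores on the technology layer."""
    g = DependencyGraph()
    for name, layer, score in [
        ("Online Payment", "business"), ("Customer Reporting", "business"),
        ("Payment Portal", "application"), ("Core Banking", "application"),
        ("Reporting App", "application"),
        ("Web Server", "technology", 7.5), ("Portal Host OS", "technology", 4.3),
        ("Customer DB", "technology", 9.0), ("Mainframe", "technology", 0.0),
    ] if len((name, layer, score)) == 3 else []:
        g.add_node(name, layer, score)
    return g
```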
In summary, it can be said that several papers have been published at the intersection of IT risk management and EAM. However, research has been rather one-sided so far. Many papers try to develop basic research, e.g., to establish domain metamodels. For example, there are no behavioural science research papers on this topic yet. Risk assessment, risk identification as well as risk treatment have had minimal investigation to date. There is little work trying to establish measurement values and systems. Thus, there are still many research gaps in this rather new field.
With this thesis, a part of the research gap will be addressed, by establishing an IT security risk assessment model, which uses concepts of enterprise architecture to achieve a comprehensive view of operational risk management within the enterprise. The thesis will focus on risk assessment in relationship to EAM. It will be the first work in this field to apply a real case study with a partner company and will provide the foundation for further behavioural science research.
3 Research Design
This chapter presents the underlying research design of this thesis. First, the design science research paradigm is introduced, which forms the basis for the research design of this thesis. In the following sections, further methods are presented, which are embedded in the concept of design science research. The last section summarizes the research design.
3.1 Design Science Research
The design science research (DSR) paradigm provides the foundation for this research work. DSR is one of the two main research streams of IS research, alongside the behavioral science approach, which deals with theories describing organizational behavior. In the DSR approach, knowledge and understanding of a problem and its solution are achieved through the development of an artifact. An IT artifact can be an instantiation, a construct, a model or a method that can be used in information systems; it addresses an existing problem within an organization. To implement and use the artifact in a domain, it must be described effectively (Hevner et al., 2004). Following Simon, designing an artifact reduces complexity: the artifact acts as the interface between its inner environment (its own substance and organization) and the outer environment in which it operates, so the designer needs to understand the inner environment only as far as is necessary to make the artifact meet the demands of the outer environment (Simon, 1996). DSR can be understood as a composition of three inherent research cycles. The Relevance Cycle connects the contextual environment with the DSR activities through requirements and field tests. The Rigor Cycle bridges scientific expertise in the knowledge base with DSR activities through grounding theories. In the center of this so-called Three Cycle View is the Design Cycle, which iterates between the design and the evaluation of artifacts. To successfully manage a DSR project, all three cycles must be identifiable (Hevner, 2007).
The artifacts developed in DSR can be positioned in different ways to highlight their contribution to research. Gregor and Hevner distinguish three levels of contribution for DSR. Level one is a situated implementation of an artifact: rather specific and without mature knowledge. Artifacts created at this level are instantiations (e.g., software products). Level two produces more abstract artifacts, namely nascent design theories; at this level, constructs, methods, models, design principles or technological rules are released as artifacts. The third level brings together more complete, abstract knowledge: well-developed design theories about embedded phenomena are worked out here. In addition to the levels of contribution, Gregor and Hevner presented a so-called DSR Knowledge Contribution Framework (2013, pp. 343–348), which positions the contribution of a paper in one of three research-contribution quadrants (a fourth quadrant, routine design, applies known solutions to known problems and is not considered a research contribution). An improvement provides new solutions for known problems. An exaptation extends existing solutions from other domains into new problem areas. An invention is a completely new solution to a new problem (Gregor & Hevner, 2013, pp. 345–347).
Peffers et al. developed a research process that provides a general model for DSR. It is illustrated in Figure 3.1. The process includes the following steps: identify the problem and motivate the research (1); define the objectives of a solution (2); design and develop an artifact (3); demonstrate the artifact (4); evaluate the artifact (5); and communicate the research (6) (Peffers et al., 2007).
[Figure not included in this excerpt]
Figure 3.1: Design Science Research Process Model (following Peffers et al., 2007)
The development of the IT artifact in this thesis is structured along the process of Peffers et al. The artifact designed in this work consists of two components: a risk assessment framework, which establishes an assessment model, and a dashboard prototype, which implements this framework prototypically. Figure 3.1 shows that there can be several iterations between the design of an artifact and its evaluation (Peffers et al., 2007), which is why this thesis employs an agile approach of several iterations. The evaluation examines both components of the artifact. Since the artifact evaluation is crucial for the success of the DSR process, it is elaborated in a separate section (3.6).
In terms of the process of Peffers et al. (2007), the research is entered through a problem-centered initiation (see Figure 3.1). As the dashboard is a specific implementation of an artifact, it can be categorized as a Level 1 contribution according to the contribution levels of Gregor and Hevner (2013). Furthermore, the dashboard developed within this thesis can be positioned within the DSR Knowledge Contribution Framework of Gregor and Hevner as an exaptation (2013, p. 347): existing solutions (dashboards, risk assessment measures, EAM modeling) are brought to a new problem domain. For artifacts in this quadrant, it is important to show that extending the known solution to the new problem area is non-trivial, useful and interesting (Gregor & Hevner, 2013). Therefore, the problem is highlighted in the problem identification, requirements are collected through expert interviews, and an evaluation is carried out. These activities are intended to demonstrate the usefulness and the non-triviality of the artifact.
3.2 Literature Review
A systematic literature review is a method for obtaining a comprehensive overview of the research outcomes in a subject area. The literature review draws on various sources, such as journal articles, books and websites; relevant resources are identified and located by the review (Rowley & Slack, 2004). In this thesis, the literature review is used to examine the current state of IS research on the intersection of EAM and IT risk management. The systematic literature review conducted in this thesis follows Vom Brocke et al., who provide guidelines for performing literature searches and reviews in IS research. Their framework consists of the definition of the scope, the conceptualization of the topic, the literature search and the literature analysis (Vom Brocke et al., 2009). The framework is shown in Figure 3.2.
[Figure not included in this excerpt]
Figure 3.2: Framework for Systematic Literature Reviews (following Vom Brocke et al., 2009)
In the first step, the scope of the literature search is defined. For this purpose, the taxonomy for literature reviews established by Cooper is applied; it classifies the focus, goal, organization, perspective, audience and coverage of a literature review (Cooper, 1988). The second step is the conceptualization of the topic: a concept map is created that shows the relevant key terms, their connections and their synonyms for the literature search. The third step is the literature search, which comprises the journal search, database search, keyword search, backward and forward search, and an ongoing evaluation of sources. In the fourth step, the collected literature is analyzed and synthesized. A concept matrix is developed that categorizes topic-related concepts; the identified literature is arranged in this matrix and discussed and analyzed in summarized form (Vom Brocke et al., 2009). The last step of the framework by Vom Brocke et al. (the research agenda) is not applied in this thesis.
3.3 Case Study
Case study research is an instrument of empirical research that can be regarded as a research strategy rather than a specific research method (Stoecker, 1991). A suitable definition is provided by Yin, who defines a case study as "an empirical inquiry that investigates a contemporary phenomenon within its real-life context, especially when the boundaries between phenomenon and context are not clearly evident" (Yin, 2003, p. 13). The definition emphasizes that a case study contributes to theory building and its verification (Tomczak, 1992, p. 84). Case study research can be regarded as a quantitative as well as a qualitative research method (Yin, 2003; Stake, 1995; Stoecker, 1991) that employs several data sources such as interviews, archival records or participant observations (Yin, 2003, p. 86).
Compared to other scientific methods, the case study has the distinct benefit that it creates opportunities for discovery (Shaughnessy et al., 2000). A case study can contribute significantly to knowledge when little theoretical knowledge exists in a subject area. Furthermore, it is a useful method when a problem needs to be explored or when the object of study is strongly influenced by human behaviour (e.g., phenomena of management) (Baumgarth et al., 2009, p. 83). Since these situations apply to the state of research addressed by this thesis, the case study is used to develop and evaluate the artifact, following the DSR procedure, on the case of an example company.
Before the case study can be conducted, design decisions must be made: which type of case study is selected, which data is collected and how the results are evaluated (Salkind, 2010, pp. 116–118). Of the various approaches to case studies (see Eisenhardt, 1989; Stake, 1995; Burawoy, 1998), the exploratory case study according to Yin is applied in this thesis (2003, p. 5). An exploratory case study is intended to identify the questions and hypotheses of a subsequent study or to assess the feasibility of the intended research procedures (Yin, 2003, p. 5). In this thesis the case is analyzed holistically, i.e., the case is viewed as a whole, as opposed to an embedded design with several units of analysis (Yin, 2003, pp. 42–43). Following Yin, the procedure is carried out as a single case study: a single situation provides the empirical basis for the theoretical statements (Yin, 2003, pp. 39–53).
The case study partner is TestBank Inc., a company from the banking sector based in Germany. TestBank Inc. is a public savings bank that serves two million customers with around 3,500 employees and offers comprehensive financial services for private and corporate customers. Since TestBank Inc. operates in the financial sector, it is subject to increased information security requirements in Germany. The contact points at TestBank Inc. are the departments responsible for EAM and IT compliance. Data from different information sources of TestBank Inc. are gathered in this case study. Expert interviews with specialists from TestBank Inc. are conducted to collect qualitative data for the development of the artifact, to gather requirements for the artifact and to evaluate the proposed framework and artifact. Quantitative data sets on the enterprise architecture of the case study partner are collected to develop the dashboard artifact.
3.4 Expert Interview
The expert interview is a survey method of empirical social research (Töpfer, 2012, p. 240). It is applied in this thesis to gather information about the current situation of an area of work as well as expectations about its future from the perspective of experts at the cooperating case study company (Böhm, 2005, p. 32). The term expert is relational, since it depends on the field of research. An expert can be defined as a person who is in some way responsible for the design, implementation or control of a problem solution and has privileged access to information about groups of people or processes (Meuser & Nagel, 1991). When selecting interviewees, this definition must be considered, as well as their attitude towards the field of interest. The interview partner acts as an eyewitness; emotional connections to the field of interest must therefore be clarified and excluded in advance (Lehmann, 2004, p. 11).
To ensure the success of the expert interview, the interview process must be defined in addition to the choice of interview partner. In this thesis, the interview process follows the guideline-based interview of Meuser and Nagel, which provides orientation during the conversation (Meuser & Nagel, 1991). The guidelines used for these interviews are unstandardized: they only provide a thematic framework and require no pre-structuring, so that qualitative data can be collected and the experts can bring in their own ideas on the subject area (Gläser & Laudel, 2012, p. 41). The expert interviews are also analyzed according to the approach of Meuser and Nagel. The transcribed conversation is paraphrased in the researcher's own words, consolidated and categorized on the basis of thematically coherent statements. The chronological order of the statements is irrelevant; what counts is the grouping of information that belongs together in terms of content. For clarity, headings are assigned to the thematic units. Further evaluation steps of the procedure described by Meuser and Nagel are not used (Meuser & Nagel, 1991).4
3.5 Unified Modeling Language
The Unified Modeling Language (UML) is a graphical modeling language of software engineering that is used to specify, design, document and visualize the artifacts of software systems (Object Management Group, 2015, p. 1). UML can be employed throughout the entire software development process and uses various techniques and notations (Seemann & Gudenberg, 2006, p. 3). UML distinguishes two groups of diagrams: structure diagrams and behavior diagrams. Structure diagrams model a static picture of the information carriers of a system, while behavior diagrams capture the dynamic behavior of a system and the changes of its information carriers over time (Object Management Group, 2015, p. 13). UML is developed and standardized by the Object Management Group. The version current at the time of writing is 2.5 (Staud, 2019, p. 10); the OMG's latest published revision is the minor update 2.5.1 (2017).
In this thesis, three types of diagrams are used to specify the software system of the dashboard artifact and to support the software development process: component diagrams, class diagrams and activity diagrams. The component diagram is a structure diagram used for modeling component-based software systems. It describes components (logical and physical artifacts), their interfaces and the dependencies between the components of the system (Staud, 2019, pp. 121–136). Class diagrams are structure diagrams that can be employed from the analysis phase of the software system through to its implementation. They graphically display classes, interfaces and the relationships between the classes of the system, and thus visualize the structure of the software system in detail (Staud, 2019, pp. 43–78). Activity diagrams belong to the behavior diagrams. They specify procedures with control and data flows and can be used, among other things, for modeling business processes (Staud, 2019, pp. 27–41).5
3.6 Artifact Evaluation
The evaluation of an artifact is crucial in the DSR process in order to rigorously demonstrate its relevance in practice (Sonnenberg & Vom Brocke, 2012). It connects possible representations (e.g., models, design theories or instantiations) from the solution space with existing problems in the problem space (Vom Brocke et al., 2020). As mentioned in section 3.1, the artifact is regarded as an exaptation within the DSR Knowledge Contribution Framework, and the main goal of the evaluation is to demonstrate that the extension of the known solution to a new problem area is non-trivial, useful and interesting (Gregor & Hevner, 2013).
For this purpose, the prototyping pattern of Sonnenberg and Vom Brocke is employed in this thesis as the framework for the artifact evaluation. The prototyping pattern is intended to demonstrate the suitability of a DSR artifact by implementing a prototype: an artifact is designed and prototypically implemented in an organizational context, real users from this context test the prototype, and finally it is evaluated whether the use cases could be executed with the prototype. This pattern shows that the artifact works in practice and solves the identified business problem (Sonnenberg & Vom Brocke, 2012). Prototyping is considered an adequate evaluation method for DSR artifacts (March & Storey, 2008).
The evaluation of the prototype is carried out ex post, i.e., after the artifact has been instantiated and used (Sonnenberg & Vom Brocke, 2012). In this thesis, two methods for ex post evaluation are combined: by means of expert interviews, the artifact is qualitatively evaluated against defined criteria by experts in the fields of IT security and EAM; furthermore, the usability of the artifact is quantitatively evaluated by a larger group of evaluators using a survey. Both methods are recommended by Sonnenberg & Vom Brocke for this kind of ex post evaluation, and the criteria of the qualitative evaluation are also based on Sonnenberg & Vom Brocke (2012).6 Table 3.1 summarizes the structure of the evaluation including the evaluated criteria.
[...]
1 The systematic literature review method will be introduced in section 3.2.
2 The conducted literature review is attached in appendix E.
3 The design science research approach is presented in section 3.1.
4 Since the conducted expert interviews are not published, they are attached in appendix B.
5 The notation of the different UML diagrams is intentionally not described here. It is specified in Object Management Group, 2015.
6 The questions and results of the survey are attached in appendix G.
- Quote paper
- Tim Huse (Author), 2020, A conceptual framework for the automated assessment of IT security risks based on enterprise architecture, Munich, GRIN Verlag, https://www.grin.com/document/1117635