A conceptual framework for the automated assessment of IT security risks based on enterprise architecture

Table of Contents

• Abstract
• Chapter 1: Introduction
• Chapter 2: Related Work
• Chapter 3: Methodology
• Chapter 4: Development of the ERA Framework
• Chapter 5: Case Study and Evaluation
• Chapter 6: Conclusion (Excluded per instructions)

Objectives and Key Themes

The objective of this master's thesis is to develop an automated assessment framework for IT security risks within enterprise architectures. This framework aims to provide a comprehensive, company-wide view of threats, overcoming the limitations of siloed traditional approaches. The research employs a design science research paradigm.

• Automated IT Security Risk Assessment
• Integration of IT Risk Management and Enterprise Architecture Management
• Development of the ERA Framework (an artifact)
• Prototypical Implementation and Evaluation
• Contribution to Research at the Interface of IT Security and Enterprise Architecture Management

Chapter Summaries

Chapter 1: Introduction: This chapter introduces the problem of increasing complexity in enterprise architectures and associated IT security risks, highlighting the limitations of traditional, siloed risk management approaches. It establishes the need for an automated, comprehensive assessment framework and outlines the thesis's objective: to develop the Enterprise Architecture Management Risk Assessment (ERA) framework. The chapter lays the groundwork for the subsequent chapters, explaining the research methodology and the structure of the thesis.

Chapter 2: Related Work: This chapter reviews existing literature on IT risk management and enterprise architecture management, identifying relevant concepts and approaches. It analyzes the strengths and weaknesses of current methodologies for assessing IT security risks and lays the foundation for the design of the novel ERA framework. This section explores the gaps in existing literature that the thesis intends to address, contextualizing the significance of the proposed framework within the current state of the field. The analysis of previous works critically evaluates their effectiveness and limitations, leading to a clear justification for the need for a new approach.

Chapter 3: Methodology: This chapter details the research methodology employed in developing the ERA framework. It explains the adoption of the design science research paradigm, outlining the iterative process of problem analysis, requirements gathering, artifact design, prototyping, implementation, and evaluation. This section justifies the selection of the design science research approach and explains how this approach is used to guide the development and evaluation of the ERA framework, demonstrating a clear understanding of the research process.

Chapter 4: Development of the ERA Framework: This chapter presents the detailed design and development of the ERA framework. It describes the architecture, functionality, and key components of the framework, explaining how it integrates concepts from IT risk management and enterprise architecture management. The chapter elaborates on the design choices and decisions made during the development process, justifying the selected architecture and functionality based on the requirements gathered in previous chapters. It outlines the technical details of the ERA framework, providing a clear understanding of its inner workings and capabilities.

Chapter 5: Case Study and Evaluation: This chapter describes the prototypical implementation and evaluation of the ERA framework as a dashboard solution within a case study with a German bank. The evaluation, conducted in two iterations—qualitative via expert interviews and quantitative via a survey— assesses the usability, usefulness, and non-triviality of the framework. The findings of both qualitative and quantitative evaluations are presented, including feedback from experts and survey participants. The chapter analyzes the results, highlighting strengths and weaknesses of the implemented framework and identifying potential areas for improvement.

Keywords

IT security risk assessment, enterprise architecture management, automated risk assessment, design science research, ERA framework, dashboard solution, IT risk management, case study, qualitative evaluation, quantitative evaluation.

Frequently Asked Questions: Automated IT Security Risk Assessment Framework

What is the main objective of this master's thesis?

The primary objective is to develop an automated assessment framework for IT security risks within enterprise architectures. This framework aims to provide a comprehensive, company-wide view of threats, addressing limitations of traditional, siloed approaches.

What methodology was used in this research?

The research employed a design science research paradigm, following an iterative process of problem analysis, requirements gathering, artifact design, prototyping, implementation, and evaluation.

What is the name of the developed framework?

The developed framework is called the Enterprise Architecture Management Risk Assessment (ERA) framework.

What are the key themes explored in this thesis?

Key themes include automated IT security risk assessment, the integration of IT risk management and enterprise architecture management, the development of the ERA framework, its prototypical implementation and evaluation, and contributions to research at the interface of IT security and enterprise architecture management.

What are the key components of the ERA framework?

The thesis details the architecture, functionality, and key components of the ERA framework in Chapter 4. It explains how it integrates concepts from IT risk management and enterprise architecture management and justifies the design choices made during development.

How was the ERA framework evaluated?

The ERA framework was evaluated through a case study with a German bank. Evaluation involved two iterations: qualitative evaluation via expert interviews and quantitative evaluation via a survey, assessing usability, usefulness, and non-triviality.

What are the chapter summaries?

Chapter 1 introduces the problem and the thesis objective. Chapter 2 reviews existing literature. Chapter 3 details the research methodology. Chapter 4 presents the ERA framework's design and development. Chapter 5 describes the case study and evaluation. Chapter 6 (Conclusion) is excluded per instructions.

What are the key words associated with this research?

Key words include IT security risk assessment, enterprise architecture management, automated risk assessment, design science research, ERA framework, dashboard solution, IT risk management, case study, qualitative evaluation, and quantitative evaluation.

What type of solution was implemented for the case study?

The ERA framework was prototypically implemented as a dashboard solution within a case study with a German bank.

What kind of data was used for the evaluation of the ERA framework?

Both qualitative data (expert interviews) and quantitative data (a survey) were collected and analyzed to evaluate the usability, usefulness, and non-triviality of the ERA framework.