A framework and theory for cyber security assessments

Sommestad, Teodor

January 2012

Information technology (IT) is critical and valuable to our society. An important type of IT system is Supervisor Control And Data Acquisition (SCADA) systems. These systems are used to control and monitor physical industrial processes like electrical power supply, water supply and railroad transport. Since our society is heavily dependent on these industrial processes we are also dependent on the behavior of our SCADA systems. SCADA systems have become (and continue to be) integrated with other IT systems they are thereby becoming increasingly vulnerable to cyber threats. Decision makers need to assess the security that a SCADA system’s architecture offers in order to make informed decisions concerning its appropriateness. However, data collection costs often restrict how much information that can be collected about the SCADA system’s architecture and it is difficult for a decision maker to know how important different variables are or what their value mean for the SCADA system’s security. The contribution of this thesis is a modeling framework and a theory to support cyber security vulnerability assessments. It has a particular focus on SCADA systems. The thesis is a composite of six papers. Paper A describes a template stating how probabilistic relational models can be used to connect architecture models with cyber security theory. Papers B through E contribute with theory on operational security. More precisely, they contribute with theory on: discovery of software vulnerabilities (paper B), remote arbitrary code exploits (paper C), intrusion detection (paper D) and denial-of-service attacks (paper E). Paper F describes how the contribution of paper A is combined with the contributions of papers B through E and other operationalized cyber security theory. The result is a decision support tool called the Cyber Security Modeling Language (CySeMoL). This tool produces a vulnerability assessment for a system based on an architecture model of it. / Informationsteknik (IT) är kritiskt och värdefullt för vårt samhälle. En viktig typ av IT-system är de styrsystem som ofta kallas SCADA-system (från engelskans "Supervisor Control And Data Acquisition"). Dessa system styr och övervakar fysiska industriella processer så som kraftförsörjning, vattenförsörjning och järnvägstransport. Eftersom vårt samhälle är beroende av dessa industriella processer så är vi också beroende av våra SCADA-systems beteende. SCADA-system har blivit (och fortsätter bli) integrerade med andra IT system och blir därmed mer sårbara för cyberhot. Beslutsfattare behöver utvärdera säkerheten som en systemarkitektur erbjuder för att kunna fatta informerade beslut rörande dess lämplighet. Men datainsamlingskostnader begränsar ofta hur mycket information som kan samlas in om ett SCADA-systems arkitektur och det är svårt för en beslutsfattare att veta hur viktiga olika variabler är eller vad deras värden betyder för SCADA-systemets säkerhet. Bidraget i denna avhandling är ett modelleringsramverk och en teori för att stödja cybersäkerhetsutvärderingar. Det har ett särskilt focus på SCADA-system. Avhandlingen är av sammanläggningstyp och består av sex artiklar. Artikel A beskriver en mall för hur probabilistiska relationsmodeller kan användas för att koppla samman cybersäkerhetsteori med arkitekturmodeller. Artikel B till E bidrar med teori inom operationell säkerhet. Mer exakt, de bidrar med teori angående: upptäckt av mjukvarusårbarheter (artikel B), fjärrexekvering av godtycklig kod (artikel C), intrångsdetektering (artikel D) och attacker mot tillgänglighet (artikel E). Artikel F beskriver hur bidraget i artikel A kombineras med bidragen i artikel B till E och annan operationell cybersäkerhetsteori. Resultatet är ett beslutsstödsverktyg kallat Cyber Security Modeling Language (CySeMoL). Beslutsstödsverktyget producerar sårbarhetsutvärdering för ett system baserat på en arkitekturmodell av det. / <p>QC 20121018</p>

cyber security

security assessment

vulnerability assessment

architecture modeling

enterprise architecture

Extendibility of a proposed Business Architecture Assessment Model (BAAM)

Pretorius, Delina

January 2015

Magister Commercii (Information Management) - MCom(IM) / Purpose: The research aims to validate whether the proposed beta version of a Business Architecture Assessment Model (BAAM) can be usefully extended to organisations. Design/methodology/approach: The research draws from existing literature to further extend the scope of the BAAM. The literature review includes a description of Business Architecture (BA) and investigates the requirements of maturity models. The literature did reveal that the beta version of the BAAM’s maturity levels should be extended from the initial 3 levels to 5 well documented maturity levels (i.e. the roadmap). A focus group consisting of various subject matter experts evaluated the BAAM using an interpretative survey. The focus group approved the BAAM with some minor recommendations. The online BAAM survey was then deployed at eight (8) organisations to collect data on the level of maturity of the organisations’ business architecture. The output of the BAAM consists of a roadmap and the assessment results which assist organisations to improve their business architecture maturity. Findings: The literature review revealed that maturity models exist, but not many focus specifically on BA maturity. Those that does exist primarily focuses on the methodology involved in BA but do not specifically point out areas where the content matter of BA can be improved upon.

Business architecture

Enterprise architecture

Using the Unified Modeling Language (UML) to represent artefacts in the Zachman Frameword

Els, Lynette

25 October 2006

An interpretive research approach will be used to describe and decompose UML diagrams into their respective building blocks. A top down approach will be used to determine views that are important to enterprises during the system development lifecycle. The importance of providing graphical representations to describe conceptual ideas will be stressed. A short history will be provided of the origins of UML as well as a description of the diagrams used. Since UML is a language and not a methodology a brief discussion regarding a methodology, the Rational Unified Process, will be covered. The Zachman framework will be used to present a two-dimensional (Columns and Rows) view of an enterprise together with a summary of what could be represented in the framework. The UML building blocks will be mapped within the Zachman framework together with possible reasons for the mapping. The paper will conclude by combining several views by different authors to represent artefacts within the Zachman framework and to show the strengths and weaknesses of the current UML version 1.5 and what organisations should be aware of when considering implementing UML. / Dissertation (M.IT)--University of Pretoria, 2007. / Informatics / unrestricted

Primitive

Artefact

Composite

UCTD

Vytvoření modelu Enterprise Architektury podle rámce TOGAF / Creation of the Enterprise Architecture model according to the TOGAF framework

Čapek, Jan

January 2016

The present diploma thesis aims at introducing the Enterprise Architecture and creating an abstract model of a company. The primary focus is on application and process layers as defined in the architecture framework TOGAF. The thesis is divided into theoretical and practical part. The theoretical chapter starts with a business model analysis which means to describe mission vision and companys values as a part of the strategy framework. Furthermore the business processes are described in the latter part of this section. This chapter attempts to explain how to map a business process and to categorize it by nature and maturity level. Penultimate chapter introduces the Enterprise Architecture in general. This section includes arguments as to why the companies should be concerned with the Enterprise Architecture advantages of the Enterprise Architecture implementation into the companys documentation relationship of companys core business and IT and examples of the Enterprise Architecture frameworks. The last chapter deals with the TOGAF framework where Architecture Development Method is described. This means how Enterprise Architecture model is created and how to implement changes into the layers according to the TOGAF framework. Simultaneously the last section of this chapter describes the reference models which provide graphical overview of all abstractions layers. The practical part of the thesis elaborates on the theoretical part using the Architecture Development Method process in order to create the Enterprise Architecture model according to TOGAF framework. Same as the theoretical part it only focuses on the application and process layer. Firstly the business model is decomposed into vision mission and companys values to the companys strategy and business goals in order to grasp further understanding of business processes detailed description. Subsequently the abovementioned aspects are recomposed to create process map which provides the management overview. The application layer undergoes the same process; nonetheless the process map is replaced by information system description and reference model creation. Once the models are created the thesis compares them with the business and strategic goals. The benefit brought by this thesis is critical evaluation of current status to propose changes to achieve target architacture according business and strategic goals established by management.

Nástroj pro sdílenou dokumentaci v business analysis týmu / Tool for Shared Documentation Within the Business Analysis Team

Husár, Michal

January 2016

Diploma thesis is focused on analysis of documentation method in business analysis team in chosen company. Based on this analysis it proposes elimination of identified weaknesses and risks by creating a tool for shared documentation in form of business architecture model and definitions of processes which will allow to build and maintain proposed method of documentation.

Business information architecture for successful project implementation based on sentiment analysis in the tourist sector

Zapata, Gianpierre, Murga, Javier, Raymundo, Carlos, Dominguez, Francisco, Moguerza, Javier M., Alvarez, Jose Maria

01 December 2019

El texto completo de este trabajo no está disponible en el Repositorio Académico UPC por restricciones de la casa editorial donde ha sido publicado. / In the today’s market, there is a wide range of failed IT projects in specialized small and medium-sized companies because of poor control in the gap between the business and its vision. In other words, acquired goods are not being sold, a scenario which is very common in tourism retail companies. These companies buy a number of travel packages from big companies and due to lack of demand for these packages, they expire, becoming an expense, rather than an investment. To solve this problem, we propose to detect the problems that limit a company by re-engineering the processes, enabling the implementation of a business architecture based on sentimental analysis, allowing small and medium-sized tourism enterprises (SMEs) to make better decisions and analyze the information that most possess, without knowing how to exploit it. In addition, a case study was applied using a real company, comparing data before and after using the proposed model in order to validate feasibility of the applied model. / Revisión por pares

Business model

Data governance

Enterprise architecture

Process improvement

Tourism management

Effective Capacity Planning of the Virtual Environment using Enterprise Architecture

Mahimane, Arati

23 August 2013

No description available.

Computer Science

Computer Engineering

Information Technology

Enterprise Architecture

Capacity Planning

Enterprise Architecture Ontology: A Shared Vocabulary for Efficient Decision Making for Software Development Organizations

Nagarajan, Praveen

03 August 2010

No description available.

Computer Science

Enterprise Architecture

Decision making

Project management

Enterprise Systems Modifiability Analysis : An Enterprise Architecture Modeling Approach for Decision Making

Lagerström, Robert

January 2010

Contemporary enterprises depend to great extent on software systems. During the past decades the number of systems has been constantly increasing and these systems have become more integrated with one another. This has lead to a growing complexity in managing software systems and their environment. At the same time business environments today need to progress and change rapidly to keep up with evolving markets. As the business processes change, the systems need to be modified in order to continue supporting the processes. The complexity increase and growing demand for rapid change makes the management of enterprise systems a very important issue. In order to achieve effective and efficient management, it is essential to be able to analyze the system modifiability (i.e. estimate the future change cost). This is addressed in the thesis by employing architectural models. The contribution of this thesis is a method for software system modifiability analysis using enterprise architecture models. The contribution includes an enterprise architecture analysis formalism, a modifiability metamodel (i.e. a modeling language), and a method for creating metamodels. The proposed approach allows IT-decision makers to model and analyze change projects. By doing so, high-quality decision support regarding change project costs is received. This thesis is a composite thesis consisting of five papers and an introduction. Paper A evaluatesa number of analysis formalisms and proposes extended influence diagrams to be employed for enterprise architecture analysis. Paper B presents the first version of the modifiability metamodel. InPaper C, a method for creating enterprise architecture metamodels is proposed. This method aims to be general, i.e. can be employed for other IT-related quality analyses such as interoperability, security, and availability. The paper does however use modifiability as a running case. The second version of the modifiability metamodel for change project cost estimation is fully described in Paper D. Finally, Paper E validates the proposed method and metamodel by surveying 110 experts and studying 21 change projects at four large Nordic companies. The validation indicates that the method and metamodel are useful, contain the right set of elements and provide good estimation capabilities. / QC20100716

Enterprise Architecture

Software System Modifiability

Decision Making

Metamodeling

Enterprise Architecture Analysis

Software Change Cost Estimation

Other information technology

Övrig informationsteknik

Definiera Gränsvärden för Enterprise Architecture Debt Measurements

Vergara Borquez, Claudio Nikolas, Holmgren, Max

January 2023

Företagens tillväxt har resulterat i en ökad mängd data som kräver analys och därmed uppkommer utmaningar för hantering och analys. För att stödja företagens mål har Enterprise Architecture (EA) utvecklats som ett ramverk. Dessutom har begreppet Technical Debt (TD) uppkommit för att bistå i beslutsfattande om hur begränsade resurser ska investeras och identifiera eventuella nackdelar med befintliga designbeslut. För att inkludera både tekniska och affärsrelaterade aspekter har begreppet Enterprise Architecture Debt (EAD) introducerats. Trots att EAD har börjat bli mer välkänt saknas för närvarande fastställda gränsvärden för mätning och hantering av konceptet. Detta gör det svårt för organisationer att erhålla en klar uppfattning om sin skuld och prioritera lämpliga åtgärder. Mot denna bakgrund har syftet med denna uppsats varit att definiera gränsvärden för Enterprise Architecture Debt Measurements (EADM) för att underlätta för organisationer att förstå omfattningen av sin skuld och därigenom kunna prioritera åtgärder på ett bättre sätt. För att uppnå detta har en kvalitativ forskningsansats använts i studien, där data har samlats in genom semistrukturerade intervjuer med EA-experter. Genom att lägga fokus på deltagarnas synpunkter och åsikter syftar studien till att bidra till kunskapen om EAD och dess mätvärden. Resultaten visar på en stark vilja bland EA-experter att anpassa och förbättra mätning och hantering av EA inom organisationer. Förändringsarbete betraktas som nödvändigt för att uppnå effektivitet och relevans inom EA, där kostnadsaspekter spelar en betydande roll vid beslutsfattande. Studien undersöker även möjligheten att fastställa kvaliteten på mätningar inom EA. Respondenterna uttrycker en positiv inställning till standardisering av EAD, samtidigt som de betonar utmaningar med att tillämpa generella mätetal. Studien framhäver vikten av flexibilitet och kontinuerlig anpassning för att utveckla meningsfulla och användbara mätvärden som effektivt kan bedöma kvaliteten inom EAD. Slutsatsen i studien blev att fastställandet av kvaliteten på mätetal är möjligt i de sammanhang där organisationerna visar en vilja att påta sig de kostnader som kan uppstå vid utvecklingen av sådana mätetal och att kvaliteten endast kan fastställas när mätetalen är anpassade efter organisationen. / The growth of companies has resulted in an increased amount of data that requires analysis, posing challenges for its management and analysis. To support the goals of companies, Enterprise Architecture (EA) has been developed as a framework. Furthermore the concept of Technical Debt (TD) has emerged to assist in decision-making regarding the allocation of limited resources and identifying potential drawbacks of existing design decisions. To encompass both technical and business-related aspects, the concept of Enterprise Architecture Debt (EAD) has been introduced. Despite EAD gaining recognition, there are currently no established thresholds for measuring and managing this concept. This poses difficulties for organizations to gain a clear understanding of their debt and prioritize appropriate actions. Against this backdrop, the aim of this thesis has been to define thresholds for Enterprise Architecture Debt Measurements (EADM) to facilitate organizations' understanding of the extent of their debt and enable better prioritization of actions. To achieve this, a qualitative research approach has been employed, with data collected through semi-structured interviews with EA experts. By focusing on participants' perspectives and opinions, the study aims to contribute to the knowledge of EAD and its metrics. The findings indicate a strong willingness among EA experts to adapt and improve the measurement and management of EA within organizations. Change efforts are seen as necessary to achieve efficiency and relevance in EA, with cost considerations playing a significant role in decision-making. The study also explores the possibility of determining the quality of EA measurements. Respondents express a positive attitude towards the standardization of EAD while highlighting challenges in applying generic metrics. The study emphasizes the importance of flexibility and continuous adaptation in developing meaningful and useful metrics that can effectively assess the quality within EAD. The conclusion of the study was that determining the quality of metrics is possible in contexts where organizations show a willingness to bear the costs that may arise in the development of such metrics, and that the quality can only be determined when the metrics are tailored to the organization's needs.

Enterprise Architecture Debt (EAD)

Enterprise Architecture (EA)

Technical Debt (TD)

Key Performance Indicators (KPI)

Information Systems