Keywords: risk analysis, information systems, FMEA, ARIS, event process chains, critical infrastructures, failure mode and effects analysis, architecture integrated information systems, business modelling, risk assessment, ICT, information technology, communications
Risk analysis of information systems by event process chains
Information and Communication Technology (ICT) has an important impact on critical infrastructure operation. However, the current use of risk analysis techniques has reached its limits when analysing these systems at least in practical terms. The application of extended event process chains (EPC) bypasses some of the difficulties, as they model business processes within an information system instead of much more complex hardware architectures and software interactions. The methodology described in this paper integrates ARIS (Architecture Integrated Information Systems) and FMEA (Failure Mode and Effects Analysis), i.e., a business modelling method based on EPCs and a risk assessment technique which are well established in their areas of application and branches of competence. A novel risk representation is discussed. The practicability of the methodology is demonstrated by a feasibility study.