Towards a Business Process-Based Economic Evaluation and Selection of IT Security Measures

Keynote

Stephan Kühnel1, Stefan Sackmann1, Simon Trang2, Ilja Nastjuk2, Tizian Matschak2, Laura Niedzela1, Leonard Nake1

1 Martin Luther University Halle-Wittenberg, 06108 Halle (Saale), Germany
{stephan.kuehnel, stefan.sackmann, laura-maria.niedzela, leonard.nake}@wiwi.uni-halle.de
2 Universität Goettingen, 37073 Goettingen, Germany
{simon.trang, ilja.nastjuk, tizian.matschak}@wiwi.uni-goettingen.de

1 Introduction

Technological innovations, such as cloud computing, intelligent process automation, and big data analytics offer substantial opportunities for maintaining and strengthening a company's competitive position. However, the introduction of such technologies entails new compliance and security risks. One of the most challenging risks that companies face is to protect technologies and other organizational assets from incidents or attacks that aim to access sensitive information (confidentiality attacks), change the code or data in information systems (integrity attacks), as well as disrupt the normal operation of information systems (availability attacks) [1].

To mitigate such risks, both legislators and companies define far-reaching and overarching requirements for information, data, and information technology (IT) security. Examples can be found in a company's information security governance requirements (e.g., general policies on authentication or guidelines on data classification and handling), in sector-specific guidelines (e.g., the second Payment Services Directive of the European Union (EU) for banks), or in cross-sectoral regulations (e.g., the EU General Data Protection Regulation (GDPR) or the German IT Security Act). It is essential for companies to comply with such requirements, i.e., to implement the requirements through adequate IT security measures.
16th International Conference on Wirtschaftsinformatik, March 2021, Essen, Germany
Copyright © 2021 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

IT security measures are mechanisms that support organizations to identify and alert about security incidents, to protect critical infrastructure services with the aim to preserve the confidentiality, integrity, and availability of information, to respond to security incidents (e.g., reduce the number of successful attacks), and to recover system integrity after a security incident [2]. IT security measures include both technical measures, such as firewalls, intrusion detection systems, or authentication mechanisms, as well as human-centric measures, such as information classification policies, clean-desk regulations, and password policies [3]. In most cases, the implementation of extensive IT security requirements cannot be realized through isolated IT security measures but requires a complex bundle of interdependent measures. On the one hand, such measures entail high investment costs and, on the other hand, can significantly influence companies' business processes. For example, Article 32 (1) of the GDPR requires that appropriate technical and organizational measures should be implemented to ensure compliance with the protection goals of confidentiality, integrity, availability, and resilience when processing personal data. To implement this requirement, both technical precautions (e.g., encryption and pseudonymization of personal data) and procedural configurations (e.g., activities and controls to ensure compliance in business processes) are necessary. Such technical precautions and procedural configurations can lead to high expenses [4, 5]. It is therefore not surprising that compliance with IT security requirements is already described in existing literature as a cost-intensive task [6, 7] and even as a "heavy cost driver" [8].
Consequently, “the focus of IT security management is shifting from what is technically possible to what is economically efficient” ([9], p. 66). To ensure that a company's profitability is not affected by implementing bundles of IT security measures, it becomes necessary to identify suitable alternative courses of action to meet IT security requirements and select the best alternatives based on economic criteria [10]. Accordingly, the evaluation and selection of IT security measures have become critical skills for information security managers. Traditional investment-based approaches and theories, such as the return on investment (ROI), the real options theory (ROT), or the utility maximization theory (UMT), form the backbone of most contemporary methods to economically evaluate IT security investment decisions [11]. In the context of IT security, widely accepted methods to evaluate the return on investment include the return on security investment (ROSI) and the return on information security investment (ROISI) [12]. Such methods consider directly attributable monetary costs and benefits, which become important determinants of investment decisions. Decision makers benefit from utilizing investment-based evaluation methods because these methods force them to make their assumptions and decision rationales explicit. In addition, they help to understand whether security investments are consistent with the organizational risk strategies [13]. However, investment-based approaches offer only limited guidance for the decision to implement IT security measures because of the lack of available data to generate accurate results, the high dependency of these approaches on subjective assumptions, and their failure to account for the interdependency between multiple IT security measures [11].
In addition, investment-based methods usually do not account for non-monetary and indirect effects, such as the impact of IT security measures on business process performance or outcome. This is an important topic of interest for two reasons. First, IT investments in general impact the efficiency of business processes [14], and second, business processes have a substantial impact on the competitive position and financial performance of any organization [15].

Since business processes are at the center of a company’s success, they offer a solid foundation for cost-benefit analysis [16]. However, to the best of our knowledge, there is a lack of approaches in the literature supporting a comprehensive economic evaluation of IT security measures (and bundles of measures) with particular regard to their interaction with business processes. Based on existing knowledge about contemporary business process management and compliance, we propose several requirements for the development of business process-driven approaches to the evaluation and selection of IT security measures for guiding future research. In particular, the paper discusses the requirements needed on the journey towards a process-based approach for the economic evaluation and selection of IT security measures. Such an approach enables effective selection and implementation of IT security measures, stimulates business process improvement, and further offers the opportunity to overcome the limitations of existing investment-based methods.

2 Important Investment-based Approaches for the Economic Evaluation of IT Security Measures

As mentioned above, investment theories form the backbone of most existing methods for the economic evaluation of IT security measures [11].
In this context, direct costs for the introduction and operation of (mostly isolated) IT security measures (e.g., costs for software, hardware, or personnel) are interpreted as an investment from which an expected direct return on capital (monetary benefit) results [17]. The existing literature on the evaluation of IT security measures is dominated by the following three approaches [11]:

1. Approaches based on the ROI (see, e.g., [18]), which value the return on investment generated by an isolated IT security measure relative to the capital invested.
2. Approaches based on the ROT (see, e.g., [19]), which are based on option pricing models for the valuation of IT security investments taking into account time-dependent variability.
3. Approaches based on the UMT (see, e.g., [20]), which aim to maximize the benefit of an IT security investment for a given subject.

All three approaches share the assumption that the capital reflow is represented by the expected proportion of monetary damage from a potential IT security incident that can be prevented by the use of an IT security measure, such as prevented operational downtime or avoided recovery costs of an attack [21]. Based on these approaches, different methods have been discussed in the literature to economically evaluate IT security measures (for a detailed survey, see [11]). In the following, we would like to present an important selection of these.

2.1 The Annual Loss Exposure

In 1979, the National Bureau of Standards of the U.S. Department of Commerce introduced the Annual Loss Exposure (ALE) as a first method to assess IT security risks. ALE can be used to estimate the monetary annual loss exposure of a company based on the damage that results from security incidents (impact) and the likelihood of such an incident occurring (frequency of occurrence) [22].
For single security incidents, the ALE is simply computed by multiplying the estimated impact (e.g., expressed as a monetary value) by the expected occurrence frequency. If there are several security incidents, the ALE totals the product of the two variables for each security incident (summation) [23]. As a single metric, ALE is not sufficient to accurately perform an economic evaluation of IT security measures, but usually represents an input variable for more complex evaluation procedures (see, e.g., [5, 23–25]).

2.2 Return on Security Investment

The ROSI is based on the traditional ROI calculation and compares the benefits of IT security measures with their costs [21, 26, 27]. It considers the probability of occurrence of an IT security incident, loss prevention due to an IT security measure, the cost of security incidents, and the costs of IT security measures. While the costs of an IT security measure correspond to the investment costs, benefits are determined by reducing the probability of occurrence of security incidents and reducing the amount of loss due to the implementation of the IT security measure. Sonnenreich et al. [5] suggest that the ALE can be used to calculate ROSI. Thereby the ALE is multiplied by an effectiveness parameter, which provides information on the effectiveness of IT security measures (expressed as a percentage). The result represents the portion of the monetary annual expected loss value that can be saved by implementing IT security measures. Then, the total costs resulting from the implementation of IT security measures are subtracted to determine the net financial “return.” Finally, the net financial return is divided by the total costs to produce a relative ROSI value. Per classical ROI interpretation, an investment in IT security measures is economically advantageous if it holds that ROSI > 0. If the ROSI < 0, IT security investments are financially not viable and, thus, should be avoided for economic reasons.
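The ALE summation of Section 2.1 and the ROSI derived from it after Sonnenreich et al. [5], carried through on a small incident register. This is an added example, not code from the paper or its authors; the incident figures, measure costs and effectiveness values are constructed, and, as the paper notes for investment-based methods, each measure is evaluated in isolation against the same ALE.

```python
"""ALE (Section 2.1) and ROSI computed from it (Section 2.2). Added example;
all monetary figures, frequencies and effectiveness values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    impact: float        # expected loss per occurrence (monetary units)
    frequency: float     # expected occurrences per year


@dataclass(frozen=True)
class Measure:
    name: str
    total_cost: float    # annual cost to implement and operate the measure
    effectiveness: float  # share of the ALE the measure prevents, 0.0 .. 1.0


def annual_loss_exposure(incidents):
    """ALE = sum over all incidents of impact * frequency [22, 23]."""
    total = 0.0
    for inc in incidents:
        if inc.impact < 0 or inc.frequency < 0:
            raise ValueError(f"{inc.name}: impact and frequency must be non-negative")
        total += inc.impact * inc.frequency
    return total


def rosi(ale, measure):
    """ROSI = (ALE * effectiveness - total_cost) / total_cost, per [5]."""
    if not 0.0 <= measure.effectiveness <= 1.0:
        raise ValueError(f"{measure.name}: effectiveness must lie in [0, 1]")
    if measure.total_cost <= 0:
        raise ValueError(f"{measure.name}: total cost must be positive")
    prevented_loss = ale * measure.effectiveness   # portion of the ALE saved
    net_return = prevented_loss - measure.total_cost
    return net_return / measure.total_cost


def verdict(rosi_value):
    """Classical ROI reading: > 0 advantageous, < 0 not viable, = 0 balanced."""
    if rosi_value > 0:
        return "advantageous"
    if rosi_value < 0:
        return "not viable"
    return "balanced"


def rank_measures(incidents, measures):
    """Evaluate every measure in isolation against one ALE; best ROSI first."""
    ale = annual_loss_exposure(incidents)
    rows = [(m.name, rosi(ale, m)) for m in measures]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed incident register and candidate measures (not from the paper)
INCIDENTS = [
    Incident("ransomware outbreak", impact=200_000, frequency=0.1),
    Incident("phishing credential theft", impact=15_000, frequency=2.0),
    Incident("DoS on web shop", impact=50_000, frequency=0.2),
]
MEASURES = [
    Measure("multi-factor authentication", total_cost=12_000, effectiveness=0.50),
    Measure("external SOC service", total_cost=40_000, effectiveness=0.40),
    Measure("security awareness training", total_cost=15_000, effectiveness=0.25),
]

if __name__ == "__main__":
    print(f"ALE = {annual_loss_exposure(INCIDENTS):,.0f}")
    for name, value in rank_measures(INCIDENTS, MEASURES):
        print(f"{name:32s} ROSI = {value:+.2f}  ({verdict(value)})")
```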
For ROSI = 0, the monetary advantages and disadvantages are balanced. Further alternatives to calculate the ROSI are based on a direct comparison of costs incurred due to a security incident and total costs for implementing and operating IT security measures (see, e.g., [28–30]).

2.3 Return on Information Security Investment

Another model for evaluating IT security measures is Mizzi’s Return on Information Security Investment (ROISI) [31]. In alignment with ROSI, ROISI considers the security expenditures based on one-time costs to implement a defense mechanism, maintenance costs, and costs to fix system vulnerabilities. The potential total loss resulting from security incidents is conceptualized based on missed revenue and information lost due to system downtimes and the financial costs of rebuilding the system (e.g., labor costs for system recovery). The main difference to the ROSI method is that Mizzi’s approach includes a cost-benefit consideration of the malicious entity. To determine ROISI, Mizzi defines the cost of an attack as the cost of penetrating the security mechanism and exploiting vulnerabilities. A rational attacker only carries out an attack (in the sense of ROSI this means influencing the probability of occurrence) if the benefit accruing to the attacker is greater than his costs. The rationale behind this assumption is that a rational attacker is usually unwilling to pay more for an attack than the immediate loss suffered by the attacked entity (e.g., the value of the stolen information). Mizzi suggests that IT security measures should be designed to maximize attackers' costs and minimize the information potentially accessible.

2.4 Adapted Loss Database

Sackmann and Syring [32] base the evaluation of IT security measures or security adaptations of technical infrastructures on the protection goals of business processes.
In this context, changes are modeled in a binary way from the perspective of an IT risk reference model and based on a cause-and-effect concept that maps the chain from threats to attacks and vulnerabilities to business processes. For the evaluation of both isolated security measures and bundles of measures, the original data (e.g., historical damages) are adapted to a more realistic cause-and-effect model and, thus, recalculated. In principle, the adaptation of the data basis could be used with any method (e.g., ROSI) for an evaluation of the measures under consideration.

2.5 Cyber Investment Analysis Methodology

The Cyber Investment Analysis Methodology (CIAM) is a four-step data-driven approach to evaluate and select IT security measures [33]. First of all, it is necessary to collect and/or select data on the assets to be protected, including data on security incidents, appropriate IT security measures, the impact of exploited vulnerabilities on the business, and costs to implement IT security measures. The second step involves estimating weightings by domain experts to understand how each IT security measure contributes to the goals of prevention, detection, and recovery. The third step includes performing an effectiveness scoring in which each IT security measure is matched against each attack step. Finally, an algorithm uses the data to compute a relative priority ranking for each IT security measure.

2.6 Security Attribute Evaluation Method

Butler [13] proposes the Security Attribute Evaluation Method (SAEM) as an economic approach for assessing security investments. SAEM also proposes four steps to perform the cost-benefit analysis of security measures. First, it starts with an assessment of the benefits of an IT security measure. The second step includes evaluating the effectiveness of the IT security measure in mitigating security risks. Third, a threat coverage assessment is performed.
The final step involves an assessment of the costs of the IT security measure. Butler suggests that the data needed for the evaluation is sourced from structured interviews with IT and security experts. To successfully conduct a SAEM analysis, the company must have effective IT security policies and procedures in place, have security mechanisms properly integrated into the existing IT infrastructure, and be able to accurately predict attacks and their associated consequences.

3 Limitations of Existing Evaluation Methods for IT Security Measures

While the methods presented in the previous chapter are valuable to evaluate and select appropriate IT security measures economically, they have several limitations.

One limitation is related to the lack of multidimensionality. Besides having an impact on monetary returns, IT security measures have non-monetary effects. For example, they can impact employee behavior, the organization’s reputation, as well as process complexity or flexibility [4, 5]. Investment theory-based evaluation methods usually do not account for such effects [11]. Accordingly, the scope and coverage of existing approaches need to be extended to also include the impact of IT security measures on non-financial dimensions.

Another limitation is related to the lack of valid data for calculation. It is one of the biggest challenges for organizations to obtain accurate data on the true costs of a security incident. Most methods are data-driven, although necessary input data or accurate estimators are often unavailable [11, 17]. Decision makers frequently underestimate the costs of security incidents by looking only at the short-term tangible costs (e.g., lost revenue), but there are also long-term intangible costs (e.g., loss of trust) that are difficult to measure and therefore often neglected [9].
Another reason for the lack of valid data is that most companies do not proactively and accurately capture cost information, as emphasized by Sonnenreich et al. ([5], p. 47): “Security breaches that have no immediate impact on day-to-day business often go completely unnoticed. When a breach does get noticed, the organization is usually too busy fixing the problem to worry about how much the incident actually costs. After the disaster, internal embarrassment and/or concerns about public image often result in the whole incident getting swept under the rug. As a result of this “ostrich response” to security incidents, the volume of data behind existing actuarial tables is woefully inadequate.”

Another limitation is related to the lack of comparability. It is often difficult to compare IT security measures, which are characterized by different goals and scopes based on a monetary assessment of costs and benefits alone. In this context, Butler [13] emphasizes that it is more difficult to compare benefits among different IT security measures than comparing costs. Existing and proven financial analysis tools allow costs to be estimated quite accurately, but benefits are more difficult to quantify since they are usually characterized by greater uncertainty, time lag, and indirect effects. In addition, decision-makers are often confronted with imperfect knowledge about the explicit benefits of IT security measures. Therefore, estimating costs and benefits often depends on the IT security experts’ intuition, practical expertise, knowledge, and experience.

Research has also criticized the lack of scalability of existing evaluation methods (see, e.g., [9, 11]). Investment-based methods are sensitive to different business sizes. Although large corporations as well as small and medium-sized enterprises (SMEs) are equally affected by IT security requirements, SMEs often have fewer financial and personnel resources. For instance, Sonnenreich et al. [5] emphasize that the cost-benefit ratio of security investments is increasingly skewed as the number of employees decreases, which is the case for most SMEs compared to large corporations. They exemplify how an initially financially viable investment in an anti-spam solution would not have been viable if the same organization were smaller, i.e., had fewer employees.

Finally, the presented methods are usually aimed at the evaluation of isolated IT security measures, but they do not account for the effects that IT security measures have on other measures when implemented as a bundle. Understanding synergies between IT security measures is important to achieve desired business outcomes [34]. In this context, Axelsson ([35], p. 189) emphasizes: “The best effect is often achieved when several security measures are brought to bear together. How should intrusion detection collaborate with other security mechanisms to achieve this synergy effect? How do we ensure that the combination of security measures provides at least the same level of security as each applied singly would provide, or that the combination does not in fact lower the overall security of the protected system?” No single IT security measure can ensure security by itself, and therefore, they need to be implemented in bundles and configured to achieve optimal outcomes [36]. In this regard, Cavusoglu et al. [9] criticize investment-based approaches as they do not consider the potential positive and negative interactions of different IT security measures. More concretely, they criticize the assumption that implementing one security measure will reduce the number of attacks by a certain percentage and will result in a certain benefit value, as this neglects substitution and complementary effects with other existing IT security measures. The next chapter discusses how business process management concepts can contribute to overcoming some of the limitations outlined.
4 A Journey Towards a Process-Based Approach to Selecting and Evaluating IT Security Measures

Using contemporary business process management concepts offers a promising approach to address some of the key limitations outlined in the previous chapter. At the core of business process management are business processes, which are defined as a structured sequence of activities designed to achieve a specific output [37].

4.1 Two Interesting Approaches as Examples of How Business Process Management Can Already Be Used to Evaluate

Magnani and Montesi [38, 39] proposed an approach for the cost evaluation of business processes. The authors suggest extending relevant process elements in a business process model with cost annotations. Costs are represented as textual information at the respective process elements. Such an approach reaches its limits if business processes are nested, i.e., if they contain one or more subprocesses and the calculation of costs depends on their sequence flows. This is the case, for example, if a subprocess contains connectors of the XOR type. The authors propose two alternatives for this limitation. The first involves annotating cost intervals instead of individual cost values to all flow objects (including subprocesses). Processes with fully annotated cost intervals are suitable for the application of graph-based algorithms to determine the minimum and maximum costs. For example, Dijkstra's algorithm [40] can be applied to identify a minimum cost path between start and end events in a business process. However, it is challenging to use cost intervals when loops are included in subprocesses since the upper interval tends towards infinity in this case. The second alternative addresses this problem by calculating and annotating average costs, provided that data from a sufficiently large sample of process instances are available.
However, the accuracy of the calculation of average costs depends on the availability and correctness of data. The authors demonstrate the applicability of both alternatives using the example of hotel reservations.

Sampathkumaran and Wirsing [41, 42] present a similar approach focused on determining the expected costs of successfully executing a process, which they refer to as "business costs." In contrast to Magnani and Montesi [38, 39], this approach focuses not only on the determination of costs but also on the degree of achievement of a defined business objective. To include this degree in the calculation, the authors extended the approach of Magnani and Montesi with the concept of “reliability” in calculating process costs. Reliability represents the probability of successful execution of a task that an organization performs to achieve a specific (business) objective. Consequently, the business costs of a process depend not only on the costs of the process itself (e.g., the amount of money needed to execute a process) but also on the process reliability (e.g., factors leading to successful process completion and the achievement of business objectives). Sampathkumaran and Wirsing additionally suggest performing sensitivity analyses to identify parameters that have the most critical impact on the business costs and to optimize the process model.

4.2 Requirements for a Process-Based Approach to the Economic Evaluation and Selection of IT Security Measures

The aforementioned approaches can also be applied to IT security measures implemented in business processes if specific conditions are met (e.g., modeling IT security measures as modular and thus interchangeable subprocesses). Thus, they can provide valuable information for determining the additional costs of IT security measures.
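Both alternatives of Magnani and Montesi from Section 4.1 (cost intervals with minimum and maximum cost paths, and average costs from a sample of process instances) together with the idea above of modelling an IT security control as an interchangeable subprocess, carried through on a small process graph with an XOR split. This is an added example, not code from the paper or the cited authors; the purchase-to-pay fragment, its node names, cost figures and the sample instances are constructed.

```python
"""Cost intervals on a process model [38, 39] and a security control spliced in
as an interchangeable subprocess (Section 4.2). Added example, data constructed."""
import heapq
from math import inf
from statistics import mean

# Model: node -> (min_cost, max_cost, [successors]); gateways and events cost (0, 0)
PROCESS = {
    "start":           (0, 0, ["receive_invoice"]),
    "receive_invoice": (5, 8, ["check_xor"]),
    "check_xor":       (0, 0, ["auto_check", "manual_check"]),   # XOR split
    "auto_check":      (1, 2, ["approve"]),
    "manual_check":    (10, 20, ["approve"]),
    "approve":         (3, 5, ["pay"]),
    "pay":             (2, 3, ["end"]),
    "end":             (0, 0, []),
}

def min_cost(process, start="start", end="end"):
    """Dijkstra over the lower interval bounds: cheapest start-to-end path."""
    dist = {start: process[start][0]}
    heap = [(dist[start], start)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == end:
            return d
        if d > dist[node]:                      # stale heap entry
            continue
        for nxt in process[node][2]:
            nd = d + process[nxt][0]
            if nd < dist.get(nxt, inf):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return inf                                  # end event unreachable

def max_cost(process, start="start", end="end"):
    """Longest path over the upper bounds; a loop on the way to `end` makes it inf."""
    memo, on_path = {}, set()

    def longest(node):
        if node in memo:
            return memo[node]
        if node in on_path:
            return inf                          # cycle: upper bound unbounded
        on_path.add(node)
        hi = process[node][1]
        if node == end:
            best = hi
        else:
            best = -inf                         # stays -inf if `end` is unreachable
            for nxt in process[node][2]:
                best = max(best, hi + longest(nxt))
        on_path.discard(node)
        memo[node] = best
        return best

    return longest(start)

def cost_interval(process):
    return (min_cost(process), max_cost(process))

def _copy(process):
    return {k: (lo, hi, list(succ)) for k, (lo, hi, succ) in process.items()}

def with_control(process, after, name, lo, hi):
    """Splice a control (a subprocess with its own interval) right after `after`."""
    new = _copy(process)
    new[name] = (lo, hi, new[after][2])         # control inherits the successors
    new[after] = (new[after][0], new[after][1], [name])
    return new

def with_flow(process, src, dst):
    """Add a sequence flow, e.g. a rework loop back to an earlier task."""
    new = _copy(process)
    new[src][2].append(dst)
    return new

def additional_cost(process, after, name, lo, hi):
    """Interval a control adds to the process; depends on where in the flow it sits."""
    base_lo, base_hi = cost_interval(process)
    new_lo, new_hi = cost_interval(with_control(process, after, name, lo, hi))
    hi_delta = inf if inf in (base_hi, new_hi) else new_hi - base_hi
    return (new_lo - base_lo, hi_delta)

def average_cost(instances):
    """Second alternative of [38, 39]: mean over executed instances (e.g. from a log)."""
    if not instances:
        raise ValueError("a sample of process instances is required")
    return mean(sum(cost for _, cost in trace) for trace in instances)

# Constructed sample of three executed instances of the model with a rework loop
SAMPLE = [
    [("receive_invoice", 6), ("auto_check", 1), ("approve", 4), ("pay", 2)],
    [("receive_invoice", 7), ("manual_check", 12), ("approve", 3), ("pay", 3)],
    [("receive_invoice", 5), ("manual_check", 15), ("approve", 5),
     ("manual_check", 11), ("approve", 3), ("pay", 2)],     # looped once
]

if __name__ == "__main__":
    print("base interval:", cost_interval(PROCESS))
    print("four-eyes approval on every path:", additional_cost(PROCESS, "approve", "four_eyes", 4, 6))
    print("fraud screening on manual path only:", additional_cost(PROCESS, "manual_check", "fraud_screen", 2, 4))
    print("with rework loop:", cost_interval(with_flow(PROCESS, "approve", "manual_check")))
    print("average cost from sample:", round(average_cost(SAMPLE), 2))
```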
However, they do not accurately capture the interdependence between IT security and business performance, i.e., how IT security measures impact the performance of business processes. This is important to understand in order to improve the decision-making process for IT security measures. We argue that a process-based approach for the economic evaluation and selection of IT security measures offers tremendous opportunities to complement existing approaches and overcome their limitations. Still, for the successful implementation of a process-based evaluation approach in the context of IT security, several requirements have to be taken into account.

The development of a process-based approach requires, as a first step, the identification of factors that characterize a business process and allow for its performance determination. For example, complexity is a common characteristic of a business process that significantly impacts associated quality and cost [43, 44]. The implementation of IT security measures can lead to either a reduction or an increase in the complexity of a business process and thus influence the cost-effectiveness of achieving business goals. For example, Stoewer and Kraft [45] show that new security solutions can lead to improved process efficiency if the IT security measure to be implemented triggers a redesign of the underlying process. Therefore, we argue that a prerequisite for a process-based approach to assessing IT security measures is to capture relevant factors that characterize business processes and impact their performance. However, it is important to consider that business processes have different and possibly competing priorities in terms of factors such as time, cost, flexibility, or quality [46].
In this regard, vom Brocke and Sonnenberg [47] emphasize the importance of considering trade-offs between factors when determining the economic value of business processes: “[…] a process that produces quality products might have long cycle times and relatively high costs, whereas a process with low cycle times might have moderate costs and a low quality level” (p. 114). A goal-oriented approach is desirable to appropriately manage competing priorities in business processes. Goal orientation accounts for the strategic objectives of an organization and how these objectives are achieved through business process design [48]. Consequently, a process-driven approach requires a definition and evaluation of the specific business process goals.

Once relevant influencing factors are identified, the next step is to investigate which business processes are affected by IT security measures. Standards such as the Business Process Modeling and Notation (BPMN) allow for the graphical modeling and specification of business process models [49]. Business process models provide specific insights into how organizations work and we argue that they offer the opportunity to integrate IT security measures into their process landscape, as shown by Seyffarth et al. [50]. One example is the implementation of so-called access controls to monitor and control access to organizational systems for ensuring the integrity and confidentiality of data [51]. Access controls can be mapped in business process models by specific modeling objects such as tasks, events, gateways, and annotations. In a purchase-to-pay scenario, Sadiq et al. [52] demonstrate that compliance controls can be integrated into an organizational process model through specific process annotations (so-called control tags).

The next step involves quantitatively evaluating the extent to which a process model is influenced by the integration of IT security measures. Kuehnel et al. [53] use so-called process log files as the data basis for their calculations in the context of compliance measures. They propose various design requirements and principles for an IT tool that is supposed to enable an economic evaluation of business process compliance. For example, the IT tool should be able to automatically reconstruct the paths of a business process from a given log file and support a modular process view to visualize compliance activities. We argue that log files can be used to capture the performance of a business process and any changes caused by the implementation of IT security measures. It should be noted that the economic analysis of IT security measures based on business processes is a "complex task" that can overwhelm the person in charge (e.g., the process owner or IT security expert), especially if log files are analyzed manually [53]. Considering that the main goal of human decision-makers is to optimize decision quality with the least possible cognitive effort, the use of software artifacts is recommended (e.g., [53–55]).

The development and evaluation of a process-based approach for the economic evaluation of IT security measures should also be performed in close cooperation with businesses of different sizes and types. This is important since large corporations differ from small and medium-sized corporations, for example, in terms of available resources, processes, security requirements, and security expertise [56, 57]. In addition, IT security requirements and associated business processes vary across industries. For example, information systems from electricity suppliers that rely on smart meters to exchange information with other devices in a smart grid have specific infrastructure requirements and different system vulnerabilities than information systems from the healthcare sector [58, 59].
Understanding and accounting for such differences when developing a process-based approach to the economic evaluation of IT security measures contributes to the early identification of gaps and missing requirements and supports broad applicability.

5 Conclusion

Selecting the best set of IT security measures is an important strategic decision for any organization, considering the costs associated with security incidents and the significant impacts on the organization’s business processes. Therefore, the ability to accurately evaluate the costs and benefits associated with IT security investments has become a critical skill for decision-makers. Traditional (investment-based) approaches provide only limited guidance in determining the true costs and benefits of IT security measures. We, therefore, discuss the journey towards a process-based approach to economically evaluating and selecting IT security measures. We argue that it is important to account for the interdependencies between IT security measures and business processes, as business processes form the backbone of an organization’s business model and are key cost and performance drivers. Although a process-based approach cannot address all shortcomings of traditional methods, it has the potential to improve the quality of strategic IT security investment decisions.

References

1. Gunduz, M.Z., Das, R.: Cyber-security on smart grid: Threats and potential solutions. Computer Networks 169, 107094 (2020)
2. Information Systems Audit and Control Association (ISACA): Implementing the NIST Cybersecurity Framework. ISACA, Rolling Meadows, IL (2014)
3. Trang, S., Brendel, B.: A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research. Information Systems Frontiers 21, 1265–1284 (2019)
4. Kühnel, S., Sackmann, S., Seyffarth, T.: Effizienzorientiertes Risikomanagement für Business Process Compliance. HMD 54, 124–145 (2017)
5. Sonnenreich, W., Albanese, J., Stout, B.: Return On Security Investment (ROSI): A Practical Quantitative Model. Journal of Research and Practice in Information Technology 38, 45–56 (2006)
6. Sadiq, S., Governatori, G.: Managing Regulatory Compliance in Business Processes. In: Vom Brocke, J., Rosemann, M. (eds.) Handbook on Business Process Management 2. Strategic Alignment, Governance, People and Culture, pp. 265–288. Springer Berlin Heidelberg, Berlin, Heidelberg, s.l. (2015)
7. La Rosa, M.: Strategic business process management. International Conference on Software and Systems Process (ICSSP) (2015)
8. Becker, J., Delfmann, P., Dietrich, H.-A., Steinhorst, M., Eggert, M.: Business process compliance checking – applying and evaluating a generic pattern matching approach for conceptual models in the financial sector. Information Systems Frontiers 18, 359–405 (2016)
9. Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Economics of IT Security Management: Four Improvements to Current Security Practices. CAIS 14 (2004)
10. Sackmann, S.: A Reference Model for Process-oriented IT Risk Management. ECIS 2008 Proceedings (2008)
11. Schatz, D., Bashroush, R.: Economic valuation for information security investment: a systematic literature review. Information Systems Frontiers 19, 1205–1228 (2017)
12. Tsiakis, T., Stephanides, G.: The economic approach of information security. Computers & Security 24, 105–108 (2005)
13. Butler, S.A.: Security attribute evaluation method: a cost-benefit approach. Proceedings of the 24th International Conference on Software Engineering (ICSE 2002), 232–240 (2005)
14. Tallon, P.P.: A Process-Oriented Perspective on the Alignment of Information Technology and Business Strategy. Journal of Management Information Systems 24, 227–268 (2007)
15. Ray, G., Barney, J.B., Muhanna, W.A.: Capabilities, business processes, and competitive advantage: choosing the dependent variable in empirical tests of the resource-based view. Strat. Mgmt. J. 25, 23–37 (2004)
16. Kuehnel, S., Zasada, A.: An Approach Toward the Economic Assessment of Business Process Compliance. In: Woo, C., Lu, J., Li, Z., Ling, T.W., Li, G., Lee, M.L. (eds.) Advances in Conceptual Modeling. ER 2018 Workshops Emp-ER, MoBiD, MREBA, QMMQ, SCME, Xi’an, China, October 22-25, 2018, Proceedings, pp. 228–238. Springer International Publishing, Cham (2018)
17. Davis, A.: Return on security investment – proving it's worth it. Network Security 2005, 8–10 (2005)
18. Pulliam Phillips, P., Phillips, J.J.: ROI fundamentals. Why and when to measure ROI. Pfeiffer, San Francisco (2008)
19. Miller, L.T., Park, C.S.: Decision Making Under Uncertainty—Real Options to the Rescue? The Engineering Economist 47, 105–150 (2002)
20. Strotz, R.H.: Myopia and Inconsistency in Dynamic Utility Maximization. The Review of Economic Studies 23, 165 (1955)
21. Soo Hoo, K.J.: How Much is Enough? A Risk Management Approach to Computer Security. Working Paper. Stanford University (2000)
22. National Bureau of Standards: Guideline for Automatic Data Processing Risk Analysis. Federal Information Processing Standards Publication (FIPS PUB) Nr. 65
23. Sackmann, S., Hofmann, M., Kühnel, S.: Return on Controls Invest. HMD 50, 31–40 (2013)
24. Kühnel, S., Sackmann, S.: Effizienz Compliance-konformer Kontrollprozesse in internen Kontrollsystemen (IKS). HMD 51, 252–266 (2014)
25. Rumpel, R., Glanze, R.: Verfahren zur Wirtschaftlichkeitsanalyse von IT-Sicherheitsinvestitionen. Practical Business Research 2, 1–12 (2008)
26. Fox, D.: Betriebswirtschaftliche Bewertung von Security Investments in der Praxis. Datenschutz und Datensicherheit (DuD) 35, 50–55 (2011)
27. Wei, H., Frinke, D., Carter, O., Ritter, C.: Cost-Benefit Analysis for Network Intrusion Detection Systems. Proceedings of the CSI 28th Annual Computer Security Conference (2001)
28. Schadt, D.: Über die Ökonomie der IT-Sicherheit - Betrachtungen zum Thema "Return on Security Investment. HMD Prax. Wirtsch.
248 (2006) 29. Matousek, M., Schlienger, T., Teufel, S.: Metriken und Konzepte zur Messung der Informationssicherheit. HMD (2004) 30. Pohlmann, N.: Wie wirtschaftlich sind IT-Sicherheitsmaßnahmen. HMD (2006) 31. Mizzi, A.: Return on information security investment-the viability of an anti- spam solution in a wireless environment. International Journal of Network Secu- rity 10, 18–24 (2010) 32. Sackmann, S., Syring, A.: Adapted Loss Database–A New Approach to Assess IT Risk in Automated Business Processes. AMCIS 2010 Proceedings (2010) 33. Llanso, T.: CIAM: A data-driven approach for selecting and prioritizing security controls. In: 2012 IEEE International Systems Conference SysCon 2012. IEEE (2012) 34. Chatterjee, S., Sarker, S., Lee, M.J., Xiao, X., Elbanna, A.: A possible conceptu- alization of the information systems ( IS ) artifact: A general systems theory per- spective 1. Inf Syst J 31, 550–578 (2021) 35. Axelsson, S.: The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur. 3, 186–205 (2000) 36. Cavusoglu, H., Raghunathan, S., Cavusoglu, H.: Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems. Information Systems Research 20, 198–217 (2009) 37. Davenport, T.H.: Process Innovation. Reengineering Work Through Information Technology. Harvard Business Press (1993) 38. Magnani, M., Montesi, D.: Computing the Cost of BPMN Diagrams. Technical Report UBLCS-07-17. Bologna (2007) 39. Magnani, M., Montesi, D.: BPMN. How Much Does It Cost? An Incremental Ap- proach. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) Business process man- agement. 5th international conference, BPM 2007, Brisbane, Australia, Septem- ber 24 - 28, 2007; proceedings, 4714, pp. 80–87. Springer, Berlin (2007) 40. Dijkstra, E.W.: A Note on Two Problems in Connexion with Graphs. Numerische Mathematik 1, 169–271 (1959) 41. 
Sampathkumaran, P., Wirsing, M.: Computing the Cost of Business Processes. In: Aalst, W., Ginige, A., Kutsche, R.-D., Mayr, H.C., Mylopoulos, J., Sadeh, N.M., Shaw, M.J., Szyperski, C., Yang, J. (eds.) Information Systems: Modeling, De- 19 velopment, and Integration. Third International United Information Systems Con- ference, UNISCON 2009, Sydney, Australia, April 21-24, 2009. Proceedings, 20, pp. 178–183. Springer, Berlin, Heidelberg (2009) 42. Sampathkumaran, P.B., Wirsing, M.: Financial Evaluation and Optimization of Business Processes. IJISMD 4, 91–120 (2013) 43. Münstermann, B., Eckhardt, A., Weitzel, T.: The performance impact of business process standardization. Business Process Management Journal 16, 29–56 (2010) 44. Wuellenweber, K., Koenig, W., Beimborn, D., Weitzel, T.: The Impact of Process Standardization on Business Process Outsourcing Success. In: Information Sys- tems Outsourcing, pp. 527–548. Springer, Berlin, Heidelberg (2009) 45. Stöwer, M., Kraft, R.: IT Security Investment and Costing Emphasizing Benefits in Times of Limited Budgets. In: ISSE 2012 Securing Electronic Business Pro- cesses, pp. 37–47. Springer Vieweg, Wiesbaden (2012) 46. REIJERS, H., LIMANMANSAR, S.: Best practices in business process redesign: an overview and qualitative evaluation of successful redesign heuristics. Omega 33, 283–306 (2005) 47. Vom Brocke, J., Sonnenberg, C.: Value-Orientation in Business Process Manage- ment. In: Handbook on Business Process Management 2, pp. 101–132. Springer, Berlin, Heidelberg (2015) 48. Nurcan, S., Etien, A., Kaabi, R., Zoukar, I., Rolland, C.: A strategy driven busi- ness process modelling approach. Business Process Management Journal 11, 628–649 (2005) 49. Chinosi, M., Trombetta, A.: BPMN: An introduction to the standard. Computer Standards & Interfaces 34, 124–134 (2012) 50. Seyffarth, T., Kühnel, S., Sackmann, S.: ConFlex - An Ontology-Based Approach for the Flexible Integration of Controls into Business Processes. 
Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI´16), 1341–1352 (2016) 51. Sampemane, G.: Internal access controls. Commun. ACM 58, 62–65 (2015) 52. Sadiq, S., Governatori, G., Namiri, K.: Modeling Control Objectives for Business Process Compliance. Proceedings of the 5th International Conference on Business Process Management (BPM'07), 149–164 (2007) 53. Kühnel, S., Trang, S., Lindner, S.: Conceptualization, Design, and Implementa- tion of EconBPC – A Software Artifact for the Economic Analysis of Business Process Compliance. In: Laender, A.H.F., Pernici, B., Lim, E.-P. (eds.) Concep- tual Modeling. 38th International Conference, ER 2019, Salvador, Brazil, No- vember 4–7, 2019, Proceedings, pp. 378–386 (2019) 54. Bhamidipaty, A., Narendra, N.C., Nagar, S., Varshneya, V.K., Vasa, M., Deshwal, C.: Indra: An integrated quantitative system for compliance manage- ment for IT service delivery. IBM Journal of Research and Development (IBM J. Res. & Dev.) 53, 1–12 (2009) 55. Doganata, Y.N., Curbera, F.: A method of calculating the cost of reducing the risk exposure of non-compliant process instances. In: Jajodia, S., Kudo, M. (eds.) Proceedings of the first ACM workshop on Information security governance, p. 7. ACM, New York, NY (2009) 20 56. Abbas, J., Mahmood, H.K., Hussain, F.: Information security management for small and medium size enterprises. Sci. Int. (Lahore) 27, 2393–2398 (2015) 57. Alshboul, Y., Streff, K.: Analyzing Information Security Model for Small-Me- dium Sized Businesses. AMCIS 2015 Proceedings (2015) 58. Díaz Redondo, R.P., Fernández-Vilas, A., Fernández dos Reis, G.: Security As- pects in Smart Meters: Analysis and Prevention. Sensors 20, 3977 (2020) 59. Chen, Q., Lambright, J., Abdelwahed, S.: Towards Autonomic Security Manage- ment of Healthcare Information Systems. 2016 IEEE First International Confer- ence on Connected Health: Applications, Systems and Engineering Technologies (CHASE), 113–118 (2016) 21