In the discipline of business informatics, business process compliance (BPC) addresses identifying, formalizing, implementing, checking, analyzing, and optimizing the adherence to business-relevant requirements before, during, or after executing business processes [ 1 ]. Due to the steadily increasing number of security and compliance requirements, e.g., the cross-sectoral provisions of the European Union's General Data Protection Regulation (EU GDPR), KRITIS for operators of critical infrastructures, or the second Payment Services Directive (PSD2) for banks, ensuring BPC has manifested itself not only as a complex technical challenge, but also as a cost-intensive task [ 2,3 ].

For example, current legislation on the protection of personal data requires the consideration of economic criteria when introducing compliance and security measures in business processes. Accordingly, Article 32 (1) EU GDPR defines that technical and organizational measures must be taken for the security of processing of personal data that ensure an adequate level of protection in relation to the respective risk and considering implementation costs. In contrast, a breach of Article 32 (1) EU GDPR may result in fines of up to 20 million euro or 4% of the total annual global turnover of the previous year (see Article 83 EU GDPR on "general conditions for imposing administrative fines"). In academia and especially in practice, the need for approaches and tools is communicated which no longer focus only on technical feasibility, but rather address economic aspects in ensuring BPC [ 4–6 ].

However, the economic assessment of BPC is a complex task for process owners, especially when data from large log files have to be analyzed. Studies from the field of decision making theory suggest the use of software artifacts to support such complex tasks in order to enable a reduction of the cognitive effort for the end user [ 7,8 ], e.g., by enabling special security and compliance views on business processes or by increasingly automating necessary calculations in large process models [ 6,9 ]. Currently, and to the best of our knowledge, neither are available, tools that explicitly visualize security and compliance measures of business processes in a separate view and tools that can economically assess and analyze these measures taking into account monetary cost and benefit aspects.

Consequently, the goal of our paper is to demonstrate the tool EconBPC, which, based on annotated extensible event streams (XES), takes a first step towards an automated monetary assessment of BPC and, moreover, can generate its own compliance view. The remainder of the paper is structured as follows. Chapter 2 shows the four-step concept of EconBPC, followed by the presentation of the software architecture and implementation in chapter 3. Chapter 4 illustrates a short application example and highlights the maturity of the artifact in a brief summary of the two-stage evaluation. The paper closes with some concluding remarks.

The economic principle is based at its core on an input-output relation that can be specified by quantitative parameters for a wide variety of domains, and thus also for BPC. The assessment of process-based security and compliance measures with regard to this relation, i.e. the economic assessment of security and compliance activities or activity sequences in business processes2, therefore builds upon a graph-theoretical distinction between business activities and compliance activities. Consequently, we define a business process as a 3-tuple , where represents a set of nodes in that follow common execution semantics. represents a set of edges between nodes, i.e. a control flow, thus constitutes a connected process graph. To simplify, we assume to be a set of purely business-related and to be a set of purely compliance-related activities. represents a set of coordination nodes and the function assigns a coordination kind to each coordinating node of , i.e.: . In this sense, a compliance activity is not defined as an activity that itself complies with rules, such as the processing of customer data in a customer account, but as an activity that is carried out for the purpose of compliance, such as pseudonymisation of customer data in accordance with Article 4 (5) EU GDPR. Given that compliance activities have already been implemented in a business process to protect against a compliance risk and that the risk is associated with a specific damage value, compliance activities can be assessed economically. For this purpose, each compliance activity is specified in terms of costs and reliability (for a detailed description of the assessment approach and a calculation example, see [ 10 ]).

With the standard for XES, the IEEE Task Force on Process Mining has published an XML-based standard for log files that defines a generally accepted format for the exchange of log data between information systems and for the provision of data for analysis tools [ 11 ]. The XES standard can be extended by extensions and already offers a number of standard ones, such as the cost extension [ 12 ], but also specific ones, such as our extension "econbpc" (see https://bit.ly/2GI8U0E), which can distinguish activities into compliance-related and business-related, or specify activities by reliabilities.

The conceptual approach of EconBPC is shown in Figure 1 and includes four steps. (1.1) Annotation and complexity reduction (1.2) Graphical reconstruction of compliance process Process log file

Compliance

log file      

… (3) Assessment of compliance process patterns

        (4) Assessment aggregation (2) Mining of compliance process patterns    

  Compliance process

(1.1) Annotation and complexity reduction of log files. Given a process log file, we start with the first step. The flexible character of the XES standard opens up the possibility of annotating log files, i.e., enriching them with additional data [ 11 ]. This means, for example, that additional data can be stored in log files that further specify the activities performed (so-called events) [ 12 ]. If the available log file 2 For ease of understanding, security and compliance measures are hereinafter summarized under the term compliance measures; the same applies to compliance activities, -processes, -patterns and -log files. does not yet contain data about the event type (business/compliance event), costs, or reliabilities of compliance events, these must be annotated. This is followed by a complexity reduction. All events that are not of the "compliance" type are removed from the log file. The resulting so-called "compliance log file" thus only contains the data required for the monetary assessment of BPC, which increases the calculation efficiency of the procedure.

(1.2) Graphical reconstruction of compliance process. Although the approach does not require a graphical process reconstruction, the compliance process can be visualized based on the compliance log file. Such a visualization provides an overview of the compliance activities and can be used as a basis for presenting calculation results graphically in a way appropriate to the target audience, e.g., implemented via compliance activity annotations of costs or reliabilities for compliance officers.

(2) Mining of compliance process patterns. Each executed instance of a business process consists of a finite set of events and is referred to as a trace according to the XES standard [ 11 ]. A compliance log file contains only compliance traces, i.e. the executed instances of a compliance process. First, the event sequences of all compliance traces are analyzed and a list of all those sequences that differ in their sequence is created. Each entry in this list is a unique tuple that represents one of a finite number of pathways through a compliance process and is referred to as a compliance process pattern. For example, if two compliance traces do not differ, neither in the set of their events nor in their sequence, they are based on the same compliance process pattern. Second, the relative frequency of occurrence is determined for each pattern. If, for example, a compliance log file contains data from a total of three compliance traces and two of them do neither differ in their quantity of events nor in their sequence, then the relative frequency of occurrence of the underlying compliance process pattern is 66. %.

(3) Assessment of compliance process patterns. Using our computational approach originating from prior work [ 10 ], we determine the costs and reliabilities of the compliance process patterns3. Since compliance process patterns are derived from the traces of a business process and the control flow of a trace always has either a parallel or sequential character, only the computational rules for sequence, parallel split, and synchronization patterns need to be considered for assessment.

(4) Assessment aggregation. As part of the assessment aggregation, expected costs and expected reliabilities of the entire compliance process are calculated. For this purpose, we use the costs and reliabilities of the compliance process patterns and weight them with the frequencies of occurrence determined in step (2). At the highest level of aggregation, the expected costs of the compliance process can be compared with its benefits, which can be represented in terms of the monetary damage prevented, e.g., by avoiding regulatory breaches [ 10 ].

Design principles were used as a conceptual foundation for the implementation of the approach. Their derivation and the development of the software artifact build on the four steps presented in chapter 2. Design principles are understood as instructions or proposals for software artifacts that can serve to solve design problems and can be a conceptual precursor to artifact implementation [ 8 ]. Owing to space limitations, we refer to a previous study for the derivation of these principles (see: [ 13 ]).

Figure 2 shows the architecture of EconBPC4 as a UML component diagram. The architecture model provides the basis for implementing EconBPC in R as a Shiny application. The import interface for log files enables the import of XES. The compliance data importer is an import interface for compliance data relevant to assessment, such as costs and reliabilities. The interface enables the annotation of log files with quantitative data of input and output factors of process-based compliance measures required for the calculation of monetary input-output ratios. The graph generator is used to reconstruct a business process graph from the log file (process discovery), which is output in the "process view" user interface. Based on an event filter, which is used to reduce the complexity of the annotated log file, the graph generator also enables the modular representation of compliance activities and activity sequences in the "compliance view" user interface. The path analyzer identifies the compliance process patterns, 3 In the description of [ 10 ], the compliance process patterns are referred to as "paths". More details of the assessment approach have been omitted due to space restrictions. For a more detailed description, see [ 10 ]. 4 The R application EconBPC can be downloaded at the web address https://bit.ly/3OHN2Uh. A user guide and a screencast are available at https://bit.ly/2oXZtop and at https://bit.ly/2xwM2wW. determines their relative frequencies of occurrence and sends a list of results to the assessment and analysis engine. Based on this, the engine enables: (1) the economic assessment of compliance process patterns and compliance processes, (2) the identification of inefficient compliance activities and compliance process patterns, and (3) the economic comparison of alternative compliance activities/processes. The aggregated valuation results are presented in the economic view user interface and can finally be used for decision support.

<< component >> shiny application << component >> log file importer

event-related compliance data << component >> compliance data importer compliance data

<< device >> shiny server (linux) event log path list << component >> graph generator << component >> path analyzer << component >> assessment and analysis engine compliance map process map analysis results node component / module provided interface << user interface >>

compliance view << user interface >>

process view << user interface >>

economic view requested interface Figure 2: Software architecture of EconBPC represented as a UML component diagram 

For demonstration purposes, EconBPC was tested with an artificial XES dataset publicly provided by Eindhoven University of Technology and included with the EconBPC download files. This is an anonymized dataset containing 105 synthetic instances of a credit application process. Since the dataset does not contain a specification of compliance events, the log file was annotated using the compliance data importer (see figure 3 (a)). "B1", "B2", "D", and "E" were specified as events of the compliance type and annotated with costs of $2000, $300, $5000, and $400, and reliabilities of 99%, 95%, 83%, and 100%, respectively. In addition, a fictitious compliance requirement was stored in EconBPC, the violation of which is accompanied by a fine of 30,000€.

compliance  process  patterns aggregated results log file  importer log file  /  activity

annotation (a) Screenshot of the log file/compliance data importer as well as the log file  annotation feature (b) Screenshot of the cost‐annotated compliance process  and calculation results Figure 3: Screenshots of the EconBPC tool in the application example  [ 13 ]). Second, the tool was tested by 12 experts from the field of IT governance, risk, and compliance in think-aloud sessions on case studies. The procedure of the think-aloud sessions followed a consistent pattern, initiated by 1) the provision of information about the software artifact and the tasks to be performed, 2) the systematic protocoling of the verbalized thoughts of the subjects, and 3) an analysis of the protocols. Positive expressions were marked with a "+", expressed potential improvements were marked with an "o", and each was assigned to the design principles. A discussion of both evaluations and related data can also be found in [ 13 ].

This paper has introduced the EconBPC tool, briefly highlighting its four-stage concept, its software architecture, its implementation as an R application, and its two-stage evaluation. By using XES, EconBPC offers the possibility to automatically visualize security and compliance measures of business processes in an addressee-oriented way and to assess them economically based on activities. Among many limitations stimulating future research, such as the subjectivity of the underlying conceptual and architectural design or the focus of the assessment on purely monetary values, great potential also lies in the transfer to real-world practice. As part of the project “Process-based Economic Evaluation and Selection of IT Security Measures” (ProBITS), which is funded by the Federal Ministry of Education and Research, we are already working on incorporating non-monetary values into the underlying calculation models, while still keeping the assessment simple enough to be scalable to different company sizes. However, testing in real case studies is still pending.