Improvement of security costs evaluation process by using data automatically captured from BPMN and EPC models

Abstract

Amount of security breaches and organizations’ losses, related to them, is increasing every year. One of the key reasons is a high dependency of organization’s key business processes on information and information technology. To decrease the risk of possible breaches, organizations have to ensure “due diligence” and “due care” principles. This means, organizations need to apply requirements or controls defined by existing security standards. One of the main issues in such approach is identification of critical areas and evaluation of cost for security requirements implementation. In this paper we consider how our previously proposed method for information security requirements implementation cost evaluation could be linked with organizations’ business processes. Our proposal could help us identify organization critical areas, which need to be protected and could let us to calculate security costs, related to the protected areas.