
Enabling security risk assessment and management for business process models

Journal of Information Security and Applications (2024)

Abstract
Business processes (BP) are considered the enterprise’s cornerstone but are increasingly in the spotlight of attacks. Therefore, the design of business processes must consider the security risks and be adequately integrated into the information and operational systems. However, security risk assessment and management are rarely considered at the level of business processes during design time, let alone considering a risk architecture that takes into account the connection and dependencies of risks at the levels of the organisation, business processes, and information systems. In general, most approaches deal with integrating new artefacts for business process models to support risk analysis, but sometimes the notation can increase complexity, making it difficult to have a risk management tool to support the analysis. After analysing the current risk processes and frameworks, we have realised that they are often neglected when considering organisational and business process levels. In this paper, the MARISMA-BP (MARISMA for Business Process) pattern is proposed, a security risk pattern to enable the assessment and management of risks for business process models. This approach is an artefact that has been validated in a real scenario following the design science methodology. Further, the MARISMA-BP pattern is supported by eMARISMA, an automated infrastructure that allows the definition and reuse of each risk component, helping us to carry out the risk assessment and management process in an efficient and dynamic way. To demonstrate the applicability of the proposal, the MARISMA-BP pattern is applied to a real health-based business process scenario. The findings illustrate the efficacy of MARISMA-BP within eMARISMA for comprehensive risk assessment and management, underscoring its versatility and practical relevance in any business process environment.
Key words
Business process model, Security risk assessment and management, Risk architecture, Risk pattern