Business processes have become increasingly important in today's business environment, and their unimpeded execution is crucial for a company's success. Since business processes are continuously exposed to a variety of threats, organizations are forced to pay attention to security issues. Although the security of business activities is widely considered important, business processes and security aspects are often developed separately. Recent approaches to managing business process security focus only on certain aspects and neglect others, and thus do not provide a holistic framework for analyzing process security and evaluating security safeguards. Often, these safeguards are evaluated according to technical aspects only; multiple objectives are not considered.
This diploma thesis introduces a model-supported, risk-based multiobjective decision making methodology (MR-MOD) for eliciting the security requirements of business processes, for analyzing assets, threats, and vulnerabilities, and for selecting appropriate security technologies. To this end, it combines the strengths of several methods, including process modeling, quantitative risk assessment, and multiobjective decision making techniques, for the definition of Secure Business Processes. MR-MOD is supported by the MODStool, a software application developed in the course of this thesis.
Finally, the feasibility of this methodology is demonstrated in a case study.