Process managers have to model and assess business processes to ensure that they meet corporate security needs, and in doing so must deal with a broad spectrum of potential risks. Decision makers selecting the most appropriate set of IT security investments, and thus the right level of investment for a given set of business processes and/or policies, must take into account (i) an optimal alignment of business processes, IT systems, and IT security investments, so that resources are concentrated on value-generating and supporting business processes; (ii) multiple objectives that frequently conflict with one another; (iii) the cost-efficient use of available resources; (iv) interdependencies between IT security investments; and (v) legal requirements and policies, such as ISO 17799.

In addition, the number of available safeguards has grown dramatically over the past few years, making an efficient manual composition of a safeguard portfolio nearly impossible. As a consequence, security decisions tend to be isolated point solutions, made without weighing the costs and benefits of the measures being introduced. Existing methods characterize safeguard candidates with a single aggregated value criterion, such as return on investment. However, measures from different dimensions cannot always be aggregated meaningfully, and stakeholders may differ strongly in their utility functions, i.e. in how much one unit of criterion A is "worth" to them compared with one unit of criterion B. In this situation stakeholders need better support for dealing with the resulting, more complex data, since existing approaches are not organized in a way that business people can relate to. In particular, decision makers demand full control over the decision-making process: they want to learn about alternative solutions and then be supported in making their own decisions in an interactive and intuitive way.