Skip to main content
Springer Nature Link
Log in

Analyzing Enterprise Architecture Models by Means of the Meta Attack Language

  • Conference paper
  • First Online:
Advanced Information Systems Engineering (CAiSE 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13295))

Included in the following conference series:

  • 1641 Accesses

Abstract

The digital transformation exposes organizations to new threats endangering their business. A way to uncover these threats is threat modeling and attack simulations. However, modeling an entire organization by hand is time consuming and error prone. Therefore, we propose to reuse Enterprise Architecture (EA) models. In this work, we propose a mapping from ArchiMate, a common EA modeling language, to coreLang, a threat modeling language, and use the resulting models to perform attack simulations to foresee possible attack paths. Then, we play back the results of the attack simulations to the EA model and complete the round-trip. To demonstrate our approach, we developed a prototype performing the transformation from ArchiMate to coreLang and applied our approach to the well-known ArchiSurance example.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
CHF34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
CHF 24.95
Price includes VAT (Switzerland)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
CHF 75.50
Price excludes VAT (Switzerland)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
CHF 94.50
Price excludes VAT (Switzerland)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://www.first.org/cvss/specification-document.

  2. 2.

    https://github.com/simonhacks/EA-Resilience.

  3. 3.

    https://nvd.nist.gov/vuln/detail/CVE-2021-24212.

  4. 4.

    https://nvd.nist.gov/vuln/detail/CVE-2020-13484.

  5. 5.

    https://nvd.nist.gov/vuln/detail/CVE-2021-2320.

  6. 6.

    https://nvd.nist.gov/vuln/detail/CVE-2021-33663.

  7. 7.

    https://nvd.nist.gov/vuln/detail/CVE-2017-6911.

References

  1. Zaoui, F., Souissi, N.: Roadmap for digital transformation: a literature review. Proc. Comput. Sci. 175, 621–628 (2020)

    Article  Google Scholar 

  2. Verhoef, P.C., et al.: Digital transformation: a multidisciplinary reflection and research agenda. J. Bus. Res. 122, 889–901 (2021)

    Google Scholar 

  3. Chowdhury, A.: Recent cyber security attacks and their mitigation approaches – an overview. In: Batten, L., Li, G. (eds.) ATIS 2016. CCIS, vol. 651, pp. 54–65. Springer, Singapore (2016). https://doi.org/10.1007/978-981-10-2741-3_5

    Chapter  Google Scholar 

  4. Lallie, H.S., et al.: Cyber security in the age of COVID-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Comp. Sec. 105, 102248 (2021)

    Google Scholar 

  5. LaBerge, L., O’Toole, C., Schneider, J., Smaje, K.: How COVID-19 has pushed companies over the technology tipping point - and transformed business forever (2020)

    Google Scholar 

  6. Hakak, S., Khan, W.Z., Imran, M., Choo, K.K.R., Shoaib, M.: Have you been a victim of COVID-19-related cyber incidents? Survey, taxonomy, and mitigation strategies. IEEE Access 8, 124134–124144 (2020)

    Article  Google Scholar 

  7. Aldea, A., Iacob, M.E., van Hillegersberg, J., Quartel, D., Franken, H.: Modelling value with ArchiMate. In: Persson, A., Stirna, J. (eds.) CAiSE 2015. LNBIP, vol. 215, pp. 375–388. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-19243-7_35

    Chapter  Google Scholar 

  8. Barbosa, A., Santana, A., Hacks, S., Stein, N.V.: A taxonomy for enterprise architecture analysis research. In: ICEIS, vol. 2, SciTePress, pp. 493–504 (2019)

    Google Scholar 

  9. Mathew, D., Hacks, S., Lichter, H.: Developing a semantic mapping between TOGAF and BSI-IT-Grundschutz. MKWI 5, 1971–1982 (2018)

    Google Scholar 

  10. Holm, H., Buschle, M., Lagerström, R., Ekstedt, M.: Automatic data collection for enterprise architecture models. Softw. Syst. Model. 13(2), 825–841 (2012). https://doi.org/10.1007/s10270-012-0252-1

    Article  Google Scholar 

  11. Hacks, S., Katsikeas, S.: Towards an ecosystem of domain specific languages for threat modeling. In: La Rosa, M., Sadiq, S., Teniente, E. (eds.) CAiSE 2021. LNCS, vol. 12751, pp. 3–18. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-79382-1_1

    Chapter  Google Scholar 

  12. Hacks, S., Lagerström, R., Ritter, D.: Towards automated attack simulations of BPMN-based processes. In: EDOC, pp. 182–191 (2021)

    Google Scholar 

  13. Grandry, E., Feltus, C., Dubois, E.: Conceptual integration of enterprise architecture management and security risk management. In: EDOCW, pp. 114–123, September 2013

    Google Scholar 

  14. Hacks, S., Brosius, M., Aier, S.: A case study of stakeholder concerns on EAM. In: EDOCW, pp. 50–56. IEEE (2017)

    Google Scholar 

  15. Peffers, K., Tuunanen, T., Rothenberger, M.A., Chatterjee, S.: A design science research methodology for information systems research. JIMS 24(3), 45–77 (2007)

    Google Scholar 

  16. The Open Group: ArchiMate 3.1 Specification (2019)

    Google Scholar 

  17. Johnson, P., Lagerström, R., Ekstedt, M.: A meta language for threat modeling and attack simulations. In: ARES, p. 38. ACM (2018)

    Google Scholar 

  18. Katsikeas, S., et al.: An attack simulation language for the IT domain. In: Eades III, H., Gadyatskaya, O. (eds.) GraMSec 2020. LNCS, vol. 12419, pp. 67–86. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-62230-5_4

  19. Ekstedt, M., Johnson, P., Lagerström, R., Gorton, D., Nydrén, J., Shahzad, K.: securiCAD by foreseeti: a CAD tool for enterprise cyber security management. In: EDOCW, pp. 152–155. IEEE (2015)

    Google Scholar 

  20. Hacks, S., Butun, I., Lagerström, R., Buhaiu, A., Georgiadou, A., Michalitsi Psarrou, A.: Integrating security behavior into attack simulations. In: ARES, pp. 1–13 (2021)

    Google Scholar 

  21. Aldea, A., Iacob, M.E., Quartel, D., Franken, H.: Strategic planning and enterprise achitecture. In: ES 2013, pp. 1–8. IEEE (2013)

    Google Scholar 

  22. Aldea, A., Iacob, M.E., Daneva, M., Masyhur, L.H.: Multi-criteria and model-based analysis for project selection: an integration of capability-based planning, project portfolio management and enterprise architecture. In: EDOCW, pp. 128–135 (2019)

    Google Scholar 

  23. Hacks, S., Katsikeas, S., Ling, E., Lagerström, R., Ekstedt, M.: powerLang: a probabilistic attack simulation language for the power domain. Energy Inf. 3(1), 1–17 (2020). https://doi.org/10.1186/s42162-020-00134-4

    Article  Google Scholar 

  24. Ling, E.R., Ekstedt, M.: Generating threat models and attack graphs based on the IEC 61850 system configuration description language. In: SAT-CPS, pp. 98–103. ACM (2021)

    Google Scholar 

  25. Katsikeas, S., Johnson, P., Hacks, S., Lagerström, R.: Probabilistic modeling and simulation of vehicular cyber attacks: an application of the meta attack language. In: Proceedings of the 5th ICISSP (2019)

    Google Scholar 

  26. Smajevic, M., Bork, D.: From conceptual models to knowledge graphs: a generic model transformation platform. In: ER. Springer. LNCS (2021)

    Google Scholar 

  27. Smajevic, M., Hacks, S., Bork, D.: Using knowledge graphs to detect enterprise architecture smells. In: PoEM, Springer International Publishing, pp. 48–63 (2021)

    Google Scholar 

  28. Band, I., Engelsman, W., Feltus, C., Paredes, S.G., Diligens, D.: Modeling enterprise risk management and security with the archimate ®. Language, The Open Group (2015)

    Google Scholar 

  29. Ebbers, F., Hacks, S., Thakurta, R.: The business impact of IIOT vulnerabilities. In: PACIS 2021 Proceedings, vol. 225 (2021)

    Google Scholar 

  30. Aldea, A., Vaicekauskaitė, E., Daneva, M., Piest, J.P.S.: Assessing resilience in enterprise architecture: a systematic review. In: EDOC, pp. 1–10 (2020)

    Google Scholar 

  31. Manzur, L., Ulloa, J.M., Sánchez, M., Villalobos, J.: XArchiMate: enterprise architecture simulation, experimentation and analysis. Simulation 91(3), 276–301 (2015)

    Article  Google Scholar 

  32. Grov, G., Mancini, F., Mestl, E.M.S.: Challenges for risk and security modelling in enterprise architecture. In: Gordijn, J., Guédria, W., Proper, H.A. (eds.) PoEM 2019. LNBIP, vol. 369, pp. 215–225. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35151-9_14

    Chapter  Google Scholar 

  33. Xiong, W., Carlsson, P., Lagerström, R.: Re-using enterprise architecture repositories for agile threat modeling. In: EDOCW, pp. 118–127 (2019)

    Google Scholar 

  34. Pavleska, T., Aranha, H., Masi, M., Grandry, E., Sellitto, G.P.: Cybersecurity evaluation of enterprise architectures: the E-SENS case. In: PoEM, pp. 226–241 (2019)

    Google Scholar 

  35. Jiang, Y., Jeusfeld, M., Atif, Y., Ding, J., Brax, C., Nero, E.: A language and repository for cyber security of smart grids. In: EDOC, pp. 164–170 (2018)

    Google Scholar 

  36. Holm, H., Shahzad, K., Buschle, M., Ekstedt, M.: P\(^2\)CySeMoL: predictive, probabilistic cyber security modeling language. TDSC 12(6), 626–639 (2015)

    Google Scholar 

  37. König, J., Zhu, K., Nordström, L., Ekstedt, M., Lagerstrom, R.: Mapping the substation configuration language of IEC 61850 to ArchiMate. In: EDOCW, pp. 60–68 (2010)

    Google Scholar 

  38. Hacks, S., Hacks, A., Katsikeas, S., Klaer, B., Lagerström, R.: Creating meta attack language instances using ArchiMate: applied to electric power and energy system cases. In: EDOC, pp. 88–97 (2019)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Adina Aldea

  2. University of Southern Denmark, Odense, Denmark

    Simon Hacks

Authors
  1. Adina Aldea
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Simon Hacks
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Simon Hacks .

Editor information

Editors and Affiliations

  1. Department of Service and Information System Engineering (ESSI), Universitat Politècnica de Catalunya, Barcelona, Spain

    Xavier Franch

  2. Ghent University, Gent, Belgium

    Geert Poels

  3. Ghent University, Gent, Belgium

    Frederik Gailly

  4. KU Leuven, Leuven, Belgium

    Monique Snoeck

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Aldea, A., Hacks, S. (2022). Analyzing Enterprise Architecture Models by Means of the Meta Attack Language. In: Franch, X., Poels, G., Gailly, F., Snoeck, M. (eds) Advanced Information Systems Engineering. CAiSE 2022. Lecture Notes in Computer Science, vol 13295. Springer, Cham. https://doi.org/10.1007/978-3-031-07472-1_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-07472-1_25

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07471-4

  • Online ISBN: 978-3-031-07472-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation

  NODES
chat 1
INTERN 2
Note 3
Project 2