Asset Identification in Information Security Risk Assessment Using Process Mining

Edri Yunizal, Judhi Santoso, Kridanto Surendro


Information security risk assessment (ISRA) currently has gaps in inadequate asset identification. This activity is still manual, depending on the approach adopted and used, thus leading to subjectivity and inaccuracies. Whereas incorrect identification will lead to inaccurate results. The need to consider the dependency of assets within ISRA, which is still not resolved by ISRA, complicates this. A process perspective that can view assets based on their role in organizational processes rather than physical connections should be able to bridge this gap. Unfortunately, Small and Medium Enterprises (SME) find it difficult to take advantage of this opportunity due to time and cost constraints. This research bridges this gap by providing a process-oriented perspective that uses process mining. It automates asset identification based on historically derived organizational workflows using Legacy Information Systems (LIS) triggers. For rigor and relevance, this research uses a series of design research evaluation stages: problem, design, construct, and usage. Problem evaluation is through the study of related literature. For design evaluation, it made comparisons with asset and process-oriented ISRA and preprocessing of process mining. The construct evaluation by testing the system before and after method implementation. It also considers the method's maximum capability. Meanwhile, usage evaluation through a case study on an inventory system. The contribution offered: (1) integrating process mining with ISRA, (2) making the process-aware LIS without disturbing the running process, (3) preparing an artifact to generate an event log using database trigger, and (4) automating ISRA's asset identification which also considers asset dependency.


Information security; risk assessment; asset identification; small and medium enterprise; process mining; event log.

Full Text:



P. Tubío Figueira, C. López Bravo, and J. L. Rivas López, “Improving information security risk analysis by including threat-occurrence predictive models,” Comput. Secur., vol. 88, p. 101609, 2020.

D. G. Rosado, J. Moreno, L. E. Sánchez, A. Santos-Olmo, M. A. Serrano, and E. Fernández-Medina, “MARISMA-BiDa pattern: Integrated risk analysis for big data,” Comput. Secur., vol. 102, 2021.

A. Ključnikov, L. Mura, and D. Sklenár, “Information security management in SMEs: Factors of success,” Entrep. Sustain. Issues, vol. 6, no. 4, pp. 2081–2094, 2019.

B. Suh and I. Han, “The IS risk analysis based on a business model,” Inf. Manag., vol. 41, no. 2, pp. 149–158, 2003.

Y. Wang, M. Zhao, Y. Hu, Y. Gao, and X. Cui, “Secure computation protocols under asymmetric scenarios in enterprise information system,” Enterp. Inf. Syst., vol. 15, no. 4, pp. 492–512, 2021.

C. Schmitz and S. Pape, “LiSRA: Lightweight Security Risk Assessment for decision support in information security,” Comput. Secur., vol. 90, 2020.

N. S. Safa et al., “Deterrence and prevention-based model to mitigate information security insider threats in organisations,” Futur. Gener. Comput. Syst., vol. 97, pp. 587–597, 2019.

P. J. Steinbart, R. L. Raschke, G. Gal, and W. N. Dilla, “The influence of a good relationship between the internal audit and information security functions on information security outcomes,” Accounting, Organ. Soc., vol. 71, pp. 15–29, 2018.

S. Muller, C. Harpes, Y. Le Traon, S. Gombault, and J. M. Bonnin, “Efficiently computing the likelihoods of cyclically interdependent risk scenarios,” Comput. Secur., vol. 64, pp. 59–68, 2017.

D. Gritzalis, G. Stergiopoulos, V. Kouktzoglou, and M. Theocharidou, “A process-based dependency risk analysis methodology for critical infrastructures,” Int. J. Crit. Infrastructures, vol. 13, no. 2/3, p. 184, 2017.

Y. Y. Haimes, “Risk Modeling of Interdependent Complex Systems of Systems: Theory and Practice,” Risk Anal., vol. 38, no. 1, pp. 84–98, Jan. 2018.

A. Shameli-Sendi, R. Aghababaei-Barzegar, and M. Cheriet, “Taxonomy of information security risk assessment (ISRA),” Comput. Secur., vol. 57, pp. 14–30, 2016.

P. Shedden, A. Ahmad, W. Smith, H. Tscherning, and R. Scheepers, “Asset identification in information security risk assessment: A business practice approach,” Commun. Assoc. Inf. Syst., vol. 39, no. 1, pp. 297–320, 2016.

Ü. Tatar and B. Karabacak, “An hierarchical asset valuation method for information security risk analysis,” in International Conference on Information Society, i-Society 2012, 2012, pp. 286–291.

C. Joshi and U. K. Singh, “Information security risks management framework – A step towards mitigating security risks in university network,” J. Inf. Secur. Appl., vol. 35, pp. 128–137, 2017.

I. Loloei, H. R. Shahriari, and A. Sadeghi, “A model for asset valuation in security risk analysis regarding assets’ dependencies,” in ICEE 2012 - 20th Iranian Conference on Electrical Engineering, 2012, pp. 763–768.

A. K. Adesemowo, “Towards a conceptual definition for IT assets through interrogating their nature and epistemic uncertainty,” Computers and Security, vol. 105. 2021.

J. Breier and F. Schindler, “Assets dependencies model in information security risk management,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2014, vol. 8407 LNCS, pp. 405–412.

A. Shameli-Sendi, “An efficient security data-driven approach for implementing risk assessment,” J. Inf. Secur. Appl., vol. 54, 2020.

B. Rahmad, S. H. Supangkat, J. Sembiring, and K. Surendro, “Modeling asset dependency for security risk analysis using threat-scenario dependency,” Int. J. Comput. Sci. Inf. Secur., vol. 10, no. 4, pp. 103–111, 2012.

K. Khanmohammadi and S. H. Houmb, “Business process-based information security risk assessment,” in Proceedings - 2010 4th International Conference on Network and System Security, NSS 2010, 2010, pp. 199–206.

S. Schmidt and S. Albayrak, “A quantitative framework for dependency-aware organizational IT Risk Management,” in Proceedings of the 2010 10th International Conference on Intelligent Systems Design and Applications, ISDA’10, 2010, pp. 1207–1212.

V. Agrawal, “A Comparative Study on Information Security Risk Analysis Methods,” J. Comput., pp. 57–67, 2017.

E. G. L. de Murillas, H. A. Reijers, and W. M. P. van der Aalst, “Connecting databases with process mining: a meta model and toolset,” Softw. Syst. Model., vol. 18, no. 2, pp. 1209–1247, Apr. 2019.

A. Augusto et al., “Automated Discovery of Process Models from Event Logs: Review and Benchmark,” IEEE Transactions on Knowledge and Data Engineering, vol. 31, no. 4. pp. 686–705, 2019.

W. M. P. van der Aalst, “Extracting Event Data from Databases to Unleash Process Mining,” in BPM-Driving innovation in a digital world, Springer, 2015, pp. 105–128.

C. dos S. Garcia et al., “Process mining techniques and applications – A systematic mapping study,” Expert Syst. Appl., vol. 133, pp. 260–295, 2019.

L. Lan, Y. Liu, and W. Feng Lu, “Learning from the Past: Uncovering Design Process Models Using an Enriched Process Mining,” J. Mech. Des., vol. 140, no. 4, 2018.

J. Maeyens, A. Vorstermans, and M. Verbeke, “Process mining on machine event logs for profiling abnormal behaviour and root cause analysis,” Ann. des Telecommun. Telecommun., vol. 75, no. 9–10, pp. 563–572, 2020.

M. Jans, P. Soffer, and T. Jouck, “Building a valuable event log for process mining: an experimental exploration of a guided process,” Enterp. Inf. Syst., vol. 13, no. 5, pp. 601–630, 2019.

R. Andrews, C. G. J. van Dun, M. T. Wynn, W. Kratsch, M. K. E. Röglinger, and A. H. M. ter Hofstede, “Quality-informed semi-automated event log generation for process mining,” Decis. Support Syst., vol. 132, 2020.

D. Calvanese, M. Montali, A. Syamsiyah, and W. M. P. van der Aalst, “Ontology-driven extraction of event logs from relational databases,” in Lecture Notes in Business Information Processing, 2016, vol. 256, pp. 140–153.

A. P. Kurniati, E. Rojas, D. Hogg, G. Hall, and O. A. Johnson, “The assessment of data quality issues for process mining in healthcare using Medical Information Mart for Intensive Care III, a freely available e-health record database,” Health Informatics J., vol. 25, no. 4, pp. 1878–1893, 2019.

G. Li, E. G. L. de Murillas, R. M. de Carvalho, and W. M. P. van der Aalst, “Extracting object-centric event logs to support process mining on databases,” in Lecture Notes in Business Information Processing, 2018, vol. 317, pp. 182–199.

R. Pérez-Castillo, B. Weber, J. Pinggera, S. Zugal, I. G. R. de Guzmán, and M. Piattini, “Generating event logs from non-process-aware systems enabling business process mining,” Enterp. Inf. Syst., vol. 5, no. 3, pp. 301–335, 2011.

Y. Barlette, K. Gundolf, and A. Jaouen, “CEOs’ information security behavior in SMEs: Does ownership matter?,” Systèmes d’information Manag., vol. 22, no. 3, p. 7, 2017.

S. Kabanda, M. Tanner, and C. Kent, “Exploring SME cybersecurity practices in developing countries,” J. Organ. Comput. Electron. Commer., vol. 28, no. 3, pp. 269–282, 2018.

T. Woschke, H. Haase, and J. Kratzer, “Resource scarcity in SMEs: effects on incremental and radical innovations,” Manag. Res. Rev., vol. 40, no. 2, pp. 195–217, 2017.

M. Jans, “Auditor choices during event log building for process mining,” J. Emerg. Technol. Account., vol. 16, no. 2, pp. 59–67, 2019.

A. R. Hevner, S. T. March, J. Park, and S. Ram, “Design science in information systems research,” MIS Q. Manag. Inf. Syst., vol. 28, no. 1, pp. 75–105, 2004.

C. Sonnenberg and J. Vom Brocke, “Evaluations in the science of the artificial - Reconsidering the build-evaluate pattern in design science research,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2012, vol. 7286 LNCS, pp. 381–397.

P. Brereton, B. Kitchenham, D. Budgen, and Z. Li, “Using a protocol template for case study planning,” in 12th International Conference on Evaluation and Assessment in Software Engineering, EASE 2008, 2008.

J. Wagner et al., “Carving database storage to detect and trace security breaches,” Digit. Investig., vol. 22, pp. S127–S136, 2017.

L. K. Branting, “Data-centric and logic-based models for automated legal problem solving,” Artif. Intell. Law, vol. 25, no. 1, pp. 5–27, 2017.

E. Yunizal, K. Surendro, and J. Santoso, “A Method of Simplifying the Asset Dependency Cycle in Security Risk Analysis,” 2021.

G. Stergiopoulos, D. Gritzalis, and V. Kouktzoglou, “Using formal distributions for threat likelihood estimation in cloud-enabled IT risk assessment,” Comput. Networks, vol. 134, pp. 23–45, 2018.

H. Zhou and J. Li, “A dynamic instrumentation tool for obtaining software logs,” J. Phys. Conf. Ser., vol. 1684, no. 1, 2020.

M. Abdulrazzaq and Y. Wei, “Industrial Control System (ICS) Network Asset Identification and Risk Management,” 2018.

M. Lyu, H. Habibi Gharakheili, C. Russell, and V. Sivaraman, “Mapping an Enterprise Network by Analyzing DNS Traffic,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2019, vol. 11419 LNCS, pp. 129–144.

D. B. Speights, D. M. Downs, and A. Raz, Essentials of modeling and analytics: Retail risk management and asset protection. 2017.



  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development