

Improving information security through model driven IT governance

The ubiquitous use of technology has caused a critical dependency on Information Technology. This dependency has shed light on the importance of establishing a high-level IT Governance (ITG) model in organizations. The ultimate goal of such a model is to incorporate leadership as well as organizational processes and structures to ensure that the organization's IT extends and sustains its strategies and objectives (De Haes & Grembergen, 2008). Moreover, ITG interoperability is one of the leading challenges to be addressed in realizing efficient applications (Turner, Budgen, & Brereton, 2003). Today, the costs of integrating enterprise applications in the context of ITG are still tremendously high. This is because of the existence of different regulatory processes, requirements, data organizations and application interfaces that must be reconciled, typically with manual intervention. A typical process in ITG includes different tangled concerns such as data processing, control flow, event handling, service invocations, human interactions and transactions. The entanglement of these concerns increases the complexity of developing and maintaining process-driven ITG as the number of involved processes and services grows. As such, in the area of interoperability, the main challenge is to get systems to share information that is understandable both semantically and syntactically. This is possible via model transformation and semantic mapping (Turner, Budgen, & Brereton, 2003). Conceptual modelling refers to the activity of formally describing some aspects of the social and physical world around us with the goals of understanding and communicating. It is used to communicate a common view to the members of a group who need a shared understanding of relevant aspects of some world, through a variety of linguistic and graphic interfaces.
The advantage of conceptual modelling over diagrammatic notations or natural language is that it is derived from a formal notation and thus allows one to capture the application semantics. Moreover, its support for structuring and inferential facilities is an advantage of conceptual modelling over the mathematical and other formal notations developed in computer science (Mohamed & Kaur, 2012). Furthermore, a model is an abstraction of a system and generally represents a simplified and partial view of that system (Ludewig, 2003), (Favre, 2006), (Kühne, 2006). Using models allows technical and non-technical stakeholders to share common knowledge and a common vision, and thus facilitates and promotes communication among them (Booch et al., 2007), (Yourdon, 1989). Treating these models not only as documentation artefacts but also as central artefacts in the software engineering process is referred to as Model Driven Engineering (MDE) (Atkinson & Kühne, 2003), (Stahl & Völter, 2006). One of the areas in which MDE can be applied is the governance of Information Technology. For that, MDE is established on a more abstract level (Wautelet, 2018). Nevertheless, it is not possible to create optimal value from IT without maintaining a balance between optimizing risk levels and resource use, and realizing benefits. Therefore, IT governance should provide good and solid controls to cover the security of information (De Haes & Grembergen, 2008). The core focus of this research will be on developing a model driven ITG framework called InfoSecMoDrIGo, an evolution of the MoDrIGo framework that aims at tackling more ITG challenges and at showing how integrating conceptual modelling with ITG ensures information security (InfoSec).

Date: 11 Oct 2019 → 11 Oct 2023
Keywords: IT governance, Security, model-driven requirement engineering
Disciplines: Data models, Computer system security, Management information systems
Project type: PhD project