Article Preview
Top1. Introduction
All development steps of the information system (IS) involves a plethora of actors from inside and from outside the company (e.g., software architect, security providers, or consulting company), should it be for instance, to define the system requirements, to engineer the software, to test it or to deploy the appropriate security controls. Traditionally, the relationship between the company and its providers have for objective to generate value at the company side in exchange of money. This relationship has been largely investigated through the vector of value exchange and value change. For instance, to monitoring of a bank information system is often outsourced to security provider offering a SOC (Security Operation Center) service in exchange of annual fees.
In this article, security and privacy are considered a type of value for the company (Tsiakis & Stephanides (2005)) and security and privacy cocreation (SPCC) is investigated as a specialization of value cocreation. Indeed, security and privacy are characteristics of elements of the information system that, when adequately deployed, ensure the stability and reliability of the latter. Although security and privacy cocreation is an important research topic (Prahalad & Ramaswamy (2004), Hawley et al. (2013), Bennaceur et al. (2016), Garrido-Parez et al. (2016), Vicini et al. (2016)), and despite a plethora of research aiming at depicting the fundamental of SPCC, few contributions have been poured until now in the area of language to support a method for SPCC design and deployment. Nevertheless, such a language is necessary to describe and to visualize of different elements of the information system, as well as their underlying relationships and dependencies. As a result, the goal of that language is to support the process of decision making and to allow understanding and analyzing the impacts associated to a change of the system architecture on the whole IS security and privacy.
Therefore, we propose an innovative approach aiming at extending an existing enterprise architecture language (Josey et al. (2016)) to support and to express security and privacy cocreation. ArchiMate is an open and independent language which supports the description, analysis and visualization of architecture in an unambiguous way. Moreover, ArchiMate proposes two extension mechanisms that allow extending the model and the language to various field of interest like the IS governance or the risk analysis (Grandry et al. (2013)). In that context, ArchiMate appears to be appropriate as a language to express the value cocreation, and by the way, the security and privacy cocreation.
To illustrate the designed language extension, a case study related to the development of surety and privacy in the financial sector is proposed. The first part of this case study illustrates the “traditional” creation of security associated to the outsourcing, by a bank, of the archives of its customers’ data to a datacenter. The second part of the case study illustrates the cocreation of security and privacy between the bank and a security provider. Indeed, because both companies have been collaborating for a long time, the security provider has good knowledge of the bank’s information system. For that reason, the bank has decided to outsource the development of privacy management module of the back office software to that security provider. Both have hence started to cooperate to design the privacy improvement service of the customers and therefore the bank has agreed to give information about its information system (architecture, functions, etc.) to the security provider. In turn, the latter enhances its offer of services and thereby stabilizes its own business. The enhancement is possible as a result of the bank’s feedback.
Figure 1, modeled with the e3value language (Gordijn et al., 2000), illustrates the exchange of value in and between the three stakeholders (blue links).
Figure 1. Value, security and privacy cocreation case study summary - e3value model