Saturday, January 15, 2022

Application of Business Analysis techniques for Safety and Security Assurance and Assessment

Abstract


This paper aims to develop a practical approach to applying business analysis techniques to safety and security assurance and assessment. General issues of business analysis applicable in the IT safety and security domain are analyzed. The BABOK Guide describes business analysis knowledge areas, tasks, underlying competencies, techniques, and perspectives on how to approach business analysis. Reasons for implementing business analysis include its support of a requirements management approach aligned with the safety and security life cycle, as well as opportunities to support practical safety and security frameworks. We prioritize the business analysis techniques applicable to the Assurance Case framework and present the results of their application.

Introduction

The Business Analysis (BA) approach is usually defined as the set of processes, rules, guidelines, heuristics, and activities used to perform assurance or assessment of some kind of compliance in a specific context. “A Guide to the Business Analysis Body of Knowledge” (BABOK Guide), issued by the International Institute of Business Analysis (IIBA) for educational purposes, describes BA knowledge areas, tasks, underlying competencies, techniques, and perspectives on how to approach BA. The main goal of business analysis is the practice of enabling change in an enterprise by defining needs and recommending solutions that deliver value to stakeholders.

The core of BA is requirements engineering (RE), the process of defining, documenting, and maintaining requirements in the engineering design process. At the same time, RE is critically important for the information technology (IT) safety and security domain, which requires intensive research to ensure that computer-based systems and applications comply with standards and best practices. Although BA is one of the main trends in IT and software engineering, it is underestimated for safety- and security-critical applications in such areas as oil & gas, energy, aerospace, railway, automotive, and machinery. It is worth stressing the convergence of IT and operational technology (OT) in Industrial Control Systems (ICS) and the Internet of Things (IoT).

This paper aims to define the contribution of BA techniques to the safety and security assurance and assessment of ICS and IoT systems. We analyze the main points of the BA approach that can be applied in the IT safety and security domain. We surveyed the BA techniques available according to the BABOK Guide and compared them with safety and security activities to establish the applicability of BA techniques in safety and security assurance and assessment. We chose the Assurance Case (AC) framework to specify and demonstrate applicable case studies implementing the BA approach.

Literature Review

During our review, we discovered a lack of research in both the common BA approach and the application of BA to safety and security. This means that BA is underestimated as a powerful tool in the IT safety and security domain, and we intend to cover this gap in the rest of the paper.

Some professional publications introduce the profession of business analyst, the common concepts, and the business analysis process. One such book discusses BA in the context of digital technologies and the role and competencies a modern analyst needs. However, such professional publications do not take into account the needs of safety and security. Quite often, the BA approach is related to research with financial statement data, including business strategy analysis, accounting analysis, financial analysis, and prospective analysis.

Another approach in BA-related research is to analyze the institutions using the business anatomy model to identify the underlying causes of the problems observed. Company analysis is an important tool in the improvement of system and software life cycle processes. Researchers identify the case studies based on company analysis, company analysis as a methodology in management research, and the possible recommendations based on analysis.

Many BA-related publications are devoted to business and entrepreneurship education. The assessed education factors include the following: the level of innovation potential of an enterprise; the degree of utilization of business analysis instruments at the enterprise; the level of interconnection between the corporate information systems and business analysis; and the needs of the corporate information systems. Some results indicated that a gap does exist between business and IT students’ skills and competencies and those needed in the job market.

The AC is a structured argument that some system has some properties we desire; that it is safe, reliable, or secure against attack. The University of York developed Goal Structuring Notation (GSN), while Adelard developed Claim, Argument and Evidence (CAE) notation, as well as a software tool Adelard ASCE (Assurance and Safety Case Environment).

Some works in the 2000s broadened the concept of the AC to higher-level system attributes. A research group from the Software Engineering Institute of Carnegie Mellon University (CMU/SEI) proposed this AC application. The report discusses a Dependability Case for communication systems using GSN. This is only a terminological difference, since the approach is identical to the AC. The idea is that if the only dependability or quality attribute of interest is safety, then the Dependability or Quality Case becomes a Safety Case. The same holds for a Security Case, which can be a particular case of a Dependability or Quality Case. This also entails a general concept of the AC as an umbrella for different system attributes including dependability, quality, safety, and security. In addition, the Nimrod Review recommended that Safety Cases be renamed “Risk Cases”.

The CMU/SEI also proposed the Survivability Analysis Framework (SAF), which is a structured view of people, processes, and technology that was developed to help organizations characterize the complexity of multi-system and multi-organizational business processes. By combining SAF and GSN based AC, the strengths and gaps for the survivability of a business process can be described in a graphical and visually compelling form that management, architects, system engineers, software engineers, and users can share.

Certification activity is very close to licensing activity, so it is natural that researchers’ efforts have been directed to the application of the AC for certification goals. Certification is a process that substantiates the compliance of critical software and systems with applicable requirements. With recommended processes intended to support certification, it is easy and clear for duty-holders to organize and plan activities and resources in the development life cycle. The main idea is the integration of the AC regime with existing regulations and practices in certification. For that, practical guidance is required on how to formulate arguments, appropriately select evidence, and critically review the AC.

The paper presents Assurance Based Development (ABD), which is an approach to the simultaneous development of systems and their assurance argumentation, finally represented in the form of an AC. ABD ensures that the techniques and means selected to create a system provide the correct evidence to justify the required confidence. ABD is based on two key concepts: firstly, engineering choices should be driven by the need to produce evidence for the assurance arguments, and, secondly, an argument should be used to document the rationale for believing that the system is fit for use. Such an approach is close to the BA approach.

The safety contracts method is a modification of the ABD approach, since contracts are a way to formalize software development. The paper proposes deriving contracts from fault trees. Such safety contracts guarantee to prevent or minimize the faulty state described by the node. Descriptions of specific safety contracts are implemented in the AC diagram as GSN components. Another branch of ABD is the application of model-based development. The paper is devoted to developing software and the AC in parallel following a model-based technique that combines formal modeling of the system, systematic code generation from the formal model, and measurement-based verification of timing behavior.

A new wave of AC research appeared after critical notes were made in the so-called Nimrod Report published in 2009. It became clear that neither the philosophy literature nor other disciplines that use argument seem to offer a universal theory of knowledge that applies to safety arguments. Normative models of informal argumentation do not offer clear guidance on when an argument should cite evidence rather than appeal to a more detailed argument. Therefore, the improvement of argumentation stimulated many papers devoted to this issue, taking into account that there is no complete agreement on which kind of evidence could be sufficient.

The epistemology-based approach takes into account the study of the nature of knowledge, justification, and the rationality of belief (“What makes justified beliefs really justified?”). The paper hypothesizes that recognition of a set of rules for what counts as sufficient evidence for a given kind of claim under given circumstances would provide developers, assessors, and regulators with a practical means to make justified decisions about how much detail an argument should have and whether an argument is sufficiently compelling.

Eliminative induction was first suggested by Sir Francis Bacon for evaluating confidence in a claim. The idea is that confidence in a hypothesis (or claim) increases as reasons for doubting its truth are identified and eliminated (Baconian confidence). The paper proposes to improve argumentation confidence by converting AC models between different notations. The method starts from argument-based cases (CAE or GSN), which are converted into a set of Toulmin model instances; Hitchcock’s evaluative criteria for solo verbal reasoning are then used to analyze and quantify the Toulmin model instances into a Bayesian Belief Network (BBN); running the BBN yields quantified confidence for each claim of the AC.

The paper surveys how researchers have reasoned about uncertainty in assurance cases. The types of uncertainty are addressed and distinguished between qualitative and quantitative approaches. The qualitative approach is covered by Baconian probability and logical argumentation. The paper introduces assured safety arguments. This structure explicitly separates the safety case argument into two components: a safety argument and an accompanying confidence argument. The safety argument is allowed to talk only in terms of the causal chain of risk reduction and is not allowed to contain general ‘confidence raising’ arguments.

Objective and tasks

Based on the literature review, we recognize some gaps in research related to BA applications for the IT safety and security domain. These gaps consist of a lack of empirical data as well as a lack of a theoretical basis for understanding and researching the importance of BA for safety and security, for analyzing BA techniques and exercises from the point of view of safety and security frameworks, and for improving the coverage and accuracy of compliance criteria related to BA. The objective of this paper is to develop a practical approach to implementing business analysis techniques for safety and security assurance and assessment. To achieve this objective, we perform the following research steps:

  • Firstly, we analyze general issues of BA in the IT safety and security domain, including such key processes as BA planning and monitoring, elicitation and collaboration, requirements lifecycle management, strategy analysis, requirements analysis and design definition, and solution evaluation;

  • Secondly, we define the BA techniques applicable to the AC framework;

  • Finally, we present some practical results of implementing BA activities for the AC framework.


Business Analysis Applicability for Safety and Security Assurance and Assessment

In this section, we analyze the main issues of BA and conclude how they apply to the IT safety and security domain. The core content of the BABOK Guide is composed of business analysis tasks organized into six knowledge areas: BA planning and monitoring, elicitation and collaboration, requirements lifecycle management, strategy analysis, requirements analysis and design definition, and solution evaluation. Following this, we structured all safety and security-related activities into six groups. These process groups are standardized as per the BABOK Guide but updated for safety and security implementation needs. The processes are described in the form of Input/Output diagrams, which also contain the performed tasks connecting inputs and outputs. The reading sequence of entities on the diagrams is left to right and top to bottom.


Safety and Security Planning and Monitoring

The safety and security planning and monitoring process organizes and coordinates the efforts of analysts, engineers, and stakeholders. This process aims to ensure a complete understanding of the context under analysis in order to develop an efficient assurance and assessment approach. The core concept of safety and security planning and monitoring includes the following tasks (see Fig. 1):

Fig. 1. Safety and Security Planning and Monitoring Input/Output Diagram

  • Plan safety and security approach describes the planning from creation or selection of a safety and security implementation methodology to planning the individual activities, tasks, and deliverables;

  • Plan stakeholder engagement describes understanding which stakeholders are relevant to the change, what analysts need from them, what they need from analysts, and what is the best way to collaborate;

  • Plan safety and security governance defines the components that are used to support the governance function of the involved organizations. It helps ensure that decisions are made properly and consistently, and follows a process that ensures decision-makers have the information they need;

  • Plan safety and security information management defines how information developed by participants is captured, stored, and integrated with other information for long-term use;

  • Identify safety and security performance improvements describes managing and monitoring to ensure that commitments are met and continuous learning and improvement opportunities are realized.

Elicitation and Collaboration

The elicitation and collaboration process describes the tasks performed to obtain information from stakeholders and confirm the results. It also describes the communication with stakeholders once any information is assembled. Elicitation is the drawing forth or receiving of information from stakeholders or other sources. It is the main path to discovering requirements and design information and might involve talking with stakeholders directly, researching topics, experimenting, or simply being handed information. Elicitation and collaboration comprise the following tasks (Fig. 2):

Fig. 2. Elicitation and Collaboration Input/Output Diagram

  • Prepare for elicitation involves ensuring that the stakeholders have the information they need to provide and that they understand the nature of the activities they are going to perform;

  • Conduct elicitation describes the work performed to understand stakeholder needs and identify potential solutions that may meet those needs;

  • Confirm elicitation results involves ensuring that stakeholders have a shared understanding of the outcomes of elicitation and that elicited information is recorded appropriately. This task also involves comparing the information received from different sources to look for inconsistencies or gaps;

  • Communicate safety and security information provides stakeholders with the information they need at the time they need it;

  • Manage stakeholder collaboration describes working with stakeholders to engage them in safety and security activities to ensure that valuable outcomes can be delivered.

Requirements Lifecycle Management

The requirements life cycle management process includes the following tasks (see Fig. 3):

Fig. 3. Requirements Lifecycle Management Input/Output Diagram

  • Trace requirements to analyze and maintain the relationships between requirements, design, solution components, and other work products for impact analysis, coverage, and allocation. The purpose of tracing is to ensure that requirements and design at different levels are aligned to one another, and to manage the effects of a change to one level on related requirements;

  • Maintain requirements to ensure that requirements and design are accurate and current throughout the life cycle and to facilitate reuse where appropriate;

  • Prioritize requirements assessing the value, urgency, and risks associated with particular requirements and designs to ensure that analysis and delivery are done on the most important ones at any given time;

  • Assess requirements changes evaluates new and changing requirements to determine if they need to be acted on within the scope of a change;

  • Approve requirements works with stakeholders involved in the governance process to reach approval and agreement on requirements and design.

BA deals with the following levels of requirements:

  • Business requirements are statements of goals, objectives, and outcomes that describe why a change has been initiated. They can apply to the whole of an enterprise, a business domain, or a specific plant and system;

  • User requirements describe the needs of the users that shall be met in order to achieve the business requirements. They may serve as a bridge between business and technical solution requirements;

  • Technical requirements describe the capabilities and qualities of a solution that meets the stakeholder requirements. They provide the appropriate level of detail to allow for the development and implementation of the solution. Technical requirements can be divided into functional and non-functional (quality of service) requirements.
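The three requirement levels above, together with the "trace requirements" task (alignment between levels, coverage, and impact of a change), can be checked mechanically. The following is an added example, not the paper's own code: a small trace matrix in which each user requirement traces to the business requirements it satisfies and each technical requirement traces to user requirements. Requirement ids and texts are constructed for illustration; the coverage, orphan and impact checks are the assumed implementation of the tracing task, not a BABOK-defined API.

```python
"""Added example (not the paper's code): a requirement trace matrix over the three
requirement levels described above (business, user, technical), with the coverage
and impact-analysis checks the 'trace requirements' task asks for. Requirement ids
and texts are constructed for illustration."""

LEVELS = ("business", "user", "technical")   # top to bottom


class TraceMatrix:
    def __init__(self):
        self.reqs = {}    # id -> (level, text)
        self.up = {}      # id -> set of ids one level up that it satisfies

    def add(self, rid, level, text, satisfies=()):
        """Register a requirement; `satisfies` lists the requirements one level
        above that it helps meet (user -> business, technical -> user)."""
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        if rid in self.reqs:
            raise ValueError(f"duplicate requirement id {rid}")
        self.reqs[rid] = (level, text)
        self.up[rid] = set()
        for parent in satisfies:
            if parent not in self.reqs:
                raise ValueError(f"{rid} traces to unknown requirement {parent}")
            if LEVELS.index(self.reqs[parent][0]) != LEVELS.index(level) - 1:
                raise ValueError(f"{rid} ({level}) must trace to the level directly above it")
            self.up[rid].add(parent)
        return self

    def down(self, rid):
        """Requirements one level below that trace to `rid`."""
        return {c for c, parents in self.up.items() if rid in parents}

    def uncovered(self):
        """Business and user requirements that nothing below satisfies: a coverage gap."""
        return sorted(r for r, (lvl, _) in self.reqs.items()
                      if lvl != "technical" and not self.down(r))

    def orphans(self):
        """User and technical requirements that satisfy nothing above them: work
        with no stated business or user justification."""
        return sorted(r for r, (lvl, _) in self.reqs.items()
                      if lvl != "business" and not self.up[r])

    def _closure(self, rid, step):
        # transitive walk in one direction, starting from (but excluding) rid
        seen, frontier = set(), [rid]
        while frontier:
            for n in step(frontier.pop()):
                if n not in seen:
                    seen.add(n)
                    frontier.append(n)
        return sorted(seen)

    def impact(self, rid):
        """Impact analysis for a change to `rid`: everything it ultimately satisfies
        (may no longer be met) and everything derived from it (may need rework)."""
        return {"upstream": self._closure(rid, lambda r: self.up[r]),
                "downstream": self._closure(rid, self.down)}


def build_sample_matrix():
    """Constructed trace matrix for an ICS remote-access change. B2 has no user
    requirement under it and T3 traces to nothing, so both checks find something."""
    m = TraceMatrix()
    m.add("B1", "business", "Unauthorized remote access to the control network is prevented")
    m.add("B2", "business", "Plant availability is maintained during maintenance windows")
    m.add("U1", "user", "Operators authenticate with a second factor before remote access", ["B1"])
    m.add("U2", "user", "Engineering changes are possible only from the control network", ["B1"])
    m.add("T1", "technical", "Remote access jump host enforces multi-factor authentication", ["U1"])
    m.add("T2", "technical", "Zone firewall denies inbound sessions from the corporate network", ["U2"])
    m.add("T3", "technical", "Access logs are retained for 90 days")
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print("uncovered:", matrix.uncovered())
    print("orphans:", matrix.orphans())
    print("impact of T1:", matrix.impact("T1"))
```

The level check in `add` enforces the "bridge" role of user requirements: a technical requirement may only trace upward through a user requirement, never directly to a business requirement, so any shortcut in the trace is rejected at entry rather than discovered during assessment.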

Strategy Analysis

Firstly, we consider opportunities to establish a strategy for safety and security implementation for critical systems. Strategy defines the most effective way to apply the capabilities of a system to reach the desired set of safety and security goals and objectives. Strategies may exist for the entire plant site, for a system, for a programmable part of a system, and for a software application. Strategy analysis provides context to requirements analysis and design definition. Strategy analysis should be performed as needs for safety and security improvement are identified. Fig. 4 illustrates the spectrum of value as business analysis activities progress from strategy analysis through requirements and design development to the actual value of the implemented solution.

Fig. 4. Business Analysis value proposition for IT safety and security domain

Strategy defines the most effective way to apply the capabilities of an organization or a development team to reach the desired set of goals and objectives. Strategy analysis focuses on defining the future and transition states needed to address the business needs as well as safety and security needs based on strategic thinking. The strategy analysis process includes the following tasks (see Fig. 5):

Fig. 5. Strategy Analysis Input/Output Diagram

  • Analyze current state understands the business need and how it relates to the way the critical site with ICS or IoT system performs today;

  • Define future state sets objectives that demonstrate that the business need is satisfied and defines what parts need to change in order to meet those objectives;

  • Assess risks understands the uncertainties around the change, considers the effect those uncertainties may have on the ability to deliver value through a change, and recommends actions to address risks where appropriate;

  • Define change strategy performs a gap analysis between current and future state, assesses options for achieving the future state, and recommends the best approach for reaching the future state.

Requirements Analysis and Design Definition

The requirements analysis and design definition describe the tasks that are performed to structure and organize requirements discovered during elicitation activities including the following tasks (Fig. 6):

Fig. 6. Requirements Analysis and Design Definition Input/Output Diagram

  • Specify and model requirements describes a set of requirements or design in detail using analytical techniques;

  • Verify requirements ensures that a set of requirements or design has been developed in enough detail to be usable by a particular stakeholder, is internally consistent, and is of high quality;

  • Validate requirements ensures that a set of requirements or design delivers business value and supports the organization's goals and objectives;

  • Define requirements architecture structures all requirements and design so that they support the overall business purpose for a change and that they work effectively as a cohesive whole;

  • Define design options identifies, explores, and describes different possible ways of meeting the needs;

  • Analyze value and potential solution assesses the business value associated with a potential solution and compares different options.

Solution Evaluation

The solution evaluation process describes the tasks fulfilled to assess the performance of and value delivered by a solution in use by the enterprise and to recommend removal of barriers or constraints that prevent the full realization of the value. This process includes the following tasks (Fig. 7):

Fig. 7. Solution Evaluation Input/Output Diagram

  • Measure solution performance determines the most appropriate way to assess the performance of a solution, including how it aligns with enterprise goals and objectives, and performs the assessment;

  • Analyze performance metrics examines information regarding the performance of a solution in order to understand the value it delivers to the enterprise and to stakeholders and determines whether it is meeting current business needs;

  • Assess solution limitations investigates issues within the scope of a solution that may prevent it from meeting current business needs;

  • Assess safety and security limitations investigates issues outside the scope of a solution that may be preventing the enterprise from realizing the full value that a solution is capable of providing;

  • Recommend actions for safety and security identifies and defines actions the enterprise can take to increase safety and security with the value that can be delivered by a solution.


Business Analysis Techniques Applicable for the Assurance Case Framework

Business analysts perform the following main activities during IT projects:

  • Pre-sales, which includes activities related to preliminary negotiations with a potential client, communicating generic information about the future project scope and price;

  • Discovery, which includes an initial project phase related to eliciting, analyzing, and documenting requirements through the execution of different kinds of BA exercises. BA discovery is the most important activity for IT projects. This stage is relatively independent of the business environment context and can be implemented for safety- and security-critical ICS and IoT systems. Researchers and engineers involved in IT safety and security projects can perform discovery activities depending on the system context and requirements level;

  • The main project activities, usually managed in accordance with agile methodologies, including backlog prioritization and grooming, communicating requirements to the project team, and organizing User Acceptance Tests to get feedback from stakeholders;

  • Internal company activities directed at business process management and improvement of company processes, which can be described, for example, in the form of Business Process Modeling Notation (BPMN) diagrams.

The IT safety and security domain has some specific issues in comparison with usual BA activities. Safety and security activities can be implemented with special frameworks, for example the AC. In this and the next section, we demonstrate the application of BA techniques to the AC framework. The AC framework is decomposed into tasks, and each task is supported with BA techniques. The results are presented in Table 1, including the name of the technique, its description, and its applicability to specific activities of the AC framework. These BA techniques are extracted from the BABOK Guide.

The list of BA techniques in Table 1 is not comprehensive and may be extended depending on the safety and security framework. For example, the focus for system or software engineering can be shifted to details of high-level architecture design, third-party integration analysis, or database design. The BA techniques most applicable to the IT safety and security domain are risk analysis and management, functional decomposition, document analysis, and item tracking. Priorities can also be updated depending on the specific objectives of the safety and security framework.

Table 1. Business Analysis Techniques for the Assurance Case Framework

| Name | Description | Applicability for AC |
|---|---|---|
| Scope modeling | Define the nature of one or more limits or boundaries and place elements inside or outside those boundaries | Decomposition of requirements to the system |
| Risk analysis and management | Identify areas of uncertainty that could negatively affect value, analyze and evaluate those uncertainties, and develop ways of dealing with the risks | Decomposition of requirements to the system |
| Acceptance and evaluation criteria | Define the requirements, outcomes, or conditions that shall be met, and assess a set of requirements in order to choose between multiple solutions | Templates of structured text |
| Concept modeling | Organize the business vocabulary needed to consistently communicate the knowledge of a domain | Templates of structured text |
| Decision analysis | Assess a problem and possible decisions in order to determine the value of alternative outcomes | An algorithm of the structured argumentation |
| Functional decomposition | Manage complexity and reduce uncertainty by breaking down processes, systems, functional areas, or deliverables into their simpler constituent parts and allowing each part to be analyzed independently | An algorithm of the structured argumentation |
| Document analysis | Elicit information, including contextual understanding and requirements, by examining available materials | Specified structured text for requirements |
| Item tracking | Capture and assign responsibility for issues that pose an impact on the solution | Specified structured text for requirements |
| Non-functional requirements | Examine the requirements for a solution that define how well the functional requirements must perform | The AC requirements graph |
| Root cause analysis | Identify and evaluate the underlying causes of a problem | The AC requirements graph |




Business Analysis Techniques Application for Assurance Case

In this section, we demonstrate some artifacts and activities related to the AC framework, which are supported with BA techniques as per BABOK Guide (see Table 1). Decomposition of requirements to the system was performed with scope modeling as well as risk analysis and management. A hierarchy of requirements creates the structure of the AC in the form of a pyramid. In most regulatory requirements for control systems, the structure of requirements includes 3 or 4 levels (Fig. 8).

Zero level is a meta-goal according to which the control system must meet all safety requirements. At the first level, global safety goals are achieved, for example, according to functional safety requirements:

  • The safety and security management system shall achieve all safety objectives;

  • Safety and security life cycle should be implemented during system development;

  • A sufficient set of measures against random failure must be applied to the system;

  • A sufficient set of measures against systematic and software failures, including cyberattack defense, must be applied to the system.

Fig. 8. Hierarchy of Requirements with a Relation to Argumentation Steps

The structure of the links between the zero, first, and second levels is a tree that is transparent enough and does not require detailed elaboration of the arguments, since these arguments are typical and well tested. However, structured arguments are required when moving from the second level to the lower levels. The requirements of the lower levels may be either composite (i.e., including several separate requirements) or separate. If all requirements are separate, this level becomes the third, and it is then directly related to the subgroups of requirements. Fig. 7 combines the overall structure of the AC and the algorithm for constructing structured arguments. Such arguments should be developed for the second, third, and fourth (if any) levels. For the lowest level, besides the Reasoning Step (RS), the Evidential Step (ES) should also be applied. Since it is not appropriate to add detailed information about the content of the arguments to the graph structure, each node of the AC, starting with the second level, is marked with an argument description using so-called structured text (ST). Note that the AC is not a strict tree, because the same evidence can support different arguments or subgoals.


Templates of structured text have been developed with the support of acceptance and evaluation criteria as well as concept modeling. The structured text has a template with a set of fields that are denoted by service words that correspond to the AC components. We need to provide two templates, for the RS and the ES (Fig. 9, 10).


Reasoning Step
  Context: Connection with the Assurance Case graph in relation to the higher and lower levels
  Docs: Technical documents related to arguments and evidence
  Claim: Goal related to an argument
  Subclaims: Subgoals demonstrating achievement of the goal (Claim)
  Justification: Structure and content of the subgoals (Subclaims)
END Reasoning Step

Fig. 9. A Template of Structured Text for a Reasoning Step

Evidential Step
  Context: Connection with the Assurance Case graph in relation to the higher and lower levels
  Docs: Technical documents related to arguments and evidence
  Claim: Subclaims from the Reasoning Step become the Claim
  Evidence: Proofs that support achievement of the Claim
  Justification: Structure and content of the Evidence
END Evidential Step

Fig. 10. A Template of Structured Text for an Evidential Step

Moving forward, we can perform the rest of the activities of the AC framework, which are supported with BA techniques, including the development of an algorithm of the structured argumentation, specification of structured text for safety and security requirements, and drawing of the AC requirements graph.
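The requirements hierarchy of Fig. 8 and the RS/ES templates of Fig. 9 and 10 together define a small data model, and the properties stated above (levels counted from the meta-goal, a Reasoning Step for every non-leaf node, an Evidential Step at the lowest level, evidence that may be shared so the graph is a DAG rather than a strict tree) can be checked over it. The following is an added example and not the paper's or any tool's code: a minimal assurance-case model that renders a node as structured text in the template layout and reports lowest-level claims left without evidence and evidence items reused across subgoals. Claim ids (G0, G1, ...), titles, evidence ids (E1, ...) and the `Step`/`AssuranceCase` classes are constructed for this illustration.

```python
"""Added example (not the paper's code): a small model of an Assurance Case built
from the Reasoning Step (RS) and Evidential Step (ES) structured-text templates,
with checks for the properties the text describes. Claim ids, titles and
evidence ids are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field

RS, ES = "Reasoning Step", "Evidential Step"


@dataclass
class Step:
    # One structured-text node: an RS (claim -> subclaims) or an ES (claim -> evidence)
    kind: str          # RS or ES
    claim: str
    supports: list     # subclaim ids for an RS, evidence ids for an ES
    context: str = ""
    docs: list = field(default_factory=list)
    justification: str = ""


class AssuranceCase:
    def __init__(self, root, titles):
        self.root = root            # level-0 meta-goal
        self.titles = dict(titles)  # claim id -> claim text
        self.steps = {}             # claim id -> Step

    def add(self, step):
        if step.claim in self.steps:
            raise ValueError(f"claim {step.claim} already has a step")
        self.steps[step.claim] = step
        return self

    def levels(self):
        """Level of each claim reachable from the meta-goal; a subgoal shared by two
        parents keeps its first level, so the AC is a DAG rather than a strict tree."""
        depth, queue = {self.root: 0}, deque([self.root])
        while queue:
            node = queue.popleft()
            s = self.steps.get(node)
            for child in (s.supports if s and s.kind == RS else []):
                if child not in depth:
                    depth[child] = depth[node] + 1
                    queue.append(child)
        return depth

    def unsupported_claims(self):
        """Reachable claims with neither an RS nor an ES: the argument ends there
        without evidence, which an assessor would record as a gap."""
        return sorted(c for c in self.levels() if c not in self.steps)

    def shared_evidence(self):
        """Evidence cited by more than one claim. Allowed, but worth review,
        since one weak evidence item then undermines several subgoals."""
        users = {}
        for s in self.steps.values():
            if s.kind == ES:
                for ev in s.supports:
                    users.setdefault(ev, []).append(s.claim)
        return {ev: sorted(cs) for ev, cs in users.items() if len(cs) > 1}

    def render(self, claim):
        """Structured text for one node, field by field as in the templates."""
        s = self.steps[claim]
        if s.kind == RS:
            label, items = "Subclaims", [f"{c}: {self.titles.get(c, c)}" for c in s.supports]
        else:
            label, items = "Evidence", list(s.supports)
        fields = [("Context", s.context), ("Docs", ", ".join(s.docs)),
                  ("Claim", f"{claim}: {self.titles.get(claim, claim)}"),
                  (label, "; ".join(items)), ("Justification", s.justification)]
        return "\n".join([s.kind] + [f"  {k}: {v}" for k, v in fields] + [f"END {s.kind}"])


def build_sample_case():
    """Constructed case: meta-goal G0, the four first-level goals listed in the
    text, a few lower-level claims, and one claim (G4.2) deliberately left open."""
    titles = {
        "G0": "The control system meets all safety and security requirements",
        "G1": "The management system achieves all safety objectives",
        "G2": "A safety and security life cycle is implemented during development",
        "G3": "Sufficient measures against random failures are applied",
        "G4": "Sufficient measures against systematic and software failures are applied",
        "G1.1": "Safety and security roles are assigned",
        "G1.2": "Safety objectives are tracked to closure",
        "G4.1": "Software failures are detected and handled",
        "G4.2": "Cyberattack defenses are in place",
    }
    ac = AssuranceCase("G0", titles)
    ac.add(Step(RS, "G0", ["G1", "G2", "G3", "G4"], "Level 0 meta-goal",
                ["Safety plan"], "Regulatory structure of requirements"))
    ac.add(Step(RS, "G1", ["G1.1", "G1.2"], "Level 1", ["Safety manual"],
                "Management system split by activity"))
    ac.add(Step(ES, "G1.1", ["E1"], "Level 2, lowest", ["Org chart"], "Approved roles"))
    ac.add(Step(ES, "G1.2", ["E2"], "Level 2, lowest", ["Issue register"], "Item tracking"))
    ac.add(Step(ES, "G2", ["E3"], "Level 1, lowest", ["Life cycle plan"], "Phase reviews"))
    ac.add(Step(ES, "G3", ["E4"], "Level 1, lowest", ["FMEA report"], "Failure analysis"))
    ac.add(Step(RS, "G4", ["G4.1", "G4.2"], "Level 1", ["Software safety plan"],
                "Systematic failures split by cause"))
    ac.add(Step(ES, "G4.1", ["E2", "E5"], "Level 2, lowest", ["Test report"],
                "Fault injection tests; issue register reused"))
    return ac


if __name__ == "__main__":
    case = build_sample_case()
    print(case.render("G4.1"))
    print("unsupported claims:", case.unsupported_claims())
    print("shared evidence:", case.shared_evidence())
```

Running the sample reports G4.2 as the one claim with no step behind it and E2 as evidence shared by G1.2 and G4.1; the rendered node for G4.1 is laid out exactly as the Evidential Step template, so the same model can feed both the AC graph and the structured-text descriptions attached to its nodes.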


Conclusions

In this paper, we obtained the following results. The general issues of the BABOK Guide have been analyzed. The core content of the BABOK is composed of business analysis tasks organized into six knowledge areas: BA planning and monitoring, elicitation and collaboration, requirements lifecycle management, strategy analysis, requirements analysis and design definition, and solution evaluation. The Business Analysis Core Concept Model (BACCM) defines a conceptual framework for the business analysis profession. The six core concepts in the BACCM are: change, need, solution, stakeholder, value, and context.


Reasons for implementing business analysis in the IT safety and security domain include its support of a requirements management approach aligned with the safety and security life cycle, as well as opportunities to support practical safety and security frameworks. We prioritized the business analysis techniques applicable to the Assurance Case framework and presented the results of their application.


One more important use of BA techniques is in IT education. Reasons for BA learning include its support of the case method approach with project-based learning as well as the development of students’ hard and soft skills. The BABOK provides evidence that BA learning and training support the development of such hard skills as analytical thinking and problem-solving, business knowledge, and tools and technology knowledge.