Business Impact Analysis (BIA) evaluates how cyberattacks affect essential business
processes and IT assets. Traditionally conducted through manual interviews by consultants,
this approach is often inefficient and prone to errors and omissions. In this paper,
we present an automated methodology leveraging process mining to assess the impact
of cybersecurity incidents on business processes. This methodology extracts event
logs from information systems to construct business dependency graphs, quantify impact
propagation across them, and integrate cybersecurity risk inputs from security officers.
Tested on procurement workflows for an international transportation company, and compared
with established baselines as well as the insight and knowledge of the company itself,
our methodology proved to be effective at identifying risks stemming from a cybersecurity
incident without significant labor, as well as uncovering high-risk paths that weren’t
yet identified, resulting in actionable insights. This is an extended and revised
version of this methodology, evaluated with an extensive case study encompassing a
company’s BIA, historical data and expert opinion, first presented in Raptaki (IEEE
Access 12: 194322–194339, 2024).
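
The pipeline summarized above (event log, then dependency graph, then impact propagation) can be sketched as follows. This is an added illustration, not the paper's algorithm: the event log is constructed, and the directly-follows graph and the propagation rule (direct exposure plus frequency-weighted impact inherited from predecessor activities) are assumptions chosen for simplicity.

```python
from collections import defaultdict

# Constructed procurement event log, time-ordered: (case id, activity, IT asset).
EVENT_LOG = [
    ("PO-1", "Create Requisition", "ERP"),
    ("PO-1", "Approve Requisition", "Workflow"),
    ("PO-1", "Send Purchase Order", "EDI"),
    ("PO-1", "Receive Goods", "WMS"),
    ("PO-1", "Pay Invoice", "ERP"),
    ("PO-2", "Create Requisition", "ERP"),
    ("PO-2", "Approve Requisition", "Workflow"),
    ("PO-2", "Send Purchase Order", "Email"),
    ("PO-2", "Receive Goods", "WMS"),
    ("PO-2", "Pay Invoice", "ERP"),
]

def dependency_graph(log):
    """Return directly-follows edge counts and per-activity asset usage counts."""
    edges = defaultdict(int)
    usage = defaultdict(lambda: defaultdict(int))
    last = {}  # last activity seen in each case
    for case, activity, asset in log:
        usage[activity][asset] += 1
        if case in last:
            edges[(last[case], activity)] += 1
        last[case] = activity
    return dict(edges), usage

def impact_scores(log, compromised_asset):
    """Score each activity in [0, 1] for the loss of one IT asset (assumed rule)."""
    edges, usage = dependency_graph(log)
    # Direct exposure: share of an activity's executions that ran on the asset.
    direct = {a: u.get(compromised_asset, 0) / sum(u.values())
              for a, u in usage.items()}
    incoming = defaultdict(int)
    for (_, dst), n in edges.items():
        incoming[dst] += n
    impact = dict(direct)
    # Repeated passes push impact downstream; cycles would only be approximated.
    for _ in range(len(usage)):
        for act in usage:
            inherited = sum(n / incoming[dst] * impact[src]
                            for (src, dst), n in edges.items() if dst == act)
            impact[act] = direct[act] + (1 - direct[act]) * inherited
    return impact

if __name__ == "__main__":
    for asset in ("EDI", "ERP"):
        print(asset, impact_scores(EVENT_LOG, asset))
```

In this constructed log, losing the EDI channel leaves the upstream activities unaffected and half of the downstream executions exposed, while losing the ERP system exposes every activity.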