Identifying and evaluating risks related to enterprise dependencies: a practical goal-driven risk analysis framework

Paolo Donzelli
Department for Innovation and Technology, Office of the Prime Minister, Via Po 14, 00198 Rome, Italy
E-mail: p.donzelli@governo.it

Roberto Setola*
Complex System & Security Lab., Università CAMPUS Biomedico di Roma, Via E. Longoni, 86 00155 Rome, Italy
E-mail: r.setola@unicampus.it
*Corresponding author

Abstract: This paper suggests a framework for identifying the extent to which an organisation depends on services and resources provided by either external or internal technological infrastructures and for evaluating the corresponding business risks. By combining the advantages provided by a goal-driven organization modelling technique with the analysis capabilities of an infrastructures simulator, the proposed framework provides a valuable managerial support for identifying, analysing, and eventually mitigating risks associated with enterprise dependencies. Its practical application is illustrated in a simplified context using e-government project data.

Keywords: critical infrastructures; goal-based risk analysis; qualitative and quantitative risk assessment; risk identification and mitigation.

Reference to this paper should be made as follows: Donzelli, P. and Setola, R. (2007) ‘Identifying and evaluating risks related to enterprise dependencies: a practical goal-driven risk analysis framework’, Int. J. Risk Assessment and Management, Vol. 7, No. 8, pp.1120–1137.

Biographical notes: Paolo Donzelli is an advisor within the Department of Innovation and Technology of the Italian Prime Minister’s Office and Visiting Senior Research Scientist with the Computer Science Department at the University of Maryland. His research interests include software process improvement, requirements engineering, and dependability modelling and validation.
He received an MSc from the University of Cranfield, UK, and a PhD from the University of Rome Tor Vergata, Italy.

Roberto Setola received a master’s degree in Electronic Engineering (1992) and a PhD in Electronic Engineering and Computer Science (1996) from University of Naples ‘Federico II’. From 1999 he served at the Italian Prime Minister’s Office, and he is currently Assistant Professor of Automatic Control at University CAMPUS Bio-Medico of Rome. He is the technical officer responsible to the Italian Government Working Group on Critical Infrastructure

Copyright © 2007 Inderscience Enterprises Ltd.

1120 Int. J. Risk Assessment and Management, Vol. 7, No. 8, 2007