Calculation of COBIT Metrics Using a Formal Ontology

Andreas Textor, Distributed Systems Lab, RheinMain University of Applied Sciences, Unter den Eichen 5, D-65195 Wiesbaden, Germany, andreas.textor@hs-rm.de
Kurt Geihs, Distributed Systems, University of Kassel, Wilhelmshöher Allee 73, D-34121 Kassel, Germany, geihs@uni-kassel.de

978-3-901882-76-0 ©2015 IFIP

Abstract—For enterprises, it is important to know how the IT infrastructure contributes to the business goals that have been set. The COBIT IT governance framework provides a high-level view of how this can be achieved. However, COBIT provides no machine-readable model that allows its entities (processes, goals, actions, metrics, etc.) to be referenced. In this paper, we present an approach for creating a formal model of COBIT using an ontology. The COBIT ontology is enhanced with a formalization of metrics and with selection rules and mappings that calculate metric values at runtime from data in existing systems. The calculated metric values are then inserted into the COBIT ontology and can be used for dynamic management decisions. The paper describes the modeling of the COBIT ontology and the corresponding runtime system.

I. INTRODUCTION

For enterprises, it is not only important to have a working IT infrastructure that supports the core business, but also to know how the IT infrastructure contributes to the specified business goals. The creation and maintenance of processes and structures that ensure the effective and efficient use of IT in an organization, so that it achieves its business goals, is known as IT governance. According to Johannsen and Goeken [1], IT governance encompasses business-IT alignment, compliance, performance measurement, resource management and risk management. As IT governance is a part of business management, metrics are often used to measure the success of IT governance.

While IT governance is concerned with the use of IT to achieve higher-level goals (the what), IT management focuses on the planning and organization of IT resources (the how). Here, given requirements are implemented. To ensure proper functioning, measurable parameters of running systems are monitored. A number of standards, tools and models exist for IT monitoring that can read, aggregate and visualize data about the systems or inform responsible parties about threshold violations.

The well-known IT governance framework COBIT [2] models relationships between the different layers of abstraction, beginning top-down with business goals, their relationships to business processes, and then down to IT processes and their metrics. The definition of relations between IT processes and measurable IT monitoring data is not part of the framework, because this goes beyond the goals of IT governance. On the other hand, neither is it the duty of IT management or monitoring tools to provide a mapping to governance models. Yet such a relationship is required in order to efficiently fulfil three goals.

Firstly, IT should not appear as a black box to management. To enable qualified decisions, an understanding beyond the mere existence of IT systems is necessary. Analysis and reporting should be able to make use of the relations between technical systems, IT processes and the business processes that depend on the systems. When such relations are defined in a formal (i.e., machine-readable) fashion, many questions can be answered without manual processing. For example, it is possible to automatically and exactly determine which financial resources are required to keep the IT infrastructure supporting a certain business process running.

Secondly, IT governance key figures that can be derived from IT monitoring data should be calculated automatically and presented in a suitable fashion to management, e.g., the failure rate of services that support certain business processes, including the root cause if necessary.

Thirdly, approaches for automation are already state of the art on a technical level, e.g., self-management and other self-X properties of autonomic computing. Approaches for the formal description of business rules also exist, e.g., Semantics of Business Vocabulary and Rules (SBVR), specified by the Object Management Group (OMG) [3]. What is missing is a formalism (and implementation) that bridges IT governance and IT monitoring; once such a bridge is available, rules and queries can be defined that refer to both technical and non-technical entities. For example, a rule referring only to technical entities could automatically migrate services or virtual machines if storage runs low or CPU thresholds are exceeded. If rules can also refer to the relevant non-technical entities, services could additionally be migrated when related Service Level Agreements (SLAs) cannot be fulfilled, or switched off to save energy when it is known that the business processes they support no longer require them.

To achieve such a bridge, a formal meta model is required that is flexible and expressive enough to allow different domains, both technical and non-technical, to be modeled separately and then allows concepts of the different models to be connected. Furthermore, as domains can be modeled by different parties and updated standards and mappings appear, adding and connecting new models must be possible without changing existing ones. These requirements can be satisfied by ontology-based models. Then, ontologies of the relevant domains are needed. Ontologies formally describe the entities, types and properties of a domain.
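The following added example (not code from the paper or from its runtime system) illustrates the bridge described above in miniature: a governance model and a monitoring model are kept as two separately maintained sets of triples, joined only by the `gov:supportedBy` and `mon:runsOn` relations; a governance metric (failure rate per service, grouped by the business process it supports) is derived from the monitoring probes; and three rules then use technical entities only, technical plus non-technical entities, and non-technical entities only. All prefixes (`bp:`, `svc:`, `vm:`, `sla:`, `probe:`), predicate names and data values are constructed for the example, and the in-memory `Graph` class stands in for an OWL/RDF store and SPARQL or rule engine.

```python
# Constructed example: two domain models as (subject, predicate, object) triples.
# Domain 1: governance (business processes, supporting services, SLAs).
GOVERNANCE = [
    ("bp:OrderProcessing", "rdf:type", "cobit:BusinessProcess"),
    ("bp:OrderProcessing", "gov:active", "true"),
    ("bp:OrderProcessing", "gov:supportedBy", "svc:Shop"),
    ("bp:OrderProcessing", "gov:supportedBy", "svc:Payment"),
    ("bp:Archiving", "rdf:type", "cobit:BusinessProcess"),
    ("bp:Archiving", "gov:active", "false"),
    ("bp:Archiving", "gov:supportedBy", "svc:Archive"),
    ("svc:Shop", "gov:hasSLA", "sla:Shop"),
    ("sla:Shop", "sla:maxFailureRate", "0.1"),
    ("svc:Payment", "gov:hasSLA", "sla:Payment"),
    ("sla:Payment", "sla:maxFailureRate", "0.1"),
]

# Domain 2: monitoring (hosts, CPU load, availability probes), modeled separately.
MONITORING = [
    ("svc:Shop", "mon:runsOn", "vm:web01"),
    ("svc:Payment", "mon:runsOn", "vm:pay01"),
    ("svc:Archive", "mon:runsOn", "vm:arc01"),
    ("vm:web01", "mon:cpuLoad", "0.40"),
    ("vm:pay01", "mon:cpuLoad", "0.95"),
    ("vm:arc01", "mon:cpuLoad", "0.05"),
]


def probe_triples(service, statuses):
    """Expand a list of constructed probe results into (probe, target/status) triples."""
    out = []
    for n, status in enumerate(statuses):
        probe = f"probe:{service.split(':')[1]}-{n}"
        out += [(probe, "mon:target", service), (probe, "mon:status", status)]
    return out


MONITORING += probe_triples("svc:Shop", ["ok", "ok", "ok", "fail"])
MONITORING += probe_triples("svc:Payment", ["ok", "ok", "ok", "ok"])
MONITORING += probe_triples("svc:Archive", ["ok", "ok"])


class Graph:
    """Tiny in-memory triple store; a stand-in for an OWL/RDF store (assumption)."""

    def __init__(self, *triple_sets):
        self.triples = set()
        for triples in triple_sets:
            self.triples.update(triples)

    def objects(self, subject, predicate):
        return sorted(o for s, p, o in self.triples if s == subject and p == predicate)

    def subjects(self, predicate, obj):
        return sorted(s for s, p, o in self.triples if p == predicate and o == obj)


GRAPH = Graph(GOVERNANCE, MONITORING)


def failure_rate(g, service):
    """Governance metric derived from monitoring data: failed probes / all probes."""
    probes = g.subjects("mon:target", service)
    if not probes:
        return None  # no monitoring data: the metric is undefined, not zero
    failed = sum(1 for p in probes if "fail" in g.objects(p, "mon:status"))
    return failed / len(probes)


def process_failure_report(g):
    """Failure rate of every service, grouped by the business process it supports."""
    return {
        bp: {svc: failure_rate(g, svc) for svc in g.objects(bp, "gov:supportedBy")}
        for bp in g.subjects("rdf:type", "cobit:BusinessProcess")
    }


def sla_violated(g, service):
    """Joins a governance entity (the SLA) with monitoring data (the probes)."""
    rate = failure_rate(g, service)
    if rate is None:
        return False
    for sla in g.objects(service, "gov:hasSLA"):
        for limit in g.objects(sla, "sla:maxFailureRate"):
            if rate > float(limit):
                return True
    return False


def derive_actions(g, cpu_threshold=0.9):
    """Evaluate three rules over the joined models; returns (action, service, reason)."""
    actions = []
    for svc in sorted({o for _, p, o in g.triples if p == "gov:supportedBy"}):
        hosts = g.objects(svc, "mon:runsOn")
        processes = g.subjects("gov:supportedBy", svc)
        # Rule 1, technical entities only: a host exceeds the CPU threshold.
        if any(float(l) > cpu_threshold for h in hosts for l in g.objects(h, "mon:cpuLoad")):
            actions.append(("migrate", svc, "cpu threshold exceeded"))
        # Rule 2, technical plus non-technical entities: the SLA cannot be met.
        if sla_violated(g, svc):
            actions.append(("migrate", svc, "SLA failure rate exceeded"))
        # Rule 3, non-technical entities: no active business process needs the service.
        if processes and all("true" not in g.objects(bp, "gov:active") for bp in processes):
            actions.append(("switch_off", svc, "no active business process depends on it"))
    return actions


if __name__ == "__main__":
    print(process_failure_report(GRAPH))
    for action in derive_actions(GRAPH):
        print(*action)
```

Adding a new domain (say, a cost model) means adding triples with a new prefix and one joining predicate; the existing governance and monitoring triples and the rules over them stay untouched, which is the decoupling the paper asks of the meta model.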