DOI: 10.4018/IJSSMET.2019100101
International Journal of Service Science, Management, Engineering, and Technology
Volume 10 • Issue 4 • October-December 2019
Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

Deriving Information System Security and Privacy From Value Cocreation Theory: Case Study in the Financial Sector

Christophe Feltus, Luxembourg Institute of Science and Technology, Esch-sur-Alzette, LU

ABSTRACT

Traditionally, the relationship between a company and its providers aims to generate value on the company side in exchange for money. This relationship has been largely investigated through the vector of the value chain. In this article, security and privacy cocreation (SPCC) is investigated as a specialization of value cocreation. Although it is an important research topic, and despite a plethora of research aiming to depict the fundamentals of SPCC, few contributions have appeared so far in the area of a language to support SPCC design and deployment. However, such a language is necessary to describe the elements of the information system, as well as their underlying dependencies. As a result, this article proposes extending an existing enterprise architecture language to support the decision-making process and to allow understanding and analysis of the impacts associated with a change to the system architecture as a whole.

KEYWORDS

ArchiMate, Case study, Design, Enterprise Architecture, Privacy, Security, Value Cocreation

1. INTRODUCTION

All development steps of the information system (IS) involve a plethora of actors from inside and outside the company (e.g., software architects, security providers, or consulting companies), whether, for instance, to define the system requirements, to engineer the software, to test it, or to deploy the appropriate security controls.
Traditionally, the relationship between the company and its providers aims to generate value on the company side in exchange for money. This relationship has been largely investigated through the vector of value exchange and value change. For instance, the monitoring of a bank's information system is often outsourced to a security provider offering a SOC (Security Operation Center) service in exchange for annual fees. In this article, security and privacy are considered a type of value for the company (Tsiakis & Stephanides, 2005), and security and privacy cocreation (SPCC) is investigated as a specialization of value cocreation. Indeed, security and privacy are characteristics of elements of the information system that, when adequately deployed, ensure the stability and reliability of the latter. Although security and privacy cocreation is an important research topic (Prahalad & Ramaswamy, 2004; Hawley et al., 2013; Bennaceur et al., 2016; Garrido-Parez et al., 2016; Vicini et al., 2016), and despite a plethora of research aiming to depict the fundamentals of SPCC, few contributions have been made so far in the area of a language to support a method for SPCC design and deployment. Nevertheless, such a language is necessary to describe and visualize the different elements of the information system, as well as their underlying relationships and dependencies. As a result, the goal of