Pontus Johnson
Royal Institute of Technology
Publication
Featured research published by Pontus Johnson.
Information Systems Frontiers | 2007
Pontus Johnson; Robert Lagerström; Per Närman; Mårten Simonsson
The discipline of enterprise architecture advocates the use of models to support decision-making on enterprise-wide information system issues. In order to provide such support, enterprise architecture models should be amenable to analyses of various properties, as e.g. the level of enterprise information security. This paper proposes the use of a formal language to support such analysis. Such a language needs to be able to represent causal relations between, and definitions of, various concepts as well as uncertainty with respect to both concepts and relations. To support decision making properly, the language must also allow the representation of goals and decision alternatives. This paper evaluates a number of languages with respect to these requirements, and selects influence diagrams for further consideration. The influence diagrams are then extended to fully satisfy the requirements. The syntax and semantics of the extended influence diagrams are detailed in the paper, and their use is demonstrated in an example.
Enterprise Distributed Object Computing | 2007
Pontus Johnson; Erik Johansson; Teodor Sommestad; Johan Ullberg
The discipline of enterprise architecture advocates the use of models to support decision-making on enterprise-wide information system issues. In order to provide such support, enterprise architecture models should be amenable to analyses of various properties, as e.g. the availability, performance, interoperability, modifiability, and information security of the modeled enterprise information systems. This paper presents a software tool for such analyses. The tool guides the user in the generation of enterprise architecture models and subjects these models to analyses resulting in quantitative measures of the chosen quality attribute. The paper describes and exemplifies both the architecture and the usage of the tool.
Computers & Security | 2010
Teodor Sommestad; Mathias Ekstedt; Pontus Johnson
Information system security risk, defined as the product of the monetary losses associated with security incidents and the probability that they occur, is a suitable decision criterion when considering different information system architectures. This paper describes how probabilistic relational models can be used to specify architecture metamodels so that security risk can be inferred from metamodel instantiations. A probabilistic relational model contains classes, attributes, and class-relationships. It can be used to specify architectural metamodels similar to class diagrams in the Unified Modeling Language. In addition, a probabilistic relational model makes it possible to associate a probabilistic dependency model to the attributes of classes in the architectural metamodel. This paper proposes a set of abstract classes that can be used to create probabilistic relational models so that they enable inference of security risk from instantiated architecture models. If an architecture metamodel is created by specializing the abstract classes proposed in this paper, the instantiations of the metamodel will generate a probabilistic dependency model that can be used to calculate the security risk associated with these instantiations. The abstract classes make it possible to derive the dependency model and calculate security risk from an instance model that only specifies assets and their relationships to each other. Hence, the person instantiating the architecture metamodel is not required to assess complex security attributes to quantify security risk using the instance model.
IEEE Software | 2012
Pontus Johnson; Mathias Ekstedt; Ivar Jacobson
Darwin's theory of natural selection, Maxwell's equations, the theory of demand and supply; almost all established academic disciplines place great emphasis on what their core theory is. This is not, however, the case in software engineering. What is the reason behind the software engineering community's apparent indifference to a concept that is so important to so many others?
Information Systems Management | 2010
Mårten Simonsson; Pontus Johnson; Mathias Ekstedt
There are several best-practice-based frameworks that detail effective arrangements for the internal structure of an IT organization. Although it is reasonable that there is a correlation between the quality of the internal structure of an IT organization – labeled IT governance maturity – and the external impact of the same IT organization on the business – labeled IT governance performance – this has not been validated. The results, based on 35 case studies, confirm the hypotheses of a positive correlation between IT governance maturity and IT governance performance. Among the IT processes described in 34 references, the internal structure of the IT organization, clearly defined organizational structures and relationships, mature quality management, and cost allocation show the strongest positive correlation to IT governance performance. The maturity of project management and service level management, as well as performance and capacity management, show almost no correlation to IT governance performance. The findings can be used to improve current frameworks for IT governance.
Hawaii International Conference on System Sciences | 2009
Teodor Sommestad; Mathias Ekstedt; Pontus Johnson
To facilitate rational decision making regarding cyber security investments, decision makers need to be able to assess expected losses before and after potential investments. This paper presents a model based assessment framework for analyzing the cyber security provided by different architectural scenarios. The framework uses the Bayesian statistics based Extended Influence Diagrams to express attack graphs and related countermeasures. In this paper it is demonstrated how this structure can be captured in an
Ubiquitous Computing | 2010
Robert Lagerström; Pontus Johnson; David Höök
Enterprise architecture (EA) models can be used in order to increase the general understanding of enterprise systems and to perform various kinds of analysis. This paper presents instantiated architectural models based on a metamodel for enterprise systems modifiability analysis, i.e. for assessing the cost of making changes to enterprise-wide systems. The instantiated architectural models detailed are based on 21 software change projects conducted at four large Nordic companies. Probabilistic relational models (PRMs) are used for formalizing the EA analysis approach. PRMs enable the combination of regular entity-relationship modeling aspects with means to perform enterprise architecture analysis under uncertainty. The modifiability metamodel employed in the analysis is validated with survey and workshop data (in total 110 experts were surveyed) and with the data collected in the 21 software change projects. Validation indicates that the modifiability metamodel contains the appropriate set of elements. It also indicates that the metamodel produces estimates within a 75% accuracy in 87% of the time and has a mean accuracy of 88% (when considering projects of 2000 man-hours or more).
Enterprise Distributed Object Computing | 2007
Per Närman; Pontus Johnson; Lars Nordström
Enterprise Architecture is a model-based approach to business-oriented IT management. To promote good IT decision making, an enterprise architecture framework needs to explicate what kind of analyses it supports. Since creating enterprise architecture models is expensive and without intrinsic value, it is desirable to only create enterprise architecture models based on metamodels that support well-defined analyses. This paper suggests a metamodel derived specifically with a set of theory-based system quality analyses in mind. The ISO 9126-based theory behind the system quality analysis is introduced in the shape of an extended influence diagram. Finally, an example illustrates that our theory-based metamodel does support system quality analysis.
ACM Sigsoft Software Engineering Notes | 2013
Pontus Johnson; Paul Ralph; Michael Goedicke; Pan Wei Ng; Klaas-Jan Stol; Kari Smolander; Iaakov Exman; Dewayne E. Perry
Many academic disciplines have general theories, which apply across the discipline and underlie much of its research. Examples include the Big Bang theory (cosmology), Maxwell's equations (electrodynamics), the theories of the cell and evolution (biology), the theory of supply and demand (economics), and the general theory of crime (criminology). Software engineering, in contrast, has no widely accepted general theory. Consequently, the SEMAT Initiative organized a workshop to encourage the development of general theory in software engineering. Workshop participants reached broad consensus that software engineering would benefit from better theoretical foundations, which require diverse theoretical approaches, consensus on a primary dependent variable, and better instrumentation and descriptive research.
Hawaii International Conference on System Sciences | 2008
Mårten Simonsson; Pontus Johnson
Does good IT governance improve the effect of IT? This paper presents the IT Organization Modeling and Assessment Tool (ITOMAT) which has been created to overcome operationalization and subjectivity weaknesses in the Control Objectives for Information and related Technology (COBIT) framework. ITOMAT was applied to assess IT governance maturity in four case studies. Simultaneously, external metrics of the effect of IT were collected and correlated to the maturity levels. Based on the correlations, a model linking internal and external measures was created. The model can be used to predict the effect of IT given the maturity levels of IT processes.