Modeling Information Security and Risk in Archi and Sparx EA

Introduction: Why Model Information Security?

In today’s digital landscape, organizations must defend against increasing cybersecurity threats, comply with complex regulatory mandates (such as GDPR, NIS2, ISO 27001, DORA), and demonstrate operational resilience. Information security is no longer a specialized function — it must be embedded in enterprise architecture.

Modeling security and risk in tools like Sparx Enterprise Architect (EA) and Archi allows organizations to visualize attack surfaces, dependencies, data flows, and control mechanisms. Architecture-driven security bridges the gap between security strategy and IT implementation.

Security Architecture Layers and Modeling Needs

To model information security effectively, architects must cover multiple domains:

  • Business Layer: Threat actors, business impact analysis, critical processes
  • Application Layer: Identity, authentication, access controls, data flows
  • Technology Layer: Firewalls, network zoning, encryption, logging
  • Compliance Layer: ISO controls, data classification, audit policies

In addition, risk modeling must capture:

  • Risk types (operational, cyber, legal, reputational)
  • Threats and vulnerabilities
  • Impact and likelihood
  • Controls and residual risk

Using Archi for Security and Risk Modeling

Capabilities

Archi, with its ArchiMate support and the jArchi scripting plugin, enables fast, lightweight modeling of security aspects — especially in a TOGAF- or SABSA-aligned context.

Key ArchiMate Elements for Security

  • Business Role, Actor, Contract — for roles and responsibilities
  • Application Service, Interface — for authentication, APIs, and user entry points
  • Technology Node, Device — to represent secured endpoints and servers
  • Access Relationship, Flow, Triggering — for modeling control flows
  • Custom Viewpoints: “Threat Landscape”, “Risk Zones”, “Compliance View”

Extending Archi for Security

Archi doesn't have native risk modeling support, but using tagged values, stereotypes, and jArchi scripts, you can introduce fields like:

  • ConfidentialityImpact, IntegrityLevel, AvailabilityScore
  • ISO27001Control, ControlOwner, AuditFrequency

Reporting in Archi

With jArchi, it’s easy to script reports for:

  • Systems missing specific controls
  • Assets with risk scores above a threshold
  • Data stores with no access controls defined

Reports can be exported as CSV or visual dashboards using external tools (e.g., Power BI, Excel).
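The three reports listed above, written out as an added example; this is not code from the article or from the Archi/jArchi project. It runs the checks over an in-memory snapshot of a model using the property names the article introduces (ConfidentialityImpact, IntegrityLevel, AvailabilityScore, ISO27001Control, ControlOwner). The 1-5 scale, the rule "risk score = highest of the three CIA values", the sample elements, and the jArchi API calls in the adapter ($(model).find("element"), e.name, e.type, e.prop(key)) are assumptions made for this example.

```javascript
// Added example, not code from the article or from the Archi/jArchi project.
// Runs the "Reporting in Archi" checks over an in-memory snapshot of a model.
// Property names follow the article; the 1-5 scale and the rule
// "risk score = highest of the three CIA values" are assumptions made here.

// Constructed sample snapshot (the shape the jArchi adapter below produces).
const SAMPLE_ELEMENTS = [
  { name: "Payments API", type: "application-component",
    props: { ConfidentialityImpact: "5", IntegrityLevel: "4", AvailabilityScore: "3",
             ISO27001Control: "A.9.4.1", ControlOwner: "IAM team" } },
  { name: "HR Portal", type: "application-component",
    props: { ConfidentialityImpact: "4", IntegrityLevel: "2", AvailabilityScore: "2" } },
  { name: "Public Website", type: "application-component",
    props: { ConfidentialityImpact: "1", IntegrityLevel: "2", AvailabilityScore: "4",
             ISO27001Control: "A.12.2.1", ControlOwner: "Web team" } },
  { name: "Customer DB", type: "technology-node",
    props: { ConfidentialityImpact: "5", IntegrityLevel: "5", AvailabilityScore: "4",
             ISO27001Control: "A.10.1.1" } },
  { name: "Legacy Batch", type: "application-component",
    props: { ConfidentialityImpact: "high", IntegrityLevel: "3", AvailabilityScore: "3",
             ISO27001Control: "A.12.4.1", ControlOwner: "Ops" } },
];

// Parse a 1-5 property value; missing or malformed values become null so they
// are reported rather than silently counted as "no risk".
function scoreOf(element, key) {
  const n = Number.parseInt(element.props[key], 10);
  return Number.isInteger(n) && n >= 1 && n <= 5 ? n : null;
}

// Aggregate risk score: the highest of the three CIA values (assumption).
function riskScore(element) {
  const parts = ["ConfidentialityImpact", "IntegrityLevel", "AvailabilityScore"]
    .map((k) => scoreOf(element, k));
  return parts.includes(null) ? null : Math.max(...parts);
}

// Report 1: systems missing any of the required control properties.
function systemsMissingControls(elements, required = ["ISO27001Control", "ControlOwner"]) {
  return elements
    .map((e) => ({ name: e.name, missing: required.filter((k) => !e.props[k]) }))
    .filter((r) => r.missing.length > 0);
}

// Report 2: assets scored above the threshold, plus assets that cannot be
// scored at all (an unscored asset is a finding in its own right).
function assetsAboveThreshold(elements, threshold) {
  const above = [], unscored = [];
  for (const e of elements) {
    const s = riskScore(e);
    if (s === null) unscored.push(e.name);
    else if (s > threshold) above.push({ name: e.name, score: s });
  }
  return { above, unscored };
}

// CSV rendering for export; fields are quoted so names containing commas survive.
function toCsv(rows, columns) {
  const q = (v) => `"${String(v).replace(/"/g, '""')}"`;
  return [columns.map(q).join(",")]
    .concat(rows.map((r) => columns.map((c) => q(r[c])).join(",")))
    .join("\n");
}

// Adapter for a real jArchi run. Assumed jArchi API: $(model).find("element"),
// e.name, e.type and e.prop(key). Only called when the script runs inside Archi.
function snapshotFromJArchi(keys) {
  const out = [];
  $(model).find("element").each((e) => {
    const props = {};
    for (const k of keys) { const v = e.prop(k); if (v) props[k] = v; }
    out.push({ name: e.name, type: e.type, props });
  });
  return out;
}

const reportElements = typeof $ !== "undefined"
  ? snapshotFromJArchi(["ConfidentialityImpact", "IntegrityLevel", "AvailabilityScore",
                        "ISO27001Control", "ControlOwner"])
  : SAMPLE_ELEMENTS;
console.log(toCsv(systemsMissingControls(reportElements)
  .map((r) => ({ name: r.name, missing: r.missing.join(";") })), ["name", "missing"]));
console.log(toCsv(assetsAboveThreshold(reportElements, 4).above, ["name", "score"]));
```

Run under Node it uses the constructed sample; run from the jArchi Scripts Manager it reads the open model instead. Treating a malformed score as "unscored" rather than as zero is the important design choice: a tag typed as "high" would otherwise drop a critical asset out of the report.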

Using Sparx EA for Security and Risk Modeling

Capabilities

Sparx EA is a full modeling platform that supports detailed modeling, integrations, and governance. It can model information security as part of enterprise architecture, solution architecture, or process modeling initiatives.

Relevant Notations

  • ArchiMate: Security layered over business, application, and technology
  • UML: Use Case diagrams for security access, sequence diagrams for intrusion flows
  • BPMN: Risk-related processes and exception handling

Security Modeling in EA

In EA, security-specific modeling is often implemented using:

  • Stereotypes like SecureNode, EncryptedStore, RiskAsset
  • Tagged Values for classification (e.g., DataSensitivity=High)
  • Constraints and Requirements linked to system elements
  • Security Controls as UML Classes or ArchiMate Contracts

Risk Register Modeling

You can model a full risk register in EA using:

  • Risk Elements — including impact and likelihood attributes
  • Threats and Vulnerabilities — as stereotyped components
  • Controls — linked mitigation elements (technical or procedural)
  • Traceability — from risk to impacted services, systems, and data

Reporting and Governance

  • Use Model Views and SQL Queries to detect unclassified data stores
  • Leverage Prolaborate for dashboards showing:
    • Systems with expired certificates
    • Processes with missing segregation of duty controls
  • Run Validation Scripts to check control coverage across assets

Use Cases and Modeling Patterns

1. Modeling Data Classification and Access Control

  • Tag elements with Confidentiality, Ownership, SharingRules
  • Show access links using Access or UsedBy relationships
  • Highlight uncontrolled access or improper linkages
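Pattern 1 carried through as an added example; this is not code from the article or from either tool. It checks a model snapshot for the two defects the pattern asks architects to highlight: data objects with no usable classification, and access relationships whose source lacks the clearance the data requires. The level names and their ordering (Public < Internal < Confidential < Restricted), the Clearance property on accessors, the sample elements, and the remark about jArchi's fillColor are assumptions made here.

```javascript
// Added example, not code from the article or from Archi/Sparx EA. Checks a
// model snapshot for unclassified data objects and for access relationships
// whose accessor lacks the clearance the data requires. Level names, ordering
// and the Confidentiality / Clearance property names are assumptions.

const LEVELS = ["Public", "Internal", "Confidential", "Restricted"]; // low -> high

// Index of a level name, or -1 when the property is missing or unknown.
const levelIndex = (name) => LEVELS.indexOf(name);

// Constructed snapshot: elements keyed by id, plus relationships between ids.
const CLASSIFICATION_SNAPSHOT = {
  elements: {
    d1: { name: "Customer PII", type: "data-object", props: { Confidentiality: "Restricted", Ownership: "CDO" } },
    d2: { name: "Product Catalog", type: "data-object", props: { Confidentiality: "Public" } },
    d3: { name: "Payroll Records", type: "data-object", props: { Confidentiality: "Confidential" } },
    d4: { name: "Audit Trail", type: "data-object", props: { Confidentiality: "Secret" } }, // not a known level
    a1: { name: "CRM", type: "application-component", props: { Clearance: "Restricted" } },
    a2: { name: "Marketing Site", type: "application-component", props: { Clearance: "Internal" } },
    a3: { name: "Reporting Tool", type: "application-component", props: {} },
  },
  relationships: [
    { type: "access-relationship", source: "a1", target: "d1" },
    { type: "access-relationship", source: "a2", target: "d1" }, // Internal accessor, Restricted data
    { type: "access-relationship", source: "a2", target: "d2" },
    { type: "access-relationship", source: "a3", target: "d3" }, // accessor has no Clearance tag
    { type: "access-relationship", source: "a1", target: "d4" },
  ],
};

function classificationFindings(snapshot) {
  const { elements, relationships } = snapshot;
  // Finding 1: data objects whose Confidentiality is missing or not a known level.
  const unclassified = Object.values(elements)
    .filter((e) => e.type === "data-object" && levelIndex(e.props.Confidentiality) < 0)
    .map((e) => e.name);
  // Finding 2: access relationships where the accessor's clearance is absent or too low.
  const improper = [];
  for (const r of relationships) {
    if (r.type !== "access-relationship") continue;
    const accessor = elements[r.source], data = elements[r.target];
    if (!accessor || !data || data.type !== "data-object") continue;
    const need = levelIndex(data.props.Confidentiality);
    if (need < 0) continue; // already reported as unclassified; the access cannot be judged
    const have = levelIndex(accessor.props.Clearance);
    if (have < 0) {
      improper.push({ accessor: accessor.name, data: data.name, reason: "accessor has no Clearance" });
    } else if (have < need) {
      improper.push({ accessor: accessor.name, data: data.name,
        reason: `Clearance ${accessor.props.Clearance} below Confidentiality ${data.props.Confidentiality}` });
    }
  }
  return { unclassified, improper };
}

// Element names to highlight on a diagram (in jArchi this would drive the
// diagram object's fillColor; that mapping is an assumption).
function namesToHighlight(findings) {
  const names = new Set(findings.unclassified);
  for (const f of findings.improper) { names.add(f.accessor); names.add(f.data); }
  return [...names].sort();
}

const findings = classificationFindings(CLASSIFICATION_SNAPSHOT);
console.log(JSON.stringify(findings, null, 2));
console.log("highlight:", namesToHighlight(findings).join(", "));
```

Unknown level names are treated the same as missing ones, so a typo in a classification tag surfaces as a finding instead of quietly passing the clearance comparison.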

2. Threat Modeling

  • Model actors (internal, external, malicious)
  • Diagram entry points (e.g., APIs, web services)
  • Trace flow from threat to data impact
  • Map mitigations, compensating controls

3. Compliance Coverage (e.g., ISO 27001)

  • Create a package for each compliance domain (A.5 to A.18)
  • Link systems and controls to compliance elements
  • Generate coverage heatmaps and dashboards

Scaling Security Modeling

  • In Archi: Use Git-backed repositories, consistent tagged values, and shared patterns
  • In Sparx EA: Use Pro Cloud Server, version control, floating licenses
  • Use metadata for filtering and querying across domains
  • Automate model quality checks for control coverage and compliance

Comparison Table: Security Modeling in Archi vs Sparx EA

Feature            | Archi                      | Sparx EA
-------------------|----------------------------|---------------------------------------------
Security Notation  | ArchiMate + Custom Tags    | ArchiMate, UML, BPMN, Requirements
Risk Modeling      | Limited (scripts + tags)   | Full (elements, attributes, traceability)
Compliance Mapping | Manual via tagged values   | Structured packages, traceability, reports
Threat Modeling    | Basic actor & access flows | Advanced (use cases, diagrams, traceability)
Reporting          | Script-based CSV exports   | SQL, Model Views, Prolaborate Dashboards
Tool Integration   | Git, HTML Export           | Jira, Confluence, Excel, Prolaborate

Conclusion

Both Archi and Sparx EA provide ways to model information security, but they serve different needs. Archi is ideal for smaller teams needing fast, lightweight models using ArchiMate. Sparx EA, on the other hand, is built for large-scale governance, traceability, and risk compliance modeling.

If you’re embedding security in your enterprise architecture, modeling is essential — and tools like EA and Archi help visualize, analyze, and govern your security landscape. Choose the one that fits your organization’s complexity, compliance needs, and collaboration style.

Keywords/Tags

  • Modeling information security in Archi
  • Sparx EA risk modeling
  • Security architecture diagrams in EA
  • Compliance modeling in enterprise architecture
  • ISO 27001 modeling in EA
  • Threat modeling with ArchiMate
  • Security control traceability
  • Prolaborate dashboards for security
  • GDPR and risk modeling in EA
  • Enterprise architecture for cybersecurity

Using Archi and Sparx EA as a Risk Repository

Enterprise Architecture tools can serve not only for design but also as a centralized risk repository where identified risks are modeled, categorized, mitigated, and linked to impacted assets. When risks are traceable across business processes, data assets, systems, and interfaces, organizations gain superior visibility and control over their threat landscape.

Why Use a Modeling Tool as a Risk Repository?

  • Single Source of Truth: Centralize risks alongside architecture models
  • Traceability: Connect risks to the systems, capabilities, and data they impact
  • Audit Readiness: Demonstrate compliance and risk control coverage
  • Impact Analysis: Understand downstream effects of risk changes or mitigations

Step-by-Step: Modeling Risks as Repository Elements

In Sparx EA:

  • Create a dedicated Risk element type or stereotype it (e.g., InformationRisk, OperationalRisk)
  • Assign tagged values:
    • RiskCategory (e.g., Cyber, Operational, Legal)
    • Impact and Likelihood scores
    • ResidualRisk, ControlStatus
  • Link the risk to:
    • Systems or Applications (Technology Layer)
    • Processes (Business Layer)
    • Data Objects (e.g., PII, critical data)
    • Controls (as Requirements or Components)
  • Use custom matrix views or dynamic model views to identify coverage gaps

In Archi:

  • Use a Business Object or Assessment element to represent risks
  • Add tagged values for RiskType, Severity, TreatmentPlan
  • Create a “Risk Viewpoint” to show threats, vulnerable systems, and control mechanisms
  • Use Association or Flow relationships to show risk propagation
  • Script exports for regular risk review meetings

Linking Risks to Controls and Model Elements

  • Each risk can be linked to one or more:
    • Controls (with effectiveness rating)
    • Requirements that define expected mitigations
    • Service or Capability that would be impacted
  • Create traceability reports:
    • “Which risks impact customer-facing applications?”
    • “Which risks lack a control owner or mitigation plan?”
  • Visualize risk heatmaps using Prolaborate or external BI tools
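The repository steps above and the two traceability questions, worked through as an added example; this is not code from the article or from either tool. It treats a small risk register as a graph of risks, controls and systems joined by typed links, the way Association/Flow relationships in Archi or connectors in EA would join them. The 1-5 Impact and Likelihood scales, "inherent = Impact x Likelihood", the residual rule inherent x (1 - e1) x (1 - e2) ... over linked control effectiveness, the High/Medium/Low bands, and the sample register are assumptions made here.

```javascript
// Added example, not code from the article or from Archi/Sparx EA. A risk
// register as a small graph, with scoring and the traceability queries the
// article asks for. Scales, scoring formulas and bands are assumptions.

// Constructed register. Tagged-value names follow the article.
const REGISTER = {
  risks: {
    r1: { name: "Credential stuffing on customer login",
          props: { RiskCategory: "Cyber", Impact: "4", Likelihood: "4",
                   ControlOwner: "IAM team", TreatmentPlan: "Mitigate" } },
    r2: { name: "Loss of unencrypted backup media",
          props: { RiskCategory: "Operational", Impact: "5", Likelihood: "2", ControlOwner: "Ops" } },
    r3: { name: "Insider exfiltration of payroll data",
          props: { RiskCategory: "Cyber", Impact: "5", Likelihood: "3" } },
  },
  controls: {
    c1: { name: "MFA on customer login", effectiveness: 0.8 },
    c2: { name: "Login rate limiting", effectiveness: 0.5 },
    c3: { name: "Backup encryption", effectiveness: 0.9 },
  },
  systems: {
    s1: { name: "Customer Portal", customerFacing: true },
    s2: { name: "Backup Service", customerFacing: false },
    s3: { name: "HR System", customerFacing: false },
  },
  // Typed relationships from a risk to a control or an impacted system.
  links: [
    { from: "r1", to: "c1", kind: "mitigatedBy" },
    { from: "r1", to: "c2", kind: "mitigatedBy" },
    { from: "r1", to: "s1", kind: "impacts" },
    { from: "r2", to: "c3", kind: "mitigatedBy" },
    { from: "r2", to: "s2", kind: "impacts" },
    { from: "r3", to: "s3", kind: "impacts" },
  ],
};

const linkedIds = (reg, riskId, kind) =>
  reg.links.filter((l) => l.from === riskId && l.kind === kind).map((l) => l.to);

// Heatmap band (assumption): 15-25 High, 8-14 Medium, below 8 Low.
const band = (score) => (score >= 15 ? "High" : score >= 8 ? "Medium" : "Low");

// Inherent and residual score for one risk, given its linked controls.
function riskScores(reg, riskId) {
  const p = reg.risks[riskId].props;
  const inherent = Number(p.Impact) * Number(p.Likelihood);
  const controls = linkedIds(reg, riskId, "mitigatedBy").map((id) => reg.controls[id]);
  const residual = controls.reduce((acc, c) => acc * (1 - c.effectiveness), inherent);
  return { inherent, residual: Math.round(residual * 100) / 100,
           band: band(inherent), controls: controls.length };
}

// "Which risks impact customer-facing applications?"
function risksImpactingCustomerFacing(reg) {
  return Object.keys(reg.risks)
    .filter((id) => linkedIds(reg, id, "impacts").some((s) => reg.systems[s].customerFacing))
    .map((id) => reg.risks[id].name);
}

// "Which risks lack a control owner or mitigation plan?" (and: no linked control)
function risksLackingTreatment(reg) {
  const out = [];
  for (const [id, r] of Object.entries(reg.risks)) {
    const gaps = ["ControlOwner", "TreatmentPlan"].filter((k) => !r.props[k]);
    if (linkedIds(reg, id, "mitigatedBy").length === 0) gaps.push("no linked control");
    if (gaps.length) out.push({ name: r.name, gaps });
  }
  return out;
}

for (const id of Object.keys(REGISTER.risks)) {
  console.log(REGISTER.risks[id].name, JSON.stringify(riskScores(REGISTER, id)));
}
console.log("customer-facing:", risksImpactingCustomerFacing(REGISTER).join("; "));
console.log("treatment gaps:", JSON.stringify(risksLackingTreatment(REGISTER)));
```

The residual score is derived from the linked controls rather than stored as a separate ResidualRisk tag, so it cannot drift out of step with the register; a risk with no linked control keeps its inherent score and is also listed as a treatment gap.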

Governance Benefits

  • Establish a living risk register integrated with architecture
  • Assign risk owners and track change history
  • Support internal audit and cybersecurity readiness reviews

Tips for Effective Risk Repository Modeling

  • Use consistent risk classification schemas (e.g., ISO 31000, FAIR)
  • Define reusable control elements to link across projects
  • Leverage versioning and change logs to track risk evolution
  • Automate detection of unlinked risks or uncontrolled systems

With this approach, Archi and Sparx EA go beyond static architecture tools — becoming true platforms for risk governance and secure system design.