In our research program (a set of research efforts with a
common denominator), we are using semi-formal models in
order to provide a theoretical foundation in different domains
(for example IT governance in general and IS security in
particular). As metamodels represent the underlying, often
implicit structure of the models/standards, they can be used in
various ways. On the one hand, they are a methodological
support for the construction of company-specific
extensions/adaptations of known standards/models. If
extensions are oriented by both the company-specific needs
and the metamodel, they are more likely to be consistent with the
model/standard used. A further aspect, which takes into account
the use and application of different models and standards in an
enterprise, is the relationships between them. A security
model of an enterprise should be linked to and integrated into
models used for related tasks and initiatives (e.g. IT
governance models like COBIT, ITIL [8]). This linking can be
supported by metamodels as they are a useful tool to integrate
different models. On the other hand, the representation of the
standard's structure at the meta-level supports its deeper
evaluation, e.g. for comparing it to other models (e.g. a security
ontology).