This document proposes an innovative systemic approach to managing risks across interconnected sectors in Luxembourg's digital economy. It discusses how individual sectors are increasingly interdependent, so risks in one sector can impact others. The authors argue a systemic risk management approach is needed to improve accuracy, reactivity and minimize risk propagation across sectors. They describe ongoing work to develop an enterprise architecture model to assess cross-sector risks using proof of concepts with Luxembourg's regulators and ICT providers. The goal is a common risk management framework and interface to facilitate agreement between actors and oversee risks at a national level.
Using cloud services: Compliance with the Security Requirements of the Spanis...Miguel A. Amutio
Cloud Security Alliance EMEA Congress
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Text of the presentation by Miguel A. Amutio
Using cloud services: Compliance with the Security Requirements of the Spanis...Miguel A. Amutio
Cloud Security Alliance EMEA Congress
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Text of the presentation by Miguel A. Amutio
ITU Security in Telecommunications & Information TechnologyITU
The ITU-T Security Manual offers a comprehensive overview of ITU-T’s work to build confidence and security in the use of information and communication technologies (ICTs).
The manual documents ITU-T’s efforts to respond to global cybersecurity challenges with international standards, complementary guidance documents and outreach to build capacity in the application of advanced ICT security mechanisms.
Introductory chapters highlight high-priority areas of ITU-T security work and basic requirements for the protection of ICT applications, services and information. Central to this introduction is an examination of standards’ role in meeting the security requirements borne of prevalent threats and vulnerabilities.
The manual outlines foundational security architectures as a basis for the discussion of more specific security considerations, following an iterative structure addressing key aspects of ICT security:
Generic security architectures for open systems and end-to-end communications, as well as examples of application-specific architectures, which establish frameworks for the consistent application of multiple facets of security.
Information security management, risk management and asset management, including management activities relevant to securing network infrastructure and the data used to monitor and control the telecommunications network.
The Directory and its role in supporting authentication and other security services. Particular attention is paid to the cryptographic concepts that rely on Directory services, providing an introduction to public key infrastructures, digital signatures and privilege-management infrastructures.
Identity management – a topic of growing importance to connected things, objects and devices – and the related topic of telebiometrics, the use of biometric characteristics for personal identification and authentication in telecommunications environments.
Approaches to network security, including the security requirements for next-generation networks and mobile communications networks in transition from a single technologies (e.g. CDMA or GSM) to mobility across heterogeneous platforms using the Internet Protocol (IP). This section also tackles security provisions for home networks, cable television and ubiquitous sensor networks.
Cybersecurity and incident response, looking at how best to develop an effective response to cyber attacks, including the need to understand the source and nature of attacks when sharing associated information with monitoring agencies.
Application-specific security needs, emphasizing the security features defined in ITU-T standards for Voice over IP, Internet Protocol Television, Web services, and identification tags such as RFID tags.
Technical measures to counter common network threats such as spam, malicious code and spyware, including the importance of ti
Critical Infrastructure Protection against targeted attacks on cyber-physical...Enrique Martin
This White Paper looks the higher impact (and therefore riskier) attacks on cyber-physical systems in critical infrastructure control networks and propose protection by making some changes on organizations structures and procedures and new technologies of intrusion detection based on analysis behavior of control protocols and correlation of operational events.
Application and Network Layers Design for Wireless Sensor Network to Supervis...IJCSEA Journal
Wireless sensor networks have profound effects on many application fields like security management which need an immediate and fast system reaction. Indeed, the monitoring of a dangerous product warehouse is a major issue in chemical industry field. This paper describes the design of chemical warehouse security system using the concept of active products and wireless sensor networks. A security application layer is developed to supervise and exchange messages between nodes and the control center to prevent industrial accident. Different security rules are proposed on this layer to monitor the internal state and incompatible products distance. If a critical event is detected, the application generates alert message which need a short end to end delay and low packet loss rate constraints by network layer. Thus, a QoS routing protocol is also developed in the network layer. The proposed solution is implemented in Castalia/OMNeT++ simulator. Simulation results show that the system reacts perfectly for critical event and can meet the QoS constraints of alert message.
ITU Security in Telecommunications & Information TechnologyITU
The ITU-T Security Manual offers a comprehensive overview of ITU-T’s work to build confidence and security in the use of information and communication technologies (ICTs).
The manual documents ITU-T’s efforts to respond to global cybersecurity challenges with international standards, complementary guidance documents and outreach to build capacity in the application of advanced ICT security mechanisms.
Introductory chapters highlight high-priority areas of ITU-T security work and basic requirements for the protection of ICT applications, services and information. Central to this introduction is an examination of standards’ role in meeting the security requirements borne of prevalent threats and vulnerabilities.
The manual outlines foundational security architectures as a basis for the discussion of more specific security considerations, following an iterative structure addressing key aspects of ICT security:
Generic security architectures for open systems and end-to-end communications, as well as examples of application-specific architectures, which establish frameworks for the consistent application of multiple facets of security.
Information security management, risk management and asset management, including management activities relevant to securing network infrastructure and the data used to monitor and control the telecommunications network.
The Directory and its role in supporting authentication and other security services. Particular attention is paid to the cryptographic concepts that rely on Directory services, providing an introduction to public key infrastructures, digital signatures and privilege-management infrastructures.
Identity management – a topic of growing importance to connected things, objects and devices – and the related topic of telebiometrics, the use of biometric characteristics for personal identification and authentication in telecommunications environments.
Approaches to network security, including the security requirements for next-generation networks and mobile communications networks in transition from a single technologies (e.g. CDMA or GSM) to mobility across heterogeneous platforms using the Internet Protocol (IP). This section also tackles security provisions for home networks, cable television and ubiquitous sensor networks.
Cybersecurity and incident response, looking at how best to develop an effective response to cyber attacks, including the need to understand the source and nature of attacks when sharing associated information with monitoring agencies.
Application-specific security needs, emphasizing the security features defined in ITU-T standards for Voice over IP, Internet Protocol Television, Web services, and identification tags such as RFID tags.
Technical measures to counter common network threats such as spam, malicious code and spyware, including the importance of ti
Critical Infrastructure Protection against targeted attacks on cyber-physical...Enrique Martin
This White Paper looks the higher impact (and therefore riskier) attacks on cyber-physical systems in critical infrastructure control networks and propose protection by making some changes on organizations structures and procedures and new technologies of intrusion detection based on analysis behavior of control protocols and correlation of operational events.
Application and Network Layers Design for Wireless Sensor Network to Supervis...IJCSEA Journal
Wireless sensor networks have profound effects on many application fields like security management which need an immediate and fast system reaction. Indeed, the monitoring of a dangerous product warehouse is a major issue in chemical industry field. This paper describes the design of chemical warehouse security system using the concept of active products and wireless sensor networks. A security application layer is developed to supervise and exchange messages between nodes and the control center to prevent industrial accident. Different security rules are proposed on this layer to monitor the internal state and incompatible products distance. If a critical event is detected, the application generates alert message which need a short end to end delay and low packet loss rate constraints by network layer. Thus, a QoS routing protocol is also developed in the network layer. The proposed solution is implemented in Castalia/OMNeT++ simulator. Simulation results show that the system reacts perfectly for critical event and can meet the QoS constraints of alert message.
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...Sérgio Sacani
We characterize the earliest galaxy population in the JADES Origins Field (JOF), the deepest
imaging field observed with JWST. We make use of the ancillary Hubble optical images (5 filters
spanning 0.4−0.9µm) and novel JWST images with 14 filters spanning 0.8−5µm, including 7 mediumband filters, and reaching total exposure times of up to 46 hours per filter. We combine all our data
at > 2.3µm to construct an ultradeep image, reaching as deep as ≈ 31.4 AB mag in the stack and
30.3-31.0 AB mag (5σ, r = 0.1” circular aperture) in individual filters. We measure photometric
redshifts and use robust selection criteria to identify a sample of eight galaxy candidates at redshifts
z = 11.5 − 15. These objects show compact half-light radii of R1/2 ∼ 50 − 200pc, stellar masses of
M⋆ ∼ 107−108M⊙, and star-formation rates of SFR ∼ 0.1−1 M⊙ yr−1
. Our search finds no candidates
at 15 < z < 20, placing upper limits at these redshifts. We develop a forward modeling approach to
infer the properties of the evolving luminosity function without binning in redshift or luminosity that
marginalizes over the photometric redshift uncertainty of our candidate galaxies and incorporates the
impact of non-detections. We find a z = 12 luminosity function in good agreement with prior results,
and that the luminosity function normalization and UV luminosity density decline by a factor of ∼ 2.5
from z = 12 to z = 14. We discuss the possible implications of our results in the context of theoretical
models for evolution of the dark matter halo mass function.
Slide 1: Title Slide
Extrachromosomal Inheritance
Slide 2: Introduction to Extrachromosomal Inheritance
Definition: Extrachromosomal inheritance refers to the transmission of genetic material that is not found within the nucleus.
Key Components: Involves genes located in mitochondria, chloroplasts, and plasmids.
Slide 3: Mitochondrial Inheritance
Mitochondria: Organelles responsible for energy production.
Mitochondrial DNA (mtDNA): Circular DNA molecule found in mitochondria.
Inheritance Pattern: Maternally inherited, meaning it is passed from mothers to all their offspring.
Diseases: Examples include Leber’s hereditary optic neuropathy (LHON) and mitochondrial myopathy.
Slide 4: Chloroplast Inheritance
Chloroplasts: Organelles responsible for photosynthesis in plants.
Chloroplast DNA (cpDNA): Circular DNA molecule found in chloroplasts.
Inheritance Pattern: Often maternally inherited in most plants, but can vary in some species.
Examples: Variegation in plants, where leaf color patterns are determined by chloroplast DNA.
Slide 5: Plasmid Inheritance
Plasmids: Small, circular DNA molecules found in bacteria and some eukaryotes.
Features: Can carry antibiotic resistance genes and can be transferred between cells through processes like conjugation.
Significance: Important in biotechnology for gene cloning and genetic engineering.
Slide 6: Mechanisms of Extrachromosomal Inheritance
Non-Mendelian Patterns: Do not follow Mendel’s laws of inheritance.
Cytoplasmic Segregation: During cell division, organelles like mitochondria and chloroplasts are randomly distributed to daughter cells.
Heteroplasmy: Presence of more than one type of organellar genome within a cell, leading to variation in expression.
Slide 7: Examples of Extrachromosomal Inheritance
Four O’clock Plant (Mirabilis jalapa): Shows variegated leaves due to different cpDNA in leaf cells.
Petite Mutants in Yeast: Result from mutations in mitochondrial DNA affecting respiration.
Slide 8: Importance of Extrachromosomal Inheritance
Evolution: Provides insight into the evolution of eukaryotic cells.
Medicine: Understanding mitochondrial inheritance helps in diagnosing and treating mitochondrial diseases.
Agriculture: Chloroplast inheritance can be used in plant breeding and genetic modification.
Slide 9: Recent Research and Advances
Gene Editing: Techniques like CRISPR-Cas9 are being used to edit mitochondrial and chloroplast DNA.
Therapies: Development of mitochondrial replacement therapy (MRT) for preventing mitochondrial diseases.
Slide 10: Conclusion
Summary: Extrachromosomal inheritance involves the transmission of genetic material outside the nucleus and plays a crucial role in genetics, medicine, and biotechnology.
Future Directions: Continued research and technological advancements hold promise for new treatments and applications.
Slide 11: Questions and Discussion
Invite Audience: Open the floor for any questions or further discussion on the topic.
Professional air quality monitoring systems provide immediate, on-site data for analysis, compliance, and decision-making.
Monitor common gases, weather parameters, particulates.
A brief information about the SCOP protein database used in bioinformatics.
The Structural Classification of Proteins (SCOP) database is a comprehensive and authoritative resource for the structural and evolutionary relationships of proteins. It provides a detailed and curated classification of protein structures, grouping them into families, superfamilies, and folds based on their structural and sequence similarities.
Richard's aventures in two entangled wonderlandsRichard Gill
Since the loophole-free Bell experiments of 2020 and the Nobel prizes in physics of 2022, critics of Bell's work have retreated to the fortress of super-determinism. Now, super-determinism is a derogatory word - it just means "determinism". Palmer, Hance and Hossenfelder argue that quantum mechanics and determinism are not incompatible, using a sophisticated mathematical construction based on a subtle thinning of allowed states and measurements in quantum mechanics, such that what is left appears to make Bell's argument fail, without altering the empirical predictions of quantum mechanics. I think however that it is a smoke screen, and the slogan "lost in math" comes to my mind. I will discuss some other recent disproofs of Bell's theorem using the language of causality based on causal graphs. Causal thinking is also central to law and justice. I will mention surprising connections to my work on serial killer nurse cases, in particular the Dutch case of Lucia de Berk and the current UK case of Lucy Letby.
This pdf is about the Schizophrenia.
For more details visit on YouTube; @SELF-EXPLANATORY;
https://www.youtube.com/channel/UCAiarMZDNhe1A3Rnpr_WkzA/videos
Thanks...!
Seminar of U.V. Spectroscopy by SAMIR PANDASAMIR PANDA
Spectroscopy is a branch of science dealing the study of interaction of electromagnetic radiation with matter.
Ultraviolet-visible spectroscopy refers to absorption spectroscopy or reflect spectroscopy in the UV-VIS spectral region.
Ultraviolet-visible spectroscopy is an analytical method that can measure the amount of light received by the analyte.
Multi-source connectivity as the driver of solar wind variability in the heli...Sérgio Sacani
The ambient solar wind that flls the heliosphere originates from multiple
sources in the solar corona and is highly structured. It is often described
as high-speed, relatively homogeneous, plasma streams from coronal
holes and slow-speed, highly variable, streams whose source regions are
under debate. A key goal of ESA/NASA’s Solar Orbiter mission is to identify
solar wind sources and understand what drives the complexity seen in the
heliosphere. By combining magnetic feld modelling and spectroscopic
techniques with high-resolution observations and measurements, we show
that the solar wind variability detected in situ by Solar Orbiter in March
2022 is driven by spatio-temporal changes in the magnetic connectivity to
multiple sources in the solar atmosphere. The magnetic feld footpoints
connected to the spacecraft moved from the boundaries of a coronal hole
to one active region (12961) and then across to another region (12957). This
is refected in the in situ measurements, which show the transition from fast
to highly Alfvénic then to slow solar wind that is disrupted by the arrival of
a coronal mass ejection. Our results describe solar wind variability at 0.5 au
but are applicable to near-Earth observatories.
Multi-source connectivity as the driver of solar wind variability in the heli...
Towards an innovative systemic approach of risk management
1. Towards an Innovative Systemic Approach of Risk Management
Hervé Cholez and Christophe Feltus
Public Research Centre Henri Tudor,
29, avenue John F. Kennedy, L-1855 Luxembourg-Kirchberg, Luxembourg
herve.cholez@tudor.lu, christophe.feltus@tudor.lu
ABSTRACT
Nowadays, enterprises from different sectors are strongly
interconnected and need to interact continuously in order to
survive. In this context, the happening of an event (e.g., system
failure) in one sector may lead to a serious risk in another. To
avoid this, a systemic approach for risk management is required.
This approach pursues the objective to foster the accuracy and the
reactivity of the risk mitigation and hence minimize the impact
and the propagation of the risk and, as a consequence, sustain the
initiatives from all economic domains’ regulators in risk
management. This position paper suggests an innovative solution,
which is to be further investigated, to manage cross-sector ICT
ecosystem risks using enterprise architecture model. This solution
is illustrated with a proof of concept related to the Luxembourgish
market.
Categories and Subject Descriptors
H.2.7: Security, Integrity, and Protection
General Terms
Management, Performance, Design, Experimentation, Security,
Languages, Theory, Verification.
Keywords
Information system, information security risk, systemic risk
management, enterprise architecture, ArchiMate®
, position paper.
1 INTRODUCTION & MOTIVATION
1.1 Context
Information systems are everywhere and their roles are central for
all enterprises because of the increasing amount of information
managed during the last decades. Due to the criticality of the
information exchanged, more and more supervision is needed and
operated by national, European or even international authorities.
One of the leading sector having adopted such a model is the
financial sector, with a national regulatory authority (NRA)
established in every country and dealing with sector-based
regulations, defined at the international and/or national level (e.g.,
Basel II agreements [1], the Sarbanes-Oxley Act [2], etc.)
The Luxembourgish market is based on a complex and integrated
ecosystem and sustained by an integrated subcontractors network,
especially in IT services. At the national level, the landscape of
regulators to ensure the control of risks of different actors in the
ecosystem is increasing, e.g., ILR1
for the telecommunications
service providers, ILNAS2
for electronic records, CSSF3
for the
financial service providers, or the CNPD4
for the data protection.
These regulatory initiatives progressively allow improving the
maturity of each actor and collecting data on related risks.
However, due to the complexity and the heterogeneity of the
market, the data analysis performed by the regulators, as well as
the systemic risk management regarding this complete ecosystem
remains challenging.
In this context, this position paper introduces, and gives an
insight, to the research work that we are going to achieve in order
to tackle the above systemic risks issue which we consider as the
risk generated through the interaction between enterprises, having
an influence on the whole customers’-/suppliers’ chain, and
impacting on more than one sector at the same time. This research
work is founded by the Feder project named SARIM (Systemic
Approach of Risk Management) and supported by a strong
Luxembourgish partnership, as illustrated in Figure 1. The
political level (european and national) establish laws and
regulations. Partners on this level are, among others, the Ministry
of State, the Ministry of Trade and Industry and the High
Commissioner for National Protection. The national regulatory
environment supervises the application of these regulations in the
Luxembourgish organizations and their subcontractors. Partners
in this sector are, among others: ILNAS, CNPD and ILR. Finally,
ICT enablers, such as our partners of this project (EBRC
(http://www.ebrc.com/), Post (http://www.post.lu), etc.), are
essential to sustain the implementation of all these regulations and
are also impacted by the regulatory environment.
1.2 Preliminary work
Before adressing an integrated ecosystem such as explained in the
introduction, the Public Research Centre Henri Tudor experienced
a two-years research project on one specific context: the
telecommunications regulation [3]. In this project, conducted in
collaboration with telecommunication operators and the ILR, the
information security risk management (ISRM) process was an
essential step and a strategic challenge.
1
ILR (“Institut Luxembourgeois de Régulation“) is the French
acronym for Luxembourgish Regulatory Institute.
2
ILNAS (“Institut Luxembourgeois de la Normalisation, de
l'Accréditation, de la Sécurité et qualité des produits et services“)
is the French acronym for Luxembourgish Institute for
Standardisation, Certification, Security and Quality of Products
and Services“.
3
CSSF (“Commission de Surveillance du Secteur Financier“) is
the French acronym for the Financial Services Authority.
4
CNPD (“Commission Nationale pour la Protection des
Données“) is the French acronym for the national commission for
data protection.
Permission to make digital or hard copies of part or all of this work
for personal or classroom use is granted without fee provided that
copies are not made or distributed for profit or commercial advantage
and that copies bear this notice and the full citation on the first page.
Copyrights for third-party components of this work must be honored.
For all other uses, contact the Owner/Author.
Copyright is held by the owner/author(s).
SIN '14 , Sep 09-11 2014, Glasgow, Scotland Uk
ACM 978-1-4503-3033-6/14/09.
http://dx.doi.org/10.1145/2659651.2659734
2. Figure 1. Integrated ecosystem of the Luxembourg digital economy governance
The project’s key issues consisted in defining the relevant risks
regarding the businesses operated and the architecture in place, as
well as in selecting the relevant security controls accordingly.
As a result, the main innovation of this project consisted in the
development of a specific ISRM process tailored to the
telecommunication sector. The outcome of this project is a fine-
tuned method supported by a tool (the TISRIM Telco Tool) which
allows telecommunication operators to efficiently perform
information security risk assessments in compliance with both
national and European regulations.
The tool is distributed to all telecommunication operators in
Luxembourg. Its large exploitation in Luxembourg allows a
homogeneous methodology, and risk assessment results are easy
to compare and to analyse by national regulatory authorities.
Widespread implementation of risk assessment and security
measures in this sector have positive benefits for both, citizens
and the economy [3], as telecommunication networks will be
better protected against service interruptions and security
breaches, ensuring continuous and high-quality service. The
TISRIM Telco tool helps the national regulatory authority to raise
awareness of telecommunication operators, as well as to
encourage the ongoing improvement of their level of information
security.
This challenge of adapting information security risk management
processes and practices to the telecommunication sector has
strengthened our competencies in the domain. The large success
of this project and the demands of the market have encouraged us
to consider the developed materials in order to deploy the same
approach in other sectors. This previous project was a first step
that enabled an extremely challenging work on national
governance of systemic risks with all main regulators. Based on
this experience, we aim to develop an innovative systemic
approach of risk management dedicated to the complex and
integrated Luxembourgish market’s ecosystem.
The next section describes our objectives and the research method
to ellaborate this project.
2 FORESEE RESEARCH
2.1 Objectives
The objectives of this position paper are the definition of a
common security risk management framework shared between all
actors of the different sectors. This framework aims at bringing
together the regulated enterprises for elaborating (1) a systemic
risk management approach tailored to IT service systems and
compliant to the Luxembourgish context and standards, (2) a risk
management interface allowing agreements between actors and
easing the service level agreement management, and (3) a method
for monitoring risks at the national level.
As a result, this framework also sustains the regulators’ activities
by offering:
- an overview of the players and an identification of the
service systems following an enterprise architecture
approach in network;
- a set of models dedicated to the different sectors (business
models, information system models, infrastruture models,
etc.);
- a method for the analysis and the interoperability of the data
collected by the regulators.
2.2 Research method
The research method for elaborating the cross-sector risk
management framework consists of four phases: (1) definition of
scope and requirements, (2) cross-sector interaction and risk
modelling, (3) deployment and exploitation framework, (4)
professional dissemination.
Definition of scope and requirements. The first phase aims at
depicting the scientific literature related to the systemic approach
and interoperability for risk management as well as of languages
and models proposed for the formalisation of the method.
Cross-sector interaction and risk modelling. The second phase
has as objective to define, a set of conceptual models sustaining
the risk management, the systemic risk management and the
sectorial risk management based on the review of the literature. In
3. that perspective we have decided to exploit enterprise architecture
theory, i.e. ArchiMate. This phase constitutes the core of the
research and is therefore detailed in the next section.
Deployment and exploitation framework. The third phase aims
at developing tools based on previous models to bring to the
regulated enterprises to perform a systemic risk management. We
also deploy a specific regulator package to exploit the models
elaborated in previous phases by considering the aspects of risk
mapping, risk ecosystem, and risk interface.
Professional validation and dissemination. The fourth phase of
the research is dedicated to an in situ experimentation followed by
sectorial dissemination.
In the next section, we explain the approach that we propose.
Therefore, we first present ArchiMate and then introduce an
integrated map of the main components of the approach.
3 PROPOSED APPROACH
3.1 ArchiMate
ArchiMate [4] is an enterprise architecture [5] modelling
language supported by The Open Group and aiming at
modelling all concepts that compose an enterprise information
system (IS). ArchiMate is especially dedicated to enterprises
which are organised following a service based approach. It
structures the enterprises’ concepts following three layers
(Figure 2): business, application, and technology according to
three dimensions: information, behaviour, and structure. The
language is composed of a set of core concepts and of two
extensions: the motivation extension and the migration
extension which respectively aims at modelling the reasons that
underlay the design or change of some enterprise architectures
and to provide concepts to support the implementation and
migration of architectures. In addition, two extension
mechanisms allow defining new concepts of the core and the
extension models: the addition of attribute(s) and the creation of
stereotype(s). For instance, these extension mechanisms have
been used, e.g., to define a security extension aiming at
analysing and mitigating the IS risk [6].
Figure 2. ArchiMate metamodel
The objectives of enterprise architecture models are various.
The most important is that they allow illustrating the
interconnections between the concepts that compose the
enterprise architecture and hence the impact a modification of
one concept has on the other, for instance, the impact of a
server failure on a business service. Another objective is the
definition of specific views on different aspects of the
architecture depending on the different application required. For
instance, the language may be used to extract a view only
dedicated to the business aspects of the enterprise, a view
related to a specific service, or a view related to the
management of the security [6].
3.2 Cross-sector interaction and risk
modelling approach
As explained in the introduction, enterprises from different fields
are strongly interconnected and nowadays, a risk happening in
one business sector is very likely to have an impact on other
sectors. Unfortunately, information exchange among different
sectors is limited which makes it sometimes difficult to efficiently
share appropriate and crucial information regarding systemic
security. As explained in the research method, one of the first
steps is to develop cross-sector interaction and risk modelling, in
particular by developing conceptual models allowing describing
the ecosystem and the different interactions.
As a result, our approach to face this problem consists of using
and adapting an existing and well established enterprise
architecture language which allows modelling all the sector
characteristics. Figure 3 represents the different dimensions of our
approach in a UML like language. In this figure, we note that
enterprises from different sectors often need to interact in order to
achieve specific goals. E.g., in order to regulate the activities and
to improve the quality of the services provided by an enterprise in
the financial sector, the regulatory authorities require performing
an appropriate risk management activity. To have this high quality
risk management activity generate accurate results, different
interactions with other sectors also need to be taken into account.
For instance, this financial enterprise needs to use highly available
networks provided by telecommunication operators and, as a
result, appropriate information should be exchanged between
these enterprises.
In this context, to sustain this risk management, it is necessary to
represent the following elements through a single enterprise
architecture modelling language (ArchiMate): enterprise IS, risk
management, interaction between enterprises, and risk
management related to this interaction. Using a single language
for representing heterogeneous information issued from different
domains allow these different enterprises to more easily access
and understand the semantic of the systemic risks and to facilitate
the exchange of information.
Figure 3 also represents the ISRM model of the whole
Luxembourgish ecosystem. Several regulatory authorities regulate
enterprises of different economic sectors. All of these enterprises
have different goals but, however, need to interact. A risk
management is commonly defined only in the scope of one
enterprise. The main challenge is to take into account the
enterprise’s interaction to obtain a systemic risk management.
To address this type of risk management, we have exploited the
ISRM model [7, 8] which proposes a risk management framework
based on an extended and motivated risk management literature
review. As explained in the window of figure 3 “Risk
management based on ISRM”, this risk model is composed of an
event and one or more impacts on the enterprise goals. The event
is itself composed of a threat that exploits one or more
vulnerabilities of the enterprise’s assets. However, as explained
previously, the IS risk may have interdependencies between
enterprises and should be related to the enterprise itself or to an
interaction between enterprises.
Afterwards, to extend the risk management to an ecosystem
management, we consider (1) the “Sectors based Risk
management” as an instance of a more “traditional” IS risk
management, and (2) the “Systemic risk management” (both
dashed boxes of Figure 3). Our proposed research work consists
in developing a set of conceptual models sustaining sectorial risk
management and systemic risk management.
4. Figure 3. Foresee approach for cross-sector risk management
The last field according to our approach is the enterprise
architecture. As illustrated at the bottom of Figure 3, the
enterprise architecture models are perceived as appropriate
solutions to sustain the modelling of the whole ecosystem (i.e.,
enterprises, interactions, and risk management). ArchiMate is a
language with many advantages but we acknowledge that it is
semantically not rich enough to model all the elements of the
ecosystem, such as the Enterprise Interaction extension (dashed
box). Enriching the ArchiMate language by using the extension
mechanisms presented in previous sections is a key step of our
approach.
This model is the first step of our work and illustrates the next
main steps of this project by three challenge boxes (dashed
boxes): the “sectors-based risk management modelling”, the
“enterprise interaction extension modelling”, and the “systemic
risk management framework”.
4 CONCLUSIONS AND FUTURE WORKS
In this position paper, we have presented our approach to
establish a systemic risk management framework. After having
detailed our context and our preliminary work, we have exposed
our foresee research with our different objectives and our research
method. This framework will bring a systemic risk management
approach tailored to service systems and compliant with the
Luxembourgish context and standards to the regulated enterprises.
This framework will also sustain the regulators’ activities by
offering a method for the analysis and the interoperability of the
data collected by the regulators.
We have described our first step by modelling the systemic risk
management in cross-sector interactions. Regarding future works,
we have different challenging steps in the project: (1) the scope of
the market and analysis of requirements, (2) the cross-sector
interaction and risk modelling, (3) the deployment and
exploitation framework, (4) the professional dissemination.
References
[1] Basel II. 2006. Bank for International Settlements BIS: International
Convergence of Capital Measurement and Capital Standards:
Revised Framework – Comprehensive Version.
[2] Sarbanes, P. S. and Oxley, M. 2002. “Sarbanes-Oxley Act of 2002”.
[3] Mayer, N.; Aubert, J.; Cholez, H.; Grandry, E. 2013. Sector-Based
Improvement of the Information Security Risk Management Process
in the Context of Telecommunications Regulation, 20th European
Conference, EuroSPI 2013, Dundalk, Ireland. Proceedings.
[4] Lankhorst, M. 2004. ArchiMate language primer, 2004.
[5] Zachman, J. A. 2003. The Zachman Framework For Enterprise
Architecture : Primer for Enterprise Engineering and Manufacturing
By. Engineering, no. July: 1-11.
[6] Grandry, E.; Feltus, C.; Dubois, E. 2013. Conceptual Integration of
Enterprise Architecture Management and Security Risk
Management, SoEA4EE’2013, Vancouver, BC, Canada.
[7] Mayer, N. 2009. Model-based management of information system
security risk. PhD Thesis.
[8] Dubois, E.; Heymans, P.; Mayer, N. and Matulevičius, R. 2010. “A
Systematic Approach to Define the Domain of Information System
Security Risk Management,” in Intentional Perspectives on
Information Systems Engineering, Springer Berlin Heidelberg, pp.
289–306.