This document proposes an innovative systemic approach to risk management across interconnected sectors. It suggests using enterprise architecture models to manage cross-sector risks in Luxembourg's complex ICT ecosystem. The approach would provide regulators an overview of all players and systems, as well as models of different sectors to analyze collected data and risks at a national level, fostering accurate and reactive risk mitigation across economic domains.
Towards an Innovative Systemic Approach of Risk Management
Hervé Cholez and Christophe Feltus
Public Research Centre Henri Tudor,
29, avenue John F. Kennedy, L-1855 Luxembourg-Kirchberg, Luxembourg
herve.cholez@tudor.lu, christophe.feltus@tudor.lu
ABSTRACT
Nowadays, enterprises from different sectors are strongly interconnected and need to interact continuously in order to survive. In this context, the occurrence of an event (e.g., a system failure) in one sector may lead to a serious risk in another. To avoid this, a systemic approach to risk management is required. This approach aims to foster the accuracy and the reactivity of risk mitigation and hence to minimize the impact and the propagation of the risk and, as a consequence, to sustain the initiatives of all economic domains' regulators in risk management. This position paper suggests an innovative solution, which is to be further investigated, to manage cross-sector ICT ecosystem risks using enterprise architecture models. This solution is illustrated with a proof of concept related to the Luxembourgish market.
Categories and Subject Descriptors
H.2.7: Security, Integrity, and Protection
General Terms
Management, Performance, Design, Experimentation, Security,
Languages, Theory, Verification.
Keywords
Information system, information security risk, systemic risk management, enterprise architecture, ArchiMate®, position paper.
1 INTRODUCTION & MOTIVATION
1.1 Context
Information systems are everywhere and their role is central for all enterprises because of the increasing amount of information managed during the last decades. Due to the criticality of the information exchanged, more and more supervision is needed and operated by national, European or even international authorities. One of the leading sectors to have adopted such a model is the financial sector, with a national regulatory authority (NRA) established in every country and dealing with sector-based regulations defined at the international and/or national level (e.g., the Basel II agreements [1], the Sarbanes-Oxley Act [2], etc.).
The Luxembourgish market is based on a complex and integrated ecosystem and is sustained by an integrated network of subcontractors, especially in IT services. At the national level, the number of regulators ensuring the control of risks of the different actors in the ecosystem is increasing, e.g., the ILR¹ for the telecommunications service providers, ILNAS² for electronic records, the CSSF³ for the financial service providers, or the CNPD⁴ for data protection. These regulatory initiatives progressively improve the maturity of each actor and allow collecting data on related risks. However, due to the complexity and the heterogeneity of the market, the data analysis performed by the regulators, as well as the systemic risk management of this complete ecosystem, remains challenging.
In this context, this position paper introduces, and gives an insight into, the research work that we are going to carry out in order to tackle the above systemic risk issue, which we consider as the risk generated through the interaction between enterprises, having an influence on the whole customers'/suppliers' chain, and impacting more than one sector at the same time. This research work is funded by the FEDER project named SARIM (Systemic Approach of Risk Management) and supported by a strong Luxembourgish partnership, as illustrated in Figure 1. The political level (European and national) establishes laws and regulations. Partners at this level are, among others, the Ministry of State, the Ministry of Trade and Industry and the High Commissioner for National Protection. The national regulatory environment supervises the application of these regulations in the Luxembourgish organizations and their subcontractors. Partners in this sector are, among others: ILNAS, CNPD and ILR. Finally, ICT enablers, such as our partners in this project (EBRC (http://www.ebrc.com/), Post (http://www.post.lu), etc.), are essential to sustain the implementation of all these regulations and are also impacted by the regulatory environment.
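To make the cross-sector propagation described above concrete, here is an added Python illustration (not code from the paper or the SARIM project) of a small enterprise-architecture-style dependency model: a failure on one service is propagated along the supplier chain, and the national view of the event is compared with what a single-sector regulator alone would see. All service, actor and sector names are constructed for the example.

```python
"""Cross-sector risk propagation over a small enterprise-architecture-style model.

Added illustration, not code from the paper or the SARIM project. It models the
paper's notion of systemic risk: an event in one sector propagates along the
customers'/suppliers' chain into other sectors. All actors, services and sector
names below are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    sector: str    # regulated sector, e.g. "telecom", "finance", "public"
    provider: str  # actor operating the service


@dataclass
class EcosystemModel:
    """Services plus 'serving' dependencies (consumer -> suppliers it relies on)."""
    services: dict = field(default_factory=dict)    # name -> Service
    depends_on: dict = field(default_factory=dict)  # name -> set of supplier names

    def add_service(self, svc: Service) -> None:
        self.services[svc.name] = svc
        self.depends_on.setdefault(svc.name, set())

    def add_dependency(self, consumer: str, supplier: str) -> None:
        if consumer not in self.services or supplier not in self.services:
            raise KeyError("both ends of a dependency must be registered services")
        self.depends_on[consumer].add(supplier)

    def consumers_of(self, supplier: str) -> set:
        return {c for c, deps in self.depends_on.items() if supplier in deps}

    def impact_of_failure(self, failed: str) -> dict:
        """Breadth-first propagation from a failed service to everything that
        transitively consumes it. Returns name -> hop distance (0 for the origin)."""
        dist = {failed: 0}
        queue = deque([failed])
        while queue:
            cur = queue.popleft()
            for consumer in self.consumers_of(cur):
                if consumer not in dist:  # shortest path wins; cycles are safe
                    dist[consumer] = dist[cur] + 1
                    queue.append(consumer)
        return dist

    def impacted_sectors(self, failed: str) -> set:
        return {self.services[n].sector for n in self.impact_of_failure(failed)}

    def is_systemic(self, failed: str) -> bool:
        """Systemic in the paper's sense: more than one sector is affected."""
        return len(self.impacted_sectors(failed)) > 1

    def sector_view(self, failed: str, sector: str) -> set:
        """What a single-sector regulator can see of the same event: only the
        impacted services inside its own sector."""
        return {n for n in self.impact_of_failure(failed)
                if self.services[n].sector == sector}


def build_sample_model() -> EcosystemModel:
    """Constructed sample ecosystem: one fibre backbone serving an ICT hosting
    provider, which in turn serves finance and public-sector services."""
    m = EcosystemModel()
    for svc in [
        Service("fiber_backbone", "telecom", "TelcoA"),
        Service("retail_isp", "telecom", "TelcoB"),
        Service("datacenter_hosting", "ict", "HostCo"),
        Service("core_banking", "finance", "BankX"),
        Service("payment_switch", "finance", "PayNet"),
        Service("e_gov_portal", "public", "GovIT"),
    ]:
        m.add_service(svc)
    m.add_dependency("retail_isp", "fiber_backbone")
    m.add_dependency("datacenter_hosting", "fiber_backbone")
    m.add_dependency("payment_switch", "fiber_backbone")
    m.add_dependency("payment_switch", "datacenter_hosting")
    m.add_dependency("core_banking", "datacenter_hosting")
    m.add_dependency("e_gov_portal", "datacenter_hosting")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    event = "fiber_backbone"
    # The telecom regulator alone sees two telecom services; the national view
    # sees six services across four sectors, i.e. a systemic event.
    print("telecom regulator sees:", sorted(model.sector_view(event, "telecom")))
    print("national view sees:", model.impact_of_failure(event))
    print("systemic:", model.is_systemic(event), model.impacted_sectors(event))
```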
1.2 Preliminary work
Before addressing an integrated ecosystem such as the one explained in the introduction, the Public Research Centre Henri Tudor carried out a two-year research project in one specific context: telecommunications regulation [3]. In this project, conducted in collaboration with telecommunication operators and the ILR, the information security risk management (ISRM) process was an essential step and a strategic challenge.
¹ ILR ("Institut Luxembourgeois de Régulation") is the French acronym for the Luxembourgish Regulatory Institute.
² ILNAS ("Institut Luxembourgeois de la Normalisation, de l'Accréditation, de la Sécurité et qualité des produits et services") is the French acronym for the Luxembourgish Institute for Standardisation, Certification, Security and Quality of Products and Services.
³ CSSF ("Commission de Surveillance du Secteur Financier") is the French acronym for the Financial Services Authority.
⁴ CNPD ("Commission Nationale pour la Protection des Données") is the French acronym for the national commission for data protection.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author. Copyright is held by the owner/author(s).
SIN '14, Sep 09-11 2014, Glasgow, Scotland, UK
ACM 978-1-4503-3033-6/14/09.
http://dx.doi.org/10.1145/2659651.2659734
Figure 1. Integrated ecosystem of the Luxembourg digital economy governance
The project's key issues consisted of defining the relevant risks regarding the businesses operated and the architecture in place, as well as selecting the relevant security controls accordingly.
As a result, the main innovation of this project consisted of the development of a specific ISRM process tailored to the telecommunication sector. The outcome of this project is a fine-tuned method supported by a tool (the TISRIM Telco Tool) which allows telecommunication operators to efficiently perform information security risk assessments in compliance with both national and European regulations.
The tool is distributed to all telecommunication operators in Luxembourg. Its widespread use in Luxembourg allows a homogeneous methodology, and risk assessment results are easy to compare and to analyse by national regulatory authorities. Widespread implementation of risk assessment and security measures in this sector has benefits for both citizens and the economy [3], as telecommunication networks will be better protected against service interruptions and security breaches, ensuring continuous and high-quality service. The TISRIM Telco tool helps the national regulatory authority to raise the awareness of telecommunication operators, as well as to encourage the ongoing improvement of their level of information security.
Adapting information security risk management processes and practices to the telecommunication sector has strengthened our competencies in the domain. The success of this project and market demand have encouraged us to reuse the developed material in order to deploy the same approach in other sectors. That project was a first step that opened the way to a far more challenging work on the national governance of systemic risks, involving all the main regulators. Building on this experience, we aim to develop an innovative systemic approach to risk management dedicated to the complex and integrated Luxembourg market ecosystem.
The next section describes our objectives and the research method used to elaborate this project.
2 FORESEE RESEARCH
2.1 Objectives
The objective of this position paper is to define a common security risk management framework shared by all actors of the different sectors. This framework aims at bringing the regulated enterprises together to elaborate (1) a systemic risk management approach tailored to IT service systems and compliant with the Luxembourg context and standards, (2) a risk management interface allowing agreements between actors and easing service level agreement management, and (3) a method for monitoring risks at the national level.
As a result, this framework also sustains the regulators' activities by offering:
- an overview of the players and an identification of their service systems, following a networked enterprise architecture approach;
- a set of models dedicated to the different sectors (business models, information system models, infrastructure models, etc.);
- a method for the analysis and the interoperability of the data collected by the regulators.
2.2 Research method
The research method for elaborating the cross-sector risk management framework consists of four phases: (1) definition of scope and requirements, (2) cross-sector interaction and risk modelling, (3) deployment and exploitation framework, and (4) professional validation and dissemination.
Definition of scope and requirements. The first phase reviews the scientific literature on the systemic approach to, and interoperability of, risk management, as well as the languages and models proposed for formalising the method.
Cross-sector interaction and risk modelling. The second phase defines, based on the literature review, a set of conceptual models sustaining risk management, systemic risk management and sectorial risk management. In that perspective we have decided to exploit enterprise architecture theory, i.e. ArchiMate. This phase constitutes the core of the research and is therefore detailed in the next section.
Deployment and exploitation framework. The third phase develops tools based on the previous models and brings them to the regulated enterprises so that they can perform systemic risk management. We also deploy a specific regulator package that exploits the models elaborated in the previous phases, covering risk mapping, the risk ecosystem and the risk interface.
Professional validation and dissemination. The fourth phase of the research is dedicated to an in situ experimentation followed by sectorial dissemination.
In the next section, we explain the approach that we propose: we first present ArchiMate and then introduce an integrated map of the main components of the approach.
3 PROPOSED APPROACH
3.1 ArchiMate
ArchiMate [4] is an enterprise architecture [5] modelling language maintained by The Open Group, aimed at modelling all the concepts that compose an enterprise information system (IS). ArchiMate is especially dedicated to enterprises organised following a service-based approach. It structures the enterprise's concepts in three layers (Figure 2): business, application and technology, each considered along three aspects: information, behaviour and structure. The language is composed of a set of core concepts and two extensions: the motivation extension, which models the reasons underlying the design or change of an enterprise architecture, and the implementation and migration extension, which provides concepts to support the implementation and migration of architectures. In addition, two extension mechanisms allow new concepts to be defined on top of the core and extension models: the addition of attributes and the creation of stereotypes (specialisations). These extension mechanisms have been used, for instance, to define a security extension aimed at analysing and mitigating IS risk [6].
Figure 2. ArchiMate metamodel
Enterprise architecture models serve various objectives. The most important is that they make visible the interconnections between the concepts that compose the enterprise architecture, and hence the impact that a modification of one concept has on the others, for instance the impact of a server failure on a business service. Another objective is the definition of specific views on different aspects of the architecture, depending on the application required. For instance, the language may be used to extract a view dedicated only to the business aspects of the enterprise, a view related to a specific service, or a view related to security management [6].
3.2 Cross-sector interaction and risk modelling approach
As explained in the introduction, enterprises from different fields are strongly interconnected, and nowadays a risk materialising in one business sector is very likely to have an impact on other sectors. Unfortunately, information exchange between sectors is limited, which sometimes makes it difficult to share the appropriate and crucial information regarding systemic security efficiently. As explained in the research method, one of the first steps is to develop cross-sector interaction and risk modelling, in particular by developing conceptual models that describe the ecosystem and its different interactions.
Our approach to this problem therefore consists in using and adapting an existing and well-established enterprise architecture language that allows all the sector characteristics to be modelled. Figure 3 represents the different dimensions of our approach in a UML-like notation. It shows that enterprises from different sectors often need to interact in order to achieve specific goals. For example, in order to regulate the activities of an enterprise in the financial sector and to improve the quality of the services it provides, the regulatory authority requires it to perform an appropriate risk management activity. For this risk management activity to generate accurate results, the interactions with other sectors also need to be taken into account: the financial enterprise needs highly available networks provided by telecommunication operators, so appropriate information should be exchanged between these enterprises.
In this context, to sustain this risk management, it is necessary to represent the following elements through a single enterprise architecture modelling language (ArchiMate): the enterprise IS, risk management, the interactions between enterprises, and the risk management related to these interactions. Using a single language to represent heterogeneous information issued from different domains allows these enterprises to access and understand the semantics of systemic risks more easily, and facilitates the exchange of information.
Figure 3 also represents the ISRM model of the whole Luxembourg ecosystem. Several regulatory authorities regulate enterprises of different economic sectors. All of these enterprises have different goals but nevertheless need to interact. Risk management is commonly defined only within the scope of one enterprise; the main challenge is to take the enterprises' interactions into account in order to obtain a systemic risk management.
To address this type of risk management, we have exploited the ISRM model [7, 8], which proposes a risk management framework based on an extended and motivated review of the risk management literature. As shown in the box of Figure 3 labelled "Risk management based on ISRM", a risk is composed of an event and of one or more impacts on the enterprise's goals. The event is itself composed of a threat that exploits one or more vulnerabilities of the enterprise's assets. However, as explained previously, an IS risk may involve interdependencies between enterprises, and should therefore be related either to the enterprise itself or to an interaction between enterprises.
To extend risk management to ecosystem management, we then consider (1) the "Sector-based risk management" as an instance of the more "traditional" IS risk management, and (2) the "Systemic risk management" (both dashed boxes of Figure 3). Our proposed research work consists in developing a set of conceptual models sustaining sectorial risk management and systemic risk management.
Figure 3. Foresee approach for cross-sector risk management
The last field of our approach is the enterprise architecture. As illustrated at the bottom of Figure 3, enterprise architecture models are perceived as appropriate solutions to sustain the modelling of the whole ecosystem (i.e., enterprises, interactions and risk management). ArchiMate is a language with many advantages, but we acknowledge that it is semantically not rich enough to model all the elements of the ecosystem, such as the Enterprise Interaction extension (dashed box). Enriching the ArchiMate language through the extension mechanisms presented in the previous section is therefore a key step of our approach.
This model is the first step of our work and illustrates the next main steps of this project by three challenge boxes (dashed boxes): the "sector-based risk management modelling", the "enterprise interaction extension modelling", and the "systemic risk management framework".
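To make concrete both the dependency analysis of Section 3.1 (the impact of a server failure on a business service) and the ISRM risk model just described (a threat exploiting a vulnerability of an asset, producing an event with impacts on enterprise goals, possibly across an interaction between enterprises), here is an added Python example. It is not part of the paper or of the TISRIM tooling. It reduces ArchiMate relations to a single "supports" dependency between elements of the technology, application and business layers, marks every dependency that crosses an enterprise boundary as an interaction (the role of the Enterprise Interaction extension), and propagates an event from its asset to the goals it impacts, distinguishing internal impacts from systemic ones. The two enterprises (TelcoA, BankB), their elements and the DDoS scenario are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    """An ArchiMate-style element owned by one enterprise, in one layer."""
    enterprise: str
    layer: str          # "technology", "application" or "business"
    name: str


@dataclass(frozen=True)
class Threat:
    name: str


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: Element      # the element whose weakness the threat exploits


@dataclass(frozen=True)
class Event:
    """ISRM event: a threat exploiting a vulnerability of an asset."""
    threat: Threat
    vulnerability: Vulnerability


@dataclass(frozen=True)
class Impact:
    """ISRM impact on an enterprise goal; via_interaction marks a systemic impact."""
    enterprise: str
    goal: str
    via_interaction: bool


class EcosystemModel:
    def __init__(self):
        self.supports = {}         # supporter -> {dependents}
        self.interactions = set()  # (provider, consumer) edges crossing an enterprise boundary
        self.goals = {}            # business element -> {goals it realises}

    def add_support(self, supporter, dependent):
        """Record that `dependent` relies on `supporter` (ArchiMate realisation/serving)."""
        self.supports.setdefault(supporter, set()).add(dependent)
        if supporter.enterprise != dependent.enterprise:
            self.interactions.add((supporter, dependent))

    def add_goal(self, element, goal):
        self.goals.setdefault(element, set()).add(goal)

    def _reach(self, start, cross_enterprise):
        """Elements whose availability depends on `start`; optionally follow interactions."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for dep in self.supports.get(cur, ()):
                if not cross_enterprise and (cur, dep) in self.interactions:
                    continue
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
        return seen

    def assess(self, event):
        """Propagate an event from its asset to every goal it can impact."""
        asset = event.vulnerability.asset
        internal = self._reach(asset, cross_enterprise=False)   # single-enterprise scope
        systemic = self._reach(asset, cross_enterprise=True)    # ecosystem scope
        impacts = []
        for element in systemic:
            for goal in self.goals.get(element, ()):
                impacts.append(Impact(element.enterprise, goal,
                                      via_interaction=element not in internal))
        return sorted(impacts, key=lambda i: (i.enterprise, i.goal))


def build_sample():
    """Constructed two-enterprise ecosystem; names are illustrative, not real operators."""
    m = EcosystemModel()
    router = Element("TelcoA", "technology", "CoreRouter")
    ipnet = Element("TelcoA", "technology", "IPNetwork")
    connectivity = Element("TelcoA", "business", "ConnectivityService")
    gateway = Element("BankB", "application", "PaymentGateway")
    payments = Element("BankB", "business", "OnlinePayments")
    dbserver = Element("BankB", "technology", "DBServer")
    corebank = Element("BankB", "application", "CoreBanking")
    accounts = Element("BankB", "business", "AccountManagement")
    for sup, dep in [(router, ipnet), (ipnet, connectivity),
                     (connectivity, gateway),   # crosses TelcoA -> BankB: an interaction
                     (gateway, payments), (dbserver, corebank), (corebank, accounts)]:
        m.add_support(sup, dep)
    m.add_goal(connectivity, "Network availability")
    m.add_goal(payments, "Continuous online payments")
    m.add_goal(accounts, "Accurate account records")
    return m, router


def run_sample():
    """Assess a constructed DDoS event against the telco's core router."""
    model, router = build_sample()
    event = Event(Threat("DDoS flood"), Vulnerability("no ingress rate limiting", router))
    return model.assess(event)


if __name__ == "__main__":
    for imp in run_sample():
        kind = "systemic (via interaction)" if imp.via_interaction else "internal"
        print(f"{imp.enterprise}: {imp.goal} [{kind}]")
```

Running the script lists the telco's "Network availability" goal as an internal impact and the bank's "Continuous online payments" goal as a systemic one, while "Accurate account records" is untouched. The systemic impact is exactly what a risk assessment scoped to BankB alone would not see, since the vulnerable asset lives in TelcoA's architecture; modelling the interaction explicitly is what makes it visible to both enterprises and to their regulators.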
4 CONCLUSIONS AND FUTURE WORKS
In this position paper, we have presented our approach to establishing a systemic risk management framework. After detailing our context and our preliminary work, we have exposed our Foresee research, with its objectives and research method. This framework will bring the regulated enterprises a systemic risk management approach tailored to service systems and compliant with the Luxembourg context and standards. It will also sustain the regulators' activities by offering a method for the analysis and the interoperability of the data they collect.
We have described our first step, the modelling of systemic risk management in cross-sector interactions. Regarding future work, the project comprises several challenging steps: (1) scoping the market and analysing the requirements, (2) cross-sector interaction and risk modelling, (3) the deployment and exploitation framework, and (4) professional validation and dissemination.
References
[1] Bank for International Settlements (BIS). 2006. Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version.
[2] Sarbanes, P. S. and Oxley, M. 2002. Sarbanes-Oxley Act of 2002.
[3] Mayer, N.; Aubert, J.; Cholez, H.; Grandry, E. 2013. Sector-Based Improvement of the Information Security Risk Management Process in the Context of Telecommunications Regulation. In Proceedings of the 20th European Conference, EuroSPI 2013, Dundalk, Ireland.
[4] Lankhorst, M. 2004. ArchiMate Language Primer.
[5] Zachman, J. A. 2003. The Zachman Framework for Enterprise Architecture: Primer for Enterprise Engineering and Manufacturing.
[6] Grandry, E.; Feltus, C.; Dubois, E. 2013. Conceptual Integration of Enterprise Architecture Management and Security Risk Management. In SoEA4EE 2013, Vancouver, BC, Canada.
[7] Mayer, N. 2009. Model-Based Management of Information System Security Risk. PhD Thesis.
[8] Dubois, E.; Heymans, P.; Mayer, N.; Matulevičius, R. 2010. A Systematic Approach to Define the Domain of Information System Security Risk Management. In Intentional Perspectives on Information Systems Engineering, Springer Berlin Heidelberg, pp. 289–306.