
A Participative and Collaborative Approach for Security Risk Management Modelling in the Context of Essential Services

  • Conference paper
  • Published in: Information Systems and Technologies (WorldCIST 2022)
  • Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 470)

Abstract

This paper introduces a participative and collaborative approach to security risk management modelling in the context of Essential Services for NIS Directive compliance. The approach allows sectoral models to be built from the knowledge of domain experts, which improves both the acceptability and the handling of these models. The application of the methodology is reported based on our experience of national modelling of several essential sectors and sub-sectors in Luxembourg. This modelling involved more than forty participatory workshops, bringing together more than a hundred experts to gather their knowledge. The methodology and the different workshops are presented in detail, and then analysed in terms of relevance, adequacy and results produced.



Acknowledgement

Thanks to the Institut Luxembourgeois de Régulation, the National Competent Authority for Luxembourg (except for banking and financial market infrastructure), for its participation and support in the project that enabled the establishment and application of this methodology.

Author information

Corresponding author: Jocelyn Aubert


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Aubert, J., Cholez, H. (2022). A Participative and Collaborative Approach for Security Risk Management Modelling in the Context of Essential Services. In: Rocha, A., Adeli, H., Dzemyda, G., Moreira, F. (eds) Information Systems and Technologies. WorldCIST 2022. Lecture Notes in Networks and Systems, vol 470. Springer, Cham. https://doi.org/10.1007/978-3-031-04829-6_12
