=Paper=
{{Paper
|id=Vol-1728/paper2
|storemode=property
|title=Extending GOReM Through the RAMSoS Method for Supporting Modeling and Virtual Evaluation of the Systemic Risk
|pdfUrl=https://ceur-ws.org/Vol-1728/paper2.pdf
|volume=Vol-1728
|authors=Simona Citrigno,Angelo Furfaro,Teresa Gallo,Alfredo Garro,Sabrina Graziano,Domenico Saccá,Andrea Tundis
|dblpUrl=https://dblp.org/rec/conf/ciise/CitrignoFGGGST16
}}
==Extending GOReM Through the RAMSoS Method for Supporting Modeling and Virtual Evaluation of the Systemic Risk==
Angelo Furfaro, Teresa Gallo, Alfredo Garro, Domenico Saccà, Andrea Tundis

Department of Informatics, Modeling, Electronics and Systems Engineering (DIMES), University of Calabria, Via Ponte P. Bucci 41C, Rende (CS), 87036 Italy

{a.furfaro, t.gallo, a.garro, sacca, a.tundis}@dimes.unical.it

Simona Citrigno, Sabrina Graziano

Centro di Competenza ICT-SUD, Piazza Vermicelli, 87036 Rende (CS), Italy

simona.citrigno@cc-ict-sud.it, sabrina.graziano@cc-ict-sud.it

Copyright © held by the authors.

Abstract— Recently, due to the increasing complexity and wider adoption of heterogeneous systems, the management of security properties, vulnerabilities and risks of systems built by integrating and structuring existing components is becoming more and more crucial. A particular aspect to be considered is the Risk Analysis and, specifically, the analysis of the Systemic Risk. This risk derives from the interdependence of the system under consideration, from services provided by other systems and, in general, from the interactions among them. In fact, it may happen that an adverse event, which occurs at a certain system that is not properly controlled, can cause dangerous effects that, through its propagation to other interconnected systems, would/could compromise their operation. Thus, suitable engineering approaches need to be exploited to prevent and manage the risks arising from the integration of system components so as to increase the security of systems, data and even human life. In this context, the paper proposes specific extensions of a Goal Oriented methodology for Requirement Modeling, called GOReM, through the RAMSoS method, natively conceived for supporting dependability analysis. Such combination enables the modeling and the evaluation of the Systemic Risk centered on agent-based simulation techniques. The combination of RAMSoS and GOReM is experimented on a case study concerning an online payment service, by evaluating the impact of the failure of a single component on the overall system.

Keywords— Cybersecurity, Modeling and Simulation, Requirement Engineering, Systemic Risk Analysis.

===I. INTRODUCTION===

In recent years, the global crisis has shown that the benefits of globalization are increasingly accompanied by a growing interdependence and interconnection of systems and services, bringing out new vulnerabilities coming from unexpected directions. Global risk can cause a significant negative impact on a number of countries and companies, showing a systemic nature [14]. In this view, it is important to distinguish between the idiosyncratic shock, which affects only a single institution or activity, and the systemic risk, which can cause the rupture of an entire system (social, political, economic, technological, etc.), causing a damage of remarkable entity. Its main features are: (i) small fragilities that combine to produce a more extensive failure; (ii) risk sharing or contagion, when a loss triggers a chain of other losses; (iii) hysteresis, when the system is unable to recover after a shock [10]. The causes that lead to systemic events reside primarily in the influence that the various actors in the network have with each other; furthermore, the systemic importance of the various actors is not determined by their size, but by the correlation degree among them. Similarly, it is not always true that a negative event of large dimensions can be always defined as systemic.

In fact, the propagation mechanism can be realized not only through the direct exposure to a negative event caused by the shock, but also indirectly. In this context, it is interesting to understand how it is possible to model actors and factors arising from systemic risk in order to fully consider them in the different phases of the risk analysis.

In this context, the paper aims at investigating in this direction by exploiting engineering tools for representing relationships among systems/services and observing their behavior. Specifically, the adoption of the Systems Engineering approach combined with Modeling and Simulation techniques is used to catch how and which entities of the overall system influence the operation of the entire system and, as a consequence, the evaluation of the Systemic Risk. In particular, the combination of a Goal Oriented methodology for Requirement Modeling, called GOReM [4], with the RAMSoS method [8], natively conceived for supporting systems dependability analysis, is provided. Such combination enables the modeling and the evaluation of the Systemic Risk by exploiting an agent-based simulator that has been ad-hoc implemented.

The rest of the paper is structured as follows: Section II presents the related work and highlights the main research challenges related to the systemic risk in the cyber-security domain; the combination of the GOReM and RAMSoS methods is presented in Section III. A case study concerning an online payment service is described in Section IV, whereas the simulation-based evaluation is presented in Section V. Finally, conclusions are drawn in Section VI.

===II. A PANORAMA ON THE SYSTEMIC RISK===

====A. Overview on the Systemic Risk====

As mentioned above, the Systemic Risk is intended as a risk deriving from the interdependence between the main system, object of the analysis, and the services provided by other systems and, in general, by the interactions between them. It is possible to define the systemic risk as “any set of circumstances that threatens the stability of or the public trust in the system” [2]. In this way, there is a strong link between systemic risk and operational risk and it is interesting to understand how it is possible to explicitly model factors deriving from systemic risk in order to fully consider them in the different phases of operational risk analysis and treatment.

Companies inadvertently expose themselves to risks outside of their structure, by outsourcing, interconnecting or divulging their data to an increasingly complex and inscrutable system of networks. Some risk factors have been identified and published in the “Zurich Cyber Risk Report”, and, in particular, seven IT risks have been identified that could threaten a systemic shock: internal corporate network, outward counterparts and affiliates, supply chain and outsourcing contracts, disruptive technologies (IoT in the first place), critical infrastructure and external shocks [15].

These seven risks can be grouped in three areas “Near, Everywhere and Distant”. The “near” area is related to the usage of contracts, SLAs, internal corporate controls and resiliency within a company. The “everywhere” area includes all those companies that may have contractual relationships with other companies around the world, so the risks are not generally controlled by individual contracts, but by companies and governments through standards, regulations, global and national governance. The “distant” area is then related to all those external risks on which individuals or groups of companies may not have any influence. Risk control coming from external shocks is almost entirely in charge of governments, intergovernmental organizations and transnational organizations [15].

====B. Systemic Risk in the Financial field====

Systemic risk in the financial sector can be thought of as the probability that a failure of a significant portion of the financial sector can occur, which can lead to a reduction in credit availability. The materialization of such event is likely to generate negative effects on the real economy. Systemic risk in the financial sector is essentially related to the risk of infection among financial institutions, which could generate a potential destabilization of the entire financial system. Some negative externalities, or inappropriate behaviors, generating damaging effects on the financial market status, have great impact on the increase of the systemic risk. Several preventing approaches have been proposed: making use of suitable financial stability or strength indicators; measuring the existing correlations between financial institutions; usage of legislative bodies aiming at regulating the activities of the actors in the financial sector to minimize such kind of risks.

Four main reasons determining negative effects on a system have been identified (the focus is on negative externalities, i.e. economic and financial behaviors which affect the overall market trend, and influencing systemic risk growth):

* Informational contamination. Rapid news propagation having influence on financial topics leading to considerable mismatches on assets and liabilities maturities. A striking example of the materialization of such event is the failure of Lehman Brothers, which led, from one side, Merrill Lynch to merge with Bank of America, and, on the other side, Goldman Sachs and Morgan Stanley to become ordinary banks, causing in this way the collapse of US real estate stocks. The involvement of important institutions in the crisis is relevant for the propagation of negative information.
* Loss of specific and confidential information about the creditworthiness of the debtor. The customers of the failed credit bank will have greater difficulty in obtaining credit from new banks. This is because new banks can apply more restrictive policies for granting credit to new customers since there is scarce information about them.
* Debt-Credit relations between banks. Credit institutions and financial intermediaries are inclined to work more closely among themselves at commercial level. The risk of a crisis spreading in the whole financial system can be increased by the interactions between banks and intermediaries, which can be related not only to the interbank market, but also to a large sector of derivatives markets, including CDS (Credit Default Swap), guarantees, brokerage services, etc.
* Liquidity spiral. This negative externality occurs when financial market operators, instead of selling financial assets for gaining liquidity, use different strategies to restrict the new credit extension, that means, for example, making a credit rationing having high-margin/cuts, or increasing the interest rate for the grant allocation. These activities can reduce prices and outputs and can increase the possibility of failure in accessing the loan. This kind of problem is caused by an extreme exposure to risk of the liquidity shortage by financial institutions, which make use of high debt strategies.

In the end, the negative propagation effects can be greater when the failure is related to large institutions having different interconnections and in the presence of a not transparent market structure (OTC markets, not characterized by the typical requirements for regulated markets). Government institutions implicitly support and foster financial institutions to increase their size and interconnections, so that they can increase the possibility of being saved in time of crisis, since they are “too big to fail”.

====C. Systemic Risk in the Information Technology field====

Microsoft has proposed the creation of a G20+20 Cyber Stability Board, that means, 20 governments and 20 companies, operating in the information and communication technology, which should work in synergy to draw up a set of basic principles ensuring, from one side, an 'acceptable behavior' in cyberspace and, on the other side, some “guidelines” to improve IT risk management.

The following recommendations about potential systemic risk impact in IT can be useful for both large and small organizations to survive a potential cyber shock, and can be considered as a kind of “shock absorber” that can potentially reduce the magnitude of the shock: (i) improving the resilience and incident response at system level; (ii) expanding security concepts aimed at involving third-party suppliers as much as possible; (iii) providing targeted subsidies; (iv) considering other measures, such as “Stability Board” and the “G-SIFIs” requirements.

For small business enterprises there are three categories of recommendations: Basic, Advanced and Resilience.

Basic. The main 5 crucial recommendations of the 20 Critical Security Controls SANS are taken in consideration: (1) Whitelist application - organizations should enable computers to perform only a limited set of pre-approved programs; (2) Standard system configurations usage - computers with a few standard configurations are less expensive and easier to defend; (3) Patch application software and (4) System software within 48 hours - large companies should check software on a regular basis looking for any bugs in order to drastically reduce the opportunities of vulnerabilities exploitation by hackers; (5) Reduction of the number of users having administrative privileges.

Advanced. Broadening risk horizon - taking in consideration counterparts, contracts and outsourcing agreements, and critical infrastructure, each part should be at least partially controlled by contracts, agreements on service levels, in-depth site visits and audits; Cyber Insurance usage - to transfer IT risks, particularly risks associated with third-party data breaches or business interruption; Requiring standard and more resilient and safe products from key suppliers; Acquiring at management level a broader view on IT risks.

Resilience (the ability of large companies to recover from interruptions in the shortest time possible): Redundancy - redundant power and telecommunications suppliers, ISP alternately connected to the peering point, work-around with little dependence on IT in order to provide some alternative solutions when Internet access is off; well defined Response to incidents and business continuity planning - standard operating procedures, clear objectives based on metrics, quantification of the needed time to detect an accident or an intrusion in the system; Simulating scenarios and security training - analyzing the most likely and the most dangerous cyber risks and testing their Security Response Team, together with the company management, in order to build a historical memory for incident response.

===III. COMBINING GOREM AND RAMSOS METHODS FOR MODELING AND SIMULATING SYSTEMIC RISK===

====A. GOReM Overview====

GOReM (Goal Oriented Requirements Methodology) is a lean, easy to master methodology for capturing and maintaining up-to-date requirements of large systems operating in complex application domains. GOReM first definition [4] was done in 2014, for supporting the requirements engineering activities in an industrial research project [5, 6, 7] where numerous stakeholders, coming from several industrial and academic domains, with different goals, skills and languages had to cooperate. Since then, GOReM has been incrementally improved through its actual exploitation for better supporting the requirements modeling aspects and it has been experimented in other real industrial research projects. Moreover, a set of lessons learned have found a response in the current proposal. The full-fledged version of the GOReM methodology is described in this section. The GOReM method is centered on the UML notation, which is easy to use and simplifies concepts sharing with a wide variety of stakeholders. The resulting requirements modeling activity is recognized by the actual users to be easier and more effective than their past requirements elicitation activities.

GOReM consists of three main phases, each of which is devoted to modeling specific aspects of a requirement engineering process: Context Modeling, Scenario Modeling, Application Modeling; specifically:

* in the Context Modeling phase, the stakeholders are identified along with their objectives as well as the dependencies among softgoals; moreover, the rules and regulations that govern the business context under analysis are identified and documented.
* in the Scenario Modeling phase, different business scenarios are derived from the Context model, in terms of roles that are played by the stakeholders involved in the modeled scenario, their specific goals and their dependencies, and the rules and regulations that govern each elicited business scenario. Furthermore, specific analyses that show the strengths, weaknesses, opportunities and threats are also performed to guide and support strategic decisions at business level related to the future work.
* in the Application Modeling phase, one or more application scenarios are introduced in order to specify main functionalities which should be provided by a single business scenario resulting from the previous phase.

Fig. 1. The GOReM process

Multiple scenarios are concurrently set down. A sketch of the reference process for the GOReM method along with its main work-products is shown in Figure 1.

The lessons learned from the experience derived by exploiting the GOReM method on important research projects by cooperating with industrial partners such as ACI Informatica [1] and Poste Italiane [12] allowed to catch not only strengths but also weaknesses of the method, which have been considered to refine and improve GOReM. The most interesting and relevant “lessons learned” are reported in the following.

Lesson 1: human interactions and cooperation. It is probably the most difficult task due to different skills, backgrounds and knowledge which lead to big misunderstandings, lethal for establishing system requirements. It is likely to encounter mistakes when a new application domain is being explored because of: (i) misleading interpretation, due to the coexistence of different interpretations of stakeholder goals and requirements, that usually happens when people have different skills and the same concepts are interpreted differently according to the stakeholder’s background; (ii) conflicting specifications, when specific strategies, that could potentially create strong disadvantages in other application scenarios, are adopted in order to reach a specific goal in a specific application context; (iii) late discovery of redundancy, when in advanced development project stages the same concept is described and represented differently several times or different terminologies are used for describing the same concepts; (iv) fragmentation of efforts; (v) weak focus on objectives for achieving the desired goals and being competitive and effective; (vi) partner coordination, when there exist different partners having different objectives to reach; (vii) work-product integration, when there is a need to integrate, harmonize and handle deliverables, services and products coming from different tasks.

Lesson 2: cross-domain aspects. There are some recurrent features that might be identified once for all as well as common characteristics for each domain of interest that have to be considered and properly represented, which in turn raise questions that need to be answered, such as:

* space: Is the considered context model influenced by the location and the territorial extension (e.g. regional, national, international, member states)?
* time: Is the considered context model influenced by temporal aspects (e.g. a new law replaces partially or totally a previous one)?

Whereas there are some features that need to be identified and analyzed according to the specific scenario, such as:

* subject: who/what is the subject of the described context?
* user profile: are the user preferences/personal features represented in the context model? Does the system describe the user’s characteristics one by one or does it provide a role-based model of user classes?
* context history: does the current context state depend on a previous one?

Lesson 3: legal aspects. The specific context model and the different business scenarios are handled by several Rules and Regulations that might be in conflict. As a consequence, it is important for modeling a context and any specific business scenario to understand which laws are involved, which is a policy as a “standard” or a best practice as a “guideline” that can be adopted or not, depending on the stakeholders' needs. In addition, there are stakeholders of specific customers that can have a set of internal policies which, in turn, should be considered, and their eventual contrast with some laws or requested best practices should be discovered and resolved. Finally, as a desired service can be used in different Nations, the requirement model has to analyze and manage the legal usability of a service for a given customer. Furthermore, requirements engineering processes should manage legal aspects by continually monitoring their changes over time, during the overall system lifecycle.

Lesson 4: tracing evolution. Business context, scenarios and applications can evolve because of their dynamic nature. It is important to have some tracing mechanism that allows knowing which application model version has been derived from which scenario model version, and which business context model version this last one refers to. For a big and continuously evolving system engineering process, this is of fundamental importance, especially for maintaining control and governing the system evolution along its life.

Lesson 5: inter-scenarios dependencies and reuse. Quite often, business scenarios evolve with a specific team of analyst/designer (sub)domain experts that have the objective to go ahead following their requirements engineering for specific final services. This can lead to duplication of work and, worse, to services which do the same thing (same requirements) but in a different way. This is often difficult to discover and creates customer dissatisfaction. This happens, for example, when the same stakeholder has two different goals which belong to two different scenarios, but the two application models reaching the two goals share many “what to do” but unawares.

In the light of the above reported lessons learned during the method exploitation, starting from Lesson n.1, an updated and refined version of the GOReM method in [4] is provided.

1) The Context Modeling phase

The Context Modeling phase aims at clearly representing the reference business domain for the project under consideration. The work-products of this phase are: a Stakeholder Diagram, which shows a (hierarchical) specification of all the involved stakeholders, each of which is in turn characterized by a set of Softgoals they intend to pursue; a Softgoal Dependency Diagram, which shows the relationships among Softgoals (i.e., contribute, hinder, include, extend, generalize); a Rules and Regulations report shortly describing the rules and regulations governing the Context, distinguishing between Laws, which can be National or International, and known used Policies and Best practices.

Table I shows symbols already used in the first version of the methodology, while Table II shows the identified and considered types of rules and regulations.

TABLE I. THE CONTEXT MODEL - MAIN CONCEPTS

{| class="wikitable"
! Concept !! Graphical Notation !! Description
|-
| Stakeholder || || The UML Actor symbol extended through a yellow-filled head stereotype
|-
| Softgoal/Goal || || The SysML [16] Requirement native construct
|-
| Contribute Dependency || || A UML Dependency symbol extended with a “+” stereotype
|-
| Hinder Dependency || || A UML Dependency symbol extended with a “-” stereotype
|-
| Include/Extend Dependencies || || The UML native dependencies applied among softgoals or goals
|-
| Generalize Dependency || || The UML Generalize Dependency native symbol
|}

TABLE II. THE CONTEXT MODEL – RULES AND REGULATIONS

{| class="wikitable"
! Type !! Description
|-
| Best Practice || Best practice is considered a business buzzword, used to describe the process of developing and following a standard way of doing things that multiple organizations can use to maintain quality. It is not mandatory and can be based on self-assessment or benchmarking.
|-
| Policy || A Policy is a deliberate system of principles to guide decisions and achieve rational outcomes. It is a statement of intent, and it is implemented as a procedure or protocol.
|-
| National Laws || National laws are valid and affect the State or Country that has enacted them.
|-
| International Laws || International laws are enacted by specific Authorities and they govern the behavior of the Member States belonging to a specific community according to specific agreements.
|}

2) The Scenario Modeling phase

The Scenario Modeling phase specializes the Context Model through the identification of evolutionary scenarios that have to be modelled within the context of interest. Such scenarios are identified through an analysis that takes into account the roles played by stakeholders in each scenario, by indicating the specific Goals related to some Softgoals in the context model and the Rules and Regulations that govern the scenario. Table III shows symbols used for roles and for the associations with the stakeholders.

TABLE III. THE SCENARIO MODEL – MAIN CONCEPTS

{| class="wikitable"
! Concept !! Graphical Notation !! Description
|-
| Stakeholder's Role || || The UML actor symbol extended through a pink-filled head stereotype
|-
| Plays Dependency || || A UML Dependency symbol extended with a “plays” stereotype
|}

The SWOT Analysis activity [11], represented in a matrix as shown in Table IV, provides an assessment of internal and external factors that may affect the scenario and may support decisions whereas to continue with the next phase, that is the Application Modeling. For the Goals and dependencies diagram, symbols in Table I are used.

TABLE IV. THE SCENARIO MODEL – SWOT ANALYSIS

{| class="wikitable"
! !! HELPFUL !! HARMFUL
|-
| Internal Origin || Strengths: what are the strengths (i.e. benefits controllable) || Weaknesses: what are the weak points (i.e. disadvantages controllable)
|-
| External Origin || Opportunities: possible opportunities (i.e. advantages not controllable) || Threats: potential threats (i.e. disadvantages not controllable)
|}

The Rules and Regulations selection activity considers which rules and regulations, identified in the Context Modeling phase, must be considered in the modelled scenario, by identifying them with a structured ID, describing them, specifying if they are laws, policies and best practices, indicating the adopters, and warning about possible dependencies with other considered rules. In particular, GOReM uses the matrix format shown in Table V. This is an improvement introduced and allows to better manage the issues discussed in lesson 3 related to legal aspects.

TABLE V. THE SCENARIO MODEL – RULES AND REGULATIONS

{| class="wikitable"
! Identifier !! Rule/Regulation !! Type !! Location / Adopter !! Warnings
|-
| Structured ID || Description || Policy / Best Practices / National Law / International Law || Locations and/or names of known adopters || List of identifiers of other rules and regulations which can have influence on its application
|}

3) The Application Modeling phase

Starting from the scenarios defined during the previous phase, in the Application Modeling phase, a set of specific business scenarios might be identified. This phase defines application scenarios that are used to specify in detail the capabilities to be provided in the specific scenarios identified in the previous phase, along with main use cases description, actors and processes. In particular, each main use case may become a service to be developed as a research prototype and/or developed and engineered as part of a more complete industrial system.

In addition, some processes can be specified using UML or BPMN notations [13].

Table VI shows the basic symbols used in modelling an application scenario. The Package is a Namespace of use cases, which are not in the scope of the application which is modelled, but are assumed to exist in some different Application model, even in an Application model obtained from a different Scenario Model, while in this Application Model they have to be identified and extended through the standard “extend” UML relationship.

TABLE VI. THE APPLICATION MODEL – MAIN CONCEPTS

{| class="wikitable"
! Concept !! Graphical Notation !! Description
|-
| Application Scenario’s Actor || || The UML actor symbol extended through a blue-filled head stereotype
|-
| Use Case || || The UML Use Case native symbol.
|-
| Package || || The UML NameSpace for Use cases supposed already existent in another Application Model
|-
| Extend/Include || || The UML «extend» and «include» native dependencies among use cases
|}

This is how GOReM is now responding to lesson n.2, cross-domain aspects, and lesson n.5, inter-scenarios dependencies and reuse. The corresponding work-products should be more precise and should indicate exactly to which use case of which scenario an extending use case refers and the kind of needed extension.

Every UML based diagram can be enriched with the UML comment symbol, which allows adding a description to all the GOReM diagrams. However, a textual description and complete information is located in the corresponding work-product.

Finally, concerning lesson n.4, tracing evolution, some shared existing policy of naming and versioning method/tool, for every model (context, scenario, application) and each of its work-products, must be used. In addition, some configuration management tool should be of help in maintaining the requirements evolution of the whole system [17]. This allows knowing exactly, for each application model, which scenario model and context model it refers to. In addition, whichever refinement for a model created in one of the three GOReM phases must produce a new model referring to the model it wants to improve. Moreover, each application model, if implemented, should refer to its development artefacts and releases in operation.

====B. Combining RAMSoS and GOReM====

RAMSoS [8] is an agent-based method that aims at supporting the dependability analysis of Systems of Systems (SoSs). It is conceived as an extension of RAMSAS [8], a model-based method for the reliability analysis of systems through simulation, based on UML/SysML for modeling the system structure and behavior, and on well-known simulation platforms, such as Mathworks Simulink and OpenModelica.

The RAMSoS method defines three main phases, which in turn are divided into activities (see Table VII).

A full description of RAMSoS can be found in [8]; whereas Table VIII reports the main phases (Requirement Analysis, System Design, and System Risk Evaluation) that are identified by combining GOReM and RAMSoS for modeling the systemic risk aspects and supporting its analysis through agent-based simulation.

TABLE VII. PHASES, ACTIVITIES AND WORK-PRODUCTS OF RAMSOS

{| class="wikitable"
! Phase !! Activity !! Work-product
|-
| SoS Structural Modeling || Organizational Structure Modeling; Architectural Modeling || Organizational Model (MO); Architectural Model (AM)
|-
| SoS Behavioral Modeling || Goal Modeling; Role Modeling || Goal Model (GM); Role Model (RM)
|-
| SoS Simulation Modeling || Agent Modeling; Scenario Modeling || Multi-Agent Model (MAM); Scenario Model (SM)
|}

In particular, some phases are complementary, some others use the output produced from a method as input for the other one. The resulting method will be exemplified through a case study in the next Section.

TABLE VIII. GOREM EXTENSIONS THROUGH THE RAMSOS METHOD

{| class="wikitable"
! Phases !! GOReM !! RAMSoS !! Description
|-
| Requirement Analysis || Context Modeling || - || Through GOReM it is possible to identify the involved entities: Stakeholders, Goals, Rules and Regulations, for the Systemic Risk Analysis.
|-
| System Design || - || SoS Structural Modeling || Starting from the entities identified in the previous phase, RAMSoS enables their formal structural and organizational representation as peer-to-peer or hierarchical entities.
|-
| || Scenario Modeling and Use Case Modeling || SoS Behavioral Modeling || GOReM is exploited for modeling the scenarios, roles and rules that characterize the scenario; the objectives to be achieved, weaknesses and strengths. By adopting RAMSoS, such Role Model can be exploited for identifying and defining tasks for achieving the identified objectives.
|-
| Systemic Risk Evaluation || - || SoS Simulation Modeling || Starting from the objectives defined in the Use Case Modeling phase of GOReM, the system is represented in terms of Simulation Agents that are used to simulate and evaluate the risk and its propagation among the involved entities.
|}

===IV. A CASE STUDY ON AN ONLINE PAYMENT SERVICE===

The case study under consideration falls within the online payment services and in particular exemplifies the approach based on the combination of GOReM and RAMSoS, adopted for systemic risk analysis applied to a service of Electronic Payment Online (PEO) of Poste Italiane. The main objectives of this study are: (i) the assessment of systemic risk, when there is a dysfunctional behavior in one of the service components, in terms of the propagation of a disservice among other components; (ii) impact of a service failure to the services.

====A. Service Description, Risk Factors and Involved Actors====

The PEO service is based on two services: SMS Notifications and Payments and Transactions, both designed to be used from smartphones and tablets. SMS Notifications allows to receive SMS messages on transactions made on a bank account or by “PostePay” card; whereas Payments and Transactions allows bank transfers, payment of bills, money transfer via MoneyGram, PostePay top up, or balance check and movements.

In this context, the aim of this experience is the identification and the analysis of systemic risk factors linked to the PEO service. In particular, the risk of success or failure of the PEO service relies on two complementary services, SMS Notifications and Payments and Transactions, plus the IT Internal Infrastructure.

A preliminary analysis shows that the SMS Notification service is linked to the Mobile Service Provider whose goal is to notify the user of the transaction (payment, charging, etc.), whereas Payments and Transactions is related both to the Web Service Provider that provides access to the Intranet / Internet and the Energy Provider that supports the entire infrastructure with the electrical service. An additional risk factor is related to the underlying IT infrastructure (hardware, servers, etc.).

In this context, the following risk factors: IT Internal, Outsourcing and Contracts, Infrastructure Upstream, are identified and described along with the related actors. In particular: (i) the IT Internal risk relies on the reliability of the Internal IT infrastructure; (ii) the Outsourcing and Contracts risk depends on the WebServiceProvider for supporting the monetary transactions; (iii) whereas Infrastructure Upstream risk is related to the availability of both the mobile notification service offered by the MobileServiceProvider and the electricity provided by the ElectricityProvider.

Furthermore, since the approach requires the input of information related to potential risk groups (e.g. contract type, involved partner), for each actor, the following risk groups have been identified:

* IT-Internal-Infrastructure: Good, Standard, Poor;
* WebServiceProvider: High, Medium, Low;
* Energy Provider: High, Standard;
* MobileServiceProvider: HighLevelOfService, StandardLevelOfService;
* SMS Notification: Good, Low;
* Payments and Transactions: LowRisk, HighRisk.

The output of this analysis is the risk level of the PEO service according to the different levels of risk of the other services. It is estimated in terms of success and failure, where Success = 1 - Failure, therefore Success + Failure = 1. The higher the percentage / value of the Success, the lower the level of risk associated to it and as a consequence the lower the risk level of the PEO service. Vice versa the lower the percentage of the Failure variable, the lower the level of risk associated to it, and then the lower the risk level of the PEO service. In the following, the extended version of GOReM is employed for modeling and evaluating the system described above.

====B. Context Modeling====

As described above, the context falls within the scope of online payment systems in which through a website it is possible to make purchases, transfers of money etc. A particularly important diagram of GOReM is the Dependency diagram (Fig. 2), which at the same time allows representing the stakeholders, the goals that they are meant to achieve and dependencies (conflicts/extensions and so on among goals).

Fig. 2. Dependency diagram

====C. Scenario Modeling====

In this phase of the method, as shown in Figure 3, both the roles played by the stakeholders in each specific scenario are identified, and the goals related to each identified role are highlighted. Furthermore, the dependencies among the Goals are shown in Table IX.

Fig. 3. Stakeholders, Roles and Goals

TABLE IX. STAKEHOLDERS, ROLES, GOALS AND DEPENDENCIES

{| class="wikitable"
! Stakeholders !! Roles !! Goal !! Dependencies
|-
| Customer || PEO User || G1 ||
|-
| Service Provider || Web Service Provider || G9 || G9 contributes to G1
|-
| || Electricity Service || ||
|}

===V. SIMULATION-BASED EVALUATION===

Once the model and relationships among actors and their goals are well described and defined, it is possible to use simulation to provide an assessment about what can happen in an application scenario according to specific inputs to the system. In the following, first a statistic based tool is exploited for a static analysis and then a more dynamic is adopted.

A.
A statistics-centered approch Service Provider provider of GeNIe (Graphical Network Interface) is a development the customer Mobile Service Provider environment for the creation of decision models [9]. It is presented as a graphical user interface of SMILE, a platform- Poste PEO Services G2 G2 and G4 independent library that implements functions for the Personnnel Responsible contribute to G1 execution and analysis of probabilistic / decision models, such as Bayesian networks, used to make probabilistic reasoning in PEO Services decision-making situations under uncertainty. Continuity planner G3 Starting from different contractual terms of the services PEO Continuity Internal G4 described above, it is possible to obtain an assessment in terms Audit and Test of the level of success (and complementary to the failure level) of the PEO service, which in turn can be associated with Operator of PEO Continuity Internal G4 G4 contributes to G1 a level of risk. From the experience of the domain experts of Technological Audit and Test Poste Italiane, the following percentage range is used: infrastructures or networks PEO IT Infrastructure - Success>90% then LowRisk resilience G6 G6 contributes to G3 - 89%≥Success>70 then MediumRisk; PEO Disaster Recovery G5 G5 contributes to G1 - Success≤70 then HighRisk; Responsible A first example is shown in Figure 5. By considering a combination of services based on the percentages shown in Poste operator PEO Damage Impact G7 G7 includes G3 each block the probability of success is 99%, which means a Evaluator LowRisk. The diagram is also enriched with to additional PEO processes blocks: FinancialGain and InvestmentDecision, lead the definition responsible G8 G8 includes G3 decision maker to make decisions about the quality of the services to be subscribed. In this case, as shown by the “InvestmentDecision” and “Financial income” blocks, it is D. 
Application Modeling convenience to invest (with a gain of € 9850) by subscribing The application model allows describing, with more services with such quality parameters indicated, compared to details, a particular instance of the scenario under not invest (€ 6940). consideration. Specifically, Figure 4 represents the case of failure of a service to third parties necessary for the provision of online payment services, and the impact on the other users who use the service, possible costs (impact) for the failure to provide the service. Fig. 5. Low Risk of the PEO service Conversely, considering a low level quality of the SMS Notification service, and by also subscribing a low level quality of the WebServiceProvider service, the level of risk spreads systematically on the Payments and Transactions Fig. 4. Use Case diagram services by influencing drastically the PEO service. In fact, the success rate drops to 63%, which means “HighRisk” (Fig. 6). Fig. 6. High Risk of the PEO service B. An Agent-based approach This second approach is centered on a reference Fig. 7. Reference Model framework, called ReActor, an object oriented framework based on discrete-events simulation[3]. The reference model adopted for the definition and the development of the agent- based simulator for the analysis of the systemic risk is represented in Figure 7. In particular for each static blocks represented in Figure 6, a specific ReActor entity is defined. Then a behavior is associated to each of them, based on the follow four main actor models: ServiceModel: this model is employed for services belonging in the specific scenario to be analyzed; its aim is to provide the service associated to it; AttackModel: this model is adopted for modeling attack scenarios and related typologies of attacks respect to a specific ServiceModel; RecoveryModel: it aims to model policies and countermeasures in order to make more resilient a specific service when some anomalies occur; Fig. 8. 
ServiceAgent behavior ObserverModel: it is employed for monitoring specific properties of interest which are strictly In particular, when the simulation starts, the status of related to a specific service; it aims to collect ServiceAgent becomes Working. This means that the information of specific properties, locally at service ServiceAgent is doing its job/delivering the service level or globally at scenario level. correctly.When an anomaly occurs, the state Working can get two types of events: ServiceFailure and Such models have been implemented by extending the ServiceFailurePropagation. Such events change the status of above mentioned agent-based framework by mapping them as ServiceAgentinto NotWorking, which, in turn, is defined in agents, that is, autonomous entities each of which has its own terms of two sub-states DirectFailure and IndirectFailure. In behavior. In particular, the ServiceModel is mapped as particular, when the ServiceFailure event occurs, the status ServiceAgent; the AttackModel as an AttackAgent; the NotWorking declines into the state of DirectFailure. This RecoveryModel is mapped as a RecoveryAgent and the means that the failure of the service was due to internal factors ObserverModel as an ObserverAgent. of the service. This condition triggers the propagation of the failure by a ServiceFailurePropagation event to the services Such agents and their behaviors are achieved by that depend from the ServiceAgent; this means that a service implementing and extending the basic class ActorBehavior of of the system, could receive a ServiceFailurePropagation the Reactor framework, which in turn, has been also defined event, which turns its status into NotWorking and specifically as Observable. Consequently all agents that are introduced in into the IndirectFailurestatus. This implies that its failure was the system, and that extends ActorBehavior, are potentially due to a failure propagated by third parties on which it trackable. 
Whereas, the ObserverModel and as a consequence depends.Finally, from the NotWorking status, the ServiceAgent the ObserverAgent, has been marked as Observer, that is with can receive a ServiceRepearing event that brings it into the the ability to monitor other agents. Finally, the behavior of Repearing status. This allows to recover/restore the each agent is characterized by different types of Message, that ServiceAgent and propagate this information among the other can respectively transmit, receive and handle in order to services depending on it, so as to make them all Working enable the communication with the other agents. As an again. example, the diagram in Figure 8 shows the behavior of the ServiceAgent defined as a state machine. C. Discussion on the gathered results framework for the development of a simulation platform for From the analysis conducted on this case study, it is clear supporting the evolutionary assessment and dynamic behavior how the quality of services level and the involved system analysis of system has been exploited. infrastructure (internal or third-party), strongly influence the Finally, a first experimentation of such above mentioned success or the failure for the delivery of a service. In this case conceptual and technical tools has been conducted on a case the use of a low quality Notification service is a critical. As a study concerning the assessment and the impact of failures on consequence, the choice of a good MobileServiceProvider, an online payment service. combined to a Medium/High quality of the WebServiceProvider is essential for making the system more ACKNOWLEDGMENT resilient. 
Indeed, (i) in the first scenario, which involves the This work has been partially supported by the “National deployment of services with a high level of reliability, or in Operational Programme for Research and Competitiveness” the second scenario, which combines medium-quality 2007-2013, Technological District on Cyber Security services, the system operates to keep resilient in presence of permanent failures, or temporary blackout, of some involved (PON03PE 00032 2 02), funded by the Italian Ministry of entities; (ii) instead, the second scenario highlights the high Education, University and Research, and the Italian Ministry risk due to the strong dependence on entities that provide low of Economic Development. robust / reliable services. REFERENCES Whereas from the conducted study based software agents, [1] ACI Informatica – website http://www.informatica.aci.it/ other useful and more dynamic information are gathered from [2] M. Billio, M. Getmansky, A.W. Lo, and L. Pelizzon, “Econometric the simulation for each service involved (see Table X); for measures of connectedness and systemic risk in the finance and example: if a service is available (working) or unavailable (not insurance sectors”, February 2012. working), the time when the failure of a service happened [3] F. Cicirelli, A. Furfaro, L. Nigro,“A DEVS M&S framework based on (timestamps), if the cause of the failure is due to external Java and actors”, Proc. of 2nd European Modelling and Simulation Symposium, pp. 337-342, Barcelona (Spain), October 4-6, 2006. factors, the impact (e.g. in terms of money) per unit of time [4] S. Citrigno, A. Furfaro, T. Gallo, A. Garro, S. Graziano, and D. Saccà, (e.g. per hours). “Mastering concept exploration in large industrial research projects,” Proceedings of the INCOSE Italian Conference on Systems Engineering TABLE X. SIMULATION RESULTS RELATED TO THE PEO SERVICE (CIISE2014), Rome(Italy), November 24 – 25, 2014. Service Timestamp Service External Impact (€) [5] A. 
Furfaro, T. Gallo, and D. Saccà, “Modeling cyber systemic risk for the business continuity plan of a bank,” Proceedings of the International Name status causes of per Hour Cross Domain Conference and Workshop (CD-ARES’16), Salzburg failure (Austria), August 31-September 2, 2016. WebService 44 Not no 3 [6] A. Furfaro, T. Gallo, A. Garro, D. Saccà, and A. Tundis, Provider Working “Requirements specification of a Cloud Service for Cyber Security Payment & 44 Not yes 2 Compliance Analysis”, Proceedings of the 2nd International Conference Transaction Working on Cloud Computing Technologies and Applications (CloudTech'16), PEO 47 Not yes 5 IEEE, May 24-16, Marrakesh (Morocco), 2016. Working [7] A.Furfaro, T. Gallo, A. Garro, D. Saccà and A. Tundis, “ResDevOps: A Software Engineering Framework for Achieving Long-lasting Complex Systems”, Proceedings of the 24th WebService 56 Working - 3 IEEE International Requirements Engineering Conference, Beijing Provider (China), September 12-16, 2016. Payment & 58 Working - 2 [8] A. Garro, and A Tundis, “On the Reliability Analysis of Systems and Transaction SoS: the RAMSAS method and related extensions”, IEEE Systems PEO 64 Working - 5 Journal (IJS), vol. 9 (1), pp. 232-241, 2015. … … … … … [9] GeNIe & SMILE – http://www.openclinical.org/dld_genieSmile.html. [10] National Security – https://www.sicurezzanazionale.gov.it/sisr.nsf/ VI. CONCLUSION letture/prevenire-e-gestione-dei-rischi-globali.html. This paper presented a panorama on the concept of risk [11] B.Phadermrod, R.M. Crowder, and G.B. Wills, “Developing SWOT and, in particular, the systemic risk in the financial sector as Analysis from Customer Satisfaction Surveys”, Proc.of the 11th IEEE International Conference on e-Business Engineering (ICEBE), 2014. well as in the cyber-security field. 
Furthermore, some recent [12] Poste Italiane – website: https://www.poste.it/ research efforts about the modeling and assessment of [13] Unified Modeling Language (UML) – http://www.omg.org/spec/UML/ systemic risk are also presented. In particular, an extended [14] World Economic Forum - Global risks 2014. Ninth Edition. 2014. version of GOReM combined with the RAMSoS method has been employed. [15] Zurich Insurance Company - Risk Nexus . Beyond data breaches: global interconnections of cyber risk. April 2014. A statistical analysis tool for the assessment of systemic [16] SysML V1.4 Specification Release http://www.omgsysml.org/ risk based on a probabilistic approach, called GeNIe, has been [17] Meyer B, “Agile! The Good, the Hype and the Ugly”, Springer adopted; whereas an actor-based and agent-oriented International Publishing, 2014.
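The ServiceAgent state machine of Section V.B, applied to the service dependencies of Section IV.A, can be expressed in code as follows. This is an added example in Python, not the paper's ReActor-based simulator; the class and function names, the constructed event sequence and the recovery rule (a dependent returns to Working only when all of its dependencies are Working) are assumptions.

```python
from collections import defaultdict
from enum import Enum
class State(Enum):
    WORKING = "Working"
    DIRECT_FAILURE = "NotWorking/DirectFailure"      # internal fault
    INDIRECT_FAILURE = "NotWorking/IndirectFailure"  # propagated from a dependency
    REPAIRING = "Repearing"                          # state name as spelled in the paper

# Dependencies from Section IV.A: service -> services it relies on.
DEPENDS_ON = {
    "PEO": ["SMS Notification", "Payments and Transactions", "IT Internal Infrastructure"],
    "SMS Notification": ["MobileServiceProvider"],
    "Payments and Transactions": ["WebServiceProvider", "Energy Provider"],
}

class Scenario:
    def __init__(self, depends_on):
        self.depends_on = depends_on
        self.dependents = defaultdict(list)          # reverse edges, used for propagation
        for svc, deps in depends_on.items():
            for dep in deps:
                self.dependents[dep].append(svc)
        self.state = {n: State.WORKING for n in set(depends_on) | set(self.dependents)}
        self.trace = []                              # observer log: (time, service, state)

    def _set(self, t, svc, new_state):
        self.state[svc] = new_state
        self.trace.append((t, svc, new_state))
    def service_failure(self, t, svc):               # ServiceFailure event
        self._set(t, svc, State.DIRECT_FAILURE)
        self._propagate(t, svc)
    def _propagate(self, t, svc):                    # ServiceFailurePropagation event
        for dependent in self.dependents[svc]:
            if self.state[dependent] is State.WORKING:
                self._set(t, dependent, State.INDIRECT_FAILURE)
                self._propagate(t, dependent)

    def service_repair(self, t, svc):                # ServiceRepearing event
        if self.state[svc] in (State.DIRECT_FAILURE, State.INDIRECT_FAILURE):
            self._set(t, svc, State.REPAIRING)
            self._set(t, svc, State.WORKING)
            self._recover(t, svc)

    def _recover(self, t, svc):
        # Assumption: a dependent recovers only once all its dependencies are Working.
        for dependent in self.dependents[svc]:
            deps_ok = all(self.state[d] is State.WORKING for d in self.depends_on[dependent])
            if self.state[dependent] is State.INDIRECT_FAILURE and deps_ok:
                self._set(t, dependent, State.WORKING)
                self._recover(t, dependent)

def run_constructed_scenario():                      # constructed events, arbitrary ticks
    s = Scenario(DEPENDS_ON)
    s.service_failure(44, "WebServiceProvider")
    s.service_failure(50, "MobileServiceProvider")
    s.service_repair(56, "WebServiceProvider")
    after_first_repair = dict(s.state)               # PEO still down: SMS path is broken
    s.service_repair(60, "MobileServiceProvider")
    return after_first_repair, dict(s.state), s.trace
```

After the first repair the PEO service remains in IndirectFailure because SMS Notification still depends on a failed provider, which is the contagion effect the paper attributes to systemic risk.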