Systemic Risk analysis through SE methods and techniques Andrea Tundis, Max Mühlhäuser Teresa Gallo, Alfredo Garro, Domenica Saccá Telecooperation Lab, Department of Computer Science Department of Informatics, Modeling, Electronics and Technische Universität Darmstadt Systems Engineering (DIMES), University of Calabria Darmstadt, Germany Via Ponte P. Bucci 41C, Rende (CS), 87036 Italy {tundis, max}@tk.tu-darmstadt.de {t.gallo, a.garro, sacca}@dimes.unical.it Simona Citrigno, Sabrina Graziano Centro di Competenza ICT-SUD Piazza Vermicelli, 87036 Rende (CS), Italy {simona.citrigno, sabrina.graziano}@cc-ict-sud.it Copyright © held by the author Abstract—The Systemic Risk is the risk that derives from the regulations that govern the context under analysis are interdependence of the system under consideration, object of the identified. analysis, and the services provided by other systems and, in general, by the interactions among them. The combination of the GOReM methodology and the RAMSoS method is proposed for Systemic Risk Assessment so as to provide the following benefits: (i) Effective modeling of SoSs structure and behavior; (ii) Explicit representation of dysfunctional behavior; (iii) Evaluation of different risk scenarios through agent-based simulation; (iv) Quantitative and qualitative risk assessment also in combination with classical analysis techniques (such as Bayesian Networks). Keywords—Cybersecurity, Modeling and Simulation, Requirement Engineering, Systemic Risk Analysis Fig. 1. Systemic Risk Analysis Phases I. IDEA AND PROPOSAL  Identify the main phases of the Systemic Risk (SR) B. System Design  Proposed a Modelling and Simulation based approach The target of the analysis as well as boundaries of the design, i.e. what needs to be represented and what can or  Defined a step by step methodology (not a software should be neglected/omitted, are defined. Specific use cases are tool) redefined in terms of scenarios of interest. Application  Performing Static and Dynamic Systemic Risk Analysis scenarios are introduced to specify the functionalities that should be provided in each business scenario description of the system is delivered by providing from different points of view II. SYSTEMIC RISK ANALISYS PHASES such as for structural, functional, and so on. The proposed process to support the analysis of the systemic risk can be organized in three macro-phases (see C. Simulation Modeling & Results Evaluation Figure 1): System Analysis, System Design and Simulation Modeling and Results Assessment. At this point, a subset of the models generated in the System Design macro-phase is selected and processed. According to the simulation-platform different Model-to- A. System Analysis Model transformation rules are defined. Great attention is System requirements and other aspects of interest are placed on the indices / objectives identified during the System identified and described. The involved entities (such as Analysis. From these indices and the objectives to be pursued, stakeholders, services providers and so on) are identified along the simulation platform, which is able to support the desired with their roles and related objectives. Goals to be achieved analysis, is selected. Based on the objectives to be verified, it is and their dependencies are highlighted. The rules and possible to choose the simulation environment that better fits the type of analysis to be carried out. III. DERIVING BAYESIAN NETWORKS MODELS FOR  Payments and Transactions service (Web Service SUPPORTING SYSTEMIC RISK ANALYSIS Provider, Energy Provider, IT infrastructure) A. A combined approach for modeling and assessing the 1. A statistics based approach using a tool for a static analysis is applied: GeNIe (Graphical Network Interface) a Systemic Risk development environment for the creation of decision models based on Bayesian Network (BN) 2. An agent-based approach using a dynamic tool is adopted: ReActor an object oriented framework based on discrete- How and which entities of the overall system influence the events simulation operation of the entire system and the evaluation of the Systemic Risk. For each actor the following risk ranges (or QoS) have been identified:  SMS Notification: Good, Low;  Payments and Transactions: LowRisk, HighRisk; Modeling and evaluating Systemic Risk by exploiting  IT Internal Infrastructure: Good, Standard, Poor; (agent-based) simulation + Bayesian Network  WebServiceProvider: High, Medium, Low; B. RAMSoS and GOReM: Enabling Factors  Energy Provider: High, Standard;  Common modeling notation: SysML/UML.  MobileServiceProvider: HighLevelOfService,  Both RAMSoS and GOReM are defined in terms of StandardLevelOfService; phases and work-products Once the model and relationships among actors and their  GOReM is defined as a method to support the analysis goals are well described and defined, it is possible to use of system requirements with particular emphasis on simulation to provide an assessment about what can happen their elicitation and tracking; while RAMSoS is meant into an application scenario according to specific inputs to the to be used mostly for supporting the validation and system. Figure 3 shows Architectural Modeling for risk verification phases. Together they cover the entire analysis applied to a service of Electronic Online Payment of Systemic Risk Analysis Phases Poste Italiane.  Reuse of models. Figure 2 shows the integration approach based on Work- Products Fig. 3. RAMSoS – System Design Fig. 2. Combining GOReM and the RAMSoS method Figure 4 and Figure 5 represent, respectively, examples of GOReM Application and Behavioural Model. IV. RISK ANALYSIS APPLIED TO A SERVICE OF ELECTRONIC ONLINE PAYMENT OF POSTE ITALIANE The risk of success or failure of the PEO service relies on two complementary services:  SMS Notifications service (Mobile Service Provider) Figure 7 and Figure 8 show further quantitative and qualitative information gathered by exploiting agent-based simulation such as: (i) the availability (working) or unavailability (not working) of a service (ii) the time when the failure of a service happened (timestamps) (iii) the cause of the failure, if it is due to internal or external factors. This allows to assess the main system (PEO Service) and its interdependencies with the involved services, by considering Fig. 4. GOReM - Application Modeling events of faults and failures and their propagation in the network, from a dynamic point of view by including temporal constrains. Fig. 7. Simulation Results related to the PEO Service Fig. 5. GOReM - Behavioural Model A. PEO Service Result Analysis Considering a combination of services based on high level quality percentage, the probability of PEO success is 99%, which means a LowRisk. Fig. 6. Exploitation of Bayesian Network Fig. 8. Simulation Implementation related to the PEO Service REFERENCES Simulation and Bayesian Networks. Proceedings of the 12th International Conference on Availability, Reliability and Security [1] A. Tundis, A. Garro, T. Gallo, D. Saccá, S. Citrigno, S. Graziano, and (ARES 2017), Reggio Calabria (Italy), 29 August - 1 September 2017. M. Mühlhäuser. 2017. Systemic Risk Modeling and Evaluation through