This document describes a fuzzy logic-based decision support system to help business executives select appropriate e-business models. It discusses existing frameworks for classifying e-business models and their limitations. The proposed system uses fuzzy logic to capture executives' linguistic assessments of key business measures. It assesses each business dimension using fuzzy calculations and rules. A prototype was tested with positive feedback from business executives. The system aims to assist decision-making by narrowing the search for suitable e-business models.
Architecture of a Service Systems Engineering Program
This document discusses the need for a service systems engineering (SSME) program and curriculum. It argues that traditional engineering education focuses on design and construction but SSME needs to apply these principles to service systems. It proposes a computer-based research laboratory for senior executives to test service system designs in a low-risk environment. The goal is to help executives better understand the inherent structures and policies that drive system behaviors, rather than just providing more information, to enable permanent, structural changes.
The document discusses applying the DeLone & McLean Information Systems Success Model to measure the success of e-commerce systems. It proposes updating the original model by adding a service quality dimension and combining individual and organizational impacts into a net benefits construct. The updated model contains six dimensions: system quality, information quality, service quality, use, user satisfaction, and net benefits. These dimensions provide a framework for organizing e-commerce success metrics identified in the literature. Case examples are used to demonstrate how the model can guide the identification and specification of e-commerce success metrics.
Visualizing IT at the Department of Homeland Security with the ArchiMate® Vis...
Department of Homeland Security (DHS) Chief Information Officer (CIO) Luke McCormack recently
submitted testimony to a US Senate Subcommittee [1]. This case study, which is based on CIO
McCormack’s testimony, demonstrates how enterprise architects using the ArchiMate® language [2] can
quickly capture business situations using viewpoints defined in the ArchiMate specification. These
viewpoints are templates for views that address particular sets of stakeholder concerns. This case study
contains views based on and named after standard templates.
Services Modeling based on SOA and BPM for Information System Flexibility Imp...
The lack of a mechanism for identifying services in the development of information systems can result in wasted time, budget overruns and an inability to adapt to a changing environment. This phenomenon is believed to be caused by a failure to capture user requirements, which in turn comes from assuming that the business environment always runs normally. In fact, system development needs a way to anticipate unpredictable changes in the business environment. Therefore, this study still has an opportunity to address the need for service modeling that can respond to the changing needs of users. It explores modeling services to synergize SOA and BPM. Several previous studies generally use a business-driven approach, or a partially technically driven one, to develop the service modeling. This leads to the question of how a service should be modeled so that it can be applied in different contexts and business processes. It should support user needs in diverse and heterogeneous system environments. These conditions occur in a corporate university. The case study in this research is a Learning Management System (LMS) in an Academic Enterprise System (EAS). The research stages are: (1) Analysis of Synergy in SOA and BPM, (2) Analysis of User Experience in LMS Academic Enterprise System (L-EAS), (3) Analysis of Modeling Framework, (4) Proposed Framework that aligns SOA and BPM. The result of this study is a proposed service-based system framework to increase the flexibility of information systems at LMS Academic Enterprise System (L-EAS).
This document discusses architectural integration styles for large-scale enterprise software systems. It proposes using architectural styles as a way to generalize common integration solutions at the enterprise system level, similar to how styles are used in traditional software architecture. The document defines key terms and presents a structure for describing architectural integration styles. It then describes several example styles, and presents a case study applying the style selection process to an energy company's system integration project. The goal is to provide an approach for selecting integration solutions based on the characteristics of existing systems and desired quality attributes.
Strengthening Employees Responsibility To Enhance Governance Of It Cobit Ra... guest418d60a0
The ongoing financial markets debacle and the global economic context advocate enhancing the governance of the companies and, de facto, improving the elaboration and the understanding of employees' responsibilities. Furthermore, the moral aspects of the business and the employees' commitment have appeared as becoming increasingly unavoidable to face emerging ethical challenges. These arising requirements have oriented our research toward the elaboration of an innovative responsibility model built on the concepts of obligation/accountability, right and commitment. This paper aims to present, validate and improve the responsibility model on the basis of a comparison to related concepts from the COBIT framework. In parallel to this improvement, proposals of conceptual modification of the COBIT framework are made and illustrated based on the RACI chart.
Presenting an Excusable Model of Enterprise Architecture for Evaluation of R... Editor IJCATR
The document presents a method for creating an executable model of enterprise architecture diagrams to evaluate reliability. It transforms UML collaboration diagrams into colored Petri nets using an algorithm. This allows simulation of the diagrams to identify potential reliability issues early in the planning process. It aims to avoid high costs of implementation by improving architectural artifacts. The key steps are:
1) Using C4ISR framework and UML diagrams to describe enterprise architecture.
2) Transforming collaboration diagrams to colored Petri nets using an algorithm that represents messages as transitions and senders/receivers as places.
3) Annotating the Petri net model with reliability data to enable simulation and evaluation of reliability.
The Federal Enterprise Architecture (FEA) is the latest attempt by the US federal government to unite its agencies under a single enterprise architecture. The FEA consists of five reference models describing different perspectives of the enterprise architecture, as well as a process for creating and evolving an enterprise architecture. It provides a comprehensive approach, including taxonomy and models, and can be viewed as both a methodology and the architecture of the US government itself.
BPM & SOA for Small Business Enterprises (ICIME 2009) IT Industry
Imran Sarwar Bajwa, S. Mumtaz, A. Samad, R. Kazmi, A. Choudhary [2009], "BPM meeting with SOA: A Customized Solution for Small Business Enterprises", in proceedings of IEEE- International Conference on Information management & Engineering 2009, Kuala Lumpur Malaysia, Apr 2009, pp:677-682
A Business Analyst (BA) analyzes organizations and systems to improve business processes and integration with technology. There are four tiers of business analysis from strategic planning to technical analysis. BAs document requirements, assess current processes, define new processes, and ensure technical systems meet business needs. Deliverables include requirements, specifications, models, and documentation to bridge business and technical stakeholders.
Cable Information Architecture_SCTE_Nov14 Myles Kennedy
This document describes an emerging Information Business Architecture that provides risk analytics to cable operators. The architecture collects and analyzes data from various sources to identify potential risks and their financial impact. It then ranks the risks to help prioritize mitigation activities. This helps cable operators improve customer experience, reduce costs and gain competitive advantages by more efficiently managing operations and resources.
Analysis and implementation of the impact of change: application to heterogen... IJECEIAES
This document summarizes an article that proposes models and measures to evaluate complexity in enterprise architecture, specifically heterogeneity of components and relationships. It presents three concepts to analyze heterogeneity: 1) single components, 2) relationships between two components, and 3) relationship paths between multiple components. Metrics are defined to measure heterogeneity for each concept. An algorithm hierarchy is implemented using the strategy design pattern to allow algorithms to evolve over time. The observer design pattern is used to automatically update metrics when the enterprise architecture model changes. This allows progressive monitoring of changes to the proposed evaluation system.
Final Project Report on Information Systems Project Management Abbas Ahmed
The document discusses the importance of communication, collaboration, and teamwork for the successful completion of information systems projects. It notes that these factors are crucial for managing complex software projects, especially those that are globally distributed. Effective communication, collaboration, and teamwork help ensure projects are completed on time, within budget, and meet requirements. When these factors are lacking, projects are more likely to fail or run over budget.
The document discusses an organization, LGN International, that uses two websites - one for accessing products and one for accessing the business. Users have two back offices, two affiliate links, and two locations for new customers and associates to sign up depending on if they are a retail customer or independent associate.
The document lists various automobile models from 1900 to 1937, including brands such as Berliet, National, Cadillac, Ford, Packard, Rolls Royce, Locomobile, Simplex Crane, Isotta Fraschini, Minerva, McFarlan, Bentley, Stutz, Duesenberg, Cord, Willys-Knight, Mercedes Benz, Chrysler, Ford, Lagonda, and others. The models range from touring cars, roadsters, sedans, limousines, and convertibles. The listing includes both vintage and classic automobiles from early in the 20th century.
How to Evaluate the Sales System in a Small Business?
How entrepreneurs run their business.
Very often, small-business entrepreneurs open and run their business at random, by intuition. Nobody teaches future business owners, let alone current ones, the technology of building a business. No help in this direction can be expected from the state.
Read the full article at http://bizkon.kz/kak-ocenit-sistemu-prodazh-v-malom-biznese/
Blogging can be a way to make money if simple steps are followed such as going to the link provided, which likely details how to start a blog and monetize it through ads or affiliate marketing in order to earn income from the comfort of your own home. The document uses capital letters and exclamation points to emphasize that blogging can be an easy way for anyone to earn money online.
http://www.SmartSimpleMarketing.com Sydni Craig-Hart from Smart Simple Marketing breaks down what branding really means, what it has to do with you and how to create a compelling brand that is clear, irresistible and client attractive.
This short document promotes fat loss and provides a link to more information, suggesting that fat loss does not have to be hard but is important for one's health. It encourages the reader to check out the link now and not wait to learn more about how simple fat loss can be for them.
Harbor Research - Designing Security for the Internet of Things & Smart Devices Harbor Research
The document discusses the growing security challenges posed by the increasing number of internet-connected devices (the Internet of Things). It notes that while the Internet has enabled widespread connectivity, the underlying architecture is still vulnerable to security issues. The company Mocana has developed a unique approach to networked device security that could provide a foundation for security in an economy powered by trillions of interconnected devices and sensors.
The document discusses embedded systems and how they have evolved over time. It describes how embedded controllers now power many everyday devices, from phones to washing machines, and how embedded technology will continue advancing to be included in more low-cost products. It promotes an open source training on embedded systems called Open.Embedded that aims to provide practical, up-to-date skills on using different microcontrollers and IDEs to develop working prototypes quickly.
Agile Business Intelligence is taking shape as the way to address the disconnect between Business users and IT developers of BI applications. Find out how Yellowfin is making Agile BI easy.
The document proposes a multi-agent system architecture for incident reaction in telecommunication networks. The architecture has three layers - low level at the network interface, intermediate level to correlate alerts, and high level with a global view. Agents represent components like alert correlation, reaction decision-making, and policy deployment. The reaction decision agent receives alerts and decides if a reaction is needed based on policies, organization knowledge, and specified behavior. It defines new policy rules for the reaction. The policy deployment agent instantiates and sends the new policies to policy enforcement points to change the network security state. A decision support system using ontologies, Bayesian networks, and influence diagrams helps the agents make decisions.
Impact of counterfeits on electronics companies NEW Momentum
Outsourcing and globalization have numerous benefits, but there is a downside—the proliferation of counterfeits and sales through unauthorized channels. This paper demonstrates the impact of counterfeits on electronics companies and gives solutions for finding the violators as well as a four-step roadmap for recovering revenue lost to counterfeits.
Talk given by Pablo González of the company Informática 64 at the Asegur@itCamp4! event, held on 26, 27 and 28 October 2012 in El Escorial, Madrid.
Centralized Defense against Multi-Vector Threats - Configuration of a centr... Eventos Creativos
Talk given by Dragos Lungu of BitDefender at the "Asegura IT Camp2" event, held on 22, 23 and 24 October 2010 in El Escorial.
This document proposes a multi-agent system architecture for reacting to security alerts in heterogeneous distributed networks. The architecture has three layers - a low level that interfaces with the target infrastructure, an intermediate level that correlates alerts from different domains and deploys reaction actions, and a high level global view. It uses an ontology and Bayesian network based decision support system to help agents make decisions according to preferences and influence diagrams. The approach is illustrated using a case study of a medical application distributed across buildings, campuses and metropolitan areas.
This document discusses various techniques for improving email security, including spam filtering, secure authentication, and protecting user accounts. It describes how email services use Bayesian filtering, sender reputation levels, and user feedback to identify spam messages. It also explains security measures like Sender Policy Framework, DomainKeys Identified Mail, and mutual Transport Layer Security to authenticate senders and encrypt server communication. Additionally, it recommends steps users can take to strengthen their accounts, such as associating a mobile number, using single-use codes, and marking computers as trusted. The document emphasizes that maintaining email security requires continual effort as threats evolve over time.
Harbor Research recently completed a review of a new
cloud-based platform that takes a refreshingly new
approach to machine data analytics. Glassbeam jumps
ahead of the current market’s noise and confusion about
Big Data by viewing critical machine data analytics from a
business and operational perspective that can be addressed
by a single, scalable solution. In so doing, Glassbeam is
re-defining how value is created from machine data.
Re mola responsibility model language to align access rights with business pr... christophefeltus
This document proposes a responsibility modeling language (ReMoLa) to align access rights with business process requirements. ReMoLa is a responsibility-centered meta-model that integrates both business and technical perspectives to bridge the gap between them. It uses the concept of employee responsibilities to link business obligations to the technical capabilities and access rights needed to fulfill those obligations. The meta-model includes concepts like responsibilities, obligations, accountabilities, capabilities, and rights. It also maps these concepts to the four types of obligations from the COBIT framework to better define employee responsibilities and access rights assignments based on real needs.
Aligning the business operations with the appropriate IT infrastructure is a challenging and critical activity. Without efficient business/IT alignment, the companies face the risk not to be able to deliver their business services satisfactorily and that their image is seriously altered and jeopardized. Among the many challenges of business/IT alignment is the access rights management which should be conducted considering the rising governance needs, such as taking into account the business actors' responsibility. Unfortunately, in this domain, we have observed that no solution, model and method, fully considers and integrates the new needs yet. Therefore, the paper proposes firstly to define an expressive Responsibility metamodel, named ReMMo, which allows representing the existing responsibilities at the business layer and, thereby, allows engineering the access rights required to perform these responsibilities, at the application layer. Secondly, the Responsibility metamodel has been integrated with ArchiMate® to enhance its usability and benefits from the enterprise architecture formalism. Finally, a method has been proposed to define the access rights more accurately, considering the alignment of ReMMo and RBAC. The research was realized following a design science and action design based research method and the results have been evaluated through an extended case study at the Hospital Center in Luxembourg.
Enhancement of business it alignment by including responsibility components i... christophefeltus
This document proposes enhancements to the Role-Based Access Control (RBAC) model by integrating the concept of responsibility. It summarizes the existing RBAC model and user/permission assignment processes. It then presents a responsibility model built around three concepts: an employee's obligations derived from responsibilities, the rights required to fulfill obligations, and the employee's commitment to fulfill obligations. The paper argues RBAC could be improved by incorporating acceptance of responsibility within the role assignment process. It proposes integrating the responsibility model with RBAC to address identified weaknesses and modeling the integrated model using the OWL ontology language.
Methodology to align business and it policies use case from an it company christophefeltus
This document proposes a methodology for aligning business and IT policies using a responsibility model. The methodology is a five-step approach consisting of collecting information, defining capabilities, accountabilities and commitments, linking responsibilities to processes, validating the model, and defining policies. It is illustrated with a case study from an IT company where they define an access control policy using this methodology and responsibility model. The responsibility model defines three components - capabilities, accountabilities, and commitments - to clarify roles and responsibilities for policy definition.
Building a responsibility model using modal logic christophefeltus
This document discusses building a responsibility model using modal logic concepts of accountability, capability, and commitment. It begins with a literature review of existing policy and access control models. The review finds that while concepts like rights, roles, and obligations are addressed, existing models do not fully cover all three responsibility concepts. The document then proposes a preliminary responsibility model and definitions for its components. It suggests a formalization of key concepts using deontic logic adapted from alethic logic. The goal is to provide a framework to define concepts, verify organizational structures, and detect policy issues.
This document discusses building a responsibility model using modal logic. It begins with a literature review of existing policy models and engineering methods related to concepts of accountability, capability and commitment. It identifies that while some concepts like rights and roles are commonly addressed, models do not fully cover all responsibility components. The document then proposes a preliminary responsibility model and defines the main concepts of capability, accountability and commitment. It suggests a formalization of these concepts using deontic logic to help analyze organizational structures and policies for consistency and problems.
Strengthening employee’s responsibility to enhance governance of it – cobit r... christophefeltus
This document presents a study that aims to develop and validate a responsibility model to improve IT governance. The researchers analyzed existing responsibility concepts from literature and frameworks like COBIT. They developed a UML model of responsibility with key concepts like obligation, accountability, right, and commitment. The researchers then compared their model to COBIT's representation of responsibility. They propose enhancements to COBIT based on responsibility concepts from their model, aiming to provide a common understanding of responsibility across frameworks to benefit IT governance. The paper illustrates proposed changes to COBIT's process for identifying system owners.
This document presents a study that aims to develop and validate a responsibility model to improve IT governance. It analyzes concepts of responsibility from literature and frameworks like COBIT. The researchers developed a responsibility model with key concepts like obligation, accountability, right, and commitment. They then compare this model to COBIT's representation of responsibility to identify areas for potential enhancement, like adding concepts that COBIT lacks. The document illustrates how the responsibility model could be used to refine COBIT's process for identifying system owners and their responsibilities.
Extending Role-based Access Control for Business UsageHeik.docx mecklenburgstrelitzh
Extending Role-based Access Control for Business Usage
Heiko Klarl1, 2, Korbinian Molitorisz3, Christian Emig1, 3, Karsten Klinger1 and Sebastian Abeck3
1iC Consult GmbH, Keltenring 14, 82041 Oberhaching, Germany
2Media Computing, University of Regensburg, Germany
3Cooperation & Management, University of Karlsruhe (TH), Germany
Abstract
Role-based access control (RBAC) is used for managing authorisation in IT systems, by utilising the concept of roles. Existing approaches do not clearly define the term “role” in its different contexts as well as not considering the relation between roles and business process modelling. Therefore this work introduces business and system role-based access control (B&S-RBAC). Established role-based access control models are extended with a business perspective and the term role is defined from a business and from an IT perspective, resulting in business and system roles. The relation between them is shown in a meta-model and the usage of business roles for secure business process modelling is explained.
Keywords: RBAC, Roles, Business Process Modelling, Identity Management, Access Control, Business-IT Alignment.
1 Introduction
Nowadays nearly every business process is extensively supported by IT systems. Globalisation and hard competition led to short reaction times in adapting business processes and mergers and acquisitions are still challenges for every enterprise. Due to these conditions, demands for the companies’ IT systems, business processes and their security architecture arise [10]. Business process modelling [17] tries to cope with those needs as modelled business processes are easier to understand, better to redesign and executable codes can be generated by model-driven techniques. As not everyone is allowed to execute particular business processes, identity management (IdM) ensures that only authorised persons may do so. In order to achieve this, role information can be assigned to activities within the business process. In order to accomplish authorisation of the business processes’ activities within the supporting IT systems, role-based access control (RBAC) may be used. But different views and definitions of “roles” complicate the RBAC approach enormously. Within the business process information on roles consists of job functions or business tasks and roles are often more or less just descriptive information. In contrast, RBAC roles within IT systems encapsulate permissions but do often not have any relation to the business perspective of roles. Generally, the term role used in RBAC does not distinguish between business and IT. In order to unify these two different concepts of roles, an error prone coordination process between business and IT department arises [2], when business focused roles have to be transferred to the technological-focused RBAC roles. A first step to overcome this weakness is to extend existing business and IT role models and to link them.
This document discusses challenges with access rights management for information systems due to growing complexity from distributed systems and dynamic environments. It proposes an agent-based framework called SIM that focuses on aligning access policies with business objectives by linking them to processes and responsibilities defined in the ISO/IEC 15504 standard. The goals are to define policies based on business needs and automatically deploy them through IT infrastructure using a multi-agent system architecture.
An agent based framework for identity management the unsuspected relation wit... christophefeltus
The document discusses access rights management in information systems and proposes an innovative approach. It aims to better align access policies with business objectives by linking them to organizational processes and responsibilities. The approach uses concepts from the ISO/IEC 15504 process assessment standard to define policies based on processes, outcomes, roles and responsibilities. It then proposes a multi-agent system to automate deployment of access policies across IT systems and devices in a flexible way. The approach seeks to improve on existing identity management solutions which can be rigid and difficult to integrate across organizations.
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to make access management policies closer aligned with business objectives. It does this in two ways:
1) By focusing the policy engineering process on business goals and responsibilities defined in processes, using concepts from the ISO/IEC 15504 standard. This links capabilities and accountabilities to process outcomes and work products.
2) By defining a multi-agent system architecture to automate the deployment of policies across heterogeneous IT components and devices. The agents provide autonomy and ability to adapt rapidly according to context.
The approach was prototyped using open source components and aims to improve how access rights are defined according to business needs and deployed across an organization.
Sim an innovative business oriented approach for a distributed access managementchristophefeltus
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to define access control policies in a way that is closely aligned with business objectives. It does this by linking concepts from the ISO/IEC 15504 process-based model for organizing work to concepts of responsibility. The approach also defines a multi-agent system architecture to automate the deployment of access policies across an organization's heterogeneous IT components and devices. This provides autonomy and adaptability. The goal is to improve how access rights are defined according to business needs and how those rights are deployed throughout the IT infrastructure.
If only i can trust my police! sim an agent based audit solution of access right deployment through open network
Multi-Agent System (MAS) monitoring solutions are designed for a plethora of usage topics. Existing approaches mostly use cloned back-end architectures, while the front-end monitoring interface tends to constitute the real specificity of the solution. These interfaces are recurrently structured around three dimensions: access to informed knowledge, agents' behavioural rules, and restitution of real-time states of a specific system sector. In this paper, we propose prototyping a sector-agnostic MAS platform (Smart-X) which gathers in an integrated and independent platform all the functionalities required to monitor and to govern a wide range of sector-specific environments. For illustration and validation purposes, the use of Smart-X is introduced and explained with a smart-mobility case study.
This document provides an agenda and overview for a joint workshop on security modeling hosted by the ArchiMate Forum and Security Forum. The workshop aims to identify opportunities to improve the conceptual and visual modeling of enterprise information security using TOGAF and ArchiMate. The agenda includes introductions, a research spotlight on strengthening role-based access control with responsibility modeling, an open discussion on complementing TOGAF and ArchiMate with enhanced security modeling, and identifying next steps. The workshop purpose is to enable better security architecture decisions and drive usage of TOGAF and ArchiMate for security architecture.
This document proposes an innovative systemic approach to risk management across interconnected sectors. It suggests using enterprise architecture models to manage cross-sector risks in Luxembourg's complex ICT ecosystem. The approach would provide regulators an overview of all players and systems, as well as models of different sectors to analyze collected data and risks at a national level, fostering accurate and reactive risk mitigation across economic domains.
This document proposes extending the HL7 standard with a responsibility perspective to better manage access rights to patient health records. It presents the ReMMo responsibility metamodel, which defines actors' responsibilities and associated access rights. The paper aims to align ReMMo with the HL7-based eSanté healthcare platform model in Luxembourg to semantically enhance access controls based on users' real responsibilities rather than just roles. It will first map concepts between the two models, then evaluate the alignment through a prototype applying inference rules.
This document proposes a methodological approach for specifying services and analyzing service compliance considering the responsibility dimension of stakeholders. The approach includes a product model and process model. The product model has three layers: an informational layer describing service context and concepts, an organizational layer describing business rules and roles, and a responsibility dimension layer linking the two. The process model outlines steps for service architects to identify context, define concepts and rules, specify services, and analyze compliance. The approach is illustrated with an example of managing access rights for sensitive healthcare data exchange between organizations.
This document discusses integrating responsibility aspects into service engineering for e-government. It proposes a multi-layered approach including an ontological layer defining legal concepts, an organizational layer describing roles and stakeholders, an informational layer representing data structures and integrity constraints, and a technical layer representing IT components. A responsibility meta-model is also introduced to align responsibilities across these layers and facilitate interoperability between services that share data. The approach aims to ensure service compliance and manage risks associated with e-government services.
1) The document proposes a dynamic approach for assigning functions and responsibilities to agents in a multi-agent system for critical infrastructure management.
2) The approach uses an agent's reputation, which is based on past performance, to determine which agents receive which responsibilities as crisis situations change over time.
3) Assigning responsibilities dynamically based on reputation allows the system to continue operating effectively if an agent becomes isolated or has reduced capabilities during a crisis.
The document describes the NOEMI assessment methodology, which was developed as part of a research project to help very small enterprises (VSEs) improve their IT practices. The methodology aims to assess VSEs' IT capabilities in order to facilitate collaborative IT management across organizations. It was designed to be aligned with common IT standards like ISO/IEC 15504 and ITIL, but adapted specifically for VSEs. The methodology has been tested through several case studies with VSEs in Luxembourg, with promising results.
This document provides a preliminary literature review of policy engineering methods related to the concept of responsibility. It summarizes key access control models and discusses how they address concepts like capability, accountability, and commitment. The document also reviews engineering methods and how they incorporate responsibility considerations. The overall goal is to orient further research towards a new policy model and engineering method that more fully addresses stakeholder responsibility.
This document proposes an extension of the ArchiMate enterprise architecture framework to model multi-agent systems for critical infrastructure governance. The authors develop a responsibility-driven policy concept and metamodel layers to represent agent behavior and organizational policies across technical, application, and organizational layers. The approach is illustrated through a case study of a financial transaction processing system.
This document summarizes an experimental prototype of the OpenSST protocol for secured electronic transactions. OpenSST was developed to achieve high security, simplicity in software engineering, and compatibility with existing standards. The prototype uses OpenSST for the authorization portion of electronic payments in an e-business clearing solution. It describes the OpenSST message format and types, and discusses how OpenSST is implemented in the prototype's three-element architecture of an OpenSST proxy, reverse proxy, and server.
This document proposes an automatic reaction strategy for critical infrastructure SCADA systems. It defines a three-layer metamodel for modeling SCADA components and two types of policies (cognitive and permissive) that govern component behavior. It then presents a two-phase method for identifying these policies from the SCADA architecture and formalizing them to support an automatic reaction strategy. This strategy is modeled as an integral part of the SCADA architecture using the defined metamodel and policy identification method. It includes organizational and application layers with main actors, strategies, and components that realize the reaction policies based on expected automation levels.
This document discusses the NOEMI model, a collaborative management model for ICT processes in SMEs. The model was developed by the Centre Henri Tudor and tested with a cluster of 8 partner SMEs. Key aspects of the model include defining ICT activities across 5 domains, assessing each SME's capabilities, and having an operational team manage activities for the cluster under a coordination committee. The experiment showed improved cost control, management, and partner satisfaction compared to alternatives like outsourcing or hiring individual IT staff. The research is now ready for market transfer as the successful model is adopted long-term by participating SMEs.
The document proposes an agent-based architecture for multi-level security incident reaction in distributed telecommunication networks. The architecture has three levels: a low level interface with the infrastructure, an intermediate level using multi-agent systems to correlate alerts and deploy reactions across domains, and a high level for global supervision and policy management. The architecture was designed based on requirements like scalability, availability, autonomy, and robust reaction and alert management across distributed systems. It was successfully tested for implementing data access control policies.
This document proposes a multi-agent architecture for incident reaction in information system security. The architecture has three layers - low level interacts directly with the infrastructure, intermediate level correlates alerts and deploys reaction actions using multi-agent systems, and high level provides supervision and manages business policies. The architecture was tested for data access control and aims to quickly and efficiently react to attacks while ensuring policy compliance. The document discusses requirements like scalability, autonomy, and global supervision. It also describes the key components of alert management, reaction decision making, and policy definition/deployment to implement the architecture using a multi-agent approach.
This document proposes a metamodel for modeling reputation-based multi-agent systems using an adaptation of the ArchiMate enterprise architecture modeling framework. It describes a case study applying this metamodel to model an electrical distribution critical infrastructure system. Key elements of the metamodel include:
- Representing agents and their behaviors through policies that integrate both behavior and trust components
- Modeling trust relationships between agents using a reputation-based trust model
- Illustrating the metamodel layers and components on a system that detects weather alerts and broadcasts messages to the public through various channels like SMS or social media
The document discusses information security concerns of industry managers. A survey found that information security is the top concern of managers, even more than risks from the economy or natural disasters. While industries invest heavily in information security, most managers still trust their current security systems despite few having organizations well-adapted to new information risks. The complexity of assessing security risks is growing due to new IT capabilities, critical infrastructure developments, cloud services, and increasing cybercrime. Industries and academics must collaborate further on information security research to address these challenges.
Conceptualizing a Responsibility based Approach for Elaborating and Verifying
RBAC Policies Conforming with CobiT Framework Requirements
Toward a Business/IT Alignment Method based on the Translation of Business to Application Roles
Christophe Feltus, Eric Dubois
Public Research Center Henri Tudor
Luxembourg-Kirchberg,
Luxembourg
christophe.feltus@tudor.lu, eric.dubois@tudor.lu
Michaël Petit
PReCISE Research Centre,
Faculty of Computer Science, University of Namur,
Belgium
mpe@info.fundp.ac.be
Abstract—The objective of this paper is to present the first
results toward the definition of a two-step approach for
aligning business-level requirements issued from corporate
frameworks such as CobiT down to technical policies such as
the access rights modeled by RBAC. To achieve that, our
approach is based on the concept of employees' responsibility.
Using this concept is motivated by the importance and
omnipresence of responsibility throughout company
frameworks, from CEO responsibilities, such as those defined
for the financial sector by the Sarbanes-Oxley Act, down to
responsibilities at the operational layer, such as that of a trader
who must follow stock quotes for private banking. The
approach is illustrated with an example, which highlights
how access rights are assigned to employees having
responsibilities defined at the CobiT framework layer.
Keywords-Alignment; CobiT; Responsibility; Traceability;
Access right; RBAC; Requirement engineering.
I. INTRODUCTION
In all of a company's layers, standards and norms define
business activities. Those activities are called strategic
activities at the higher layer, such as the activity to report the
company's results to the board of directors; management
activities at the intermediary layer, like activities to manage
the budget of a company unit; or operational activities at the
lower layer, such as the activity to encode customers' data.
For all of those activities, implementation rules (e.g., access
right policies) must be defined accordingly. For instance, at
the higher layer, the CEO needs to have access to strategic
data to prepare the company report; at the intermediary layer,
the unit managers need to have access to the accounting
software to manage the budget; and at the lower layer,
secretaries need access to the customer database.
Meanwhile, governance standards and norms [1, 2, 3]
request a strict alignment between these business layer
activities and the corresponding rights. This strict alignment
makes it possible, for example, to respect the principle of least
privilege and, consequently, to provide employees with only
the rights that are indispensable to achieve their goals. For instance,
it is not permitted to give access to the customer database to
the whole team of secretaries if only one of them is
concerned with the customers' records. The financial sector
is particularly sensitive to this requirement and additionally
requests traceability of this alignment of permissions and
rights according to business needs. In practice, this alignment
between the business view and the technical view is
problematic, and so is the traceability of the rights assigned to
employees according to the business specifications.
In most companies, the management of employees'
permissions and rights is done by using the central concept
of a role, which makes it possible to manage a large number of users
on the one hand and the permissions assigned to the role on
the other hand. Role engineering is the process of defining
roles, which are then assigned to a set of users who have
the same function in the company. Role Based Access
Control (RBAC [4]) has emerged as a reference model in
this discipline. RBAC models two main types of
assignments, which are the user-role assignment and the
permission-role assignment. That means that a role is defined
with a set of permissions and that users are assigned to this
role to get the permissions.
Using the concept of role presents weaknesses due to the
difficulty of aligning the roles defined at the business layer
(business roles) with the roles used at the IT
layer to operate IT transactions (application roles). This
weakness brings out two kinds of situations. In the first case, the
company restricts its number of application roles to the
number of business roles. The company then
works with a limited number of roles and employees receive,
as a result, more permissions and rights than they need. In
the second case, the company defines as many application
roles as IT transaction possibilities. The
company then works with many roles, which makes access
right management difficult and reduces the advantages of
following the RBAC specifications. This problem mainly
emerges due to the misalignment between business roles and
application roles. Business roles gather employees with
the same function who can have different tasks to perform,
whereas application roles gather employees with the same
tasks to perform, who may be assigned to different
business roles.
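The two situations described above can be measured on a small RBAC model. The following is an added example, not code from the paper: the employees, tasks and permission names are constructed, reusing the secretaries, customer database and accounting software mentioned in the introduction.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): permissions each task requires.
TASK_PERMISSIONS = {
    "encode_customer_data": {"customer_db:read", "customer_db:write"},
    "schedule_meetings": {"calendar:write"},
    "manage_unit_budget": {"accounting:read", "accounting:write"},
}

# Constructed employees: (business role, tasks actually performed).
EMPLOYEES = {
    "alice": ("secretary", {"encode_customer_data", "schedule_meetings"}),
    "bob": ("secretary", {"schedule_meetings"}),
    "carol": ("secretary", {"schedule_meetings"}),
    "dave": ("unit_manager", {"manage_unit_budget", "schedule_meetings"}),
}


def needed(tasks):
    """Least-privilege baseline: union of the permissions the tasks require."""
    return set().union(*(TASK_PERMISSIONS[t] for t in tasks))


def business_role_scheme():
    """Situation 1: one RBAC role per business role.

    The role must carry everything any of its members needs, so the
    permission-role assignment is the union over all members.
    """
    role_perms = defaultdict(set)
    user_roles = {}
    for user, (business_role, tasks) in EMPLOYEES.items():
        role_perms[business_role] |= needed(tasks)
        user_roles[user] = {business_role}
    return dict(role_perms), user_roles


def task_role_scheme():
    """Situation 2: one application role per task (IT transaction)."""
    role_perms = {task: set(perms) for task, perms in TASK_PERMISSIONS.items()}
    user_roles = {user: set(tasks) for user, (_, tasks) in EMPLOYEES.items()}
    return role_perms, user_roles


def audit(role_perms, user_roles):
    """Report role count, user-role assignments and per-user excess permissions."""
    excess = {}
    for user, (_, tasks) in EMPLOYEES.items():
        granted = set().union(*(role_perms[r] for r in user_roles[user]))
        extra = granted - needed(tasks)
        if extra:
            excess[user] = extra
    return {
        "roles": len(role_perms),
        "user_role_assignments": sum(len(r) for r in user_roles.values()),
        "excess": excess,
    }


if __name__ == "__main__":
    for label, scheme in (("business roles", business_role_scheme),
                          ("task roles", task_role_scheme)):
        print(label, audit(*scheme()))
```

With business roles only, every secretary inherits customer database access although one of them needs it; with one role per task nobody is over-privileged, but the number of roles and user-role assignments grows with the number of tasks.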
Based on the review of the literature, we have observed
that the concept of responsibility is central to the business
models and that it can be modeled with concepts from the
business view, like the employee's obligations and
accountabilities, and concepts from the technical view, like
the employee's rights, access rights and permissions needed
to perform business obligations. In previous work [5, 6], we
have elaborated a responsibility meta-model (Fig. 2) built
around three sets of concepts: (i) the accountability of an
employee regarding an obligation derived from a
responsibility; (ii) the rights required to fulfill the obligation;
(iii) the commitment pledged by the employee to fulfill the
obligation. Whereas the first two sets are common in the
field of IT, the last one derives from social aspects, which
underline the importance of dealing with the engagement of
the employee in the responsibility assignment process.
In this paper, we present a responsibility-centered
meta-model, which ensures interoperability between
the business view and the technical view, and we explain how
it can be used as a pivot point between both. We propose a
method whose objective is to assign permissions to
employees and which also makes it possible to trace this assignment. This
method is a two-step approach (Fig. 1). In the first step, the
meta-model is mapped with CobiT (business view) and
responsibilities are defined and associated with business roles
issued from the business framework they refer to. In the
second step, the meta-model is mapped with RBAC
(technical view) and the responsibilities previously defined
are assigned to employees following the RBAC model.
Figure 1. Two steps of the responsibility based approach
In the next section, we present the responsibility meta-
model and its concepts, and propose our own definitions of
them. In section III, we present the first step of the approach
related to the mapping of the responsibility meta-model with
CobiT. In section IV, we introduce the second step of the
approach, which maps the meta-model with RBAC and
considers the assignment of employees and permissions to
responsibilities. In section V we conclude the paper.
II. THE RESPONSIBILITY META-MODEL
The elaboration of the responsibility meta-model (Fig. 2)
has been performed based on literature overview. We have
firstly analyzed how the responsibility is included in
information technology professional frameworks (ISO
15504 [7], ISO 27000 [8], CIMOSA [9], ITIL [10] and
COBIT [11]), in the field of requirement engineering and
role engineering [12], and in the field of access control with
the review of the DAC, MAC, RBAC and UCON model
[13].
The literature overview has permitted to observe that
some components are commonly accepted, whereas others
are missing or not at all addressed by the field of IT. The
stakeholder is the basic component and is most of the time
associated to a group. Stakeholder appears as a person, an
employee, a subject, a system or a software component. We
use the term employee since our responsibility meta-model
is more for business usage. Most of the time the
responsibility also refers to a duty, which may take a wide
range of representations, e.g. the performance of a scenario
or the achievement of a task. We propose to relate the
employee’s responsibility to a behavior, which we represent
by the Task performed by an Actor on an Object. Capability
is a component that is part of most frameworks. Capability
is most frequently expressed as access rights,
authorizations or permissions. Obligation is a component
that exists mainly in engineering methods and is
expressed as the obligation to achieve a task or to perform an
action.
Commitment does not really exist in requirement
engineering but appears only punctually and not explicitly
in some management frameworks like CobiT. The literature
overview in the field of IT has been completed by a
literature review in the field of Human Sciences. This has
permitted to complete the understanding of some concepts
such as concepts of commitment, commitment antecedents,
accountability and sanction.
Figure 2. Responsibility meta-model UML diagram
To structure the meta-model, we define three sets of
concepts: the obligation/ accountability, the right and the
delegation/ assignment process.
From the literature review, we propose our own
definitions of the concepts:
Responsibility: a state assigned to an employee to signify to
him his obligation concerning a behavior, the accountability
regarding this obligation and the right necessary to perform it
Behavior: a task performed or avoided by an actor with or on
an object
Task: an action to use or transform an object
Object: a material or immaterial entity that can be
transformed or used
Employee: a human actor hired in a company
Actor: a human or a machine that performs a task
A. Concept of obligation/accountability
Obligation (Fig. 3) is the most frequent concept to appear
as well in literature as in industrial and professional
frameworks. Two types of obligations have been defined by
Dobson [14]: functional obligation that points out what a role
must do with respect to a state of affairs (e.g. execute an
activity) and a structural (managerial) obligation that
represents what a role must do in order to fulfill a
responsibility such as directing, supervising and monitoring,
whenever an obligation or a right is delegated.
Figure 3. Obligation concept UML diagram
Accountability and Answerability are closely related concepts.
Both of them are types of obligations to report the
achievement, maintenance or avoidance of some given state
[15] to an authority. The difference between them is that one
accountability is composed of one answerability and zero or
many sanctions [16]. Stahl [17] argues that accountability
describes the structures, which have to be in place to
facilitate responsibility and that responsibility is the
ascription of an object to a subject rendering the subject
answerable for the object. Stahl also focuses on the sanction
as being of central importance to responsibility. He nuances
the sanction as positive or negative. The answerability is
defined by Cholvy as an obligation or a moral duty to report
or explain the action or someone else’s action to a given
authority [18]. There are other definitions of accountability.
Laudon and Laudon [19] define this concept in the following
way: Accountability is a feature of systems and social
institutions: It means that mechanisms are in place to
determine who took responsibility of actions with the
following definition: responsibility has to do with tracing the
causes of actions and events, of finding out who is
answerable in a given situation. For Goodpaster and
Matthews [20] accountability is a mechanism set allowing
such tracing of causes, actions, and events, whereas for
Spinello [21], it is a necessary but not a sufficient
responsibility condition.
We propose the following definitions of the concepts
introduced in the meta-model:
Answerability: a state assigned to an employee which could
justify the performance of a behavior to someone else
Sanction: a task or an object gained by the employee
resulting of the performance of an accountability
Accountability: a type of obligation to justify the
performance of a behavior to someone else under threat of
sanction
Obligation: a type of behavior that links a responsibility
with a behavior that must be performed
B. Concept of right
The concept of right (Fig. 4.) is common but is not
systematically embedded in the frameworks. It encompasses
facilities required by an employee to fulfill his obligations.
Figure 4. Right concept UML diagram
Capability describes the requisite qualities, skills or
resources necessary to perform an action. Capability is a
component that is part of all models and methods [9, 15,
22], and it may be expressed through the knowledge or
know-how needed by the employee, but also time, training,
manpower, budget, material, etc.
Authority describes the power or right to give orders or
to make decisions. This concept is introduced in CIMOSA
[9] as the power to command and control other employees
and to assign responsibilities. CIMOSA argues that
responsible employees have rights over resource in the first
place and over process, action and task in the second place.
CIMOSA distinguishes resources from their capabilities:
Resources are companies’ assets required for carrying out
processes, whereas capabilities are technical abilities
provided by a specific resource. There are four types:
functional, performance, object oriented or operational.
Delegation right describes the right to transfer a part of
the responsibility to another employee who pledges
commitment for it (Cf. next section). This transfer may
concern the transfer of rights, of obligations or of both. The
delegation of an obligation may or may not be accompanied
by the delegation of the right to further delegate this same
obligation [15]. This delegation of rights depends on the
right’s type (access to information, money, time…) and on
the employee’s status, function or position. This delegation
also may or may not include the transfer of obligation as the
obligation to be accountable [23].
We propose the following definitions of the concepts
introduced in the meta-model:
Right: a facility required to perform a behavior
Delegation Possibility: the right to delegate all or some
part of the responsibility to another employee
Authority: the power or right to give orders or make
decisions (from CIMOSA)
Access Right: the right to access an object
Capability: employee qualities, skills or resources
C. Assignment/delegation process
Assignment is the action of linking an employee to a
responsibility and delegation process is the transfer of an
employee’s responsibility assignment to another employee.
Figure 5. Assignment/delegation process UML diagram
The commitment pledged by the employee related to this
assignment or delegation process represents his moral
engagement to fulfill the action and the assurance that he
does it in respect of an ethical code. The commitment
remains a virtual concept, difficult to define as well as to
integrate in a strictly formalized framework. In [24], Meyer
and Allen acknowledge that commitment should be
conceptualized as a psychological state concerned with how
people feel about their organizational engagements. To
bypass the integration difficulty, we propose to integrate the
components, which enforce the commitment, as an
alternative solution into the meta-model. These components,
traditionally called Commitment’s antecedent in literature,
correspond to more pragmatic variables [25] (Fig. 5).
The antecedents may take many forms depending on the
type of commitment. These forms include the characteristics
and the experiences a person brings to the organization [26],
the employee’s age and the time he is part of the
organization [27, 28, 29], the perception of job security [30],
the management culture and style [31], the employee’s
investments in time, money and effort [32]. A scientific
survey of the commitment also highlights that Commitment
outcomes may really influence the quality and efficiency of
the action achieved. Pfeffer explains in [33] that Employee
commitment is argued to be critical to contemporary
organizational success. The following list summarizes
commitment outcomes:
• The employee performance [34]. Committed
employees performed better because of their high
expectations of their performance. Moreover,
employees have a high level of performance when
they are committed to both, their organization and
their profession.
• The retention of the employee. Many studies reveal
a link between the employee’s commitment and his
turnover [32, 34, 35].
• The citizen behavior or extra-role behavior. The
research on these outcomes remains, however,
inconclusive [36].
Based upon the commitment outcomes and antecedent
definition, we may assume that being committed to the
responsibility of an action for an employee on the one hand
means an increasing of trust in the achievement of the
obligation or in the accountability attached to responsibility,
and on the other hand more efficiency (and consequently
more capabilities) for this employee to perform the action.
We propose the following definitions of the concepts
introduced in the meta-model:
Commitment: a state of being of an employee who pledges a
personal engagement to perform a behavior
Commitment Antecedent: a state or behavior that brings about
commitment
Commitment Outcomes: a state or behavior that results in
employee commitment
III. STEP 1: BUILDING RESPONSIBILITIES
The first step of the approach consists of building the
responsibilities by mapping the responsibility meta-model
with the CobiT framework.
A. Responsibility in CobiT
The CobiT responsibility model is formalized through a
RACI chart matrix attached to all 34 CobiT processes. RACI
stands for Responsible, Accountable, Consulted and
Informed and defines what the responsibilities of the
business roles must be, regarding the key activities of
control. CobiT addresses the responsibility of all business
roles assigned to employees involved in IT governance and
IT security actions.
The paper is illustrated based on the AI6 control of
CobiT: Manage Change. CobiT provides a framework for
controls without fine-grained tuning of the rights and
obligations of each business role for this control. Indeed, if
we look at the Manage Change control, we observe that one
CobiT control provides: a process description, control
objectives, a list of inputs, a list of outputs, a list of activities
and their corresponding RACI charts, goals and metrics, and
a maturity model. CobiT’s objective is to provide control
requirements and guidelines for deploying those controls in
practice. As a consequence, the framework does not provide
detailed information to deploy the standard in practice and
additional information needs to be engineered in the
company itself. For instance, CobiT provides 8 business
roles involved in the Manage Change process (Fig. 4): CIO,
Business Process Owner, Head of Operations, Chief
Architect, Head Development, Head IT Administration, PMO
and Compliance, Audit, Risk and Security. Each of those
business roles may be affected by up to 5 activities, and have
different functions (R, A, C, I) through those activities. In
this case, we have 8 business roles × 5 activities × 4
functions = 160 possible assignments. In the rest of the
paper, we consider and call the RACI functions
responsibilities. As a consequence, employees may be
assigned the responsibility to be accountable, to be
responsible, to be informed and to be consulted. At the same
time, it is unrealistic to provide the same rights and same
obligations to all employees. For instance, the Head
Operation, who is responsible and accountable for
Authorizing changes, does not have the same rights and
obligations as the Business Process Owner, who is
informed of The management and dissemination of relevant
information regarding the changes. In practice, deploying
CobiT in the company implies specifying what the
responsibilities of each employee are for all controls and
ensuring that those responsibilities are personally accepted.
B. Alignment of the responsibility meta-model with CobiT
responsibilities
The mapping of CobiT and the responsibility meta-model
(Fig. 7) permits to instantiate the meta-model with inputs
from CobiT. In this figure, we observe that:
• the 4 responsibilities (R, A, C, I) from the RACI chart
correspond to four types of responsibilities taken from
the responsibility meta-model,
• the obligations, which combine responsibility and
the rights required, are provided by the CobiT framework,
• the RACI chart, which is provided by the CobiT framework,
is composed of responsibility, business role, and activity,
• CobiT assignment of business role to employee makes
the link between the employee and CobiT obligations
and rights,
• Activity is composed of tasks, which may partially be
extracted from CobiT.
If we consider AI6 control of CobiT: Manage Change,
this control is composed of five activities (Fig. 6):
1. Develop and Implement a process to consistently
record, assess and prioritise change requests,
2. Assess impact and prioritise changes based on business
needs,
3. Assure that any emergency and critical change follows
the approved process,
4. Authorise changes,
5. Manage and disseminate relevant information
regarding changes.
Figure 6. Manage Change control RACI chart
Figure 7. Mapping responsibility and RACI chart UML diagram
A deeper analysis of the second activity of the control,
Assess impact and prioritise changes based on business needs,
highlights that eight business roles may, according
to CobiT, be assigned to the four RACI responsibilities:
• Accountable: Head operation
• Responsible: BPO, PMO, Head operation, Head
development
• Consulted: Chief Architect, Head IT operation and
Compliance, Audit, Risk and Security
• Informed: CIO
Consider the responsibility of being responsible. In CobiT,
this responsibility designates the employee who gets
the action done. This responsibility is spread over 4 business
roles, but CobiT does not provide more information about which
tasks of these activities are achieved by which
employee, nor by which business role. To instantiate the
responsibility meta-model, we need to collect all the tasks,
which compose the activity and associate them with the
business role foreseen for this responsibility. This association
is obtained by analyzing the company’s processes or usual
practices. Those tasks are partially provided by CobiT and
are completed with data from other frameworks such as ITIL
or from company’s specific data and practices (Table I).
TABLE I. RACI RESPONSIBILITIES TO TASKS ASSOCIATION
Tasks | Resp.
From CobiT:
Assessing change (based on business needs) | R
Priorising changes (based on business needs) | R
Assess the impact of change to the IT infrastructure, application and technical solutions | R
Scheduling change | R
From ITIL:
Be available for consultation should an urgent Change required | C
Attend all relevant CAB (Change Advisory Board) | A
Consider all changes on the agenda and give an opinion on which changes should be authorized | A
From the company:
Inform about the Business needs | C
Perform a monthly review | A
Introduce changes scheduled in a database | R
Prepare CAB report | A
Accountability concerning “Priorising changes” : Justify the priorising | A
The CAB is informed about the changes | I
The activity Assess impact and prioritize changes based
on business needs is composed of obligations to realize tasks.
Those tasks are afterward mapped to a kind of responsibility
corresponding to the RACI chart. The association of RACI
responsibility to tasks is based on the CobiT definitions of
responsibility: R is the employee who gets the action done
and corresponds to tasks such as assessing change,
prioritizing changes, scheduling change, etc. A is the
employee who provides direction and authorizes an action
and corresponds to tasks such as Attend all relevant
CAB, Consider all changes on the agenda and give an
opinion on which changes should be authorized, etc.
After the mapping with CobiT and the responsibility
meta-model, we have got a list of tasks, which composes
each activity and, through the RACI chart, a list of business
roles, which can be assigned responsible for all those tasks.
For instance the responsibility to Schedule change can be
assigned in the step 2 of the approach to employees who
have one of the following business roles: BPO, PMO, Head
operation, Head development.
C. Right to Task association
In order to provide the strictly necessary permissions and
rights requested to perform a task to a responsibility, we
have to directly link the concept of right to the concept of
responsibility rather than to the concept of business roles.
To instantiate the concept of rights, we analyze task by
task which rights and permissions are indispensable to
perform those tasks.
TABLE II. RIGHTS TO TASKS ASSOCIATION
Tasks | Rights
From CobiT:
Assessing change (based on business needs) | List of required changes (CobiT), information related to the business needs
Priorising changes (based on business needs) | List of accepted changes, information related to the business needs
Assess the impact of change to the IT infrastructure, application and technical solutions | List of required changes (CobiT), documentation related to the IT infrastructure, List of applications and technical solutions
Scheduling change | List of required changes (CobiT), List of accepted changes, list of priorising changes
From ITIL:
Be available for consultation should an urgent Change required | List of urgent required changes
Attend all relevant CAB (Change Advisory Board) | No right
Consider all changes on the agenda and give an opinion on which changes should be authorized | List of required changes (CobiT)
From the company:
Inform about the Business needs | Management report
Perform a monthly review | List of required changes (CobiT), List of accepted changes
Introduce changes scheduled in a database | List of accepted changes
Prepare CAB report | List of required changes (CobiT), List of accepted changes
Accountability concerning “Priorising changes” : Justify the priorising | List of changes schedules and justifications
The CAB is informed about the changes | List of required changes (CobiT), List of accepted changes, list of priorising changes
For AI6 control, the rights and permissions do not exist
explicitly in CobiT but some first information is provided by
the inputs indispensable for the control. Those control inputs,
however, do not separately target each task of the control but
the control as a whole. These rights are also not refined
according to one type of responsibility (R, A, C, I).
Consequently, the required rights are extracted from a
fine-grained analysis of CobiT, completed with a similar
analysis of ITIL and, for illustration, with some rights
derived from the company’s business processes as well. For
this example, those rights are fictitious and for illustration
only.
IV. STEP 2: ASSIGNING RESPONSIBILITIES
The second step of the approach consists of modeling the
assignment of permissions to employees by mapping the
responsibility meta-model with RBAC model.
A. RBAC User-Role and Permission-Role assignment
process
The concept of role has been introduced to software
engineering about 35 years ago and has followed the
development of traditional access control techniques such as
the Mandatory Access Control or Discretionary Access
Control. Role Based Access Control (Fig. 8) has been
introduced in the NIST standard for role-based access control
[4] and embodies the entire previously developed notions in
a single model which is now the reference access control
mechanism for most software applications. The publication
of this standard has been followed by many related papers
which adapt the model for specific fields (e.g. eCommerce
[37]), propose alternative solutions according to other
constraints (Context Aware RBAC [38]), or propose
solutions for managing some of its aspects (e.g. ARBAC
[39], URA97 [40] or PRA97 [41]).
Figure 8. RBAC model
RBAC is a high level model with the objective to
simplify the management of granting permissions to users.
This is especially necessary in multinational companies
where the amount of employees often count in thousands. It
provides access decisions based on two associations – the
association of users to roles based on the function that users
assume, and based on their responsibilities, and the
association of permission to roles describing that a role has
the permission to perform specific operations on objects.
This means that it is easy to change the assignment of people
to roles without changing permissions.
The process to assign users to roles and permissions to
roles is normally a managerial function performed by the
business manager or the process owner to decide which
employee needs to access what application to achieve her
job. The actual implementation may be delegated by the
application business owner to a security administrator.
URA97 [40] and PRA97 [41] are both part of the ARBAC97
[39] model (Administrative RBAC), which permits the
assignment of the users to roles and permissions to roles by
means of administrative roles and permissions. Both URA97
and PRA97 are defined in the context of the RBAC96 model
family but are applicable to most RBAC models. Their
philosophy is to create administrative roles managed by
security officers. These administrative roles are granted
administrative permissions to assign or to remove users
to/from roles. In the same way that RBAC96 defines role
hierarchies, ARBAC97 defines administrative role hierarchy,
so that a senior security officer inherits permissions from a
junior security officer below him in the role hierarchy. For
example, if the junior has assigned an employee to an
inappropriate business role, the senior security officer can
remove this employee from the role or change the
permissions associated with it. URA97 gives a detailed
explanation of the administration of the assignment process.
B. Employee-Responsibility assignment process based on
RBAC
To capitalize on the advantages of RBAC for managing
access rights, needed by employees to perform a task (Table
II), we could consider the business role defined by CobiT as
the RBAC concept of role (which we call application role),
and associate employees and permissions to this application
role. The problem with doing so is that the activities are
composed of tasks and that the employees who are
assigned to a business role do not all have to achieve all tasks
targeted by this business role. Consequently, doing so
would provide some employees with too many permissions
and would be in opposition to the principle of least
privilege.
To face this problem, we propose to map the
responsibility concept with the RBAC concept of role
(application role) and consider those responsibilities as types
of application roles. Additionally, we consider the employee
corresponding to the RBAC concept of a user and that the
rights assigned to the responsibilities correspond to the
RBAC concept of permission (Fig. 9).
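The following added example (not code from the paper) contrasts the two mappings discussed above using the "R" tasks of Table I and their rights from Table II. The function names are hypothetical, and it assumes one responsibility (application role) per task.

```python
# Added illustration, not the paper's code. Rights per task are transcribed
# from Table II for the tasks that Table I marks "R" in the activity
# "Assess impact and prioritise changes based on business needs".
REQUIRED = "List of required changes (CobiT)"
ACCEPTED = "List of accepted changes"
NEEDS = "Information related to the business needs"
INFRA_DOC = "Documentation related to the IT infrastructure"
APPS = "List of applications and technical solutions"
PRIORITISED = "List of priorising changes"

TASK_RIGHTS = {
    "Assessing change": {REQUIRED, NEEDS},
    "Priorising changes": {ACCEPTED, NEEDS},
    "Assess the impact of change": {REQUIRED, INFRA_DOC, APPS},
    "Scheduling change": {REQUIRED, ACCEPTED, PRIORITISED},
    "Introduce changes scheduled in a database": {ACCEPTED},
}

# Business roles the RACI chart lists as Responsible for this activity.
RESPONSIBLE_ROLES = frozenset({"BPO", "PMO", "Head operation", "Head development"})


def permissions_via_business_role(business_role):
    """Mapping rejected in the text: the CobiT business role is the RBAC role,
    so it has to carry the rights of every R task of the activity."""
    if business_role not in RESPONSIBLE_ROLES:
        return frozenset()
    return frozenset().union(*TASK_RIGHTS.values())


def permissions_via_responsibilities(assigned_tasks):
    """Mapping proposed in the text: each responsibility is an application
    role that carries only the rights of its own task (assumption: one
    responsibility per task)."""
    unknown = set(assigned_tasks) - set(TASK_RIGHTS)
    if unknown:
        raise KeyError(f"no rights defined for: {sorted(unknown)}")
    return frozenset().union(*(TASK_RIGHTS[t] for t in assigned_tasks))


def excess_permissions(business_role, assigned_tasks):
    """Rights an employee would hold without needing them for assigned tasks."""
    return (permissions_via_business_role(business_role)
            - permissions_via_responsibilities(assigned_tasks))


if __name__ == "__main__":
    # Bob is a BPO who is only responsible for prioritising changes.
    bob_tasks = ["Priorising changes"]
    print("needed :", sorted(permissions_via_responsibilities(bob_tasks)))
    print("excess :", sorted(excess_permissions("BPO", bob_tasks)))
```
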
Figure 9. Mapping responsibility and RBAC UML diagram
The mapping of the responsibility meta-model achieved
in step 1, has permitted to instantiate the concepts of activity,
task, responsibility and right. From the mapping of RBAC
with the responsibility meta-model achieved in step 2, we
have modeled the assignment of permissions to employees
by the intermediary concept of responsibilities.
C. Employee commitment to the responsibility
According to the previous section, we agree upon the
idea that the simplest way for a manager to assign
permissions to an employee is to simply assign this employee
to a responsibility, which encompasses specific tasks to
perform and is associated to the permissions needed to
perform the tasks. By doing so, the manager implicitly
obliges the employee to accept the responsibility to perform
the tasks, but he does not actually know whether the
employee has agreed to this. Not taking the employee’s
commitment into account is an authoritarian way of
managing the staff and may result in company goals not
being achieved due to unwillingness of employees to
perform assigned tasks (see section II.D). Although this may
seem unavoidable, especially in large companies, it could
easily be improved by incorporating acceptance of
responsibility by an employee within the responsibility
assignment process.
In order to explain how the commitment may be included
in the employee to responsibility assignment process, a
conceptual assignment process is proposed as illustrated in
Fig. 9. When being assigned to a responsibility, the
employee needs to explicitly commit to the achievement of
the task(s) related to the responsibility. This concept of
commitment does not exist in RBAC as it considers the
assignment of an employee to a role as an action performed
solely by the employee’s manager. Based on our review of
the significance of the commitment in section II.D and
according to the responsibility meta-model, we propose to
integrate the commitment to the employee to responsibility
assignment process.
An employee responsibility assignment process may start
with a request from a delegator to transfer the obligation
related to a task to an employee (Fig. 10). This transfer is
possible if the employee‘s manager accepts the assignment
of the responsibility to the employee and if this employee
explicitly commits to fulfill the task. The first condition
corresponds to a double control: the employee’s availability
and the employee’s capability. In some cases, the employee
is also the manager and consequently, decides whether to
accept or reject new responsibilities according to
availabilities. The second condition corresponds to the
commitment pledged by the employee according to his
perception of the environment, guarantees received, interest
in the task, etc. (see commitment antecedent in section II.D).
Once the delegator receives the agreement from the
employee’s manager and the commitment from the
employee, the delegator requests the RBAC administrator to
provide the permissions needed to achieve the task. As soon
as the permissions are granted, the employee is assigned to
the responsibility (Fig 10).
D. Example of assignment process
To assign an employee responsible for the task
Prioritizing changes (based on business needs), which
compose the activity Assess impact and prioritize changes
based on business needs, we firstly have to identify to
which responsibility this task is corresponding. According
to Table I, we see that it corresponds to the responsibility to
be responsible and that this responsibility is assigned to the
four following business roles: BPO, PMO, Head operation,
Head development (Fig. 6).
Suppose that Bob is a Business Process Owner (BPO)
whom the CobiT Manager considers a suitable candidate for
this responsibility. Before the assignment, Alice,
who is Bob’s manager, has to check, for example, that Bob has
enough capabilities to achieve the work and that he is
available. Additionally, the new responsibility is proposed to
Bob, who has to commit to it. Once Bob is committed and if
Alice has confirmed Bob’s capability and availability, the
RBAC administrator has to assign Bob to the application
role that corresponds to this responsibility and that is
assigned the corresponding access rights, according to Table
II:
• List of accepted changes,
• Information related to the business needs
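The assignment workflow of sections IV.C and IV.D, sketched as an added example that is not the paper's code: the RBAC administrator grants the application role only after the manager's review and the employee's commitment, and every step is recorded so the permission can be traced back. Class and method names are hypothetical; Bob, Alice, the CobiT Manager and the two rights come from the example above.

```python
from dataclasses import dataclass, field

# Application role = responsibility; its rights are taken from Table II.
RESPONSIBILITY = "Responsible: Priorising changes"
PA = {RESPONSIBILITY: {"List of accepted changes",
                       "Information related to the business needs"}}


@dataclass
class AssignmentRequest:
    delegator: str
    employee: str
    manager: str
    responsibility: str
    manager_ok: bool = False
    committed: bool = False
    trace: list = field(default_factory=list)  # (event, actor, outcome)

    def manager_review(self, reviewer, capable, available):
        """First condition: the manager checks capability and availability."""
        if reviewer != self.manager:
            raise PermissionError(f"{reviewer} is not {self.employee}'s manager")
        self.manager_ok = capable and available
        self.trace.append(("manager_review", reviewer, self.manager_ok))
        return self.manager_ok

    def commit(self, who, accepts):
        """Second condition: only the employee can pledge commitment."""
        if who != self.employee:
            raise PermissionError("commitment must come from the employee")
        self.committed = accepts
        self.trace.append(("commitment", who, accepts))
        return accepts


class RbacAdministrator:
    def __init__(self, pa):
        self.pa = pa    # permission-role assignment: role -> rights
        self.ua = {}    # user-role assignment: user -> roles
        self.log = []   # granted requests, kept for tracing

    def grant(self, request):
        """Assign the role only when both conditions are met."""
        if not (request.manager_ok and request.committed):
            request.trace.append(("grant_refused", "RBAC administrator", False))
            return False
        self.ua.setdefault(request.employee, set()).add(request.responsibility)
        self.log.append(request)
        request.trace.append(("granted", "RBAC administrator", True))
        return True

    def check_access(self, user, right):
        return any(right in self.pa.get(role, ())
                   for role in self.ua.get(user, ()))

    def why(self, user, right):
        """Trace a right back to (responsibility, delegator, approver)."""
        return [(r.responsibility, r.delegator, r.manager) for r in self.log
                if r.employee == user and right in self.pa.get(r.responsibility, ())]


if __name__ == "__main__":
    admin = RbacAdministrator(PA)
    req = AssignmentRequest("CobiT Manager", "Bob", "Alice", RESPONSIBILITY)
    req.manager_review("Alice", capable=True, available=True)
    print("granted before commitment:", admin.grant(req))
    req.commit("Bob", accepts=True)
    print("granted after commitment:", admin.grant(req))
    print(admin.why("Bob", "List of accepted changes"))
```
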
V. CONCLUSION
In this paper, we propose a conceptual responsibility-based
approach for elaborating RBAC policies conforming
to CobiT requirements. The objective of the approach is to
improve the assignment of permissions to employees and, at
the same time, to make this assignment traceable. The central
component of the approach is the responsibility of the
employees, which is used as a pivot point between the
business view and the IT view.
Figure 10. Workflow for assigning responsibility taking into account employees’ commitment
Although the business role aims to gather a number of
employees with the same functions under the same set, that
business role cannot directly be mapped to application roles.
We propose to use the concept of responsibility as a link
between both types of roles. Responsibility refers in its
definition to the employees’ obligations, the rights required by
these obligations and their personal engagement to fulfill
them. This view of responsibility does not attempt to
replace the role or to be a subset of
it; rather, its purpose is to refine the link between an
employee, his business obligations, and his IT rights and
permissions.
The approach is structured in 2 steps:
1. The mapping of the responsibility meta-model with the
CobiT framework, which permits to decompose CobiT
activities on tasks, map RACI responsibility to these
tasks and define the requisite right to perform the task.
2. The mapping of the responsibility meta-model with
RBAC has permitted to model the assignment of
permissions to employees by the intermediary concept
of responsibilities and has permitted to assign
employees to responsibilities taking the employees’
commitment into account.
The approach has been illustrated based on Bob’s
responsibility to be responsible. Following the
responsibility meta-model, this responsibility also includes an
accountability, which is defined by the obligation to report
the achievement of a task and as such is a task itself, which
requires additional permissions to be assigned to Bob, such
as access to the reporting tool.
Although responsibility has been used in this paper as
a vector to align business roles with application roles in an
access right policy engineering process, it could also have
been used to control the assignment of permissions to
employees in production. This would have
been achieved by analyzing whether the permissions requested to
perform an activity are duly assigned to an employee
who is himself assigned to a business role with responsibility
over this activity.
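The production-time control described in the paragraph above can be sketched as follows. This is an added example, not code from the paper: it audits held permissions against the chain employee, business role, responsibility, task, required permission. All role, task and permission names are constructed, and treating commitment as a hard precondition for holding a responsibility is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Responsibility:
    activity: str   # business activity the obligation covers
    tasks: dict     # task name -> permissions required to perform it

# Constructed sample data; every name below is hypothetical.
RESPONSIBILITIES = {
    "deploy_patch": Responsibility("patch_deployment", {
        "deploy patch": {"patch_server:write"},
        # accountability = obligation to report, modelled as its own task
        "report achievement": {"reporting_tool:access"}}),
}
BUSINESS_ROLES = {"system_administrator": {"deploy_patch"}}
EMPLOYEE_ROLES = {"bob": {"system_administrator"}, "alice": set()}
COMMITMENTS = {("bob", "deploy_patch")}  # assumption: commitment is mandatory
ASSIGNED = {"bob": {"patch_server:write", "hr_db:read"},
            "alice": {"patch_server:write"}}

def held_responsibilities(employee):
    """Responsibilities reached through a business role and committed to."""
    return [RESPONSIBILITIES[name]
            for role in EMPLOYEE_ROLES.get(employee, ())
            for name in BUSINESS_ROLES.get(role, ())
            if (employee, name) in COMMITMENTS]

def audit(employee):
    """Return (unjustified, missing) permissions for one employee."""
    justified = set()
    for resp in held_responsibilities(employee):
        for required in resp.tasks.values():
            justified |= required
    held = ASSIGNED.get(employee, set())
    return held - justified, justified - held

def may_perform(employee, activity, permission):
    """Production-time check: is the requested permission backed by a
    responsibility over this activity?"""
    return any(resp.activity == activity
               and any(permission in req for req in resp.tasks.values())
               for resp in held_responsibilities(employee))

if __name__ == "__main__":
    for who in ASSIGNED:
        print(who, audit(who))
```

The audit reports both directions of drift: permissions held without a backing responsibility, and permissions a responsibility requires (here the reporting-tool access implied by accountability) that were never granted.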
ACKNOWLEDGMENT
This research was funded by the National Research Fund
of Luxembourg in the context of the TITAN (Trust-Assurance for
Critical Infrastructures in Multi-Agents Environments, FNR
CO/08/IS/21) project.
REFERENCES
[1] ISO/IEC 38500 (2008), International Standard for Corporate
Governance of IT.
[2] P. S. Sarbanes, and M. Oxley (2002) Sarbanes-Oxley Act of 2002.
[3] Basel Committee on Banking Supervision, International convergence
of capital measurement and capital standards; BIS; Basel, June 2004.
[4] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R.
Chandramouli. 2001. “Proposed NIST standard for role-based access
control”. ACM Trans. Inf. Syst. Secur. 4, 3 (Aug. 2001), 224-274.
[5] C. Feltus, M. Petit, and M. Sloman, “Enhancement of Business IT
Alignment by Including Responsibility Components in RBAC”, Proc.
10. 5th
International Workshop on Business/IT Alignment and
Interoperability (BUSITAL 2010), Hammamet, Tunisia.
[6] C. Feltus, M. Petit, and E. Dubois, “Strengthening employee's
responsibility to enhance governance of IT: COBIT RACI chart case
study”. Proc. of the First ACM Workshop on Information Security
Governance. ACM, New York, NY, 23-3. DOI=
http://doi.acm.org/10.1145/1655168.1655174.
[7] ISO/IEC 15504, Information Technology – Process assessment, (parts
1-5), 2003-2006.
[8] ISO/IEC 27001:2005, “Information technology – Security techniques
– Information security management systems – Requirements”, 2005-
10-15.
[9] F. B. Vernadat, “Enterprise Modelling and Integration”, Chapman &
Hall, London (1995), ISBN 0-412-60550-3.
[10] ITIL (2001), IT Infrastructure Library – Service Delivery, The
Stationery Office Edition, ISBN 011 3308930.
[11] COBIT 4.1, Control Objectives for Information and Related
Technology, Information Systems Audit and Control Association..
[12] C. Feltus, and M. Petit, “Building a Responsibility Model Including
Accountability, Capability and Commitment” 4th
International
Conference on Availability, Reliability and Security (ARES), 2009,
Fukuoka, Japan .
[13] R. Sandhu, and J. Park, “Usage Control: A Vision for Next
Generation Access Control”, Proc. of the Second International
Workshop on Mathematical Methods, Models and Architectures for
Computer Networks Security, 2003.
[14] J. Dobson, and D. Martin, “Enterprise Modeling Based on
Responsibility, Trust in Technology: A Socio-Technical Perspective”,
Clarke, K., Hardstone, G., Rouncefield, M. and Sommerville, I., eds.,
Springer, 2006.
[15] I. Sommerville, R. Lock, T. Storer, and J. Dobson, “Deriving
Information Requirements from Responsibility Models”, Proc. of the
21st International Conference, CAiSE 2009, Amsterdam, The
Netherlands, June 8-12, 2009. ISBN 978-3-642-02143-5.
[16] J. A. Fox, “The uncertain relationship between transparency and
accountability” (August 1, 2007). Center for Global, International and
Regional Studies. Reprint Series. Paper CGIRS-Reprint-2007-2.
http://repositories.cdlib.org/cgirs/reprint/CGIRS-Reprint-2007-2.
[17] B. C. Stahl, “Accountability and reflective responsibility in
information systems”. In: C. Zielinski et al. The information society -
emerging landscapes. Springer, 2006, pp. 51 -68.
[18] L. Cholvy, F. Cuppens, and C. Saurel, “Towards a logical
formalization of responsibility”, Proc. of the 6th
International
Conference on Artificial Intelligence and Law, pp. 233-242, 1997.
[19] K. C. Laudon, and J. P. Laudon, “Essentials of Management
Information Systems”, 4th
edition London et al., 1999, Prentics Hall.
[20] K. E. Goodpaster, and J. B. Jr. Matthews, “Can a corporation have a
moral conscience ?” Hardvard Business Review (Jan-Feb 1982), pp.
132 – 141.
[21] R. Spinello, “Case studies in information and computer ethics”,
Upper Saddle River, 1997, NJ: Prentice Hall.
[22] E. S. Yu, and L. Liu, “Modelling Trust for System Design Using the
i* Strategic Actors Framework.” Workshop on Deception, Fraud, and
Trust in Agent Societies Held During the Autonomous, Eds. Lecture
Notes In Computer Science, vol. 2246. Springer-Verlag, 2001.
London, 175-194.
[23] T. J. Norman, and C. Reed, “Delegation and Responsibility”. In
Proceedings of the 7th
international Workshop on intelligent
Employees Vii. Employee theories Architectures and Languages (July
07 - 09, 2000). C. Castelfranchi and Y. Lespérance, Eds. Lecture
Notes In Computer Science, vol. 1986. Springer-Verlag, London,
136-149.
[24] J. P. Meyer, and N. J. Allen, ‘A three component conceptualization of
organizational commitment’. Human Resource Management Review.
1991. 1, 61-98.
[25] C. Vandenberghe, K. Bentein, and F. Stinglhamber, “Affective
commitment to the organization, supervisor, and work group:
Antecedents and outcomes”, Journal of Vocational Behavior, Volume
64, Issue 1, February 2004, pp. 47-71.
[26] R. T. Mowday, L. W. Porter, and R. M. Steers, “Employee-
Organization Linkages: The Psychology of Commitment”,
Absenteeim, and Turnover. 1982. New York: Academic Press.
[27] B. Buchanana, “Building organizational Commitment: The
Socialization of Managers in work organizations”, Administrative
science Quarterly, 19, pp. 533 – 546.
[28] D. Hall, “Organizational Identification as a function of Career Pattern
and Organizational Type”, Administrative Science Quarterly, 1977,
17, pp. 340 – 350.
[29] K. Lio, “Professional Orientation and Organizational Commitment
among Employees: an Empirical Study of Detention Workers”,
Journal of Public Administration Research and Theory, 1995, 5, pp.
231 – 246.
[30] B. P. Niehoff, C. A. Enz, and R. .A., Grover, “The Impact of Top-
Management Ctions on Employee Attitudes and Perceptions”, Group
& Organization Studies, 1990, 15, 3, 337 – 352.
[31] G. Florkowski, and M. Schuster, “Support for Profit Sharing and
Organizational Commitment: A Path Analysis”, Human Relations,
1992, 45, 5, pp. 507 – 523.
[32] G. J. Blau, “The measurmement and Prediction of Career
Commitment”, Journal of Occupational Psychology, 1985, 58, pp.
277 – 288.
[33] J. Pfeffer, (1998). ��The Human Equation”. Boston, MA., Harvard
Business School Press.
[34] J. P. Meyer, and N. J. Allen, “Testing the ‘Side-Bet Theory’ of
Organizational Commitment: Some Methodological Considerations”,
Journal of Applied Psychology, 1994, 69, pp. 372 – 378.
[35] L. W. Porter, R. M. Steers, R. T. Mowday, and P. V. Boulian,
“Organizational Commitment, Job Satisfaction, and Turnover Among
Psychiatric Technicians”, Journal of Applied Psychology, 1974, 59,
pp. 603 – 9.
[36] E. S. Williams, K. V. Rondeau, and L. H. Francescutti, “Impact of
culture on commitment, satisfaction, and extra-role behaviors among
Canadian ER physicians”, Leadership in Health Services, 2007, vol.
20, Issue 3, 147-158.
[37] C. Yang, “Designing secure e-commerce with role-based access
control”. Int. J. Web Eng. Technol. 2007, 3, 1, pp. 73-95.
[38] D. Kulkarni, and A. Tripathi, “Context-aware role-based access
control in pervasive computing systems”. Proc. of the 13th
ACM
Symposium on Access Control Models and Technologies (Estes Park,
CO, USA, June 11 - 13, 2008). SACMAT '08. ACM, New York, NY,
113-122.
[39] R. S. Sandhu, V. Bhamidipati, and Q. Munawer, “The ARBAC97
Model for Role-Based Administration of Roles”, Proc. of TISSEC,
1999.
[40] R. S. Sandhu and V. Bhamidipati, “The URA97 Model for Role-
Based User-Role Assignment”. Proc. of the IFIP Tc11 Wg11.3
Eleventh international Conference on Database Securty Xi: Status and
Prospects (August 10 - 13, 1997). T. Y. Lin and S. Qian, Eds. IFIP
Conference Proceedings, vol. 113. Chapman & Hall Ltd., London,
UK, 262-275.
[41] R. S. Sandhu, and V. Bhamidipati, 1998. “An Oracle implementation
of the PRA97 model for permission-role assignment”. Proc. of the
Third ACM Workshop on Role-Based Access Control (Fairfax,
Virginia, United States, October 22 - 23, 1998). RBAC '98. ACM,
New York, NY, 13-21.