Rome, Piazza di Spagna - 29 March 2012
MOTIA FINAL CONFERENCE "Project Presentation"
Project Impact assessment and qualitative evaluation
Maria Cristina Brugnoli, CASPUR, Università di Tor Vergata
mariacristinabrugnoli@gmail.com
Outline
• Overview and main objectives
• Interview schedule
• Description of the field
• General feedback
• Highlights on major items
• Specific feedback from the end users
• Application of SNA methodology to CI analysis and modelling
Overview
Investigation of CI in Italy and proposed metrics for the qualitative evaluation and modelling of CI
Outline of the activity
• Qualitative investigation and definition of agencies' characteristics in relation to CI
• Case study: organizations and agencies in Italy
• Focus: qualitative characterization of the ICT CI chain, the relation between organizations and ICT infrastructures, and within the ICT infrastructures as a whole
• Field (organisations making extensive use of the ICT infrastructure):
  • Public services and administration
  • Service providers
  • Civil security and emergency services
Objectives
• to gauge initial responses to the MOTIA concept and MOTIA-specific R&D objectives;
• to gauge initial reactions to the metrics and methodology proposed by the project and get suggestions for further improvements, also in order to shape the overall characteristics of the ICT infrastructure interdependencies;
• to identify other actors that make extensive use of the telecommunication infrastructure and that could be interested in the project results;
• to support and provide insights for the project dissemination and overall assessment activities.
Interview schedule
• Warm-up
• Field
• Investigation of ICT and TLC technologies (used in the organization)
• Focus on critical infrastructures
• Presentation of the MOTIA concept
• Collection of feedback on MOTIA interest and impact
• Plus and minus, suggestions and sum-up
PUBLIC SERVICES (field characteristics)
• Public administration:
  • ICT networks used by the administrations are very heterogeneous
  • In general, personnel know-how is quite low
  • Awareness of SEC and Critical Infrastructure is low
  • There is a strong will to be involved in the IT adoption/improvement activities
  • There is a strong will to create the path for a PA as services, also enabling business continuity
  • Still more focussed on the internal ICT services than the external ones (…very low pressure from the customers)
• Public emergency services:
  • ICT networks and services used by the administrations are very heterogeneous
  • There is very high interest in web-based and mobile-based apps
  • The personnel know-how is high and competent in technologies
  • Willingness to pay for more expensive services if needed
  • Awareness of SEC and Critical Infrastructure is relevant but has low impact on decision making
  • Quite high constraints (security in particular)
  • Relation with the operator is quite satisfying
  • Disaster recovery services have not been evaluated yet
General reactions and suggestions
• High level of impact at EU and national level
• Interest in the project, although less clear is…:
  • the methodology that MOTIA is willing to implement
  • concrete results of the project
  • potential impact on the "daily activities" of the end users
• New "simplified" concept (for non-technical audience)
• Technical characterization of user needs and impact assessment (CASPUR/ENEA internal meeting)
• Definition of practical and concrete tools to be easily adopted by the end users
• List of EU/national action items and recommendations (to be disseminated also through lobbying activities)
• MOTIA white paper…? (e.g. linking the impact assessment results with other data, also considering the specific characteristics of the Italian case study)
Field: characteristics of the end users
• ABI Lab (2):
  • + 150 banks
  • 4 areas (SEC, IT, organization, and commercial)
  • participates in several EU and IT boards (high connection with the EU)
  • produces reports and surveys
  • is in charge of many communication and dissemination activities
  • ICT networks for banks are very heterogeneous
• ENAV (1):
  • manages all Italian air traffic
  • 4 control centres, 35 airports, and 34 radars
  • participates in several EU and IT boards, is under the regulation of Eurocontrol (very high connection with the EU)
  • moving all communication to IP (currently 3 different networks + video surveillance net)
• Poste Italiane (1):
  • one of the backbones of the Italian economy (loss in case of disaster: 60 M Euros per day!)
  • complex offer with a variety of services (postal, commercial, bank,…)
  • is on the market, but still has many characteristics of a public company
  • participates in the most important IT boards (low connection with the EU, high with the IT)
  • ad hoc service networks with TI and Fastweb
General reaction on the MOTIA project
• Positive:
  • Strong interest and expectations
  • The topic and the objectives are clear
  • Availability to support and participate in the project (also in providing representation at EU level)
  • Not shy in presenting their needs and remarks
  • Willingness to pay for more expensive services if needed
  • SEC and Critical Infrastructure have enormous impact on the BID…
  • Awareness of SEC and Critical Infrastructure relevance is high but does not impact decision making
  • Nowadays there is more attention on SEC than on Critical Infrastructure, MOTIA is welcome!
General reaction on the MOTIA project
• Less clear is…:
  • the methodology that MOTIA is willing to implement
  • concrete results of the project
  • potential impact on the "daily activities" of the end users
Major items identified
• Technical aspects and ICT implementation
• Provisioning of ICT services
• Regulatory and political aspects
• Organizational issues
ICT implementation
• Redundancy (civil security), prevention (banks), early warning (postal services), and service differentiation (service providers) as strategies to avoid failure
• Very high constraints (customers, national provisioning of services, security and safety)
• Systems do not support traceability of events
• "…the ICT system is a 'black box' in the house of the operator…"
• Testing and verification are crucial (and to be carried out each time a change is implemented)
• Strong need for high-level guidelines and methodology
Provisioning of ICT services
• Relation with the operators
  • Collaboration
  • Exchange of information
  • Post-services consultancy
  • More transparency and collaboration
  • More exchange of information
  • Operators are seen as "Critical Operators"
• Other expectations and needs
  • Customization and personalization of services
  • More post-services
  • Availability to support during testing and during the other crucial/critical activities
  • Disaster recovery as an unsatisfied issue
Regulatory and political aspects
• National and European legislation, need for clear directives at IT and EU level
• Relation and lobbying at EU level
• Each sector should have its own regulation
• Specific regulation in regard to the obligations of operators and ICT providers
Organizational issues
• Lack of transparency and collaboration
• No clear information on the actual services provided
• Low level of knowledge of the "failure chain" and its evolution
• Strong need for collaboration at all levels of personnel
Specific user feedback: Banks and postal services
• Characteristics
  • low level of ICT knowledge
  • strong pressure from the customers
  • strong push from the customers
  • regulation and policies are a benefit
• Needs
  • creation of a unique infrastructure for the bank system
  • more support after technology deployment ("what we have is just an email contact!")
  • creation of a map of "Critical operators" and ICT service providers
  • creation of standard (basic) agreements, based on a "minimum set" of assured services
Specific user feedback
Characteristics / Needs
• Improvement and introduction of an ad hoc alerting system is strongly suggested
• Disaster recovery at the moment is too expensive
• Recovery timeframe (+ABI)
• Business continuity (+ABI)
• More collaboration on decision making at high-level management
• Need to analyse the CI at physical, IP and management level
• Operation should work closely with the end users
Specific user feedback (Civil security)
• Characteristics
  • Regulation and policies are a benefit for us
  • No constraints from costs (ENAV)
• Needs
  • EU guidelines and cooperation with the other countries
  • Exchange of best practices and know-how
  • High quality of ICT providers and operators (high competence)
  • Support in the transition/evolution towards IP
  • Understanding of how ATM can be properly placed into IP-based communications
  • New methodologies for moving from complexity to synergy
CIs qualitative vs quantitative analysis and modeling
• Literature review on CI qualitative evaluation and modeling (none of them were exhaustive…)
• High-level view: socio-technical system (Little, 2004) and CI vulnerabilities model (McEntire, 2001)
• In-depth analysis: Network Analysis approach, where the CI can be analysed using SNA
• Current work: transforming qualitative R&D results into data for the construction of the CI network
SNA approach for CI
• SNA is a mature methodology used to understand and visualize the characteristics of social groups
• Usually SNA is used to map and measure relationships and flows between people, groups, and organizations
• In MOTIA we use SNA in a broad sense, mapping not only social relations but also relations (as interdependencies) between machines, IT services and other tangible and intangible entities and mixed groups
• The social-driven analysis of the CI will provide insights for the definition and evaluation of the CI vulnerability attitude (also on the basis of CI liabilities and capacities)
• As an outcome, for each of the organisational case studies we will be able to define the observed CI network graph and its characterization
Related work
• The paper proposed the analysis of CI vulnerability. An example (the case of Canada Province-A) is given to illustrate the ideas and results presented in the paper. The analysis is conducted on the interdependencies of the main infrastructures of the area.
• Chai C., Liu X., Zhang W. J., Deters R., Liu D., "Social Network analysis of the vulnerability of interdependent critical infrastructures", International Journal of Critical Infrastructures, Vol. 4, No. 3, 2008.
Civil security and emergency services
[Figure: network diagram. Labels: Lobbying, Agency operators, Equip., Primary agency (1), Testing, Training, Legal and tech, Telco operators, Services, Operator, OP (2), OP (3)]
Postal services
[Figure: network diagram. Labels: Primary agency (1), Lobbying, Equip., Services, Telco operators, Operator, OP (2), OP (3)]
Analysis
• identification of different layers (social, legal, know-how,…)
• identification of different actors in the chain
• in-degree/out-degree
• number and type of lines/links
• number of nodes
• density
• proximity
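
The metrics listed above, computed on a small directed dependency graph, as an added example that is not part of the original presentation. The edges are constructed for illustration (only the node names echo the slide diagrams), "proximity" is read here as closeness centrality, and `affected_by` is a hypothetical helper that goes beyond the list to trace the "failure chain" upstream of a failed node.

```python
from collections import deque

# Constructed edges (A, B): "A depends on B". Node names echo the slide
# diagram labels; the edges are assumptions made for this example.
EDGES = [
    ("Agency operators", "Primary agency"), ("Primary agency", "Equipment"),
    ("Primary agency", "Services"), ("Primary agency", "Telco operators"),
    ("Equipment", "Telco operators"), ("Services", "Telco operators"),
    ("Telco operators", "OP 2"), ("Telco operators", "OP 3"),
]

def build(edges):  # adjacency map: node -> set of nodes it depends on
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set())
    return adj

def degrees(adj):  # node -> (in-degree, out-degree); in-degree = dependants
    indeg = {n: 0 for n in adj}
    for outs in adj.values():
        for m in outs:
            indeg[m] += 1
    return {n: (indeg[n], len(adj[n])) for n in adj}

def density(adj):  # links present / links possible in a directed graph
    n = len(adj)
    return sum(len(v) for v in adj.values()) / (n * (n - 1)) if n > 1 else 0.0

def distances(adj, source):  # breadth-first hop counts along the links
    dist, queue = {source: 0}, deque([source])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def proximity(adj, source):  # closeness: nodes reached / sum of hop counts
    dist = distances(adj, source)
    total = sum(dist.values())
    return (len(dist) - 1) / total if total else 0.0

def affected_by(adj, failed):  # nodes depending, even transitively, on `failed`
    reverse = {n: {m for m in adj if n in adj[m]} for n in adj}
    return set(distances(reverse, failed)) - {failed}
```

A node with high in-degree and a large `affected_by` set (here the telco operators) is the kind of "critical operator" the interviewees asked to have mapped.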