Submitted Abstract
Nowadays, there is a strong emphasis on the security of information systems and the management of cybersecurity risks. Numerous regulations are emerging that impose a risk-based approach for information system security on entire economic sectors. Compliance to these regulations is a real challenge for current organizations, asking for innovative regulatory technologies, also known as “RegTech”. In the telecommunications sector, the EU Directive 2009/140/EC introduces Article 13a about security and integrity of networks and services. This article states that Member States shall ensure that providers of public communications networks ‘take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services’. As part of the adoption of this directive at the national level, a first project has been developed in collaboration with ILR, the national regulatory authority for the telecommunications sector in Luxembourg that aimed to adapt and facilitate security risk management in the telecommunications sector. To this end, both ILR and LIST have produced an initial framework composed of two parts: an approach and a tool to support the adoption of this regulation by Telecommunications Service Providers (TSPs) at the national level (regulated entity part) and a tool collecting the data received by the regulatory authority from the regulated entities through the preceding approach (regulatory authority part). In light of the feedbacks following the first regulatory cycle performed from December 2015 to July 2016 and followed by the gathering of data by ILR, R&D challenges have emerged to facilitate and improve the quality of the risk management process performed by the regulated entities on one side and to improve the governance of the regulation by the regulatory authority on the other side. The main limitations identified are the lack of support to the security risk management process, a management of risks based on individual assessments instead of taking care of the whole ecosystem, and limited data analytics capabilities. The main objective of this project is to establish an advanced security risk management framework dealing with the limitations highlighted. The main improvements of the framework are the evolution and development of models and reference architectures supporting the framework, the development of a customer-centric and systemic risk assessment approach, and finally the definition of an extended set of measurements for data analytics for both the regulatory authority and regulated entities. As outcome of the project, the planned innovation will enable a better governance of the regulation. Risk awareness and decision-making ability of ILR will be improved based on the indicators that will be established. The value for ILR will also be in the standardized and high-level quality of the results obtained to comply with the regulation, thanks to the supporting models, positioning Luxembourg as a top performer in the EU to comply with Article 13a. Finally, the security of TSPs as well as the quality of service for end-users will be improved, hence risks taken by the end-users related to lack of security and integrity of networks and services will be minimized.