Conference Paper · July 2013
A new architecture multi-agents based combining EBIOS and ISO 27001 in IT risk management
Hajar IGUER (1), Hicham MEDROMI (2), Adil SAYOUTI (3), Saadia TALLAL (4)
(1) EAS Team, LISER Laboratory, ENSEM – Université Internationale de Casablanca, Casablanca, Morocco, hajar.iguer@eas.ensem.ac.ma
(2) EAS Team, LISER Laboratory, ENSEM, Casablanca, Morocco, hmedromi@yahoo.fr
(3) EAS Team, LISER Laboratory, ENSEM, Casablanca, Morocco, sayouti@gmail.com
(4) EAS Team, LISER Laboratory, ENSEM, Casablanca, Morocco, s.tallal@hotmail.com
Abstract
Within companies, the security of information systems is increasingly addressed using risk-based approaches. Indeed, studies have shown that using IT governance methods, standards or frameworks significantly reduces losses. One of the most used and effective methods of risk management is EBIOS ("Expression des Besoins et Identification des Objectifs de Sécurité"). ISO 27001 incorporates a set of risk management requirements. Aligning all these tools in a distributed architecture is the ultimate means of securing the information system.
Hence, we will take advantage of the weaknesses and strengths of other risk management methods and tools to design a more complete, hybrid architecture based on a multi-agent system, since such systems share the same goals as our architecture.
EBIOS is a methodological approach which provides a global view of information system security, while the objective of ISO 27001 is to help establish and maintain an effective information security management system, using a continual improvement approach. The SGR (Système de Gestion de Risque) architecture considers every aspect of any risk and treats it through a series of multi-agent systems.
To better understand risk management in information security, this paper aims to present in detail all the concepts and processes of the risk domain.
Keywords: IT Governance, EBIOS, ISO 27001, Multi-Agents approach, Distributed systems, SGR Architecture.
1. Introduction
For several years, security has been the weak point of computer systems, generating no income for the company. Security risks are considerable threats for companies that are struggling to improve their image and their processes. While more and more companies are opening their information systems to their partners or suppliers, it is essential to know which resources of the company to protect and to manage access control and the rights of system users to information.
International Conference on Engineering Education and Research 1 July - 5 July 2013, Marrakesh
As businesses continue to expand their technology infrastructure, ensuring that IT resources are properly aligned to business strategy while managing a multitude of associated risks becomes increasingly difficult.
In order to know and protect these systems, we find in the field of information systems a multitude of frameworks, norms and standards that interact to provide the information system manager with key elements for better management of the system. Over the years, there have been several accomplishments in this field. Software vendors and consulting companies such as MEGA and IBM have developed governance systems to assist companies in managing their information system projects.
Faced with such a variety of standards, methods, frameworks and best-practice guides, the choice is more difficult. International agencies are exhausting themselves in the search for new techniques and tools to continuously improve their services.
In the second section, we start by introducing information security and risk management; this is followed by a state of the art of risk management tools, to position our article within IT management. In the third section, we expose the IT governance solutions used in the IT market, while in the fourth section we present our SGR architecture in detail. Finally, we conclude with a suggestion of a case study in which to implement our architecture. Overall, this paper addresses risk management in the governance of information security and highlights their relationships.
2. State of the Art
Before introducing our choice of standards, methods or frameworks, we must have some knowledge of the computer field, especially of computer security. We need a set of definitions related to this article, such as information security and risk management, that will allow a better comprehension of the article.
2.1. Information Security
Computer security is a major challenge for companies; security problems need to be managed and resolved in a very short time, which is why real-time management is essential to the security of computer systems. As a matter of fact, there are several standards, methods or frameworks that help companies improve risk management in their systems.
Information exists in different forms. During the exchange of this information, it must be protected from a number of threats that can affect its quality. To preserve the quality of this information, three parameters should be taken into account: confidentiality, integrity and availability, which can be defined as follows:
- Confidentiality: the information must be protected against unauthorized interception or publication.
- Integrity: the accuracy and completeness of the information must be guaranteed.
- Availability: the information must be available when needed.
Information security is provided by the establishment of a set of measures, which may be company policies, procedures, practices, organization or software features.
2.2. Risk Management
A management system, as defined by the International Organization for Standardization (ISO) in ISO 9000, establishes a set of policies and objectives and allows these goals to be reached. It can be seen as a set of technical and organizational measures aiming at one goal.
When introducing risk management, we must define and show the difference between threat, vulnerability and risk. Academically they can be defined as follows: a threat is a possible attack on an individual or element (information) with potential negative consequences; a vulnerability is the exposure to the threat in a particular context; whereas a risk is the combination of threats and the losses that may be caused to the element.
An ISMS (information security management system) is an example of a management system. It can be defined as a set of resources for information security enabling an organization to establish a policy and objectives and to implement them. Once these goals are achieved, we must control and supervise them for a continuous improvement of information security.
2.3. Comparative study
In this section, we compare methods of risk management. In fact, there are many risk management methods on the market. We may mention EBIOS, MEHARI, OCTAVE, CRAMM, SP800-30, the ISF methods, the Australian IT security handbook and the Dutch A&K analysis.
It is time to give those responsible for the management of information systems the keys to choose among this range of methods. There are many other methods and frameworks in use around the world which have neither the reputation nor the strong potential for risk management of the methods we have presented.
That is why we briefly introduce below a table [1] with the advantages and disadvantages of all the risk management methods on the market. It should be noted that this table is based on a selected number of attribute values corresponding to the models used for the description of the methods. These attributes were considered the most representative for a brief comparison.
* Basic level, ** Standard level, *** Specialist level.
The symbols (●, ●●, ●●●) used in the table vary between 0 and 3. They specify the degree of fulfilment of the phase by the chosen method.
Table 1. Comparative study of risk management methods
We note that, in terms of risk management practices, EBIOS aligned with ISO 27001 is the most efficient method and is widely used within the IT community.
2.4. EBIOS
EBIOS is the response of the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) to risk management for information systems. Since its first release in 2004, it has been able to develop and improve its processes. Its final version appeared in 2010 and has seen several improvements [2].
The ANSSI publishes methodological guides free of charge to contribute to improving the security of public or private organizations' IS (information systems). Among these guides, it has produced a comprehensive approach, free and equipped with tools, developed in collaboration with experts in the field of information systems. The aim of the method is the formalization of security objectives and requirements adapted to the studied system and its context, while taking into account the business processes.
The EBIOS approach consists of five steps, with the different elements to be addressed in the context of risk analysis. The main interacting steps of the EBIOS process are as follows:
- Study of the context
- Expression of security needs
- Study of threats
- Identification of security objectives
- Expression of security requirements
2.5. ISO 27001
Standardisation of established practices and exchanges has made their management simpler. ISO, international in scope, has been able to generate confidence in several fields. Thanks to regular revisions, this trust has resulted in worldwide recognition of its processes, generating value for any system. The ISO 2700x series is described as follows [3]:
- 27000: Overview and vocabulary
- 27001: ISMS requirements
- 27002: Practical steps
- 27003: Implementation guide
- 27004: Safety indicators and measurement
- 27005: Risk management
- 27006: Requirements for auditors and certification bodies
- 27007: Audit guide
- 27008: Guidance for auditors on ISMS controls
In this article we only discuss the second standard of the ISO 2700x series, ISO 27001.
The standard governs the design, implementation, monitoring, maintenance, improvement and certification of an information security management system (ISMS), although it does not prescribe specific information security controls and stops at the level of system management.
ISO 27001 states the following risk management requirements:
- Definition of a risk assessment approach: identify a suitable method and define risk acceptance criteria.
- Identification of the probable risks to the information system: it is imperative to identify assets, threats, vulnerabilities and impacts.
- Risk analysis: assess the impact on the business, assess the probability of an incident (which can involve a threat, a vulnerability or an impact), estimate the level of risk and determine risk acceptance.
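As an added illustration of the EBIOS steps in Section 2.4 and the ISO 27001 requirements listed above (this is example code written for this page, not a tool from the paper or from ANSSI), the following Python register carries one assessment through those requirements: assets, threats, vulnerabilities and impacts are identified; business impact and likelihood are scored on a qualitative scale; the level of risk is estimated as their product; and risk acceptance criteria fixed in advance decide which risks are accepted and which are handed to treatment. The three-point scale, the impact × likelihood matrix, the acceptance threshold and every scenario in the register are constructed assumptions, not values taken from the paper.

```python
# Added example (not from the paper): a minimal risk register that walks the
# ISO 27001 risk-management requirements using EBIOS vocabulary (assets, threats,
# vulnerabilities, security needs). Scales, matrix and scenarios are constructed.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for both business impact and likelihood (assumed)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskScenario:
    """One register line: an asset exposed to a threat through a vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    impact: Level       # business impact if the threat is realised (the EBIOS security need)
    likelihood: Level   # estimated probability of the incident


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Risk acceptance criteria fixed by management before the assessment (ISO 27001 step 1)."""
    max_accepted_score: int = 2   # scores at or below this value are accepted as residual risk


def risk_score(scenario: RiskScenario) -> int:
    """Estimate the level of risk as impact x likelihood on a 1..9 scale."""
    return int(scenario.impact) * int(scenario.likelihood)


def risk_band(score: int) -> str:
    """Map the numeric score to the three bands of the constructed matrix."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(register: list[RiskScenario], criteria: AcceptanceCriteria) -> list[dict]:
    """Run the risk analysis over the register and decide acceptance per scenario.

    Returns one record per scenario with its score, band and decision, highest
    score first. Scenarios that are not accepted go to risk treatment (the RT
    agent of the SGR architecture in the paper's terms).
    """
    results = []
    for s in register:
        score = risk_score(s)
        results.append({
            "asset": s.asset,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "score": score,
            "band": risk_band(score),
            "decision": "accept" if score <= criteria.max_accepted_score else "treat",
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample register for an e-learning platform (illustrative values only).
SAMPLE_REGISTER = [
    RiskScenario("student records database", "unauthorised disclosure",
                 "missing access control on export function", Level.HIGH, Level.MEDIUM),
    RiskScenario("e-learning web portal", "denial of service",
                 "single server without capacity planning", Level.MEDIUM, Level.HIGH),
    RiskScenario("course material archive", "accidental deletion",
                 "no backup verification", Level.MEDIUM, Level.LOW),
    RiskScenario("public course catalogue", "defacement",
                 "outdated CMS plugin", Level.LOW, Level.LOW),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, AcceptanceCriteria()):
        print(f'{row["score"]} {row["band"]:6} {row["decision"]:6} '
              f'{row["asset"]}: {row["threat"]} via {row["vulnerability"]}')
```

Raising `max_accepted_score` in `AcceptanceCriteria` is the one knob that changes decisions without touching the analysis, which is exactly the separation ISO 27001 asks for: the acceptance criteria are defined before the assessment, and the assessment only reports against them.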
3. IT Governance Solutions
The risks introduced to businesses by process, policy and technology failures can also have a serious impact on the business in terms of achieving business value, protecting brand reputation and ensuring overall performance.
In the market of IT governance solutions, there is a multitude of solutions that partly satisfy the needs of information system managers. These solutions do not give managers the opportunity to choose, from among the processes of the methods, standards or frameworks, those that would be suitable for their system. Examples of these IT GRC solutions are MetricStream, IBM OpenPages, SAP GRC and RSA Archer. These solutions use different frameworks, methods and standards that may not fit the manager's information system [4]. To this day there is no framework that aligns both EBIOS and ISO 27001.
In order to mitigate risk while also keeping pace with technological advancements, organizations need to take a holistic view of the interdependencies between technology risk and business performance. Many businesses still rely on fragmented and disparate strategies to manage their technology risks; this approach is not only costly and inefficient, but it does not facilitate a contextual understanding of the real impact that insufficient and faltering technology processes and policies have on the business.
4. SGR Proposed Architecture
Our aim is to create a new hybrid architecture that gives flexibility to managers. This architecture introduces the EBIOS process following the recommendations of the ISO 27001 standard. Its objective is to cover all external IT risks. This association is based on a solid and secure computer system.
Because of the complexity of computer systems distributed over multiple locations, we want our SGR (Système de Gestion de Risque) architecture to be automated and distributed, which is aligned with the objective of a MAS (multi-agent system). When talking about the multi-agent approach we need to define two major terms: agent and MAS.
An agent can be defined as a physical or abstract entity characterized by its ability to make independent decisions, its knowledge of the surrounding environment and its ability to act accordingly. The characteristics of an agent model are cooperation, coordination and communication [5].
A multi-agent system is part of the effort to improve classical AI (artificial intelligence), which models the behaviour of a single agent, into a system of agents that work together to solve complex problems. Thus, we can define a multi-agent system as a set of intelligent agents cooperating effectively to solve the most complex problems and achieve their goals. An agent in a MAS environment has several characteristics: autonomy, flexibility and cooperation. There are several types of agents, including communicative, reactive, cognitive and intentional agents.
Figure 1. SGR Architecture
The multi-agent system reinforces the achievement of the objectives of our hybrid SGR architecture. In particular, we show how a flexible and extensible architecture of agents is constructed to form an intelligent risk mapping and assessment system [6].
SGR is made of four essential MAS: security drivers, controls, risk management and metrics management. Each part is a multi-agent system. Security professionals exist to help the company achieve its business objectives. Consequently, the company should follow certain rules and regulations to avoid facing legal action. It also has to be aware of external threats in order to manage them throughout the process.
Once all drivers are set, the company needs to set a series of policies and standards aligned with the drivers, to be followed by the security professionals. Every security solution should be put in a security repository to achieve steady security. These recommendations then need to be considered by the risk management MAS, which sends an action plan to the metrics management MAS for this risk.
Accordingly, we try to improve the metrics management MAS and correct the risk management if there is any improvement. The final step after implementation is to inform all stakeholders and decision-making managers of the final results. The stakeholders must then ensure that the results meet their expectations; if this is not the case, they need to update their business goals in the security drivers MAS.
Every treatment in the risk management MAS is stored in a database, "Storage". When a previous treatment of a risk is needed, the risk management MAS consults a knowledge database to check whether this risk has already been treated by the MAS. If it exists, a set of stored instructions is sent to constitute the action plan. If the risk is a combination of already-treated risks, the intelligence of the knowledge database assembles their sets of stored instructions to consolidate an action plan.
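The storage-and-lookup behaviour just described, as an added example that is not code from the paper or from the SGR project: a small Python knowledge database records the treatment decided for each risk, answers lookups for risks already treated, and, for a risk that is a combination of treated risks, assembles one action plan from their stored instructions (shared steps appear once). A component with no stored treatment is reported as untreated rather than silently dropped, so the risk treatment step can handle it afresh; a fully assembled plan is stored again under the composite risk so the next lookup is direct. The class name, the method names, the risk identifiers and the instruction strings are all constructed assumptions.

```python
# Added example (not from the paper): a knowledge database for the risk
# management MAS that stores treatments and assembles action plans for
# composite risks. Identifiers and instructions are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ActionPlan:
    instructions: list[str]   # ordered, de-duplicated steps for the action plan execution step
    untreated: list[str]      # component risks with no stored treatment


class RiskKnowledgeBase:
    """'Storage' plus knowledge database of the risk management MAS (constructed model)."""

    def __init__(self) -> None:
        # risk_id -> ordered instructions; keys are opaque identifiers
        self._treatments: dict[str, tuple[str, ...]] = {}

    def store(self, risk_id: str, instructions: list[str]) -> None:
        """Record the treatment decided for a risk so it can be reused later."""
        if not instructions:
            raise ValueError(f"refusing to store an empty treatment for {risk_id}")
        self._treatments[risk_id] = tuple(instructions)

    def lookup(self, risk_id: str) -> Optional[tuple[str, ...]]:
        """Return the stored instructions for a risk, or None if it was never treated."""
        return self._treatments.get(risk_id)

    def build_action_plan(self, risk_ids: list[str]) -> ActionPlan:
        """Assemble a plan for a (possibly composite) risk from stored treatments.

        Instructions shared by several components appear once, in first-seen order.
        Components without a stored treatment are reported so they can be treated
        afresh instead of being left out of the plan.
        """
        seen: set[str] = set()
        instructions: list[str] = []
        untreated: list[str] = []
        for rid in risk_ids:
            stored = self.lookup(rid)
            if stored is None:
                untreated.append(rid)
                continue
            for step in stored:
                if step not in seen:
                    seen.add(step)
                    instructions.append(step)
        return ActionPlan(instructions, untreated)

    def consolidate(self, composite_id: str, risk_ids: list[str]) -> ActionPlan:
        """Build the plan and, only if it is complete, store it under the composite id."""
        plan = self.build_action_plan(risk_ids)
        if not plan.untreated:
            self.store(composite_id, plan.instructions)
        return plan


def demo_knowledge_base() -> RiskKnowledgeBase:
    """Populate a knowledge base with constructed treatments for two risks."""
    kb = RiskKnowledgeBase()
    kb.store("R-CRED-PHISHING", ["enable multi-factor authentication",
                                 "run staff awareness training"])
    kb.store("R-WEAK-PASSWORDS", ["enforce the password policy",
                                  "enable multi-factor authentication"])
    return kb


if __name__ == "__main__":
    kb = demo_knowledge_base()
    plan = kb.consolidate("R-ACCOUNT-TAKEOVER", ["R-CRED-PHISHING", "R-WEAK-PASSWORDS"])
    print("plan:", plan.instructions, "untreated:", plan.untreated)
    partial = kb.build_action_plan(["R-ACCOUNT-TAKEOVER", "R-RANSOMWARE"])
    print("plan:", partial.instructions, "untreated:", partial.untreated)
```

The `untreated` list is the important design choice: a composite risk whose plan silently omitted an unknown component would look fully treated to the metrics management step while part of the risk remained unaddressed.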
Given the great number of frameworks and standards, our architecture takes advantage of their processes by exchanging information with the metrics management MAS. In this article we chose to integrate EBIOS and ISO 27001 for their compatibility.
Without any drivers there would be no security at all; that is why we added the security drivers MAS. This multi-agent system is composed of three agents [7]:
- LR Agent (Law and Regulations): this agent collects the laws and regulations that the company must comply with in order to avoid facing legal action. An example of such a law is the data protection law.
- BO Agent (Business Objectives): this agent is responsible for gathering the company's business objectives. Security supports these objectives by offering full protection for the systems and for the information used in the business process. Its aim is to keep the system running and protect it from attacks.
- ST Agent (Security Threats): this agent is in charge of conducting information security to respond to threats.
The second part is the controls MAS. Controls are a set of policies, standards and guidelines that describe how the company addresses its information security drivers. There are also international standards available to be implemented. This multi-agent system is composed of three agents:
- SP Agent (Security Policies): this agent describes the security control objectives, including the alignment of policies with the business objectives and drivers.
- S Agent (Standards): this agent ensures that security controls follow an international catalogue of controls. It also has to detail all the security controls that should be applied to support the policies.
- SR Agent (Security Repository): this agent is responsible for the standardisation of documentation into a shared library, so that security professionals benefit from previous experience.
The third part is the risk management MAS, where we go through the analysis of risks as detailed in the EBIOS processes. This multi-agent system is composed of six agents [8]:
- RI Agent (Risk Identification): defines the scope of the risk.
- RAS Agent (Risk Assessment): this agent evaluates threats and vulnerabilities to understand and measure the impact of the risk involved.
- RT Agent (Risk Treatment): this agent selects between different measures to modify the risks that have been assessed.
- RAC Agent (Risk Acceptance): this agent makes the decision to accept a risk on behalf of the organization's management. Risk acceptance depends on the risk criteria defined by the RI agent (risk identification).
- RC Agent (Risk Communication): this agent is accountable for the exchange and sharing of information about risk between the decision-maker and the other stakeholders inside and outside the organization.
- RRM Agent (Risk Reviewing and Monitoring): this agent is under obligation to review and monitor the risk analysis management.
The fourth part is the metrics management MAS, where we apply risk measurement. This multi-agent system is composed of four agents [9]:
- SM Agent (Security Measures): this agent is in charge of aligning policy statements with business objectives.
- APE Agent (Action Plan Execution): this agent executes the action plan received from the risk management MAS.
- CI Agent (Continual Improvement): this agent makes sure that there is continual improvement of the metrics management.
- RC Agent (Results Communication): this agent has the authority to communicate results to managers, stakeholders and executives.
These results are useful in supporting decision-making processes and in raising critical dependencies between risk projects. SGR reduces the complexity of IT risk management by aligning IT operations management with corporate business initiatives, strategy and regulatory requirements.
5. Conclusion
With the imminent need to improve education around the world and in Morocco, we thought to implement this platform and apply it for an academic purpose. We suggest using this platform for an e-Learning system to manage its security. A project of this magnitude will take into account the threats that may disrupt its success. The SGR architecture uses a hybrid risk management treatment together with other IT governance tools that will maximize the protection of the e-Learning platform.
By combining technology and pedagogy, the result can only be a success for the improvement of the education system in the world.
References
[1] Technical Department of ENISA, "Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools", The ENISA Work Programme, June 2006.
[2] P. Tourron, M. Grall, "Utilisation de la méthode EBIOS", JRES 2009.
[3] http://olsc.org/_export/s5/lp_asrsi/iso2700x#slide5
[4] http://www.cio.com/article/111700/IT_Governance_Definition_and_Solutions
[5] J. Ferber, "Les systèmes multi-agents, vers une intelligence collective", InterEditions, 1995, pp. 63-144.
[6] A. Sayouti, H. Medromi, "Autonomous and intelligent Mobile Systems based on Multi-agent Systems", book chapter in "Multi-Agent Systems: Modeling, Control, Programming, Simulations and Applications", April 4, 2011.
[7] http://www.jirasekonsecurity.com/2011/10/security-model-business-oriented.html
[8] Nato Otan, "Risk Analysis Tools", Improving Common Security Risk Analysis, 2008, Chapter 5.
[9] Y. B. Khoo, M. Zhou, B. Kayis, S. Savci, A. Ahmed, R. Kusumo and S. H. Bokhari, "An agent based risk management tool for concurrent engineering projects", Complexity International, Vol. 12, 2005.