A risk management framework for security and integrity of networks and services
N. Mayer and J. Aubert
Journal of Risk Research, doi:10.1080/13669877.2020.1779786, 2020
It is clearly acknowledged that, in complex sectors like telecommunications, considering an infrastructure fully secure, although desirable, is not realistic. The current European regulation on public communications networks recognizes this and requires that Telecommunications Service Providers (TSPs) take appropriate technical and organizational measures to manage the risks posed to the security of networks and services. Risk management has thus become both a key aspect of dealing with security and a main trust vector, particularly in regulations. In this context, our paper concerns the establishment of a national security risk management framework to comply with national and European regulations for TSPs. This framework is composed of two parts: a security risk management tool to be used by the TSPs, and an analysis tool to be used by the regulatory authority to gather and assess the risk management reports from the TSPs. The latter is specifically used to benchmark the security level of TSPs and the security of the sector as a whole. This paper reports on the design of this framework and the challenges emerging after an entire regulatory cycle.