8/16/2019 ARES 2009 _ Building a Responsibility Model Including Accountability Capability and Commitment
Building a Responsibility Model
including Accountability,
Capability and Commitment
Christophe Feltus
Public Research Centre Henri Tudor, Luxembourg
Michaël Petit
University of Namur, Belgium
-
Context
• Governance of IT is becoming more and more necessary
• Sarbanes-Oxley Act
• Basel II
• ISO/IEC 38500:2008
• Need for more responsibility, transparency, accountability, ethics, commitment
• Existing frameworks don’t address those requirements systematically
-
Plan
• Camerer’s analysis
• Review of the scientific literature
• Presentation of the model of responsibility
• Introduction to future works
• Conclusions
-
Camerer’s analysis
• There are at least three symptoms of the disease causing the queasy dissatisfaction with policy research:
• Concepts are often ambiguous and their definitions are not agreed upon
• Checklists or theories are rarely tested, and never tested directly against competing theories and
• Theories do not ‘cumulate’ or build upon previous theories as they should.
These three deficiencies are a result of the way policy research is typically done
• Inductive to deductive approach
• It addresses Business Goals
• IT goals derived from business goals
-
Review of the scientific literature
• A lot of surveys produced: Crook and Epstein
• Responsibility in IT: IT security and RE
• Capability: The quality of having the requisite qualities or access to resources to achieve a task
• Accountability: The state of being answerable about the achievement of a task
• The concept of commitment is poorly represented in IT
• Engagement of a stakeholder to fulfill a task and the assurance he will do it
-
Review of responsibility in RE
-
Review of responsibility in IT Security
-
The responsibility model
Responsibility
Obligation to satisfactorily perform or complete a task
-
The responsibility model
Accountability: The state of being answerable about the achievement of a task
[Diagram labels: Responsibility, Accountability, Answerability, Sanction, Soft, Hard]
-
The responsibility model
Capability: Describes the quality of having the required qualities or resources to achieve a task
[Diagram labels: Responsibility, Accountability, Capability, Access Right]
-
The responsibility model
Commitment: The engagement of a stakeholder to fulfil a task taking
[Diagram labels: Responsibility, Capability, Accountability, Commitment, Affective, Continuance, Antecedents, Outcomes]
-
The responsibility model
[Diagram labels: Responsibility, Capability, Accountability, Commitment, Task, Stakeholder]
-
Advantage of the model
• Improve business/IT alignment (principle 1 of ISO 38500: establish clearly understood responsibilities for IT)
• Accountability linked to an agent rather than to a group: more involvement and concern
• It addresses commitment and increases ethics
• Right capability to the right user: minimum of privilege
-
Selection of a formal system
• All responsibility elements compose a system with operators and properties (constraints) to be satisfied
• Meyer et al.:
• Some constraints may not be violated and could be formalized with predicate, temporal or dynamic logic
• Other constraints are violable and could be formalized using deontic logic
-
Inviolable / Violable constraints
• I.e. before having access to a file, it is necessary that the rights for accessing the file are duly set on the file server
• Access right is a capability or a moral operator to access the file.
• This capability is an Inviolable Constraint
• I.e. access rights are provided by the IT Administrators
• Time (managed by the administrator) is a capability or a moral operator for provisioning access right
• This capability is a Violable Constraint
-
Cholvy
• Cholvy proposes a logical framework to model responsibility based on deontic logic
• System that encompasses ideal but violable properties
• The choice is justified if we consider the responsibility of one user that has to perform one unique task
• Indeed, the 3 components that compose the responsibility are violable:
• I.e. a responsible person must have some access right but for an undefined reason he doesn’t have it.
-
Enterprise perspective
• Extension from a user perspective to an enterprise perspective
• If we consider the enterprise as a set of tasks, persons and responsibilities…
• …we may suppose that in an ideal situation, all needed capabilities, accountabilities and commitments exist for each responsibility
-
Capability & Accountability
• Existence of both concepts is manageable and verifiable.
• Capability and Accountability, i.e.:
• Capability: having access right. Accountability: provide access right
• Capability: employee having time. Accountability: manager provides time
• Capability: IT service budget. Accountability: IT service manager provides budget
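Added example (not from the slides or the authors' paper): a Python model of the check described on the "Enterprise perspective" and "Capability & Accountability" slides, where the inviolable access-right constraint is enforced and the violable ones are only reported. The class and function names, the ACL layout and the sample stakeholders are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Responsibility:
    stakeholder: str
    task: str
    needed: set                                    # capabilities the task requires
    held: set = field(default_factory=set)         # capabilities actually granted
    providers: dict = field(default_factory=dict)  # capability -> accountable provider
    committed: bool = False                        # commitment recorded for the task

def access(acl, user, resource):
    """Inviolable constraint: without the right set in the ACL there is no access."""
    if resource not in acl.get(user, set()):
        raise PermissionError(f"{user} has no right on {resource}")
    return True

def violations(responsibilities):
    """Violable constraints: list every departure from the ideal situation."""
    found = []
    for r in responsibilities:
        who = (r.stakeholder, r.task)
        for cap in sorted(r.needed - r.held):
            # A missing capability is escalated to whoever is accountable for it.
            found.append(who + ("missing", cap, r.providers.get(cap)))
        for cap in sorted(r.held - r.needed):
            # Anything held beyond the task's needs breaks minimum privilege.
            found.append(who + ("excess", cap, r.providers.get(cap)))
        if not r.committed:
            found.append(who + ("uncommitted", None, None))
    return found

# Constructed sample data (hypothetical names, not from the slides).
ACL = {"alice": {"/hr"}}
MODEL = [
    Responsibility("alice", "payroll report", {"/payroll", "time"},
                   held={"/hr", "time"},
                   providers={"/payroll": "it-admin", "time": "manager"},
                   committed=True),
    Responsibility("bob", "renew licences", {"budget"}),
]

if __name__ == "__main__":
    for v in violations(MODEL):
        print(v)
    try:
        access(ACL, "alice", "/payroll")
    except PermissionError as exc:
        print("denied:", exc)
```

A missing capability with no accountable provider (the last field is None) is the case the model cannot repair on its own, since nobody answers for provisioning it.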
-
Commitment
• The commitment concept depends on psychological factors and moral willingness
• More open to discussion
• However, if we analyze that concept in managerial, psychological or sociological sciences, this is to be nuanced
• No guarantee of inviolability: to be formalized with deontic logic
• Conclusion: Responsibility is to be formulated using both predicate and deontic logic
-
Future works
• Transpose Obligatory to Accountable
• Notion of constraint that is needed or obligatory
• Transpose Permissible to Capable
• Notion of constraint that permits an action
Commitment
• From TTC to Responsibility based TC
• Every proposition is obligatory, optional, or impermissible, but no proposition falls into more than one of these three categories
-
Conclusions
• Analysis of the literature to understand the semantics of responsibility
• Capability and accountability are common concepts
• Commitment is more infrequent
• Innovative responsibility model
• Future works
• Camerer’s warning:
• Symptom 1 (concepts ambiguous) and 2 (theories do not cumulate) OK
• Symptom 2 (theory tested: new case study)