ARES 2009 _ Building a Responsibility Model Including Accountability Capability and Commitment

  • 8/16/2019 ARES 2009 _ Building a Responsibility Model Including Accountability Capability and Commitment

    Building a Responsibility Model including Accountability, Capability and Commitment

    Christophe Feltus

    Public Research Centre Henri Tudor, Luxembourg

    Michaël Petit

    University of Namur, Belgium

    Context

    • Governance of IT is becoming more and more necessary

    • Sarbanes-Oxley Act

    • Basel II

    • ISO/IEC 38500:2008

    • Need for more responsibility, transparency, accountability, ethics, commitment

    • Existing frameworks don’t address those requirements systematically

    Plan

    • Camerer’s analysis 

    • Review of the scientific literature

    • Presentation of the model of responsibility

    • Introduction to future works

    • Conclusions

    Camerer’s analysis 

    • There are at least three symptoms of the disease causing the queasy dissatisfaction with policy research:

    • Concepts are often ambiguous and their definitions are not agreed upon

    • Checklists or theories are rarely tested, and never tested directly against competing theories and

    • Theories do not ‘cumulate’ or build upon previous theories as they should.

    These three deficiencies are a result of the way policy research is typically done

    • Inductive to deductive approach

    • It addresses business goals

    • IT goals derived from business goals

    Review of the scientific literature

    • Lots of surveys produced: Crook and Epstein

    • Responsibility in IT: IT security and RE

    • Capability: The quality of having the requisite qualities or access to resources to achieve a task

    • Accountability: The state of being answerable about the achievement of a task

    • The concept of commitment is scarcely present in IT

    • Engagement of a stakeholder to fulfill a task and the assurance he will do it

    Review of responsibility in RE

    Review of responsibility in IT Security

    The responsibility model

    Responsibility

    Obligation to satisfactorily perform or complete a task

    The responsibility model

    The state of being answerable about the achievement of a task

    [Diagram labels: Responsibility; Accountability; Answerability; Sanction; Soft; Hard]

    The responsibility model

    Describes the quality of having the required qualities or resources to achieve a task

    [Diagram labels: Responsibility; Accountability; Capability; Access Right]

    The responsibility model

    The engagement of a stakeholder to fulfil a task taking

    [Diagram labels: Responsibility; Capability; Accountability; Commitment; Affective; Continuance; Antecedents; Outcomes]

    The responsibility model

    [Diagram labels: Responsibility; Capability; Accountability; Commitment; Task; Stakeholder]

    Advantage of the model

    • Improve business/IT alignment (principle 1 of ISO 38500: establish clearly understood responsibilities for IT)

    • Accountability linked to an agent rather than to a group: more involvement and concern

    • It addresses commitment and increases ethics

    • Right capability to the right user: minimum of privilege

    Selection of a formal system

    • All responsibility elements compose a system with operators and properties (constraints) to be satisfied

    • Meyer et al.:

    • Some constraints may not be violated and could be formalized with predicate, temporal or dynamic logic

    • Other constraints are violable and could be formalized using deontic logic

    Inviolable / Violable constraints

    • E.g. before having access to a file, it is necessary that the rights for accessing the file are duly set on the file server

    • Access right is a capability or a moral operator to access the file.

    • This capability is an Inviolable Constraint

    • E.g. access rights are provided by the IT administrators

    • Time (managed by the administrator) is a capability or a moral operator for provisioning access rights

    • This capability is a Violable Constraint

    Cholvy

    • Cholvy proposes a logical framework to model responsibility based on deontic logic

    • System that encompasses ideal but violable properties

    • The choice is justified if we consider the responsibility of one user that has to perform one unique task

    • Indeed, the 3 components that compose the responsibility are violable:

    • E.g. a responsible person must have some access right but for an undefined reason he doesn’t have it.

    Enterprise perspective

    • Extension from a user perspective to an enterprise perspective

    • If we consider the enterprise as a set of tasks, persons and responsibilities…

    • …we may suppose that in an ideal situation, all needed capabilities, accountabilities and commitments exist for each responsibility
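
The inviolable/violable split and the enterprise-wide "ideal situation" check can be sketched in code. This is an added example, not part of the original presentation: the class, function and file names and the sample data are hypothetical. The file access right is enforced (it cannot be violated), while missing capability, accountability or commitment are violable and are only reported.

```python
from dataclasses import dataclass, field
from typing import Optional

class InviolableConstraintError(Exception):
    """A constraint that may not be violated was about to be broken."""

@dataclass
class Responsibility:
    # Hypothetical encoding of the model: stakeholder, task and 3 components.
    stakeholder: str
    task: str
    required_capabilities: set = field(default_factory=set)
    held_capabilities: set = field(default_factory=set)
    accountable_to: Optional[str] = None  # who the stakeholder answers to
    committed: bool = False               # stakeholder engaged to do the task

# Constructed file-server ACL: path -> users whose access right is set.
FILE_ACL = {"payroll.xlsx": {"alice"}}

def access_file(user, path):
    """Inviolable: the system refuses access unless the right is set."""
    if user not in FILE_ACL.get(path, set()):
        raise InviolableConstraintError(f"{user} has no right on {path}")
    return f"{user} opened {path}"

def audit(responsibilities):
    """Violable: compare reality with the ideal situation and report gaps."""
    findings = []
    for r in responsibilities:
        where = (r.stakeholder, r.task)
        for cap in sorted(r.required_capabilities - r.held_capabilities):
            findings.append(where + ("missing capability: " + cap,))
        if r.accountable_to is None:
            findings.append(where + ("missing accountability",))
        if not r.committed:
            findings.append(where + ("missing commitment",))
    return findings

# Constructed enterprise: a set of tasks, persons and responsibilities.
ENTERPRISE = [
    Responsibility("alice", "run payroll", {"access:payroll.xlsx", "time"},
                   {"access:payroll.xlsx", "time"}, "cfo", True),
    Responsibility("bob", "review payroll", {"access:payroll.xlsx", "time"},
                   {"time"}, None, True),
]

if __name__ == "__main__":
    for finding in audit(ENTERPRISE):
        print(finding)
```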

    Capability & Accountability

    • Existence of both concepts is manageable and verifiable.

    • Capability / Accountability

    • E.g.:

    • Having access right / Provide access right

    • Employee having time / Manager provides time

    • IT service budget / IT service manager provides budget

    Commitment

    • The commitment concept depends on psychological factors and moral willingness

    • More open to discussion

    • However, if we analyze that concept in managerial, psychological or sociological sciences, this is to be nuanced

    • No guarantee of inviolability: to be formalized with deontic logic

    • Conclusion: Responsibility is to be formulated using both predicate and deontic logic

    Future works

    • Transpose Obligatory to Accountable

    • Notion of constraint that is needed or obligatory

    • Transpose Permissible to Capable

    • Notion of constraint that permits an action

    Commitment

    • From TTC to Responsibility based TC

    • Every proposition is obligatory, optional, or impermissible, but no proposition falls into more than one of these three categories

    Conclusions

    • Analysis of the literature to understand the semantics of responsibility

    • Capability and accountability are common concepts

    • Commitment is more infrequent

    • Innovative responsibility model

    • Future works

    • Camerer’s warning:

    • Symptom 1 (concepts ambiguous) and 2 (theories do not cumulate) OK

    • Symptom 2 (theory tested: new case study)