Modeling Cyber Systemic Risk for the Business Continuity Plan of a Bank

  • Angelo FurfaroEmail author
  • Teresa Gallo
  • Domenico Saccà
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9817)


The pervasive growth and diffusion of complex IT systems, which handle critical business aspects of today’s enterprises and which cooperate through computer networks, has given rise to a significant expansion of the exposure surface towards cyber security threats. A threat, affecting a given IT system, may cause a ripple effect on the other interconnected systems often with unpredictable consequences. This type of exposition, known as cyber systemic risk, is a very important concern especially for the international banking system and it needs to be suitably taken into account during the requirement analysis of a bank IT system. This paper proposes the application of a goal-oriented methodology (GOReM), during the requirements specification phase, in order to consider adequate provisions for prevention and reaction to cyber systemic risk in banking systems. In particular, the context of the Italian banking system is considered as a case study.


Business Continuity Disaster Recovery Systemic risk Cyber threat Goal-Oriented Methodology Requirements Engineering 



This work has been partially supported by the “National Operative Programme for Research and Competitiveness” 2007–2013, Technological District on Cyber Security (PON03PE_00032_2_02), funded by the Italian Ministry of Education, University and Research, and the Italian Ministry of Economic Development.


  1. 1.
    Business continuity oversight expectations for systemically important payment systems (SIPS). Report, Eurpean Central Bank (2006).
  2. 2.
    ESCB definitions of major business continuity terms in relation to payment and securities settlement systems. European Central Bank, June 2007Google Scholar
  3. 3.
    Business Process Model and Notation\(^{\rm TM}\) v. 2.0. Spec. formal/2011-01-03, Object Management Group (2011).
  4. 4.
    Principles for financial market infrastructures. Press release ISBN 92-9197-108-1, Bank for International Settlements Committee on Payment and Settlement Systems (CPSS) and IOSCO Technical Committee (2012)Google Scholar
  5. 5.
    Cyber Risk a Global Systemic Threat: A White Paper to the Industry on Systemic Risk. White paper, Depository Trust & Clearing Corporation (DTCC), October 2014.
  6. 6.
    Guidelines on business continuity for market infrastructure. guidelines, Bank of Italy (2014).
  7. 7.
    DICET-INMOTO - ORganization of Cultural HEritage for Smart Tourism and Real-time Accessibility (OR.C.HE.S.T.R.A.) - Project funded by the Italian Ministry of Education, University and Research (MIUR) - PON Project - Research and Competitiveness 2007–2013 (2015)Google Scholar
  8. 8.
    Market intermediary business continuity and recovery planning. Technical report FR32/2015, International Organization of Securities Commissions, December 2015.
  9. 9.
    Unified Modeling Language\(^{\rm TM}\), v. 2.5. Spec. formal/15-03-01, Object Management Group (2015).
  10. 10.
    District of cyber security (2016).
  11. 11.
    The global risks report 2016. Insight report, 11th edn. World Economic Forum (2016).
  12. 12.
    Handbook on the assessment of compliance with ESRB recommendations. European Systemic Risk Board (2016)Google Scholar
  13. 13.
    Internet Security Threat Report. vol. 21, Symantec, April 2016Google Scholar
  14. 14.
    Systemic risk barometer: results overview 2016–Q1. Press release, Depository Trust & Clearing Corporation (DTCC) (2016).
  15. 15.
    Caire, P., Genon, N., Heymans, P., Moody, D.L.: Visual notation design 2.0: towards user comprehensible requirements engineering notations. In: 21st IEEE International Requirements Engineering Conference (RE 2013), Rio de Janeiro, Brasil, pp. 115–124, July 2013Google Scholar
  16. 16.
    Cerutti, E., Claessens, S., McGuire, P.: Systemic risks in global banking: What available data can tell us and what more data are needed? Working Paper 18531, National Bureau of Economic Research, November 2012.
  17. 17.
    Chaudhary, R., Hamilton, J.: The five critical attributes of effective cybersecurity risk management - white paper. Technical report, Crowe Horwath LLP (2015)Google Scholar
  18. 18.
    Citrigno, S., Furfaro, A., Gallo, T., Garro, A., Graziano, S., Saccà, D.: Mastering concept exploration in large industrial research projects. In: INCOSE Italia Conference on Systems Engineering (CIISE 2014), Rome, Italy, pp. 26–37, 24-25 November 2014Google Scholar
  19. 19.
    Furfaro, A., Gallo, T., Garro, A., Saccà, D., Tundis, A.: Requirements specification of a cloud service for cyber security compliance analysis. In: Proceedings of the 2nd International Conference on Cloud Computing Technologies and Applications (CloudTech 2016), IEEE, Marrakesh, 24–26 May 2016Google Scholar
  20. 20.
    Glinz, M.: On non-functional requirements. In: 15th IEEE International Requirements Engineering Conference (RE 2007), pp. 21–26. IEEE, New Delhi, October 2007Google Scholar
  21. 21.
    Goldsmith, D., Siegel, M.: Systematic approaches to cyber insecurity. Technical report, MIT Sloan School of Management1 - ECIR Working Paper (2012)Google Scholar
  22. 22.
    Kosub, T.: Components and challenges of integrated cyber risk management. Zeitschrift für die gesamte Versicherungswissenschaft 104(5), 615–634 (2015)CrossRefGoogle Scholar
  23. 23.
    van Lamsweerde, A.: Goal-oriented requirements enginering: a roundtrip from research to practice [enginering read engineering]. In: 12th IEEE International Requirements Engineering Conference, Kyoto, Japan, pp. 4–7, September 2004Google Scholar
  24. 24.
    Nouy, D.: Single supervisory mechanism after one year: the state of play and the challenges ahead. In: Bank of Italy Conference on Micro and Macroprudential Banking Supervision in the Euro Area, Milan, Italy, 24 November 2015.
  25. 25.
    Rissman, D.: US regulators issue guidance on disaster recovery and business continuity planning for hedge funds (2013).
  26. 26.
    Sommer, P.: Reducing systemic cybersecurity risk. Oecd/ifp project on future global shocks, Information Systems and Innovation Group, London School of Economics and Ian Brown, Oxford Internet Institute, Oxford University (2011).
  27. 27.
    Tendulkar, R.: Cyber-crime, securities markets and systemic risk. Joint staff working paper, IOSCO Research Department and World Federation of Exchanges (2013).

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. 1.University of CalabriaRendeItaly

Personalised recommendations