Design and Implementation of a Risk Management Tool: A Case Study of the Moodle Platform

In recent years, the distinctive feature of our society has been the rapid pace of technological change. In the Moroccan context, universities have put digital learning at the heart of their development projects through a wide range of hybrid training devices, Small Private Online Courses (SPOCs) and Massive Open Online Courses (MOOCs) delivered via the Virtual Work Environment (ENT, Environnement Numérique de Travail). On the one hand, the purpose of using these devices is to help improve their performance and enhance their attractiveness. On the other hand, it is to meet students' increasingly diverse needs through reorganized infrastructure and a renovated pedagogy. However, the extensive use of information and communication technologies at universities exposes them to information system (IS) risks in general and e-learning risks in particular. Risk assessment is complicated and multidimensional. It must take into account many components, including assets, threats, vulnerabilities, controls already in place and analyses. In this work, we first propose the methods of risk management. We then present the risk analysis related to the Moodle platform.

Keywords—Risk management; e-learning; MEHARI; platform


I. INTRODUCTION
The universities of today have at their disposal an exceptional potential to exploit: collaborative platforms, the blockchain, deep learning, serious games, rapid learning, virtual classes/video conferencing, mobile learning and MOOCs, all tools accessible and navigable from all devices with improved ergonomics [1]. These new practices also concern Big Data, learning analytics and performance management. However, the rapid evolution of these technologies is increasing the risks related to digital learning in particular and information systems in general (risks related to the storage and transmission of data, etc.) [2]. Risk is an integral part of the management of a digital project. Hence, it is essential to have a risk management plan at an early stage of a project. Risk management then becomes a strategic function, an integral part of the university's operational and strategic management process. IS risk management is thus defined as a mechanism for identifying and analyzing risks to information systems in order to determine security objectives and implement security measures to achieve these objectives. However, the absence of an IS risk management strategy favours the appearance of many facets of risk. Currently, several standards and methods are available internationally that aim to sustain a high level of protection and performance for the IS. Risk management can be applied across the organization, in all areas and at all levels, at any time, as well as to specific functions, projects and activities. So, what are the risks related to the digital device? Moreover, what are the standards and IT standards used to manage risks related to e-learning? In the first part of this article, we discuss the methods of risk management. The second part is devoted to a case study, and in the third part, we present an application dedicated to risk management for online platforms.

II. AVAILABLE RISK MANAGEMENT METHODS AND TOOLS
Currently, universities are evolving in a complex, uncertain and changing environment. A Moroccan university such as Hassan II University of Casablanca (UH2C) has to face the emergence of more and more diversified risks. For this reason, the UH2C has had a Directorate General of Information Systems Security (DGISS) in place since 2013. Faced with this less and less predictable environment, it is becoming increasingly urgent for all institutions to put in place a risk management system that will identify, assess and manage both actual and potential risks. Several methods of risk analysis are currently available, and the primary concern of decision-makers is to choose the most appropriate method in the context of their organizations. This section provides an overview of existing risk management methodologies and tools. Table I lists the main well-known methods and associated tools.
Before investing in one method or another, it is essential that the chosen method meet the requirements of the organization. A risk management method is an analytical tool for identifying risks and proposing solutions to address them. Risk management methods are based on different analysis strategies. Methods exist that cover different perspectives in risk management, for example EBIOS, MEHARI and OCTAVE. It should be noted that, while some concepts are common to all these methods, each method has a different way of performing an information system risk assessment. Among these tools, we propose an integrated use of ISO 27005 and MEHARI for the implementation of an e-learning risk management platform (PGRE, Plateforme de Gestion des Risques en e-learning) (see Fig. 1). The purpose of ISO 27005 is to give guidelines for information security risk management. It supports the general concepts indicated in ISO 27001 and is intended to assist the satisfactory implementation of information security based on a risk management approach [3]. It does not indicate, prescribe or even name any specific risk analysis method, although it specifies a structured, systematic and rigorous process from analyzing risks to creating the risk treatment plan [4]. MEHARI is consistent with the ISO 13335 risk management standard. It allows the stakeholder to develop security plans, based on a list of vulnerability control points and an accurate monitoring process, to achieve a continual improvement cycle.

www.ijacsa.thesai.org

III. CASE STUDY: RISK MANAGEMENT OF THE MOODLE PLATFORM
The information system of the UH2C is composed of several applications, for example APOGEE (an application for the management of students and teaching, mainly the administrative and pedagogical management of schooling), a platform dedicated to MOOCs, and Moodle (an e-learning platform intended for distance education). For our case study, we focus on the risks related to the last of these applications, namely the Moodle platform. The educational platform of the UH2C is accessible from the ENT (see Fig. 2). The educational platform (Moodle) is a teaching/learning environment. It is made available to teachers to enrich and accompany classroom teaching. This study, therefore, concerns the analysis of the risks that such a platform may experience when used in the service of distance education. The risk assessment is complicated and multidimensional. It involves categorizing the assets, processes and activities of the organization, identifying the perimeters of the risks, defining the risks and establishing their typology. For example, there are economic and financial risks (hosting), environmental risks (energy consumption of the data center), technical risks (data loss, migration of data from existing courses on one platform to a new platform), legal risks (copyright, disclosure, legislation and regulations) and risks related to new pedagogical approaches integrating new technologies (online tutors not available, neglect of the interactivity aspect of the learning process). To evaluate the risks related to the Moodle platform (see Fig. 3), the auditor of the information system aims to:
• constitute a database
• inventory all identified risks
• evaluate the criticality of these risks (gravity and frequency)
• propose corrective actions
• define the aspects to be strengthened in the control structures (organization, attributions and functioning of these entities, training and competent human resources, methods and tools for work)
• propose an action plan and the audits to programme in the next five years.

These steps have been integrated into the platform (PGRE) (see Fig. 4). The application runs an input questionnaire, which is used for asset impact evaluation. Risk values are computed and, in light of the threats, assets and risks, suitable measures are proposed by the system. Based on these attributes, the manager can choose to implement them or not. Finally, the system produces a study summary report and an action plan suggesting countermeasures for the manager to implement. This section discusses its components.

A. Risk Identification
Risk identification is a process that necessarily relies on a knowledge base. MEHARI proposes a knowledge base of risk scenarios that can be used by the vast majority of organizations. Nevertheless, it is possible to develop variants, to complete this base, or to develop new ones, relying on a specific guide. We work here with the MEHARI 2010 knowledge base, which contains nearly 800 standard risk scenarios [5]. Of all these scenarios, some may be genuinely critical and deserve detailed consideration, while others may not be relevant to the entity or deserve attention. It may, therefore, be desirable to make a selection of scenarios before addressing a detailed assessment of their severity and a risk treatment plan.
We present below some risk categories related to the Moodle platform. The significant threats are as follows:
• Economic and financial risks: internal hosting, inducing very high costs.
• Environmental risks: excessive increase in storage volume, in the absence of an outsourcing policy, leading to an increase in energy consumption through the addition of database servers.
• Technical risks:
  - Inoperative features: business interruption of local network services, due to a long-term absence of (internal) staff.
  - The hijacking of application data files in operation by an unauthorized third party connecting from outside to the local network.
  - The obligation to leave the platform for further investigation, through the search engines, to locate the titles of the appropriate short.
• Legal risks: non-compliance with legislation or regulations relating to the protection of intellectual property, due to non-application of procedures through lack of knowledge.
• Risks related to new pedagogical approaches integrating new technologies:
  - Risks of business as usual (neglect of the interactivity aspect of the learning process).
  - Unavailable online tutors (keeping online tutors unsatisfied) [7].

B. Risk Estimation (Impact * Probability)
The manager must select the threats and indicate their frequency. The frequency of a threat is never exact. The manager should rely on specific information, such as detected attacks and incidents relating to the threat that the organization is facing. Using these parameters, the manager can provide a rough estimate of the frequency of a particular threat. The Risk Estimation component performs the impact and probability calculation.

C. Risk Evaluation
The Risk Evaluation component characterizes each risk using the ISO 27005 risk assessment matrix. Its role is to classify risks according to different levels of gravity. Using this matrix, the manager has an on-screen overview of all risks and their classifications.

D. Risk Treatment
The Risk Treatment component presents all the threats to each asset. Each line of the application also contains the level of risk and a dropdown menu offering the following options [6]: attenuate, transfer, accept and avoid:
• Risk mitigation: if the manager chooses to mitigate the risk, the system suggests administrative, technical or physical controls to be applied within the Moodle platform, according to their effectiveness and cost of implementation.
• Risk avoidance: the manager decides to avoid the risk by eliminating the risk situation through structural measures.
• Risk acceptance: the manager accepts the risk as it is.
• Risk transfer: residual risks that remain after a risk has been accepted or reduced by the traditional preventive measures are then transferred to other organizations better able to manage them.
Users of the Moodle platform of UH2C face different risks or threats, as indicated in the paragraph above. The following measures are proposed by the application (PGRE) to minimize these risks:

• Remedies of economic and financial risks: outsourcing hosting.
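The estimation, evaluation and treatment steps of sections B to D can be illustrated as follows. This is an added example, not the PGRE code (which the paper does not publish); the 1-4 scales, the score bands, the `reduction` parameter and the scores in the register are assumptions made for illustration.

```python
from dataclasses import dataclass
# Assumptions (not from the paper): 1-4 ordinal scales and these score bands.
BANDS = [(12, "critical"), (8, "high"), (4, "medium"), (1, "low")]
TREATMENTS = ("mitigate", "transfer", "accept", "avoid")  # options the paper lists

def level(score: int) -> str:
    """Map an impact x probability score to a severity band."""
    return next((name for floor, name in BANDS if score >= floor), "none")

@dataclass
class Risk:
    category: str
    impact: int           # 1 (minor) .. 4 (vital)
    probability: int      # 1 (rare) .. 4 (frequent)
    treatment: str = "accept"
    reduction: int = 0    # probability steps removed by controls (mitigate only)

    def __post_init__(self):
        if not (1 <= self.impact <= 4 and 1 <= self.probability <= 4):
            raise ValueError(f"{self.category}: scale values must be 1..4")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.category}: unknown treatment {self.treatment!r}")

    def inherent(self) -> int:
        return self.impact * self.probability

    def residual(self) -> int:
        if self.treatment == "avoid":
            return 0                      # the risk situation is eliminated
        if self.treatment == "mitigate":  # controls lower likelihood, floor of 1
            return self.impact * max(1, self.probability - self.reduction)
        return self.inherent()            # accept/transfer: score itself unchanged

def report(risks):
    """Rank by inherent score; flag kept risks whose residual is still high."""
    rows = []
    for r in sorted(risks, key=Risk.inherent, reverse=True):
        res = level(r.residual())
        flag = r.treatment in ("accept", "mitigate") and res in ("high", "critical")
        rows.append((r.category, level(r.inherent()), r.treatment, res, flag))
    return rows

# Constructed register: categories from the paper, scores illustrative only.
REGISTER = [
    Risk("technical: data files hijacked from outside the LAN", 4, 3, "mitigate", 2),
    Risk("economic: internal hosting costs", 3, 4, "accept"),
    Risk("legal: intellectual-property non-compliance", 3, 2, "mitigate", 1),
    Risk("environmental: storage growth and energy use", 2, 2, "accept"),
]
```

Each row returned by `report(REGISTER)` holds the category, inherent level, chosen treatment, residual level and a flag marking a risk whose residual level is still high or critical, which makes it a candidate for transfer.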

IV. ANALYSIS AND DISCUSSION
The contribution of our work consists in proposing PGRE (the platform of risk management in e-learning), a risk management tool for e-learning adapted to university establishments and based on international methods and standards. This tool covers the entire methodology of risk analysis, from assessment to risk management. In this article, we have detailed the components of the PGRE platform.
The experimentation with the tool constituted the first phase of the deployment of our platform. We did the first experiment via the Moodle application. This phase of experimentation allowed us to understand the modalities of the concrete use of the tool and to reveal its contributions and limits. The experimentation with the PGRE platform also encountered many difficulties:

Forgetting a risk: One of the issues of recurring concern is the fear of having forgotten a risk or of having made an error of appreciation in the analysis. The causes of error are many: lack of a critical element in the inventory of assets related to e-learning, problems in the identification of threats and errors in the valuation of an asset.

Lack of monitoring of the implementation of security measures: Experience shows that once a project is completed, the risk assessment that was carried out during the project is filed away, with no updating work planned.

Lack of communication: Communication in the field of risk management in academic institutions remains delicate and is often hampered by a number of problems: the geographical dispersion of university campuses (for example, the University Hassan II of Casablanca (UH2C) contains 18 educational establishments spread over 6 university campuses) and the dispersal of the stakeholders across directorates or services, which can hinder or prevent the holding of meetings.
As future work, we are continuing to finalize the experimental PGRE platform by adding a module for evaluating the measures after their implementation and follow-up.

TABLE I. RISK MANAGEMENT METHODOLOGIES AND TOOLS AVAILABLE
Fig. 1. PGRE Platform.
• Remedies of environmental risks: implementation of ventilation devices and more efficient cooling systems (the server room must be well ventilated); free cooling of the data center.
• Remedies of technical risks: replacement by a resource person whose presence is sustainable; install debugger programs to help programmers detect bugs and send them later; reduce the part of the Moodle platform exposed to hackers by adding a proxy server upstream; raise awareness about the use of internal search engines.