Skip to main content

Marc-Andre Leger

Concordia University (Canada), Supply Chain and Business Technology Management, Part-Time Faculty

Université du Québec en Outaouais, Département d'informatique et d'ingénierie, Graduate Student

Université de Sherbrooke (University of Sherbrooke), École De Gestion, Lecturer

Followers

267

Following

201

Public Views

Marc-André Léger has been working in Business Technology Management since 1983. Since 1987, he has specialized in information security, risk management and IT governance. These days, he teaches at the undergraduate and graduate levels at Concordia University and Université de Sherbrooke. It has a long track record that includes programming, network management, project management and information security. He worked in the National Defense, Federal Public Service, Financial and Insurance, Health and Education sectors in France, the United States and several Canadian provinces. From 2009 to 2015 he was curator of Québec's computer history museum and was a founding member of a Fab Lab and a MakerSpace. Geek and Maker, he actively contributes to the makers movement as a trainer and advisor. Marc-André has an MBA, an Executive MBA, a Masters in MIS, three graduate certificates and is currently persuing a PhD.

less

InterestsView All (9)

Uploads

Papers by Marc-Andre Leger

An Innovative Framework to Integrate CIO Competencies Within the Business Technology Management Body of Knowledge

International Journal of Organizational and Collective Intelligence, Jul 1, 2019

Leveraging the OpenAI API with R for Cybersecurity Risk Assessment

In the ever-expanding domain of cybersecurity, risk management remains a critical concern for org... more In the ever-expanding domain of cybersecurity, risk management remains a critical concern for organizations. Traditional methods are increasingly unable to address the complex nature of modern threats, leading to an urgent need for innovative methodologies. This article elaborates on a methodology that utilizes a sequence of R scripts in tandem with the OpenAI API to perform automated generation of cybersecurity risk scenarios. The framework presented herein is meticulously designed to cover every stage of risk assessment, from scenario creation to Key Risk Indicator (KRI) calculations, thereby contributing to an organization's robust cybersecurity posture.

Chapter 2 CybersecurityGovernance course V1-1d (1)

Creating Scenarios ChatGPT v1-0a

Cybersecurity competency management ontology validation

Ontology engineering methodology for cybersecurity requirements in Business Technology Management

Examples of the use of the Emerging Technology Assessment Canvas

This paper presents multiple examples of the use of the Emerging Technology Assessment Canvas (ET... more

Maker-entrepreneurs or the Makers dream of Startups

Draft article on Maker-entrepreneurship and the project many Makers that I have met have to creat... more

The competency requirements of cybersecurity professionals in Canadian financial sector organizations

This article presents the competencies and competency elements that are required of cybersecurity... more This article presents the competencies and competency elements that are required of cybersecurity professionals that were identified during a study on cybersecurity competencies in Canadian financial institutions, between 2019 and 2021. The main goal of this article is to help financial institutions and educational institutions design and implement competency-based continuous education programs. Financial institutions can use this article and the data that supports the recommendations to help them to increase the expertise of cybersecurity workers. Colleges and Universities may find this article interesting to assist them in the design of new programs or the improvement of existing programs.

Utilisation de COBIT 5 for risk

En 2009, l'ISACA a lancé un premier référentiel de risque informationnel : Risk IT. Risk IT s'app... more En 2009, l'ISACA a lancé un premier référentiel de risque informationnel : Risk IT. Risk IT s'appuie alors sur COBIT 4, le référentiel de gouvernance TI offrant, selon ISACA, le maillon manquant entre la gestion traditionnelle du risque d'entreprise et la gestion et le contrôle du risque informationnel. Une des idées principales derrière l'approche de l'ISACA est que les entreprises obtiennent un retour sur investissement (ROI) en prenant des risques, mais que parfois elles tentent d'éliminer des risques qui contribuent réellement à la création d'un profit.

Risk definitions.docx

schémas-cigale-v1-0b.pptx

Litterature review 6-0a.doc

Échelles de mesure

CHUS Gouvernance TIen Sante v1 1b

Introduction à la

Books by Marc-Andre Leger

Utilisation de COBIT 5 for risk

Dans ce texte, je propose une technique pour appliquer COBIT 5GR afin de réaliser une analyse de ... more Dans ce texte, je propose une technique pour appliquer COBIT 5GR afin de réaliser une analyse de risque dans une organisation. Cette technique est basée sur l’utilisation d’indicateurs de risque (KRI) génériques qui devront être adaptés pour une utilisation dans un contexte spécifique. Ce texte est présenté ici à des fins de formation et pour susciter la discussion auprès de membres de l’ISACA et des gestionnaires de risque informationnels. Le texte complet sera présenté dans la prochaine édition de mon livre sur la gestion de risque informationnel. Si vous avez des commentaires: [email protected]

Drafts by Marc-Andre Leger

Cybersecurity risk management

Introduction to Cybersecurity Governance for Business Technology Management, 2023

This chapter presents cybersecurity risk management, a vital aspect of cybersecurity governance. ... more This chapter presents cybersecurity risk management, a vital aspect of cybersecurity governance. As mentioned previously, cybersecurity governance is a continuum of three activities, called GRC, Governance, Risk Management and Compliance. Cybersecurity governance sets the framework, risk management helps support the decision-making process, and compliance is used to demonstrate that obligations are met, and that controls and risk mitigation activities are working. This chapter investigates the second activity, or the R in GRC, more specifically, risk management and risk assessments. The next chapter presents a scenario-based approach to implement was is discussed in this chapter.

Cybersecurity compliance

Introduction to Cybersecurity Governance for Business Technology Management, 2023

This chapter presents cybersecurity compliance, a vital aspect of cybersecurity governance. As me... more This chapter presents cybersecurity compliance, a vital aspect of cybersecurity governance. As mentioned previously, cybersecurity governance is a continuum of three activities, called GRC. In the cybersecurity context, the acronym GRC refers to Governance, Risk Management and Compliance. Cybersecurity governance sets the framework and tone for cybersecurity in the organization, while identifying the cybersecurity goals and obligations. From there, risk management helps support the decision-making process, arbitrage, and identification of potential strategies to deal with unacceptable risks. However, cybersecurity also depends on the ability of demonstrating the organization's compliance with its obligations, the efficiency of controls and risk mitigation activities. Compliance is essential for the cybersecurity of an organization's systems, networks, and data. It helps ensure that the organization follows the applicable laws, regulations, and standards. It is important to keep up to date with the latest compliance requirements. Governance was presented in chapter 2. In this chapter, we go in-depth on, compliance. Risk management is presented in a later chapter, along with a later chapter on risk assessments.

Intro to Cybersecurity Governance

Cybersecurity Governance coursebook, 2023

In this chapter, we examine cybersecurity governance. Chapter 1 discussed cybersecurity fundament... more In this chapter, we examine cybersecurity governance. Chapter 1 discussed cybersecurity fundamentals, which are expanded in this chapter to examine how organizations can plan cybersecurity based on strategic needs. Strategic perspective will apply cybersecurity risk management to Business Technology Management. This allows for a variety of solutions selected and implemented to deal with unacceptable risks based on this information.

An Innovative Framework to Integrate CIO Competencies Within the Business Technology Management Body of Knowledge

International Journal of Organizational and Collective Intelligence, Jul 1, 2019

Leveraging the OpenAI API with R for Cybersecurity Risk Assessment

In the ever-expanding domain of cybersecurity, risk management remains a critical concern for org... more In the ever-expanding domain of cybersecurity, risk management remains a critical concern for organizations. Traditional methods are increasingly unable to address the complex nature of modern threats, leading to an urgent need for innovative methodologies. This article elaborates on a methodology that utilizes a sequence of R scripts in tandem with the OpenAI API to perform automated generation of cybersecurity risk scenarios. The framework presented herein is meticulously designed to cover every stage of risk assessment, from scenario creation to Key Risk Indicator (KRI) calculations, thereby contributing to an organization's robust cybersecurity posture.

Chapter 2 CybersecurityGovernance course V1-1d (1)

Creating Scenarios ChatGPT v1-0a

Cybersecurity competency management ontology validation

Ontology engineering methodology for cybersecurity requirements in Business Technology Management

Examples of the use of the Emerging Technology Assessment Canvas

This paper presents multiple examples of the use of the Emerging Technology Assessment Canvas (ET... more

Maker-entrepreneurs or the Makers dream of Startups

Draft article on Maker-entrepreneurship and the project many Makers that I have met have to creat... more

The competency requirements of cybersecurity professionals in Canadian financial sector organizations

This article presents the competencies and competency elements that are required of cybersecurity... more This article presents the competencies and competency elements that are required of cybersecurity professionals that were identified during a study on cybersecurity competencies in Canadian financial institutions, between 2019 and 2021. The main goal of this article is to help financial institutions and educational institutions design and implement competency-based continuous education programs. Financial institutions can use this article and the data that supports the recommendations to help them to increase the expertise of cybersecurity workers. Colleges and Universities may find this article interesting to assist them in the design of new programs or the improvement of existing programs.

Utilisation de COBIT 5 for risk

En 2009, l'ISACA a lancé un premier référentiel de risque informationnel : Risk IT. Risk IT s'app... more En 2009, l'ISACA a lancé un premier référentiel de risque informationnel : Risk IT. Risk IT s'appuie alors sur COBIT 4, le référentiel de gouvernance TI offrant, selon ISACA, le maillon manquant entre la gestion traditionnelle du risque d'entreprise et la gestion et le contrôle du risque informationnel. Une des idées principales derrière l'approche de l'ISACA est que les entreprises obtiennent un retour sur investissement (ROI) en prenant des risques, mais que parfois elles tentent d'éliminer des risques qui contribuent réellement à la création d'un profit.

Risk definitions.docx

schémas-cigale-v1-0b.pptx

Litterature review 6-0a.doc

Échelles de mesure

CHUS Gouvernance TIen Sante v1 1b

Introduction à la

Utilisation de COBIT 5 for risk

Dans ce texte, je propose une technique pour appliquer COBIT 5GR afin de réaliser une analyse de ... more Dans ce texte, je propose une technique pour appliquer COBIT 5GR afin de réaliser une analyse de risque dans une organisation. Cette technique est basée sur l’utilisation d’indicateurs de risque (KRI) génériques qui devront être adaptés pour une utilisation dans un contexte spécifique. Ce texte est présenté ici à des fins de formation et pour susciter la discussion auprès de membres de l’ISACA et des gestionnaires de risque informationnels. Le texte complet sera présenté dans la prochaine édition de mon livre sur la gestion de risque informationnel. Si vous avez des commentaires: [email protected]

Cybersecurity risk management

Introduction to Cybersecurity Governance for Business Technology Management, 2023

This chapter presents cybersecurity risk management, a vital aspect of cybersecurity governance. ... more This chapter presents cybersecurity risk management, a vital aspect of cybersecurity governance. As mentioned previously, cybersecurity governance is a continuum of three activities, called GRC, Governance, Risk Management and Compliance. Cybersecurity governance sets the framework, risk management helps support the decision-making process, and compliance is used to demonstrate that obligations are met, and that controls and risk mitigation activities are working. This chapter investigates the second activity, or the R in GRC, more specifically, risk management and risk assessments. The next chapter presents a scenario-based approach to implement was is discussed in this chapter.

Cybersecurity compliance

Introduction to Cybersecurity Governance for Business Technology Management, 2023

This chapter presents cybersecurity compliance, a vital aspect of cybersecurity governance. As me... more This chapter presents cybersecurity compliance, a vital aspect of cybersecurity governance. As mentioned previously, cybersecurity governance is a continuum of three activities, called GRC. In the cybersecurity context, the acronym GRC refers to Governance, Risk Management and Compliance. Cybersecurity governance sets the framework and tone for cybersecurity in the organization, while identifying the cybersecurity goals and obligations. From there, risk management helps support the decision-making process, arbitrage, and identification of potential strategies to deal with unacceptable risks. However, cybersecurity also depends on the ability of demonstrating the organization's compliance with its obligations, the efficiency of controls and risk mitigation activities. Compliance is essential for the cybersecurity of an organization's systems, networks, and data. It helps ensure that the organization follows the applicable laws, regulations, and standards. It is important to keep up to date with the latest compliance requirements. Governance was presented in chapter 2. In this chapter, we go in-depth on, compliance. Risk management is presented in a later chapter, along with a later chapter on risk assessments.

Intro to Cybersecurity Governance

Cybersecurity Governance coursebook, 2023

In this chapter, we examine cybersecurity governance. Chapter 1 discussed cybersecurity fundament... more In this chapter, we examine cybersecurity governance. Chapter 1 discussed cybersecurity fundamentals, which are expanded in this chapter to examine how organizations can plan cybersecurity based on strategic needs. Strategic perspective will apply cybersecurity risk management to Business Technology Management. This allows for a variety of solutions selected and implemented to deal with unacceptable risks based on this information.

Introduction to Cybersecurity Governance for Business Technology Management Chapter 1

Introduction to Cybersecurity Governance for Business Technology Management, 2023

Introduction to Cybersecurity Governance for Business Technology Management Chapter 1: Basic conc... more Introduction to Cybersecurity Governance for Business Technology Management Chapter 1: Basic concepts of cybersecurity This chapter presents an introduction to cybersecurity from a strategic, or business, point of view. It is geared towards future managers, to give them an outlook on the me of the concepts of cybersecurity that they need to be aware of, many of them being non-IT practitioners, but who will obviously be involved in dealing with information technology and the security aspects related to these. As part of the new reality of the business landscape, managers need to understand the basic tenants of information security and cybersecurity. Cybersecurity being information security applied to cyberspace, the connected world that organizations all live in. Cybersecurity is a critical concern for organizations of all sizes across all industries. Fundamentally, it refers to the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Today, with the increasing use of information technology (IT) and the overwhelming reliance on the digital world, cybersecurity has become an essential component of modern business operations. From personal information of employees and customers, financial data, trade secrets and critical infrastructure, organizations need to take proactive measures to safeguard their sensitive information and the information systems that manipulation this information from cyber threats. Cybersecurity involves a combination of technologies, practices, and policies aimed at preventing, detecting, and responding to cyber-attacks. It requires organizations to stay informed about emerging cyber threats, implement robust security measures, and have a well-planned response in place in the event of a breach. By investing in cybersecurity at an appropriate level, considering their risk appetite but also available human and finance resources, organizations can reduce the risk of financial loss, damage to their reputation, and the compromise of sensitive information. Organizations need to minimize, or ideally eliminate, unacceptable risks. The CIA triangle The first thig that organizations must define is their cybersecurity objectives. They must determine their requirements in relation to the assets that they are trying to protect. These assets can be data, also called information when it has structure and context, business technologies, business processes and other related assets. For this book, we prefer talking about business technologies, which we define as information technologies used in a business environment, combining business processes, information used in the business processes, and software, hardware, and networks. Business technologies contribute to create value to the organization, more today than ever before. But from a

The competency requirements of cybersecurity professionals in Canadian financial sector organizations

This article presents the competencies and competency elements that are required of cybersecurity... more This article presents the competencies and competency elements that are required of cybersecurity professionals that were identified during a study on cybersecurity competencies in Canadian financial institutions, between 2019 and 2021. The main goal of this article is to help financial institutions and educational institutions design and implement competency-based continuous education programs. Financial institutions can use this article and the data that supports the recommendations to help them to increase the expertise of cybersecurity workers. Colleges and Universities may find this article interesting to assist them in the design of new programs or the improvement of existing programs.

Pedagogical Engineering Model Canvas

This is a proposed pedagogical engineering tool being developed based on the Business Model Canvas

Maker-entrepreneurs or the Makers dream of Startups

Maker-entrepreneurs or the Makers dream of Startups, 2019

Draft article on Maker-entrepreneurship and the project many Makers that I have met have to creat... more

Mon monde de Makers

Aujourd'hui, plusieurs d'entre nous définissons comme Makers, des créateurs qui fabriquent des ch... more Aujourd'hui, plusieurs d'entre nous définissons comme Makers, des créateurs qui fabriquent des choses nous mêmes, à notre manière. Nous avons maintenant un accès abordable à des outils manuels, électriques ou électroniques. Entre notre réseau d'amis réels et virtuels, Google et YouTube, tous ont accès aux connaissances qui permettent de fabriquer presque n'importe quoi. Cet article présente une exploration du milieu des Makers afin de mieux comprendre qui sont les Makers et quelles sont leurs motivations. En voyageant pour participer à des événements et en rencontrant des participants, j'ai fait quelques découvertes qui sont présentés dans cet article et d'autres qui devront être écrits durant les prochain mois

I live in a world of make.

Today, many of us are makers, we all make stuff in our own way. We now have affordable access to ... more Today, many of us are makers, we all make stuff in our own way. We now have affordable access to tools. Between our network of friends, Google and YouTube, almost everyone can find instructions on how to make almost anything. In person or virtually, makers meet with other makers, exchange trick, ideas and discuss their latest projects. We join other makers in a third place, a shared space dedicated to make together. We meet in meetups, Maker Faire, Fab conferences and various festivals. During about one year I travelled to many of these places and observed. In this article I start to present some of my observations.

Using COBIT 5 for risk

In 2009, ISACA launched a first information risk repository: Risk IT. Risk IT relies on COBIT 4, ... more In 2009, ISACA launched a first information risk repository: Risk IT. Risk IT relies on COBIT 4, the IT governance framework that, according to ISACA, provides the missing link between traditional business risk management and information risk management and control. One of the main ideas behind ISACA's approach is that companies get a return on investment (ROI) by taking risks, but sometimes they try to eliminate risks that really contribute to the creation of a profit. Risk IT was designed to help companies maximize their return on opportunities by managing risks more effectively than trying to eliminate them entirely. In April 2012, ISACA released the new COBIT 5 version of its repository. She presented this new version as a major evolution of the IS governance and management framework. One of the main novelties of COBIT 5 is to approach the Information System (IS), beyond the processes already put forward by COBIT 4.1, through complementary themes, as part of a holistic approach (holistic or systemic). As part of this upgrade, the COBIT 5 processes were adapted to better converge with other repositories such as ISO 27002, CMMI and ITIL. With COBIT 5, Risk IT was integrated with COBIT 5 for Risk Management (COBIT 5 for risk or COBIT 5GR in this text). In the spirit of COBIT, this version defines computer risk as an element of business risk, in particular, business risk related to the use, possession, exploitation and adoption of the business. in a company. COBIT 5GR is interested in: • to enable stakeholders to gain a better understanding of the current state and effects of risk across the enterprise • advise on how to manage risk at all levels, including a broad set of risk mitigation measures • to advise on how to put the appropriate risk culture in place • Risk assessment guidance that allows stakeholders to consider the cost of mitigation measures and the resources needed to counter the risk of loss • opportunities to integrate IT risk management with enterprise risk management. • Improving communication and understanding between all internal and external stakeholders In this text, I propose a technique to apply COBIT 5GR to perform a risk analysis in an organization. This technique is based on the use of generic risk indicators (KRIs) that will need to be adapted for use in a specific context. This text is presented here for training purposes and to stimulate discussion with ISACA members and information risk managers. The full text will be presented in the next edition of my book on Information Risk Management. If you have comments: [email protected]

Examples of the use of the Emerging Technology Assessment Canvas

This paper presents multiple examples of the use of the Emerging Technology Assessment Canvas (ET... more

Using the Emerging Technology Analysis Canvas

This is a class presentation on the Emerging Technology Analysis Canvas (ETAC), a framework to as... more

The case for 3D printing in the Always-On supply chain

Case 10-1 in the course book: Turban, Efraim. INFORMATION TECHNOLOGY FOR MANAGEMENT: On-Demand St... more Case 10-1 in the course book: Turban, Efraim. INFORMATION TECHNOLOGY FOR MANAGEMENT: On-Demand Strategies for Performance, Growth and Sustainability. Eleventh Edition. WILEY, 2018. I also created a youtube video of a class presentation of this PowerPoint: https://youtu.be/-iZ0HkRDSHs

Pedagogical engineering for STEAM education in Fab Labs and makerspaces

This is a conference I presented on pedagogical engineering applied to STEAM education in Fab Lab... more This is a conference I presented on pedagogical engineering applied to STEAM education in Fab Labs and makerspaces. This was used in a workshop at FAB 14 EDUcation in Bataville France in 2018. It also introduces the idea of the Course engineering canvas model, inspired by the Business Model Canvas proposed by Alexander Osterwalder.