An assurance-based model to holistically assess the information security posture

EXECUTIVE SUMMARY : Evaluating Information Security Posture within an organization is becoming a very complex task. Currently, the evaluation and assessment of Information Security are commonly performed using frameworks, methodologies and standards which often consider the various aspects of security independently. Unfortunately this is ineffective because it does not take into consideration the necessity of having a global and systemic multidimensional approach to Information Security evaluation. At the same time the overall security level is globally considered to be only as strong as its weakest link. This thesis proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat will exploit the weakest link. A formalized structure taking into account all security elements is presented; this is based on a methodological evaluation framework in which Information Security is evaluated from a global perspective. This dissertation is divided into three parts. Part One: Information Security Evaluation issues consists of four chapters. Chapter 1 is an introduction to the purpose of this research purpose and the Model that will be proposed. In this chapter we raise some questions with respect to "traditional evaluation methods" as well as identifying the principal elements to be addressed in this direction. Then we introduce the baseline attributes of our model and set out the expected result of evaluations according to our model. Chapter 2 is focused on the definition of Information Security to be used as a reference point for our evaluation model. The inherent concepts of the contents of a holistic and baseline Information Security Program are defined. Based on this, the most common roots-of-trust in Information Security are identified. Chapter 3 focuses on an analysis of the difference and the relationship between the concepts of Information Risk and Security Management. Comparing these two concepts allows us to identify the most relevant elements to be included within our evaluation model, while clearing situating these two notions within a defined framework is of the utmost importance for the results that will be obtained from the evaluation process. Chapter 4 sets out our evaluation model and the way it addresses issues relating to the evaluation of Information Security. Within this Chapter the underlying concepts of assurance and trust are discussed. Based on these two concepts, the structure of the model is developed in order to provide an assurance related platform as well as three evaluation attributes: "assurance structure", "quality issues", and "requirements achievement". Issues relating to each of these evaluation attributes are analysed with reference to sources such as methodologies, standards and published research papers. Then the operation of the model is discussed. Assurance levels, quality levels and maturity levels are defined in order to perform the evaluation according to the model. Part Two: Implementation of the Information Security Assurance Assessment Model (ISAAM) according to the Information Security Domains consists of four chapters. This is the section where our evaluation model is put into a welldefined context with respect to the four pre-defined Information Security dimensions: the Organizational dimension, Functional dimension, Human dimension, and Legal dimension. Each Information Security dimension is discussed in a separate chapter. For each dimension, the following two-phase evaluation path is followed. The first phase concerns the identification of the elements which will constitute the basis of the evaluation: ? Identification of the key elements within the dimension; ? Identification of the Focus Areas for each dimension, consisting of the security issues identified for each dimension; ? Identification of the Specific Factors for each dimension, consisting of the security measures or control addressing the security issues identified for each dimension. The second phase concerns the evaluation of each Information Security dimension by: ? The implementation of the evaluation model, based on the elements identified for each dimension within the first phase, by identifying the security tasks, processes, procedures, and actions that should have been performed by the organization to reach the desired level of protection; ? The maturity model for each dimension as a basis for reliance on security. For each dimension we propose a generic maturity model that could be used by every organization in order to define its own security requirements. Part three of this dissertation contains the Final Remarks, Supporting Resources and Annexes. With reference to the objectives of our thesis, the Final Remarks briefly analyse whether these objectives were achieved and suggest directions for future related research. Supporting resources comprise the bibliographic resources that were used to elaborate and justify our approach. Annexes include all the relevant topics identified within the literature to illustrate certain aspects of our approach. Our Information Security evaluation model is based on and integrates different Information Security best practices, standards, methodologies and research expertise which can be combined in order to define an reliable categorization of Information Security. After the definition of terms and requirements, an evaluation process should be performed in order to obtain evidence that the Information Security within the organization in question is adequately managed. We have specifically integrated into our model the most useful elements of these sources of information in order to provide a generic model able to be implemented in all kinds of organizations. The value added by our evaluation model is that it is easy to implement and operate and answers concrete needs in terms of reliance upon an efficient and dynamic evaluation tool through a coherent evaluation system. On that basis, our model could be implemented internally within organizations, allowing them to govern better their Information Security. RÉSUMÉ : Contexte général de la thèse L'évaluation de la sécurité en général, et plus particulièrement, celle de la sécurité de l'information, est devenue pour les organisations non seulement une mission cruciale à réaliser, mais aussi de plus en plus complexe. A l'heure actuelle, cette évaluation se base principalement sur des méthodologies, des bonnes pratiques, des normes ou des standards qui appréhendent séparément les différents aspects qui composent la sécurité de l'information. Nous pensons que cette manière d'évaluer la sécurité est inefficiente, car elle ne tient pas compte de l'interaction des différentes dimensions et composantes de la sécurité entre elles, bien qu'il soit admis depuis longtemps que le niveau de sécurité globale d'une organisation est toujours celui du maillon le plus faible de la chaîne sécuritaire. Nous avons identifié le besoin d'une approche globale, intégrée, systémique et multidimensionnelle de l'évaluation de la sécurité de l'information. En effet, et c'est le point de départ de notre thèse, nous démontrons que seule une prise en compte globale de la sécurité permettra de répondre aux exigences de sécurité optimale ainsi qu'aux besoins de protection spécifiques d'une organisation. Ainsi, notre thèse propose un nouveau paradigme d'évaluation de la sécurité afin de satisfaire aux besoins d'efficacité et d'efficience d'une organisation donnée. Nous proposons alors un modèle qui vise à évaluer d'une manière holistique toutes les dimensions de la sécurité, afin de minimiser la probabilité qu'une menace potentielle puisse exploiter des vulnérabilités et engendrer des dommages directs ou indirects. Ce modèle se base sur une structure formalisée qui prend en compte tous les éléments d'un système ou programme de sécurité. Ainsi, nous proposons un cadre méthodologique d'évaluation qui considère la sécurité de l'information à partir d'une perspective globale. Structure de la thèse et thèmes abordés Notre document est structuré en trois parties. La première intitulée : « La problématique de l'évaluation de la sécurité de l'information » est composée de quatre chapitres. Le chapitre 1 introduit l'objet de la recherche ainsi que les concepts de base du modèle d'évaluation proposé. La maniéré traditionnelle de l'évaluation de la sécurité fait l'objet d'une analyse critique pour identifier les éléments principaux et invariants à prendre en compte dans notre approche holistique. Les éléments de base de notre modèle d'évaluation ainsi que son fonctionnement attendu sont ensuite présentés pour pouvoir tracer les résultats attendus de ce modèle. Le chapitre 2 se focalise sur la définition de la notion de Sécurité de l'Information. Il ne s'agit pas d'une redéfinition de la notion de la sécurité, mais d'une mise en perspectives des dimensions, critères, indicateurs à utiliser comme base de référence, afin de déterminer l'objet de l'évaluation qui sera utilisé tout au long de notre travail. Les concepts inhérents de ce qui constitue le caractère holistique de la sécurité ainsi que les éléments constitutifs d'un niveau de référence de sécurité sont définis en conséquence. Ceci permet d'identifier ceux que nous avons dénommés « les racines de confiance ». Le chapitre 3 présente et analyse la différence et les relations qui existent entre les processus de la Gestion des Risques et de la Gestion de la Sécurité, afin d'identifier les éléments constitutifs du cadre de protection à inclure dans notre modèle d'évaluation. Le chapitre 4 est consacré à la présentation de notre modèle d'évaluation Information Security Assurance Assessment Model (ISAAM) et la manière dont il répond aux exigences de l'évaluation telle que nous les avons préalablement présentées. Dans ce chapitre les concepts sous-jacents relatifs aux notions d'assurance et de confiance sont analysés. En se basant sur ces deux concepts, la structure du modèle d'évaluation est développée pour obtenir une plateforme qui offre un certain niveau de garantie en s'appuyant sur trois attributs d'évaluation, à savoir : « la structure de confiance », « la qualité du processus », et « la réalisation des exigences et des objectifs ». Les problématiques liées à chacun de ces attributs d'évaluation sont analysées en se basant sur l'état de l'art de la recherche et de la littérature, sur les différentes méthodes existantes ainsi que sur les normes et les standards les plus courants dans le domaine de la sécurité. Sur cette base, trois différents niveaux d'évaluation sont construits, à savoir : le niveau d'assurance, le niveau de qualité et le niveau de maturité qui constituent la base de l'évaluation de l'état global de la sécurité d'une organisation. La deuxième partie: « L'application du Modèle d'évaluation de l'assurance de la sécurité de l'information par domaine de sécurité » est elle aussi composée de quatre chapitres. Le modèle d'évaluation déjà construit et analysé est, dans cette partie, mis dans un contexte spécifique selon les quatre dimensions prédéfinies de sécurité qui sont: la dimension Organisationnelle, la dimension Fonctionnelle, la dimension Humaine, et la dimension Légale. Chacune de ces dimensions et son évaluation spécifique fait l'objet d'un chapitre distinct. Pour chacune des dimensions, une évaluation en deux phases est construite comme suit. La première phase concerne l'identification des éléments qui constituent la base de l'évaluation: ? Identification des éléments clés de l'évaluation ; ? Identification des « Focus Area » pour chaque dimension qui représentent les problématiques se trouvant dans la dimension ; ? Identification des « Specific Factors » pour chaque Focus Area qui représentent les mesures de sécurité et de contrôle qui contribuent à résoudre ou à diminuer les impacts des risques. La deuxième phase concerne l'évaluation de chaque dimension précédemment présentées. Elle est constituée d'une part, de l'implémentation du modèle général d'évaluation à la dimension concernée en : ? Se basant sur les éléments spécifiés lors de la première phase ; ? Identifiant les taches sécuritaires spécifiques, les processus, les procédures qui auraient dû être effectués pour atteindre le niveau de protection souhaité. D'autre part, l'évaluation de chaque dimension est complétée par la proposition d'un modèle de maturité spécifique à chaque dimension, qui est à considérer comme une base de référence pour le niveau global de sécurité. Pour chaque dimension nous proposons un modèle de maturité générique qui peut être utilisé par chaque organisation, afin de spécifier ses propres exigences en matière de sécurité. Cela constitue une innovation dans le domaine de l'évaluation, que nous justifions pour chaque dimension et dont nous mettons systématiquement en avant la plus value apportée. La troisième partie de notre document est relative à la validation globale de notre proposition et contient en guise de conclusion, une mise en perspective critique de notre travail et des remarques finales. Cette dernière partie est complétée par une bibliographie et des annexes. Notre modèle d'évaluation de la sécurité intègre et se base sur de nombreuses sources d'expertise, telles que les bonnes pratiques, les normes, les standards, les méthodes et l'expertise de la recherche scientifique du domaine. Notre proposition constructive répond à un véritable problème non encore résolu, auquel doivent faire face toutes les organisations, indépendamment de la taille et du profil. Cela permettrait à ces dernières de spécifier leurs exigences particulières en matière du niveau de sécurité à satisfaire, d'instancier un processus d'évaluation spécifique à leurs besoins afin qu'elles puissent s'assurer que leur sécurité de l'information soit gérée d'une manière appropriée, offrant ainsi un certain niveau de confiance dans le degré de protection fourni. Nous avons intégré dans notre modèle le meilleur du savoir faire, de l'expérience et de l'expertise disponible actuellement au niveau international, dans le but de fournir un modèle d'évaluation simple, générique et applicable à un grand nombre d'organisations publiques ou privées. La valeur ajoutée de notre modèle d'évaluation réside précisément dans le fait qu'il est suffisamment générique et facile à implémenter tout en apportant des réponses sur les besoins concrets des organisations. Ainsi notre proposition constitue un outil d'évaluation fiable, efficient et dynamique découlant d'une approche d'évaluation cohérente. De ce fait, notre système d'évaluation peut être implémenté à l'interne par l'entreprise elle-même, sans recourir à des ressources supplémentaires et lui donne également ainsi la possibilité de mieux gouverner sa sécurité de l'information.

Information and risk management during the first trimester care for pregnant women: Some reflections about the ethical challenges and the legal framework in Switzerland. [L'information et la gestion des risques dans le suivi de la grossesse lors du 1er trimestre : quelques réflexions sur le défi éthique et le cadre légal en Suisse.]

The progress in prenatal medicine raises complex questions with respect to the physician-patient relationship. The physician needs to reconcile medical aspects, ethical principles as well as judicial norms. Already, during the first trimester, the physician has to put into practice the schedule combining for each individual pregnancy physical, laboratory and other appropriate exams. Physicians are under the obligation to inform in a clear and comprehensive way without creating unnecessary anxiety for their patients. Legal requirements include informed consent, the respect for the patient's right to self-determination, and compliance with the Swiss federal law on genetic testing, especially with its articles on prenatal screening and diagnosis. This article discusses the complexity of obstetrical practice when it comes to delivering adequate information within the scope of ethical and legal requirements in Switzerland. L'évolution de la médecine prénatale soulève des enjeux complexes dans la relation médecin-patient. Il s'agit de concilier à la fois les aspects médicaux, les principes éthiques et les normes juridiques. Dès le premier trimestre de la grossesse le médecin doit poser le cadre du suivi et des examens appropriés pour chaque grossesse. Son devoir est d'informer de manière claire et précise sans inquiéter inutilement, en respectant l'exigence légale d'un consentement éclairé et plus largement le droit de la patiente à l'autodétermination ainsi que le cadre de la loi fédérale suisse sur l'analyse génétique humaine dans le domaine du dépistage et du diagnostic prénatal. Cet article discute de la complexité de l'information et de l'application des principes éthiques et légaux dans la pratique obstétricale en Suisse.

A comparison of Bayesian and frequentist approaches to incorporating external information for the prediction of prostate cancer risk.

We present the most comprehensive comparison to date of the predictive benefit of genetics in addition to currently used clinical variables, using genotype data for 33 single-nucleotide polymorphisms (SNPs) in 1,547 Caucasian men from the placebo arm of the REduction by DUtasteride of prostate Cancer Events (REDUCE®) trial. Moreover, we conducted a detailed comparison of three techniques for incorporating genetics into clinical risk prediction. The first method was a standard logistic regression model, which included separate terms for the clinical covariates and for each of the genetic markers. This approach ignores a substantial amount of external information concerning effect sizes for these Genome Wide Association Study (GWAS)-replicated SNPs. The second and third methods investigated two possible approaches to incorporating meta-analysed external SNP effect estimates - one via a weighted PCa 'risk' score based solely on the meta analysis estimates, and the other incorporating both the current and prior data via informative priors in a Bayesian logistic regression model. All methods demonstrated a slight improvement in predictive performance upon incorporation of genetics. The two methods that incorporated external information showed the greatest receiver-operating-characteristic AUCs increase from 0.61 to 0.64. The value of our methods comparison is likely to lie in observations of performance similarities, rather than difference, between three approaches of very different resource requirements. The two methods that included external information performed best, but only marginally despite substantial differences in complexity.

Information, learning, and risk in financial markets

Cette thèse comprend trois essais qui abordent l'information le processus d'ap-prentissage ainsi que le risque dans les marchés finances. Elle se concentre d'abord sur les implications à l'équilibre de l'hétérogénéité des agents à travers un processus d'apprentissage comprtemental et de mise à jour de l'information. De plus, elle examine les effets du partage des risques dans un reseau entreprise-fournisseur. Le premier chapitre étudie les effets du biais de disponibili sur l'évaluation des actifs. Ce biais décrit le fait que les agents surestiment l'importance de l'information acquise via l'expérience personnelle. L'hétérogénéité restante des différentes perceptions individuelles amène à une volonté d'échanges. Conformé¬ment aux données empiriques, les jeunes agents échangent plus mais en même temps souffrent d'une performance inférieure. Le deuxième chapitre se penche sur l'impact qu'ont les différences de modelisation entre les agents sur leurs percevons individuelles du processus de prix, dans le contexte des projections de modèles. Les agents sujets à un biais de projection pensent être représentatifs et interprètent les opinions des autres agents comme du bruit. Les agents, avec des modèles plus persistants, perçoivent que les prix réagissent de façon excessive lors des périodes de turbulence. Le troisième chapitre analyse l'impact du partage des risques dans la relation entreprise-fournisseur sur la décision optimale de financement de l'entreprise. Il étudie l'impact sur l'optimisation de la structure du capital ainsi que sur le coût du capital. Les résultats indiquent en particulier qu'un fournisseur avec un effet de levier faible est utile pour le financement d'un nouveau projet d'investissement. Pour des projets très rentables et des fournisseurs à faible effet de levier, le coût des capitaux propres de l'entreprise peut diminuer.

Risk prediction of prevalent diabetes in a Swiss population using a weighted genetic score--the CoLaus Study.

AIMS/HYPOTHESIS: Several susceptibility genes for type 2 diabetes have been discovered recently. Individually, these genes increase the disease risk only minimally. The goals of the present study were to determine, at the population level, the risk of diabetes in individuals who carry risk alleles within several susceptibility genes for the disease and the added value of this genetic information over the clinical predictors. METHODS: We constructed an additive genetic score using the most replicated single-nucleotide polymorphisms (SNPs) within 15 type 2 diabetes-susceptibility genes, weighting each SNP with its reported effect. We tested this score in the extensively phenotyped population-based cross-sectional CoLaus Study in Lausanne, Switzerland (n = 5,360), involving 356 diabetic individuals. RESULTS: The clinical predictors of prevalent diabetes were age, BMI, family history of diabetes, WHR, and triacylglycerol/HDL-cholesterol ratio. After adjustment for these variables, the risk of diabetes was 2.7 (95% CI 1.8-4.0, p = 0.000006) for individuals with a genetic score within the top quintile, compared with the bottom quintile. Adding the genetic score to the clinical covariates improved the area under the receiver operating characteristic curve slightly (from 0.86 to 0.87), yet significantly (p = 0.002). BMI was similar in these two extreme quintiles. CONCLUSIONS/INTERPRETATION: In this population, a simple weighted 15 SNP-based genetic score provides additional information over clinical predictors of prevalent diabetes. At this stage, however, the clinical benefit of this genetic information is limited.

Rockfall hazard and risk assessments along roads at a regional scale: Example in Swiss Alps

Unlike fragmental rockfall runout assessments, there are only few robust methods to quantify rock-mass-failure susceptibilities at regional scale. A detailed slope angle analysis of recent Digital Elevation Models (DEM) can be used to detect potential rockfall source areas, thanks to the Slope Angle Distribution procedure. However, this method does not provide any information on block-release frequencies inside identified areas. The present paper adds to the Slope Angle Distribution of cliffs unit its normalized cumulative distribution function. This improvement is assimilated to a quantitative weighting of slope angles, introducing rock-mass-failure susceptibilities inside rockfall source areas previously detected. Then rockfall runout assessment is performed using the GIS- and process-based software Flow-R, providing relative frequencies for runout. Thus, taking into consideration both susceptibility results, this approach can be used to establish, after calibration, hazard and risk maps at regional scale. As an example, a risk analysis of vehicle traffic exposed to rockfalls is performed along the main roads of the Swiss alpine valley of Bagnes.

Withdrawal, "serosorting" and "strategic positioning": use of risk reduction strategies with casual sex partners in men who have sex with men (MSM) in Switzerland, 2007

Introduction: 1) Withdrawal before ejaculation, "serosorting" (to choose a partner of same serostatus) and "strategic positioning" (only insertive vs. only receptive role in anal sex according to serostatus) are known to be used by MSM as alternatives to condom use. 2) Despite their questionable levels of effectiveness they are collectively labelled as "risk reduction strategies" (RRS). Objectives: The aim of this study is to estimate the prevalence and factors related to RRS in men who report unprotected anal intercourse (UAI) with occasional partners in the last 12 months. Methods: 1) In 2007, a module on RRS was included in a repeated national survey conducted among readers of gay newspapers, members of gay organizations and visitors of gay websites (N=2953). 2) Using an anonymous self-completed questionnaire, participants were asked whether, with the aim of avoiding HIV infection, RRS were used with occasional partners. Analysis: 1) Prevalences were calculated in participants who reported UAI with occasional partners in the last 12 months (n=416). 2) A logistic regression was performed, using "at least one RRS" as dependent variable. Number of partners in the last 12 months, HIV-status and usual socio-demographic characteristics were used as independent factors. Result : 1) 70% (292/416) of the participants reporting UAI used at least one RRS when they had unprotected sex with casual partners in the last 12 months (Table 1). 2) Withrawal before ejaculation was the most frequently reported strategy, followed by serosorting and strategic positioning (Table 1). 3) Participants who reported at least one RRS were more likely to be over 30 years and to belong to a gay organisation. HIV-positive and non-tested participants were less likely to report RRS than HIV-negative participants (Table 2). Conclusions: 1) The majority of MSM who reported UAI in the last 12 months tried to reduce risk of HIV transmission by using specific strategies (withdrawal, serosorting, strategic positioning). It is not known, however, to what extent the use of these strategies was systematic. 2) It is necessary to provide MSM with balanced information on these strategies and their respective level of effectiveness. 3) It is important to monitor the use of RRS in HIV behavioural surveillance surveys in MSM.

Predictors of HIV-protection behaviour in HIV-positive men who have sex with casual male partners: a test of the explanatory power of an extended Information-Motivation-Behavioural Skills model.

This prospective study applies an extended Information-Motivation-Behavioural Skills (IMB) model to establish predictors of HIV-protection behaviour among HIV-positive men who have sex with men (MSM) during sex with casual partners. Data have been collected from anonymous, self-administered questionnaires and analysed by using descriptive and backward elimination regression analyses. In a sample of 165 HIV-positive MSM, 82 participants between the ages of 23 and 78 (M=46.4, SD=9.0) had sex with casual partners during the three-month period under investigation. About 62% (n=51) have always used a condom when having sex with casual partners. From the original IMB model, only subjective norm predicted condom use. More important predictors that increased condom use were low consumption of psychotropics, high satisfaction with sexuality, numerous changes in sexual behaviour after diagnosis, low social support from friends, alcohol use before sex and habitualised condom use with casual partner(s). The explanatory power of the calculated regression model was 49% (p<0.001). The study reveals the importance of personal and social resources and of routines for condom use, and provides information for the research-based conceptualisation of prevention offers addressing especially people living with HIV ("positive prevention").

Bone mineral density (BMD), micro-architecture estimation (TBS) and vertebral fracture assessment (VFA) extracted from a single DXA device in combination with clinical risk factors improve significantly the identification of women at high risk of fracture

Introduction: Osteoporosis (OP) is a systemic skeletal disease characterized by a low bone mineral density (BMD) and a micro-architectural (MA) deterioration. Clinical risk factors (CRF) are often used as a MA approximation. MA is yet evaluable in daily practice by the Trabecular Bone Score (TBS) measure. TBS is a novel grey-level texture measurement reflecting bone micro-architecture based on the use of experimental variograms of 2D projection images. TBS is very simple to obtain, by reanalyzing a lumbar DXA-scan. TBS has proven to have diagnosis and prognosis value, partially independent of CRF and BMD. The aim of the OsteoLaus cohort is to combine in daily practice the CRF and the information given by DXA (BMD, TBS and vertebral fracture assessment (VFA)) to better identify women at high fracture risk. Method: The OsteoLaus cohort (1400 women 50 to 80 years living in Lausanne, Switzerland) started in 2010. This study is derived from the cohort COLAUS who started in Lausanne in 2003. The main goals of COLAUS is to obtain information on the epidemiology and genetic determinants of cardiovascular risk in 6700 men and women. CRF for OP, bone ultrasound of the heel, lumbar spine and hip BMD, VFA by DXA and MA evaluation by TBS are recorded in OsteoLaus. Preliminary results are reported. Results: We included 631 women: mean age 67.4±6.7 y, BMI 26.1±4.6, mean lumbar spine BMD 0.943±0.168 (T-score -1.4 SD), TBS 1.271±0.103. As expected, correlation between BMD and site matched TBS is low (r2=0.16). Prevalence of VFx grade 2/3, major OP Fx and all OP Fx is 8.4%, 17.0% and 26.0% respectively. Age- and BMI-adjusted ORs (per SD decrease) are 1.8 (1.2- 2.5), 1.6 (1.2-2.1), 1.3 (1.1-1.6) for BMD for the different categories of fractures and 2.0 (1.4-3.0), 1.9 (1.4-2.5), 1.4 (1.1-1.7) for TBS respectively. Only 32 to 37% of women with OP Fx have a BMD < -2.5 SD or a TBS < 1.200. If we combine a BMD < -2.5 SD or a TBS < 1.200, 54 to 60% of women with an osteoporotic Fx are identified. Conclusion: As in the already published studies, these preliminary results confirm the partial independence between BMD and TBS. More importantly, a combination of TBS subsequent to BMD increases significantly the identification of women with prevalent OP Fx which would have been miss-classified by BMD alone. For the first time we are able to have complementary information about fracture (VFA), density (BMD), micro- and macro architecture (TBS & HAS) from a simple, low ionizing radiation and cheap device: DXA. Such complementary information is very useful for the patient in the daily practice and moreover will likely have an impact on cost effectiveness analysis.

Essays in higher moment asset pricing and liquidity risk

This thesis focuses on theoretical asset pricing models and their empirical applications. I aim to investigate the following noteworthy problems: i) if the relationship between asset prices and investors' propensities to gamble and to fear disaster is time varying, ii) if the conflicting evidence for the firm and market level skewness can be explained by downside risk, Hi) if costly learning drives liquidity risk. Moreover, empirical tests support the above assumptions and provide novel findings in asset pricing, investment decisions, and firms' funding liquidity. The first chapter considers a partial equilibrium model where investors have heterogeneous propensities to gamble and fear disaster. Skewness preference represents the desire to gamble, while kurtosis aversion represents fear of extreme returns. Using US data from 1988 to 2012, my model demonstrates that in bad times, risk aversion is higher, more people fear disaster, and fewer people gamble, in contrast to good times. This leads to a new empirical finding: gambling preference has a greater impact on asset prices during market downturns than during booms. The second chapter consists of two essays. The first essay introduces a foramula based on conditional CAPM for decomposing the market skewness. We find that the major market upward and downward movements can be well preadicted by the asymmetric comovement of betas, which is characterized by an indicator called "Systematic Downside Risk" (SDR). We find that SDR can efafectively forecast future stock market movements and we obtain out-of-sample R-squares (compared with a strategy using historical mean) of more than 2.27% with monthly data. The second essay reconciles a well-known empirical fact: aggregating positively skewed firm returns leads to negatively skewed market return. We reconcile this fact through firms' greater response to negative maraket news than positive market news. We also propose several market return predictors, such as downside idiosyncratic skewness. The third chapter studies the funding liquidity risk based on a general equialibrium model which features two agents: one entrepreneur and one external investor. Only the investor needs to acquire information to estimate the unobservable fundamentals driving the economic outputs. The novelty is that information acquisition is more costly in bad times than in good times, i.e. counter-cyclical information cost, as supported by previous empirical evidence. Later we show that liquidity risks are principally driven by costly learning. Résumé Cette thèse présente des modèles théoriques dévaluation des actifs et leurs applications empiriques. Mon objectif est d'étudier les problèmes suivants: la relation entre l'évaluation des actifs et les tendances des investisseurs à parier et à crainadre le désastre varie selon le temps ; les indications contraires pour l'entreprise et l'asymétrie des niveaux de marché peuvent être expliquées par les risques de perte en cas de baisse; l'apprentissage coûteux augmente le risque de liquidité. En outre, des tests empiriques confirment les suppositions ci-dessus et fournissent de nouvelles découvertes en ce qui concerne l'évaluation des actifs, les décisions relatives aux investissements et la liquidité de financement des entreprises. Le premier chapitre examine un modèle d'équilibre où les investisseurs ont des tendances hétérogènes à parier et à craindre le désastre. La préférence asymétrique représente le désir de parier, alors que le kurtosis d'aversion représente la crainte du désastre. En utilisant les données des Etats-Unis de 1988 à 2012, mon modèle démontre que dans les mauvaises périodes, l'aversion du risque est plus grande, plus de gens craignent le désastre et moins de gens parient, conatrairement aux bonnes périodes. Ceci mène à une nouvelle découverte empirique: la préférence relative au pari a un plus grand impact sur les évaluations des actifs durant les ralentissements de marché que durant les booms économiques. Exploitant uniquement cette relation générera un revenu excédentaire annuel de 7,74% qui n'est pas expliqué par les modèles factoriels populaires. Le second chapitre comprend deux essais. Le premier essai introduit une foramule base sur le CAPM conditionnel pour décomposer l'asymétrie du marché. Nous avons découvert que les mouvements de hausses et de baisses majeures du marché peuvent être prédits par les mouvements communs des bêtas. Un inadicateur appelé Systematic Downside Risk, SDR (risque de ralentissement systématique) est créé pour caractériser cette asymétrie dans les mouvements communs des bêtas. Nous avons découvert que le risque de ralentissement systématique peut prévoir les prochains mouvements des marchés boursiers de manière efficace, et nous obtenons des carrés R hors échantillon (comparés avec une stratégie utilisant des moyens historiques) de plus de 2,272% avec des données mensuelles. Un investisseur qui évalue le marché en utilisant le risque de ralentissement systématique aurait obtenu une forte hausse du ratio de 0,206. Le second essai fait cadrer un fait empirique bien connu dans l'asymétrie des niveaux de march et d'entreprise, le total des revenus des entreprises positiveament asymétriques conduit à un revenu de marché négativement asymétrique. Nous décomposons l'asymétrie des revenus du marché au niveau de l'entreprise et faisons cadrer ce fait par une plus grande réaction des entreprises aux nouvelles négatives du marché qu'aux nouvelles positives du marché. Cette décomposition révélé plusieurs variables de revenus de marché efficaces tels que l'asymétrie caractéristique pondérée par la volatilité ainsi que l'asymétrie caractéristique de ralentissement. Le troisième chapitre fournit une nouvelle base théorique pour les problèmes de liquidité qui varient selon le temps au sein d'un environnement de marché incomplet. Nous proposons un modèle d'équilibre général avec deux agents: un entrepreneur et un investisseur externe. Seul l'investisseur a besoin de connaitre le véritable état de l'entreprise, par conséquent, les informations de paiement coutent de l'argent. La nouveauté est que l'acquisition de l'information coute plus cher durant les mauvaises périodes que durant les bonnes périodes, comme cela a été confirmé par de précédentes expériences. Lorsque la récession comamence, l'apprentissage coûteux fait augmenter les primes de liquidité causant un problème d'évaporation de liquidité, comme cela a été aussi confirmé par de précédentes expériences.

Assessing the associations between mental disorders, cardiovascular risk factors, and cardiovascular disease : the CoLaus/PsyCoLaus study

Background: Cardio-vascular diseases (CVD), their well established risk factors (CVRF) and mental disorders are common and co-occur more frequently than would be expected by chance. However, the pathogenic mechanisms and course determinants of both CVD and mental disorders have only been partially identified.Methods/Design: Comprehensive follow-up of CVRF and CVD with a psychiatric exam in all subjects who participated in the baseline cross-sectional CoLaus study (2003-2006) (n=6'738) which also included a comprehensive genetic assessment. The somatic investigation will include a shortened questionnaire on CVRF, CV events and new CVD since baseline and measurements of the same clinical and biological variables as at baseline. In addition, pro-inflammatory markers, persistent pain and sleep patterns and disorders will be assessed. In the case of a new CV event, detailed information will be abstracted from medical records. Similarly, data on the cause of death will be collected from the Swiss National Death Registry. The comprehensive psychiatric investigation of the CoLaus/PsyCoLaus study will use contemporary epidemiological methods including semi-structured diagnostic interviews, experienced clinical interviewers, standardized diagnostic criteria including threshold according to DSM-IV and sub-threshold syndromes and supplementary information on risk and protective factors for disorders. In addition, screening for objective cognitive impairment will be performed in participants older than 65 years.Discussion: The combined CoLaus/PsyCoLaus sample provides a unique opportunity to obtain prospective data on the interplay between CVRF/CVD and mental disorders, overcoming limitations of previous research by bringing together a comprehensive investigation of both CVRF and mental disorders as well as a large number of biological variables and a genome-wide genetic assessment in participants recruited from the general population.

Trabecular bone score improves fracture risk prediction in non-osteoporotic women: the OFELY study.

The use of areal bone mineral density (aBMD) for fracture prediction may be enhanced by considering bone microarchitectural deterioration. Trabecular bone score (TBS) helped in redefining a significant subset of non-osteoporotic women as a higher risk group. INTRODUCTION: TBS is an index of bone microarchitecture. Our goal was to assess the ability of TBS to predict incident fracture. METHODS: TBS was assessed in 560 postmenopausal women from the Os des Femmes de Lyon cohort, who had a lumbar spine (LS) DXA scan (QDR 4500A, Hologic) between years 2000 and 2001. During a mean follow-up of 7.8 ± 1.3 years, 94 women sustained 112 fragility fractures. RESULTS: At the time of baseline DXA scan, women with incident fracture were significantly older (70 ± 9 vs. 65 ± 8 years) and had a lower LS_aBMD and LS_TBS (both -0.4SD, p < 0.001) than women without fracture. The magnitude of fracture prediction was similar for LS_aBMD and LS_TBS (odds ratio [95 % confidence interval] = 1.4 [1.2;1.7] and 1.6 [1.2;2.0]). After adjustment for age and prevalent fracture, LS_TBS remained predictive of an increased risk of fracture. Yet, its addition to age, prevalent fracture, and LS_aBMD did not reach the level of significance to improve the fracture prediction. When using the WHO classification, 39 % of fractures occurred in osteoporotic women, 46 % in osteopenic women, and 15 % in women with T-score > -1. Thirty-seven percent of fractures occurred in the lowest quartile of LS_TBS, regardless of BMD. Moreover, 35 % of fractures that occurred in osteopenic women were classified below this LS_TBS threshold. CONCLUSION: In conclusion, LS_aBMD and LS_TBS predicted fractures equally well. In our cohort, the addition of LS_TBS to age and LS_aBMD added only limited information on fracture risk prediction. However, using the lowest quartile of LS_TBS helped in redefining a significant subset of non-osteoporotic women as a higher risk group which is important for patient management.

Information seeking activity and adherence to therapy: Findings from the Swiss Inflammatory Bowel Disease Cohort Study

Background: In spite of the relapsing nature of inflammatory bowel diseases (IBD), on average, 40% of IBD patients are nonadherent to treatments. On the other hand, they are often actively seeking information on their disease. The relationship between information seeking behaviour and adherence to treatment is poorly documented. The main aim of this study was to examine this association among IBD patients. Methods: We used data from the Swiss IBD cohort study. Baseline data included questions on adherence to ongoing treatments. A survey was conducted in October 2009 to assess information sources and themes searched by patients. Crude odds ratio (OR) and 95% CI were calculated for the association between adherence and information seeking. Adjustment for potential confounders and main known risk factors was performed using multivariate logistic regression. Differences in the proportions of information sources and themes were compared between adherent and non-adherent patients. Results: The number of patients eligible was 488. Nineteen percent (N = 99) were non-adherent to treatment and one third (N = 159) were active information seekers. Crude OR for being non-adherent was 69% higher among information seekers compared to non-seekers (OR = 1.69; 95%CI 0.99 2.87). Adjusted OR for non-adherence was OR = 2.39 (95%CI 1.32 4.34) for information seekers compared to non-seekers. Family doctors were 15.2% more often consulted (p = 0.019) among patients who were adherent to treatment compared to those who were not, as were books and TV (+13.1%; p = 0.048). No difference was observed for internet or gastroenterologists as sources of information. Themes of information linked to tips for disease management were 14.2% more often searched among non-adherent patients (p = 0.028) compared to adherent. No difference was observed for the other themes (research and development on IBD, therapies, basic information on the disease, patients' experiences sharing, miscellaneous). Conclusions: Active information seeking was shown to be strongly associated with non-adherence to treatment in a population of IBD patients in Switzerland. Surprisingly themes related to therapies were not especially those on which nonadherent patients focused. Indeed, management of symptoms and everyday life with the disease seemed to be the most pressing information concerns of patients. Results suggest that the family doctor plays an important role in the multidisciplinary care approach needed for IBD patients.

Catastrophic medical expenditure risk

Medical expenditure risk can pose a major threat to living standards. We derive decomposable measures of catastrophic medical expenditure risk from reference-dependent utility with loss aversion. We propose a quantile regression based method of estimating risk exposure from cross-section data containing information on the means of financing health payments. We estimate medical expenditure risk in seven Asian countries and find it is highest in Laos and China, and is lowest in Malaysia. Exposure to risk is generally higher for households that have less recourse to self-insurance, lower incomes, wealth and education, and suffer from chronic illness.