
    United States v. O'Hagan: The Supreme Court Abandons Textualism to Adopt the Misappropriation Theory

    This article analyzes the Supreme Court's ruling in United States v. O'Hagan, which held that Section 10(b) of the Securities Exchange Act of 1934 reaches insider trading by corporate outsiders under the misappropriation theory. The article argues that the Supreme Court incorrectly expanded the reach of the statute beyond what Congress intended.

    Informed Trading and Cybersecurity Breaches

    Cybersecurity has become a significant concern in corporate and commercial settings, and for good reason: a threatened or realized cybersecurity breach can materially affect firm value for capital investors. This paper explores whether market arbitrageurs appear systematically to exploit advance knowledge of such vulnerabilities. We make use of a novel data set tracking cybersecurity breach announcements among public companies to study trading patterns in the derivatives market preceding the announcement of a breach. Using a matched sample of unaffected control firms, we find significant trading abnormalities for hacked targets, measured in terms of both open interest and volume. Our results are robust to several alternative matching techniques, as well as to both cross-sectional and longitudinal identification strategies. All told, our findings appear strongly consistent with the proposition that arbitrageurs can and do obtain early notice of impending breach disclosures, and that they are able to profit from such information. Normatively, we argue that the efficiency implications of cybersecurity trading are distinct from, and generally more concerning than, those posed by garden-variety information trading within securities markets. Notwithstanding these idiosyncratic concerns, however, both securities fraud law and computer fraud law in their current form appear poorly adapted to address them, and both would require nontrivial re-imagining to meet the challenge (even approximately).
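    The measurement at the heart of the abstract above, abnormal pre-announcement option volume for a breached firm relative to a matched, unaffected control, can be sketched in a few lines. The following is an added illustration, not code or data from the paper: the daily volume series are constructed, the estimation window (days 0-19), the five-session pre-announcement window (days 20-24) and the 3-sigma screening threshold are assumptions, and the paper's actual matching procedure and robustness checks are far more involved. The same computation applies unchanged to an open-interest series.

```python
from statistics import mean, pstdev

# Constructed daily option-volume series (not real market data).
# Days 0-19 form the estimation (baseline) window; days 20-24 are the five
# sessions before an assumed breach announcement on day 25.
TARGET_VOLUME = [90, 110] * 10 + [150, 160, 170, 180, 190]   # hacked firm
CONTROL_VOLUME = [90, 110] * 10 + [100, 90, 110, 100, 100]   # matched control
ESTIMATION_DAYS = range(0, 20)
EVENT_DAYS = range(20, 25)


def _baseline(volumes, estimation_days):
    """Mean and population std-dev of volume over the estimation window."""
    base = [volumes[d] for d in estimation_days]
    mu, sigma = mean(base), pstdev(base)
    if sigma == 0:
        raise ValueError("flat estimation window; cannot standardise")
    return mu, sigma


def abnormal_volume(volumes, estimation_days=ESTIMATION_DAYS, event_days=EVENT_DAYS):
    """Mean event-window volume, expressed in baseline standard deviations."""
    mu, sigma = _baseline(volumes, estimation_days)
    return (mean(volumes[d] for d in event_days) - mu) / sigma


def matched_abnormal_volume(target, control,
                            estimation_days=ESTIMATION_DAYS, event_days=EVENT_DAYS):
    """Difference-in-differences: target's abnormal volume minus its control's.
    Subtracting the control strips out market-wide activity that affects both."""
    return (abnormal_volume(target, estimation_days, event_days)
            - abnormal_volume(control, estimation_days, event_days))


def first_abnormal_day(volumes, estimation_days=ESTIMATION_DAYS, threshold=3.0):
    """Earliest post-estimation day whose volume exceeds `threshold` sigmas,
    i.e. how far ahead of the announcement the anomaly becomes visible.
    Returns None if no day crosses the threshold."""
    mu, sigma = _baseline(volumes, estimation_days)
    for day in range(max(estimation_days) + 1, len(volumes)):
        if (volumes[day] - mu) / sigma > threshold:
            return day
    return None


if __name__ == "__main__":
    print("target abnormal volume (sigma):", abnormal_volume(TARGET_VOLUME))
    print("control abnormal volume (sigma):", abnormal_volume(CONTROL_VOLUME))
    print("matched difference (sigma):",
          matched_abnormal_volume(TARGET_VOLUME, CONTROL_VOLUME))
    print("first abnormal day, target:", first_abnormal_day(TARGET_VOLUME))
    print("first abnormal day, control:", first_abnormal_day(CONTROL_VOLUME))
```

    In the constructed series the target's pre-announcement volume sits seven baseline standard deviations above normal while the control shows none, and the anomaly is visible on day 20, five sessions before disclosure. In practice the baseline should be long enough to absorb ordinary volume spikes (earnings dates, option expiries), and a control that shares sector, size and expiry calendar is what makes the subtraction meaningful.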

    An annotated bibliography of multidisciplinary information security resources, for the purpose of maintaining privacy and confidentiality in New Zealand government records management

    Research problem: Maintaining the privacy and confidentiality of data in an age of e-government and electronic recordkeeping is one of the key challenges for records management staff today. In New Zealand this issue has attracted negative attention through several recent public sector privacy and security breaches, raising questions about systemic issues, accountability, and a disconnect between strategy and implementation. How government responds will depend in large measure on the advice it receives about information security solutions. A gap in the academic literature on the relationship between records management and information security has been identified.

    Methodology: Using targeted search strategies, this annotated bibliography draws together articles from a range of journals with the aim of developing a consolidated resource through which practitioners can become acquainted with the multifaceted and multidisciplinary nature of information security. The outcome is a resource directly relevant to the New Zealand context that identifies key perspectives, relationships, technical issues, and shortcomings in research.

    Results: Key findings relate to publishing trends, divided disciplines, and shortcomings in research on records management's relationships with IT groups and its engagement in e-government.

    Implications: These include the development of more comprehensive e-government information and security strategies, the re-examination and use of existing relationships, and the strengthening of records management's position as a contributor to research and leadership in the array of possible responses to information security.

    Knowledge sharing and information security: a paradox?

    This paper presents the findings of a literature review on knowledge sharing and information security and identifies an interesting research gap at the intersection of the two practices. In a fast-changing environment with an increasing need to understand customers' demands and competitors' strategies (Lin et al, 2012), knowledge sharing is recognised as an essential activity for organisational success (Wasko and Faraj, 2005; Renzl, 2008). Organisations continuously aim to exploit existing knowledge, seek new ways to improve and increase knowledge sharing activities, and identify and reduce possible barriers to knowledge sharing. However, although the integral role and benefits of knowledge sharing have been widely recognised, the security or protection of knowledge has not received the same level of attention. Although the importance of protecting knowledge has been stressed by some researchers (e.g. Gold et al, 2001; Desouza and Awazu, 2004; Desouza 2006; Ryan, 2006), research into the 'softer' or human-behaviour aspects of knowledge protection is scarce. Information security is another field that has grown tremendously and is now a globally recognised discipline (Gifford, 2009) receiving attention from academics and practitioners (Wiant, 2005). Information security measures aim to prevent the loss or leakage of an organisation's valuable information and to manage the resulting cost of any loss. Despite organisations' investments in preventive measures, information security breaches are still common; humans are often seen as the weakest link, and 'incorrect' human behaviour as the most common point of failure. However, much of the research on preventing information security breaches focuses on technical facets (Gordon and Loeb, 2006; Coles-Kemp, 2009). From the literature review, it is evident that knowledge sharing and information security have become well-established concepts in academia and within organisations.

    However, the middle ground between these two equally important and adjacent practices has received inadequate attention. Knowledge sharing aims to encourage individuals to share knowledge with colleagues, organisational partners and suppliers; information security initiatives, on the other hand, aim to apply controls and restrictions to what knowledge can be shared and how it is shared. This paper draws attention to the perceived paradoxical nature of knowledge sharing and information security and raises awareness of the potential conflict that could compromise the protection of knowledge or, alternatively, reduce the openness of knowledge sharing.

    Developing a Typological Theory Using a Quantitative Approach: A Case of Information Security Deviant Behavior

    Unlike classification and taxonomy, typology meets the criteria of a theory and is a distinct form of theory building. Typology is a good first step in exploring a research topic, and we are therefore concerned with building typological theories for underdeveloped topics with few existing studies. We propose a four-step approach involving content analysis, multidimensional scaling, judgmental analysis, and empirical testing to guide researchers in developing typological theories in their domains of interest, using a quantitative approach that draws on empirical methods and industry wisdom. Previous research in information security has paid little attention to employees' deviant behavior in the workplace. We therefore built a typology of information security deviant behavior as an example to illustrate the theory development process. We discuss the theoretical, methodological, and practical implications of this study.

    Legal Risks of Adversarial Machine Learning Research

    Adversarial machine learning is the systematic study of how motivated adversaries can compromise the confidentiality, integrity, and availability of machine learning (ML) systems through targeted or blanket attacks. The problem of attacking ML systems is so prevalent that CERT, the federally funded research and development center tasked with studying attacks, issued a broad vulnerability note on how most ML classifiers are vulnerable to adversarial manipulation. Google, IBM, Facebook, and Microsoft have committed to investing in securing machine learning systems. The US and EU have likewise made the security and safety of AI systems a top priority. Research on adversarial machine learning is now booming, but it is not without risks. Studying or testing the security of any operational system may violate the Computer Fraud and Abuse Act (CFAA), the primary United States federal statute that creates liability for hacking. The CFAA's broad scope, rigid requirements, and heavy penalties, critics argue, have a chilling effect on security research, and adversarial ML security research is likely no different. However, prior work on adversarial ML research and the CFAA is sparse and narrowly focused. In this article, we help address this gap in the literature. For legal practitioners, we describe the complex and confusing legal landscape of applying the CFAA to adversarial ML. For adversarial ML researchers, we describe the potential risks of conducting adversarial ML research. We conclude with an analysis predicting how the US Supreme Court may resolve some present inconsistencies in the CFAA's application in Van Buren v. United States, an appeal expected to be decided in 2021. We argue that the Court is likely to adopt a narrow construction of the CFAA, and that this will lead to better adversarial ML security outcomes in the long term.

    An Information Security Policy Compliance Reinforcement and Assessment Framework

    The majority of SMEs have adopted information and communication technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with vulnerabilities related to external threats than with those from internal threats, although researchers and industry suggest that a substantial proportion of security incidents originate from insiders. Internal threats are often addressed by, firstly, a security policy to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and know how to carry out their responsibilities securely. A significant amount of research has been conducted on ensuring that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such intentions with actual behaviours in information security; and secondly, to present an information security policy compliance reinforcement and assessment framework that helps convert intentions into actual behaviours and assesses the resulting behavioural change. The approach was based on the Theory of Planned Behaviour, knowledge-attitude-behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees.

    The main findings of the study revealed that even though employees may be well trained and aware of good information security practice, they may be either unable or unwilling to comply with it. The findings also revealed that awareness drives that produce secure behavioural intentions are merely a first step in information security compliance. Not all behavioural intentions converted into actual secure behaviours: only 64% did. However, deterrence, using rewards for good behaviour and punishment for undesirable behaviour, was able to increase the conversion rate by 21%.

    Identifying at-risk employees: A behavioral model for predicting potential insider threats


    Three Essays on Managing Information Security Using the Fraud Triangle

    Managing information security has become increasingly important as information security breaches, computer fraud, and other damaging events grow more frequent and disrupt business processes. Information is one of the most important enterprise assets; it is therefore valuable and should be properly protected. Accounting employees are tasked with specific responsibilities for information risk management, so managing accountants ineffectively may result in countless problems for the company, not least reputational damage, loss of stock value, material financial reporting errors, and financial losses. In Essay 1, I examine the elements of the fraud triangle and their impact on a specific information security policy violation: copying sensitive financial information. In Essay 2, I document the unexpected effects of placing higher demands on accountants. In Essay 3, I explore a deeper dimension of the accountant's internal justification when considering a violation of information security policies. This dissertation considers the challenges of managing the human aspect of information security, especially the role of accountants. Security techniques and management tools have caught the attention of both academia and practitioners. This dissertation examines the fraud triangle as a theoretical framework for information security risk management among accountants. In the three essays, I attempt to integrate security policy theory, management system theory, the fraud triangle, and moral disengagement theory to provide a deeper understanding of information security management. The findings carry implications not only for future research on security violation behaviours, but also for broadening the theoretical foundation of the fraud triangle for further empirical research and application.