    Auditor independence and audit risk: a reconceptualisation

    The principles-based U.K. regulatory framework for auditor independence (Chartered Accountants Joint Ethics Committee 1996), which was adopted in 1997, identifies threats to independence in fact, independence in appearance, and the safeguards that control these threats. These principles are incorporated in the International Federation of Accountants (IFAC 2001) ethics framework. Drawing on six case studies of interactions involving significant accounting issues between audit engagement partners and finance directors in U.K.-listed companies, we analyze the threats and safeguards to auditor independence in fact that are relevant to the outcome of each interaction. Despite the U.K.'s comprehensive regulatory framework for independence, audit quality control, and independent inspection of firms, not all the interactions have a fully compliant outcome. Independence in fact is compromised where the safeguards in the framework are insufficient defense against the threats, particularly regarding intimidation and bullying during the audit process. Further examples of existing threats are identified and additional threats emerge, in particular an urgency threat, and a loss of face threat. Management motivation is found to be a key driver of pressure. Threats to independence arising within audit firms are not recognized in the current U.K. audit risk model. An extended risk model incorporating within-firm risk is suggested. This study demonstrates the need for continual improvement to regulatory frameworks; in particular it supports the recent U.S. Securities and Exchange Commission (SEC) rule on improper influence on the conduct of audits (Securities and Exchange Commission 2003a)

    A probabilistic analysis framework for malicious insider threats

    Malicious insider threats are difficult to detect and to mitigate. Many approaches for explaining behaviour exist, but there is little work to relate them to formal approaches to insider threat detection. In this work we present a general formal framework to perform analysis for malicious insider threats, based on probabilistic modelling, verification, and synthesis techniques. The framework first identifies insiders' intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking

    Security, Privacy and Safety Risk Assessment for Virtual Reality Learning Environment Applications

    Social Virtual Reality based Learning Environments (VRLEs) such as vSocial render instructional content in a three-dimensional immersive computer experience for training youth with learning impediments. There are limited prior works that explored attack vulnerability in VR technology, and hence there is a need for systematic frameworks to quantify risks corresponding to security, privacy, and safety (SPS) threats. The SPS threats can adversely impact the educational user experience and hinder delivery of VRLE content. In this paper, we propose a novel risk assessment framework that utilizes attack trees to calculate a risk score for varied VRLE threats with rate and duration of threats as inputs. We compare the impact of a well-constructed attack tree with an ad hoc attack tree to study the trade-offs between overheads in managing attack trees, and the cost of risk mitigation when vulnerabilities are identified. We use a vSocial VRLE testbed in a case study to showcase the effectiveness of our framework and demonstrate how a suitable attack tree formalism can result in a safer, privacy-preserving and secure VRLE system. Comment: To appear in the CCNC 2019 Conference

    Hybrid threats, cyber warfare and NATO's comprehensive approach for countering 21st century threats: mapping the new frontier of global risk and security management

    The end of the so-called ‘Cold War’ has seen a change in the nature of present threats and with it to the overall role and mission of NATO, the North Atlantic Treaty Organization. The collapse of the Soviet Union and the Warsaw Pact in 1991 also removed the original raison d’être of the Alliance: the prospect of having to repel a Soviet-led attack by the Warsaw Pact on the West through the so-called ‘Fulda gap’ in Germany (referring to the German lowlands between Frankfurt am Main and the former East German border which was regarded as the most likely terrain for an armour-led Soviet breakout) was replaced by the recognition of the need to counter new – often hybrid – threats, which have little in common with bygone acts of interstate aggression. These new, modern threats to global peace, prosperity and security seriously threaten the present steady state environment at home (before the backdrop of the ongoing asymmetric conflicts in Afghanistan, Pakistan and Iraq) and warrant a comprehensive, multi-stakeholder driven response. Multimodal, low intensity, kinetic as well as non-kinetic threats to international peace and security including cyber war, low intensity asymmetric conflict scenarios, global terrorism, piracy, transnational organized crime, demographic challenges, resources security, retrenchment from globalization and the proliferation of weapons of mass destruction were identified by NATO as so-called “Hybrid Threats” (cf. BI-SC Input for a New NATO Capstone Concept for The Military Contribution to Countering Hybrid Enclosure 1 to 1500/CPPCAM/FCR/10-270038 and 5000 FXX/0100/TT-0651/SER: NU0040, dated 25 August 2010).
NATO’s Bi-Strategic Command Capstone Concept describes these Hybrid Threats as ‘those posed by adversaries, with the ability to simultaneously employ conventional and non-conventional means adaptively in pursuit of their objectives.’ (See Hybrid Threats Description in 1500/CPPCAM/FCR/10-270038 and 5000 FXX/0100/TT-0651/SER: NU0040 dated 25 August 2010: Paragraph 7). Having identified this kind of emerging threat, NATO is working on a comprehensive conceptual framework (the Capstone Concept), which provides the framework for identifying and discussing such threats and possible multi-stakeholder responses. In essence, Hybrid Threats faced by NATO and its non-military partners require a comprehensive approach allowing a wide spectrum of responses, kinetic and non-kinetic, by military and non-military actors (see “Updated List of Tasks for the Implementation of the Comprehensive Approach Action Plan and the Lisbon Summit Decisions on the Comprehensive Approach”, dated 4 March 2011, p 1-10, paragraph 1). NATO Allied Command Transformation (ACT) supported by the US Joint Forces Command Joint Irregular Warfare Centre (USJFCOM JIWC) and the US National Defence University (NDU) conducted specialised workshops related to “Assessing Emerging Security Challenges in the Globalised Environment (Countering Hybrid Threats) Experiment” in 2011 (cf. NATO’s Transnet network on Countering Hybrid Threats (CHT) at https://transnet.act.nato.int/WISE/Transforma1/ACTIPT/JOUIPT). The workshops of the experiment took place in Brussels, Belgium and Tallinn, Estonia and had the aim of identifying possible threats and discussing some of the key implications that need to be addressed in countering such risks & challenges. Essential is the hypothesis that such a response will have to be in partnership with other stakeholders such as international and regional organizations as well as representatives of business and commerce.
This short article introduces the reader to a new form of global threat scenario and the possibilities of response and deterrence within their wider legal and political context
