
    Capital markets and e-fraud: policy note and concept paper for future study

    The technological dependency of securities exchanges on internet-based (IP) platforms has dramatically increased the industry's exposure to reputation, market, and operational risks. In addition, the convergence of several innovations in the market is adding stress to these systems. These innovations affect everything from software to system design and architecture. These include the use of XML (extensible markup language) as the industry IP language, STP or straight-through processing of data, pervasive or diffuse computing and grid computing, as well as the increased use of the Internet and wireless. Fraud is not new; rather, the magnitude and speed with which fraud can be committed have grown exponentially due to the convergence of once private networks on-line. It is imperative that senior management of securities markets and brokerage houses be properly informed of the negative externalities associated with e-brokerage and the possible critical points of failure that exist in today's digitized financial sector as they grow into tomorrow's exchanges. The overwhelming issue regarding e-finance is to determine the true level of understanding that senior management has about on-line platforms, including the inherent risks and the depth of the need to use it wisely. Kellermann and McNevin attempt to highlight the various risks that have been magnified by the increasing digitalization of processes within the brokerage arena and explain the need for concerted research and analysis of these as well as the profound consequences that may ensue without proper planning. An effective legal, regulatory, and enforcement framework is essential for creating the right incentive structure for market participants. The legal and regulatory framework should focus on the improvement of internal monitoring of risks and vulnerabilities, greater information sharing about these risks and vulnerabilities, education and training on the care and use of these technologies, and better reporting of risks and responses. Public/private partnerships and collaborations also are needed to create an electronic commerce (e-commerce) environment that is safe and sound.

    Environmental Economics & Policies, Insurance & Risk Mitigation, Financial Intermediation, ICT Policy and Strategies, Banks & Banking Reform

    The Anonymous Poster: How to Protect Internet Users’ Privacy and Prevent Abuse

    The threat of anonymous Internet posting to individual privacy has been met with congressional and judicial indecisiveness. Part of the problem stems from the inherent conflict between punishing those who disrespect one's privacy by placing a burden on the individual websites and continuing to support the Internet's development. Additionally, assigning traditional tort liability is problematic as the defendant enjoys an expectation of privacy as well, creating difficulty in securing the necessary information to proceed with legal action. One solution to resolving invasion of privacy disputes involves a uniform identification verification program that ensures user confidentiality while promoting accountability for malicious behavior.

    Managing cyber risk in organizations and supply chains

    In Industry 4.0, modern organizations are characterized by extensive digitalization and use of Information Technology (IT). Even though there are significant advantages in such technological progress, a noteworthy drawback is represented by cyber risks, whose occurrence has dramatically increased over the last years. The information technology literature has shown great interest in the topic, identifying mainly technical solutions to face these emerging risks. Nonetheless, cyber risks cause business disruption and damages to tangible and intangible corporate assets and require a major integration between technical solutions and strategic management. Recently, the risk management domain and the supply chain literature have provided studies about how an effective cyber risk management process should be planned, to improve organizational resilience and to prevent financial drawbacks. However, the aforementioned studies are mainly theoretical and there is still a significant lack of empirical studies in the management literature, measuring the potential effects of cyber threats within single companies, and along networks of relationships, in a wider supply chain perspective. The present thesis aims at filling some of these gaps through three empirical essays. The first study has implemented a Grounded Theory approach to develop an interview targeting 15 European organizations. Afterwards, the fuzzy set Qualitative Comparative Analysis (fsQCA) has been performed, in order to ascertain how managers perceive cyber risks. Results contradict studies that focus merely on technical solutions, and confirm the dynamic capability literature, which highlights the relevance of a major integration among relational, organizational, and technical capabilities when dealing with technological issues. Moreover, the study proposes a managerial framework that draws on the dynamic capabilities view, in order to consider the complexity and dynamism of IT and cyber risks.
The framework proposes to implement both technical (e.g. software, insurance, investments in IT assets) and organizational (e.g. team work, human IT resources) capabilities to protect the capability of the company to create value. The second essay extends the investigation of the drawbacks of cyber risks to supply chains. The study conducts a Grounded Theory empirical investigation toward several European organizations that rely on security and risk management standards in order to choose the drivers of systematic IT and cyber risk management (risk assessment, risk prevention, risk mitigation, risk compliance, and risk governance). The evidence gleaned from the interviews has highlighted that investments in supply chain mitigation strategies are scant, resulting in supply chains that perform as if they had a much higher risk appetite than managers declared. Moreover, a general lack of awareness has emerged regarding the effects that IT and cyber risks may have on supply operations and relationships. Thus, a framework drawing on supply chain risk management is proposed, offering a holistic risk management process, in which strategies, processes, technologies, and human resources should be aligned in coherence with the governance of each organization and of the supply chain as a whole. The final result should be a supply chain where the actors share more information throughout the whole process, which guarantees strategic benefits, reputation protection, and business continuity. The third essay draws on the Situational Crisis Communication Theory (SCCT) to ascertain whether and how different types of cyber breaches differently affect the corporate reputation, defined as a multidimensional construct in which perceptions of customers, suppliers, (potential) employees, investors and local communities converge.
Data breaches have been categorized into three groups by the literature, meaning intentional and internal to the organization (e.g., malicious employees stealing customers’ data), unintentional and internal to the organization (e.g., incorrect security settings that expose private information), and intentional and external to the organization (e.g., ransomware infecting companies’ software). However, this is among the first studies to analyse the different reputational drawbacks these types may cause. Moreover, the study considers that, in the Industry 4.0 era, social media analysis may be of paramount importance for organizations to understand the market. In fact, user-generated content (UGC), meaning the content created by users, might help in understanding which dimensions of the corporate have been more attacked after a data breach. In this context, the study implements the Latent Dirichlet Allocation (LDA) automated method, a base model in the family of “topic models”, to extract the reputational dimensions expressed in UGC of a sample of 35 organizations in nine industries that had a data breach incident between 2013 and 2016. The results reveal that in general, after a data breach, three dimensions—perceived quality, customer orientation and corporate performance—are a subject of debate for users. However, if the data breach was intentional and malicious, users focused more on the role of firms’ human resources management, whereas if users did not identify a responsible party, users focused more on privacy drawbacks. The study complements crisis communication research by categorizing, in a data breach context, stakeholders’ perceptions of a crisis. In addition, the research is informative for risk management literature and reputation research, analysing corporate reputation dimensions in a data breach crisis setting.

    A secure cloud with minimal provider trust

    Bolted is a new architecture for a bare metal cloud with the goal of providing security-sensitive customers of a cloud the same level of security and control that they can obtain in their own private data centers. It allows tenants to elastically allocate secure resources within a cloud while being protected from other previous, current, and future tenants of the cloud. The provisioning of a new server to a tenant isolates a bare metal server, only allowing it to communicate with other tenant's servers once its critical firmware and software have been attested to the tenant. Tenants, rather than the provider, control the tradeoffs between security, price, and performance. A prototype demonstrates scalable end-to-end security with small overhead compared to a less secure alternative.

    Trust and Privacy in Development of Publish/Subscribe Systems

    Publish/subscribe (pub/sub) is a widely deployed paradigm for information dissemination in a variety of distributed applications such as financial platforms, e-health frameworks and the Internet-of-Things. In essence, the pub/sub model considers one or more publishers generating feeds of information and a set of subscribers, the clients of the system. A pub/sub service is in charge of delivering the published information to interested clients. With the advent of cloud computing, we observe a growing tendency to externalize applications using pub/sub services to public clouds. This trend, despite its advantages, opens up multiple important data privacy and trust issues. Although multiple solutions for data protection have been proposed by the academic community, there is no unified view or framework describing how to deploy secure pub/sub systems on public clouds. To remediate this, we advocate a trust model which we believe can serve as a basis for such deployments.

    Security and the Economy: The North American Computer and Communication Infrastructure - U.S. Speaker
