
    Dialectic tensions in the financial markets: a longitudinal study of pre- and post-crisis regulatory technology

    This article presents the findings from a longitudinal research study on regulatory technology in the UK financial services industry. The financial crisis, together with serious corporate and mutual fund scandals, raised the profile of compliance as governmental bodies, institutional and private investors introduced a ‘tsunami’ of financial regulations. Adopting a multi-level analysis, this study examines how regulatory technology was used by financial firms to meet their compliance obligations, pre- and post-crisis. Empirical data collected over 12 years examine the deployment of an investment management system in eight financial firms. Interviews with public regulatory bodies, financial institutions and technology providers reveal a culture of compliance with increased transparency, surveillance and accountability. Findings show that dialectic tensions arise as the pursuit of transparency, surveillance and accountability in compliance mandates is simultaneously rationalized, facilitated and obscured by regulatory technology. Responding to these challenges, regulatory bodies continue to impose revised compliance mandates on financial firms to force them to adapt their financial technologies in an ever-changing multi-jurisdictional regulatory landscape.

    Contingency-Constrained Unit Commitment with Post-Contingency Corrective Recourse

    We consider the problem of minimizing costs in the generation unit commitment problem, a cornerstone in electric power system operations, while enforcing an $N-k-e$ reliability criterion. This reliability criterion is a generalization of the well-known $N-k$ criterion, and dictates that at least a $(1-e_j)$ fraction of the total system demand must be met following the failures of $k$ or fewer system components. We refer to this problem as the Contingency-Constrained Unit Commitment problem, or CCUC. We present a mixed-integer programming formulation of the CCUC that accounts for both transmission and generation element failures. We propose novel cutting plane algorithms that avoid the need to explicitly consider an exponential number of contingencies. Computational studies are performed on several IEEE test systems and a simplified model of the Western US interconnection network, which demonstrate the effectiveness of our proposed methods relative to the current state of the art.

    General data protection regulation: a study on attitude and emotional empowerment

    © 2023 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group. Over the last few years, digitalisation has accelerated its pace, fuelling the creation of a massive amount of data. This has resulted in a need to introduce legal mechanisms to protect the privacy and security of data being exchanged between people and organisations. However, little is known about individuals’ perspective on such mechanisms. Given the gap in the literature, this research investigated the drivers and the implications of individuals’ attitude towards GDPR compliance. To test the research model, structural equation modelling was employed using 540 responses. The result showed that perceived threat severity, self-efficacy and response efficacy determine a positive attitude towards GDPR compliance, which results in emotional empowerment. The findings contribute to the literature on legal privacy-preserving mechanisms, by providing a user’s view on the coping and threat appraisal factors underpinning attitude and demonstrating the implications for driving confidence in control over personal data. The findings also contribute to the literature on protection motivation by demonstrating that attitude towards adaptive behaviour drives emotional empowerment. The study offers suggestions to policymakers on how to enhance public perception of the GDPR. The findings also provide guidelines for organisations on how to inform individuals’ understanding of compliance with the legal framework.

    Privacy-by-Design Regulatory Compliance Automation in Cloud Environment

    The proposed Master's thesis revolves around the development of a privacy-preserving Attribute Verifier for regulatory compliance, first designed cryptographically, and then implemented in a cloud environment. The Attribute Verifier makes use of the Attribute Verification Protocol and its underlying encryption scheme, composed of Decentralized Attribute-Based Encryption (DABE) combined with a Zero-Knowledge Proof (ZKP) approach. The contribution of this work was integrating a ticketing system, concerning tickets of compliance, with the existing protocol, and automating the whole workflow, simulating all the actors involved, in the AWS cloud environment. The major goal was to improve the security and privacy of sensitive data kept in the cloud as well as to comply with cloud regulatory requirements, standards, and different data protection regulations. In particular, the use case covered in this thesis refers to the General Data Protection Regulation (GDPR), specifically compliance with Article 32. The word "Automation" in the title refers to the achievement of having automated in the AWS cloud environment, through code, three main security objectives: Privacy, Identity and Access Management, and Attribute-based Access Control. This goal was pursued because, in the majority of cases, adherence to a regulation still requires heavy manual effort, especially when it concerns pure data protection regulations, i.e. in a legal setting. And when manual effort is not required, confidentiality can still be heavily affected, and that is where the need for a privacy-by-design solution comes from. The Attribute Verifier was developed to verify the attributes of a Prover (e.g. a company, an institution, a healthcare provider, etc.) without revealing the actual attributes or assets and to grant access to encrypted data only if the verification is successful. The proposed example, one among many possible, is that of a national bank attempting to demonstrate to a Verifier, i.e. the European Central Bank, compliance with Article 32 of the GDPR.
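    The Prover/Verifier exchange sketched in the abstract, as an added illustration that is not the thesis's code: the thesis builds on Decentralized Attribute-Based Encryption with a Zero-Knowledge Proof, whereas this stand-in uses a salted Merkle commitment over the Prover's attribute set with selective disclosure, so that one attribute can be opened and checked without revealing any of the others, and the Verifier then binds a "ticket of compliance" to that commitment with an HMAC. The attribute names (such as art32_encryption_at_rest), the sample bank attributes and the verifier key are constructed for the example and are not taken from the thesis.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf_hash(name: str, value, salt: bytes) -> bytes:
    # Each leaf is salted so that the sibling hashes in an opening leak nothing
    # about the attributes that stay hidden (no dictionary attack on small value sets).
    return _h(salt + json.dumps([name, value], sort_keys=True).encode())


def _merkle_levels(hashes: list) -> list:
    """All levels of a Merkle tree, leaves first; an odd-length level duplicates its last node."""
    levels = [list(hashes)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([_h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def commit_attributes(attributes: dict) -> tuple:
    """Prover: commit to the whole attribute set. Only the root is sent to the Verifier."""
    leaves = []
    for name in sorted(attributes):
        salt = secrets.token_bytes(16)
        leaves.append({"name": name, "value": attributes[name], "salt": salt,
                       "hash": _leaf_hash(name, attributes[name], salt)})
    root = _merkle_levels([leaf["hash"] for leaf in leaves])[-1][0]
    return root, leaves


def open_attribute(leaves: list, name: str) -> dict:
    """Prover: reveal exactly one attribute (value, salt, sibling path); the rest stay hidden."""
    idx = next(i for i, leaf in enumerate(leaves) if leaf["name"] == name)
    leaf = leaves[idx]
    pos, path = idx, []
    for level in _merkle_levels([l["hash"] for l in leaves])[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append((level[pos ^ 1], pos % 2 == 0))  # (sibling hash, sibling sits on the right)
        pos //= 2
    return {"name": leaf["name"], "value": leaf["value"], "salt": leaf["salt"], "path": path}


def verify_opening(root: bytes, opening: dict) -> bool:
    """Verifier: recompute the leaf, walk the path, and compare to the committed root."""
    node = _leaf_hash(opening["name"], opening["value"], opening["salt"])
    for sibling, sibling_is_right in opening["path"]:
        node = _h(node + sibling) if sibling_is_right else _h(sibling + node)
    return hmac.compare_digest(node, root)


def issue_ticket(verifier_key: bytes, root: bytes, opening: dict, required: tuple) -> Optional[dict]:
    """Verifier: issue a ticket of compliance only if the opening is valid and the revealed
    attribute is the one the policy requires, with the required value."""
    if not verify_opening(root, opening):
        return None
    req_name, req_value = required
    if opening["name"] != req_name or opening["value"] != req_value:
        return None
    body = {"commitment": root.hex(), "attribute": req_name, "value": req_value}
    mac = hmac.new(verifier_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def check_ticket(verifier_key: bytes, ticket: dict) -> bool:
    """Anyone holding the verifier key can check that a presented ticket is untampered."""
    expected = hmac.new(verifier_key, json.dumps(ticket["body"], sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["mac"])


if __name__ == "__main__":
    key = b"verifier-demo-key"  # constructed for the example; a real Verifier would use a managed secret
    bank = {"art32_encryption_at_rest": True, "country": "IT", "employees": 1200}  # constructed
    root, leaves = commit_attributes(bank)
    opening = open_attribute(leaves, "art32_encryption_at_rest")
    ticket = issue_ticket(key, root, opening, ("art32_encryption_at_rest", True))
    print("ticket issued:", ticket is not None, "| ticket valid:", check_ticket(key, ticket))
```

The opening carries only the requested leaf's value and salt plus sibling hashes, so the Verifier learns nothing about "country" or "employees"; tampering with the revealed value, or presenting an attribute the policy did not ask for, yields no ticket, and a ticket whose body is altered afterwards fails the HMAC check.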

    Organizational Violations of Externally Governed Privacy and Security Rules: Explaining and Predicting Selective Violations under Conditions of Strain and Excess

    Privacy and security concerns are pervasive because of the ease of access to information. Recurrent negative cases in the popular press attest to the failure of current privacy regulations to keep consumer and protected health information sufficiently secure in today’s climate of increased IT use. One reason for such failure is that organizations themselves violate these regulations, and do so for multiple reasons. To address this issue, we propose a theoretical model to explain the likelihood that organizations will select an externally governed privacy or security rule for violation in response to organizational strain or slack resources. Our proposed theoretical model, the selective organizational information privacy and security violations model (SOIPSVM), explains how organizational structures and processes, along with characteristics of regulatory rules, alter perceptions of risk when an organization’s performance does not match its aspiration levels and, thereby, affect the likelihood of rule violations. Importantly, we contextualize SOIPSVM to organizational privacy and security violations. SOIPSVM builds on and extends the selective organizational rule violations model (SORVM), which posits that organizational rule violations are selective. SOIPSVM provides at least four contributions to the privacy and security literature that can further guide empirical research and practice. First, SOIPSVM introduces the concept of selectivity in rule violations to privacy and security research. This concept can improve privacy and security research by showing that organizational violations of privacy and security rules are dynamic and selective yet influenced by external forces. Second, SOIPSVM extends the boundaries of SORVM, which is limited to explaining the behavior of organizations under strain, such as economic hardship. We contribute to the theory of selective deviance by proposing that selectivity extends to organizations with slack resources. Third, we address ideas of non-economic risk and strain in addition to economic risk and strain. Thus, SOIPSVM explains organizational rule-violating behavior as an attempt to protect core organizational values from external entities that pressure organizations to change their values to comply with rules. Fourth, we broaden the theoretical scope of two important constructs (namely, structural secrecy and procedural emphasis) to improve the model’s explanatory power. Fifth, we identify important elements of rule enforcement by drawing from the tenets of general deterrence theory. We also discuss how one can study constructs from general deterrence theory at the organizational level. To conclude, we offer recommendations for the structuring of organizations and external regulations to decrease organizational rule violations, which often lead to the abuse of consumer information.

    Value-driven Security Agreements in Extended Enterprises

    Today organizations are highly interconnected in business networks called extended enterprises. This is mostly facilitated by outsourcing and by new economic models based on pay-as-you-go billing, all supported by IT-as-a-service. Although outsourcing has been around for some time, what is new is that organizations are increasingly outsourcing critical business processes, engaging in complex service bundles, and moving infrastructure and its management to the custody of third parties. Although this gives competitive advantage by reducing cost and increasing flexibility, it increases security risks by eroding the security perimeters that used to separate insiders with security privileges from outsiders without them. The classical security distinction between insiders and outsiders is supplemented with a third category of threat agents, namely external insiders, who are not subject to the internal control of an organization but nevertheless have some access privileges to its resources that normal outsiders do not have. Protection against external insiders requires security agreements between organizations in an extended enterprise. Currently, there is no practical method that allows security officers to specify such requirements. In this paper we provide a method for modeling an extended enterprise architecture, identifying external insider roles, and specifying security requirements that mitigate the security threats posed by these roles. We illustrate our method with a realistic example.