A policy model for secure information flow

When a computer program requires legitimate access to confidential data, the question arises whether such a program may illegally reveal sensitive information. This paper proposes a policy model to specify what information flow is permitted in a computational system. The security definition, which is based on a general notion of information lattices, allows various representations of information to be used in the enforcement of secure information flow in deterministic or nondeterministic systems. A flexible semantics-based analysis technique is presented, which uses the input-output relational model induced by an attacker's observational power, to compute the information released by the computational system. An illustrative attacker model demonstrates the use of the technique to develop a termination-sensitive analysis. The technique allows the development of various information flow analyses, parametrised by the attacker's observational power, which can be used to enforce what declassification policies.

Accounting information systems as institutional carriers: a case study of regulatory compliance in UK asset management houses

Previously, governments have responded to the impacts of economic failures and consequently have developed more regulations to protect employees, customers, shareholders and the economic wellbeing of the state. Our research addresses how Accounting Information Systems (AIS) may act as carriers for institutionalised practices associated with maintaining regulatory compliance within the context of UK Asset Management Houses. The AIS was found to be a strong conduit for institutionalized compliance related practices, utilising symbolic systems, relational systems, routines and artefacts to carry approaches relating to regulative, normative and cultural-cognitive strands of institutionalism. Thus, AIS are integral to the development and dissipation of best practice for the management of regulatory compliance. As institutional elements are clearly present we argue that AIS and regulatory compliance provide a rich context to further institutionalism. Since AIS may act as conduits for regulatory approaches, both systems adopters and clients may benefit from actively seeking to codify and abstract best practices into AIS. However, the application of generic institutionalized approaches, which may be applied across similar organizations, must be tempered with each firm’s business environment and associated regulatory exposure. A balance should be sought between approaches specific enough to be useful but generic enough to be universally applied.

Training and the commitment of outsourced information technologies' workers: psychological contract fulfillment as a mediator

Outsourced workers in information technologies (IT) generally have high skills and a high value on the job market. Their IT outsourcing organizations are likely to provide them with training, in the first place for skill development, but perhaps also as a way to bind the workers to them. This can be understood along the role of the psychological contract. Outsourced IT workers may see training as a fulfillment of their psychological contract. Accordingly, we hypothesize that psychological contract fulfillment mediates the relationship between training and affective commitment to the IT outsourcer. This was tested in a sample of 158 Portuguese outsourced IT workers. The results showed that employees who considered that they were receiving good training opportunities felt a greater affective commitment to their IT outsourcers. This relationship was mediated by the fulfillment of the relational psychological contract.