724 results for cloud computing, accountability, SLA, responsibility, security, privacy, trust


Relevance:

30.00% 30.00%

Publisher:

Abstract:

While mobile technologies can provide great personalized services for mobile users, they also threaten their privacy. Such personalization-privacy paradoxes are particularly salient for context-aware technology based mobile applications where users' behaviors, movements and habits can be associated with a consumer's personal identity. In this thesis, I studied the privacy issues in the mobile context, focusing particularly on an adaptive privacy management system design for context-aware mobile devices, and explored the role of personalization and control over users' personal data. This allowed me to make multiple contributions, both theoretical and practical. In the theoretical world, I propose and prototype an adaptive Single-Sign On solution that uses the user's context information to protect the user's private information on smartphones. To validate this solution, I first proved that a user's context is a unique user identifier and that context awareness technology can increase the user's perceived ease of use of the system and the service provider's authentication security. I then followed a design science research paradigm and implemented this solution in a mobile application called "Privacy Manager". I evaluated the utility through several focus group interviews, and overall the proposed solution fulfilled the expected function and users expressed their intentions to use this application. To better understand the personalization-privacy paradox, I built on the theoretical foundations of privacy calculus and the technology acceptance model to conceptualize the theory of users' mobile privacy management. I also examined the role of personalization and control ability in my model and how these two elements interact with privacy calculus and the mobile technology model. In the practical realm, this thesis contributes to the understanding of the tradeoff between the benefit of personalized services and the user privacy concerns it may cause. 
By pointing out new opportunities to rethink how user's context information can protect private data, it also suggests new elements for privacy related business models.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

Thank you, Chairman. I would like to extend a warm welcome to our keynote speakers, David Byrne of the European Commission, Derek Yach from the World Health Organisation, and Paul Quinn representing Congressman Marty Meehan who sends his apologies. When we include the speakers who will address later sessions, this is, undoubtedly, one of the strongest teams that have been assembled on tobacco control in Europe. The very strength of the team underlines what I see as a shift – a very necessary shift – in the way we perceive the tobacco issue. For the last twenty years, we have lived out a paradox. It isn't a social side issue. I make no apology for the bluntness of what I'm saying, and will come back, a little later, to the radicalism I believe we need to bring – nationally – to this issue. For starters, though, I want to lay it on the line that what we're talking about is an epidemic as deadly as any suffered by human kind throughout the centuries. Slower than some of those epidemics in its lethal action, perhaps. But an epidemic, nonetheless. According to the World Health Organisation tobacco accounted for just over 3 million annual deaths in 1990, rising to 4.023 million annual deaths in 1998. The numbers of deaths due to tobacco will rise to 8.4 million in 2020 and reach roughly 10 million annually by 2030. This is quite simply ghastly. Tobacco kills. It kills in many different ways. It kills increasing numbers of women. It does its damage directly and indirectly. For children, much of the damage comes from smoking by adults where children live, study, play and work. The very least we should be able to offer every child is breathable air. Air that doesn't do them damage. We're now seeing a global public health response to the tobacco epidemic. The Tobacco Free Initiative launched by the World Health Organisation was matched by significant tobacco control initiatives throughout the world. 
During this conference we will hear about the experiences our speakers had in driving these initiatives. This Tobacco Free Initiative poses unique challenges to our legal frameworks at both national and international levels; in particular it raises challenges about the legal context in which tobacco products are traded and asks questions about the impact of commercial speech especially on children, and the extent of the limitations that should be imposed on it. Politicians, supported by economists and lawyers as well as the medical profession, must continue to explore and develop this context to find innovative ways to wrap public health considerations around the trade in tobacco products – very tightly. We also have the right to demand a totally new paradigm from the tobacco industry. Bluntly, the tobacco industry plays the PR game at its cynical worst. The industry sells its products without regard to the harm these products cause. At the same time, to gain social acceptance, it gives donations, endowments and patronage to high profile events and people. Not good enough. This model of behaviour is no longer acceptable in a modern society. We need one where the industry integrates social responsibility and accountability into its day-to-day activities. We have waited for this change in behaviour from the tobacco industry for many decades. Unfortunately the documents disclosed during litigation in the USA and from other sources make very depressing reading; it is clear from them that any trust society placed in the tobacco industry in the past to address the health problems associated with its products was misplaced. This industry appears to lack the necessary leadership to guide it towards just and responsible action. Instead, it chooses evasion, deception and at times illegal activity to protect its profits at any price and to avoid its responsibilities to society and its customers. 
It has engaged in elaborate 'spin' to generate political tolerance, scientific uncertainty and public acceptance of its products. Legislators must act now. I see no reason why the global community should continue to wait. Effective legal controls must be laid on this errant industry. We should also keep these controls under review at regular intervals and if they are failing to achieve the desired outcomes we should be prepared to amend them. In Ireland, as Minister for Health and Children, I launched a comprehensive tobacco control policy entitled “Towards a Tobacco Free Society”. OTT? Excessive? Unrealistic? On the contrary – I believe it to be imperative and inevitable. I honestly hold that, given the range of fatal diseases caused by tobacco use we have little alternative but to pursue the clear objective of creating a tobacco free society. Aiming at a tobacco free society means ensuring public and political opinion are properly informed. It requires help to be given to smokers to break the addiction. It demands that people are protected against environmental tobacco smoke and children are protected from any inducement to experiment with this product. Over the past year we have implemented a number of measures which will support these objectives; we have established an independent Office of Tobacco Control, we have introduced free nicotine replacement therapy for low-income earners, we have extended our existing prohibitions on tobacco advertising to the print media with some minor derogations for international publications. We have raised the legal age at which a person can be sold tobacco products to eighteen years. We have invested substantially more funds in health promotion activities and we have mounted sustained information campaigns. We have engaged in sponsorship arrangements, which are new and innovative for public bodies. I have provided health boards with additional resources to let them mount a sustained inspection and enforcement service. 
Health boards will engage new Directors of Tobacco Control responsible for coordinating each health board's response and for liaising with the Tobacco Control Agency I set up earlier this year. Most recently, I have published a comprehensive Bill – The Public Health (Tobacco) Bill, 2001. This Bill will, among other things, end all forms of product display and in-store advertising and will require all retailers to register with the new Tobacco Control Agency. Ten packs of cigarettes will be banned and transparent and independent testing procedures of tobacco products will be introduced. Enforcement officers will be given all the necessary powers to ensure there is full compliance with the law. On smoking in public places we will extend the existing areas covered and it is proposed that I, as Minister for Health and Children, will have the powers to introduce further prohibitions in public places such as pubs and the work place. I will also provide for the establishment of a Tobacco Free Council to advise and assist on an ongoing basis. I believe the measures already introduced and those additional ones proposed in the Bill have widespread community support. In fact, you're going to hear a detailed presentation from the MRBI which will amply illustrate the extent of this support. The great thing is that the support comes from smokers and non-smokers alike. Bottom line, Ladies and Gentlemen, is that we are at a watershed. As a society (if you'll allow me to play with a popular phrase) we've realised it's time to 'wake up and smell the cigarettes.' Smell them. See them for what they are. And get real about destroying their hold on our people. The MRBI survey makes it clear that the single strongest weapon we have when it comes to preventing the habit among young people is price. Simple as that. Price. Up to now, the fear of inflation has been a real impediment to increasing taxes on tobacco. It sounds a serious, logical argument. 
Until you take it out and look at it a little more closely. Weigh it, as it were, in two hands. I believe – and I believe this with a great passion – that we must take cigarettes out of the equation we use when awarding wage increases. I am calling on IBEC and ICTU, on employers and trade unions alike, to move away from any kind of tolerance of a trade that is killing our citizens. At one point in industrial history, cigarettes were a staple of the workingman's life. So it was legitimate to include them in the 'basket' of goods that goes to make up the Consumer Price Index. It isn't legitimate to include them any more. Today, I'm saying that society collectively must take the step to remove cigarettes from the basket of normality, from the list of elements which constitute necessary consumer spending. I'm saying: “We can no longer delude ourselves. We must exclude cigarettes from the considerations we address in central wage bargaining. We must price cigarettes out of the reach of the children those cigarettes will kill.” Right now, in the monthly Central Statistics Office reports on consumer spending, the figures include cigarettes. But – right down at the bottom of the page – there's another figure. Calculated without including cigarettes. I believe that if we continue to use the first figure as our constant measure, it will be an indictment of us as legislators, as advocates for working people, as public health professionals. If, on the other hand, we move to the use of the second figure, we will be sending out a message of startling clarity to the nation. We will be saying “We don't count an addictive, killer drug as part of normal consumer spending.” Taking cigarettes out of the basket used to determine the Consumer Price Index will take away the inflation argument. It will not be easy, in its implications for the social partners. But it is morally inescapable. We must do it. Because it will help us stop the killer that is tobacco. 
If we can do it, we will give so much extra strength to health educators and the new Tobacco Control Association. This new organisation of young people who already have branches in over fifteen counties, is represented here today. The young adults who make up its membership are well placed to advise children of the dangers of tobacco addiction in a way that older generations cannot. It would strengthen their hand if cigarettes move – in price terms – out of the easy reach of our children. Finally, I would like to commend so many public health advocates who have shown professional and indeed personal courage in their commitment to this critical public health issue down through the years. We need you to continue to challenge and confront this grave public health problem and to repudiate the questionable science of the tobacco industry. The Research Institute for a Tobacco Free Society represents a new and dynamic form of partnership between government and civil society. It will provide an effective platform to engage and mobilise the many different professional and academic skills necessary to guide and challenge us. I wish the conference every success.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

Digitalization gives the Internet power by allowing several virtual representations of reality, including that of identity. We leave an increasingly digital footprint in cyberspace and this situation puts our identity at high risk. Privacy is a right and fundamental social value that could play a key role as a medium to secure digital identities. Identity functionality is increasingly delivered as sets of services, rather than monolithic applications. So, an identity layer in which identity and privacy management services are loosely coupled, publicly hosted and available to on-demand calls could be a more realistic and acceptable situation. Identity and privacy should be interoperable and distributed through the adoption of service-orientation and implementation based on open standards (technical interoperability). The objective of this project is to provide a way to implement interoperable user-centric digital identity-related privacy to respond to the needs of the distributed nature of federated identity systems. It is recognized that technical initiatives, emerging standards and protocols are not enough to guarantee resolution of the concerns surrounding the multi-faceted and complex issue of identity and privacy. For this reason they should be apprehended within a global perspective through an integrated and multidisciplinary approach. The approach dictates that privacy law, policies, regulations and technologies are to be crafted together from the start, rather than attached to digital identity after the fact. Thus, we draw Digital Identity-Related Privacy (DigIdeRP) requirements from global, domestic and business-specific privacy policies. The requirements take the shape of business interoperability. 
We suggest a layered implementation framework (DigIdeRP framework) in accordance with the model-driven architecture (MDA) approach that would help organizations' security teams to turn business interoperability into technical interoperability in the form of a set of services that could accommodate Service-Oriented Architecture (SOA): a Privacy-as-a-set-of-services (PaaSS) system. The DigIdeRP framework will serve as a basis for vital understanding between business management and technical managers on digital identity-related privacy initiatives. The layered DigIdeRP framework presents five practical layers as an ordered sequence as a basis for the DigIdeRP project roadmap; however, in practice, there is an iterative process to assure that each layer effectively supports and enforces the requirements of the adjacent ones. Each layer is composed of a set of blocks, which determine a roadmap that a security team could follow to successfully implement PaaSS. Several blocks' descriptions are based on the OMG SoaML modeling language and BPMN process descriptions. We identified, designed and implemented seven services that form PaaSS and described their consumption. PaaSS Java QEE project), WSDL, and XSD codes are given and explained.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

This paper examines the importance that the current Convention on the Future of Europe is giving (or not) to the question of democratic accountability in European foreign and defence policy. As all European Union (EU) member states are parliamentary democracies, and as there is a European Parliament (EP) which also covers CFSP (Common Foreign and Security Policy) and ESDP (European Security and Defence Policy) matters, I will concentrate on parliamentary accountability rather than democratic accountability more widely defined. Where appropriate, I will also refer to the work of other transnational parliamentary bodies such as the North Atlantic Assembly or NAA (NATO's Parliamentary Assembly) or the Western European Union (WEU) Parliamentary Assembly. The article will consist of three sections. First, I will briefly put the question under study within its wider context (section 1). Then, I will examine the current level of parliamentary accountability in CFSP and defence matters (section 2). Finally, I will consider the current Convention debate and assess how much attention is being given to the question of accountability in foreign and defence policies (section 3). This study basically argues that, once again, there is very little interest in an issue that should be considered as vital for the future democratic development of a European foreign and defence policy. It is important to note however that this paper does not cover the wider debate about how to democratise and make the EU more transparent and closer to its citizens. It concentrates on its Second Pillar because its claim is that very little if any attention is being given to this question.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

International nursing has been a growing phenomenon throughout the globe. International nurses have been found to be an asset to healthcare organizations and an important part of the health care team. However, growing concern for the plight of international nurses facing obstacles such as professional stagnation and exploitation has spurred the development of strategies to mitigate and ameliorate the experiences of nurses working abroad. In this respect, the purpose of this study was to explore the management-influenced factors and the nurse team-influenced factors that promote the empowerment of the international nurse in the health care setting. The methodology used in this study was a systematic review. After a rigorous search for relevant empirical studies using the OVID database, eight empirical research studies were selected using systematic review methodology to collect, analyze and synthesize data. The selected eight empirical studies were then subjected to a content analysis. The results suggested that the empowerment of an international nurse is inseparable from the empowerment of the health care organization. Based on the findings in this study, strategies to promote international nurses were found to mirror strategies evidenced to empower the nursing organization. Some of the management-influenced factors which were found to facilitate empowerment included a diversity-rich work culture, transformational leadership at the management level, and a responsibility to foster the values of the organization. The team-influenced factors which were found to contribute to the empowerment of the international nurse included a united, mutually interdependent nurse team, shared accountability among the members of the nurse team, and the building of trust in work relationships. 
To conclude, this study indicates that efforts to empower international nurses without considering the work culture and the organization as a whole are futile because empowerment cannot take place in an environment that lacks antecedent conditions. Strategies to empower the international nurse should not focus on the deficits and special needs of the international nurse, but should focus on the similarities and commonalities of the nursing body. Empowerment of the international nurse means open, honest communication, a supportive work environment, and a firm policy to quell disruptive elements that threaten the organization's values, mission, and philosophy of care.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

After the economic reforms of 1978, China started rising very fast and started engaging other countries in the region which has served to increase its confidence in the region. In the post cold war period, China was seen as a big threat for the region because of its claims on the South China Sea. Nevertheless, this image was eliminated when China engaged ASEAN and other multilateral and regional organizations. This paper studies China’s economic and security policies towards ASEAN. Globalization Theory is the theory being used to explain the nature of China-ASEAN relations. This research paper argues that China’s rise is promoting peace in the region. With the engagement policy, China started promoting trade and security co-operation based on mutual benefits and dialogues for the peaceful resolution of the disputes in the region. This contributed greatly to improving China’s image in the region. Additionally, China’s posture during the economic crises of 1997 also greatly contributed to improving its image. Thus, the rise of China is providing opportunity to the other countries in East Asia. Chapter One: Background On China-ASEAN Relations The use of Soft Power and engagement policy by the Chinese government has helped to change China’s image in the region. By using these policies China has been able to clear the feeling of suspicion and mistrust among the Asian states. China has increased its participation in multilateral and regional organizations, such as ASEAN. Due to this China has been able to promote economic and security co-operation among countries in the region. Thus, from being a potential threat China became a potential co-operative partner. Chapter Two: A Look into ASEAN ASEAN was originally formed on 8th August 1967 in Bangkok, Thailand, by Indonesia, Malaysia, the Philippines, Singapore and Thailand. Nevertheless, ASEAN was not the first regional group created to act as a forum for dialogue between the leaders of different countries. 
Though, it is the only one which could work in the region. The aim of the foundation of ASEAN was to promote peace and stability in the region and also contain the spread of communism in Southeast Asia. For this reason, China did not engage ASEAN until 1990. However, in 1978 with the establishment of the open up policy China started engaging other countries. It started building trust among its neighboring countries by using soft power. By 1992, China formalized its diplomatic ties with ASEAN as a group. The diplomatic ties between China and ASEAN focus on multilateralism and co-operation as the best way for a more peaceful Asia and the search for common security. Thus, security in the region is promoted through economic co-operation among the states. Therefore the relation between China – ASEAN emphasizes the five principles of peaceful coexistence, mutual benefits in economic co-operation, dialogue promoting trust and the peaceful settlement of disputes. Chapter Three: China-ASEAN Economic Relations Since 1978 The economic reform of 1978 has greatly contributed to the economic development of China. After the adoption of the open up policy, China has been able to establish economic and trade relations with the outside world. The realist school of thought had predicted that Asia will not be stable in the post cold war period. Nevertheless, this has not been the case in Asia. China is growing peacefully with the co-operation of countries in the region. China is establishing strong ties with its neighboring countries. China and ASEAN relations focus on mutual benefit instead of being a zero sum game. Thus these relations are aimed at encouraging trust and economic co-operation in the region. China and ASEAN have agreed on Free Trade to assure that the two parties benefit from the co-operation. The ACFTA will have a great impact on economic, political and security issues. 
This will enable China to increase its influence in Asia and counterbalance the influences that Japan and U.S have in the region. Chapter Four: China ASEAN Relations in the Security Perspective This Chapter is about China and ASEAN relations on security issues. The new security issues of the post cold war period need to be solved in a multilateral way. China as a major power in the region, through its engagement policy has solved most of the disputes in the region using multilateral means. China has also found ways to solve the dispute over Spratly Islands peacefully, through dialogue using ASEAN. Additionally, China signed the Treaty of Amity in 2003, promoted security initiatives through ARF, Declaration on Conduct of Parties in the South China Sea and documents covering non-traditional security threats, economic co-operation and agricultural co-operation in November 2002, and the Joint Declaration on Strategic. Chapter Five: Finding and Analysis This chapter provides a quantitative and qualitative analysis of the data collected throughout this research. It provides an analysis of how the rise of China is promoting peace in the region. China has been promoting mutually beneficial trade and security co-operation which has increased its influence in the region. China has also been able to solve most of the territorial and border disputes in the region through ASEAN. Thus, ASEAN has amended China’s relations with other countries in the region. Therefore, China’s foreign policy in the region has a big impact in shaping the dynamic relations in East Asia. Conclusion and Recommendations This paper concluded that the relationships between China and ASEAN are contributing to peace in the region. After China engaged ASEAN, it has been able to promote multilateral trade based on mutual benefit. This is clearly emphasized by the CAFTA. Additionally, China has solved most of the disputes in the region. 
It has also found a way for a peaceful resolution of the dispute over Spratly Island. Nowadays, the ASEAN countries don’t see China as a threat to the region. Nevertheless, they’ve adopted deterrence measures such as establishing diplomatic relations with other big powers in the region to assure that the region continues to grow peacefully. Concerning these deterrence measures, I recommend as another way for a continued peaceful growth, the resolution of the outstanding dispute.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

In this paper we argue that socially responsible policies have a positive impact on a firm's brand equity in the short-term as well as in the long-term. Moreover, once we distinguish between different stakeholders, we posit that secondary stakeholders such as community are even more important than primary stakeholders (customers, shareholders, workers and suppliers) in generating brand equity. Policies aimed at satisfying community interests act as a mechanism to reinforce trust that gives further credibility to socially responsible policies with other stakeholders. The result is a decrease in conflicts among stakeholders and greater stakeholder willingness to provide intangible resources that enhance brand equity. We provide support for our theoretical contentions making use of panel data composed of 57 firms from 10 countries (the US, Japan, South Korea, France, the UK, Italy, Germany, Finland, Switzerland and the Netherlands) for the period 2002 to 2007. We use detailed information on brand equity obtained from Interbrand and on corporate social responsibility (CSR) provided by the SiRi Global Profile database, as compiled by the Sustainable Investment Research International Company (SiRi).

Relevance:

30.00% 30.00%

Publisher:

Abstract:

Summary: Classical cryptography is based on mathematical concepts whose security depends on the complexity of computing the inverse of functions. This type of encryption is at the mercy of the computing power of computers and of the discovery of algorithms that compute the inverses of certain mathematical functions in a "reasonable" time. The use of a process whose security is scientifically proven is therefore indispensable, especially for critical exchanges (banking systems, governments, ...). Quantum cryptography meets this need. Indeed, its security is based on laws of quantum physics that ensure unconditionally secure operation. However, the application and integration of quantum cryptography are a concern for the developers of this type of solution. This thesis justifies the need to use quantum cryptography. It shows that the cost incurred by deploying this solution is justified. It proposes a simple and feasible mechanism for integrating quantum cryptography into widely used communication protocols such as PPP, IPSec and the 802.11i protocol. Application scenarios illustrate the feasibility of these solutions. A methodology for evaluating solutions based on quantum cryptography according to the Common Criteria is also proposed in this document. Abstract: Classical cryptography is based on mathematical functions. The robustness of a cryptosystem essentially depends on the difficulty of computing the inverse of its one-way function. There is no mathematical proof that establishes whether it is impossible to find the inverse of a given one-way function. Therefore, it is mandatory to use a cryptosystem whose security is scientifically proven (especially for banking, governments, etc.). On the other hand, the security of quantum cryptography can be formally demonstrated. 
In fact, its security is based on the laws of physics that assure unconditional security. How is it possible to use and integrate quantum cryptography into existing solutions? This thesis proposes a method to integrate quantum cryptography into existing communication protocols like PPP, IPSec and the 802.11i protocol. It sketches out some possible scenarios in order to prove the feasibility and to estimate the cost of such scenarios. Directives and checkpoints are given to help in certifying quantum cryptography solutions according to Common Criteria.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

Aim Structure of the Thesis In the first article, I focus on the context in which the Homo Economicus was constructed - i.e., the conception of economic actors as fully rational, informed, egocentric, and profit-maximizing. I argue that the Homo Economicus theory was developed in a specific societal context with specific (partly tacit) values and norms. These norms have implicitly influenced the behavior of economic actors and have framed the interpretation of the Homo Economicus. Different factors however have weakened this implicit influence of the broader societal values and norms on economic actors. The result is an unbridled interpretation and application of the values and norms of the Homo Economicus in the business environment, and perhaps also in the broader society. In the second article, I show that the morality of many economic actors relies on isomorphism, i.e., the attempt to fit into the group by adopting the moral norms surrounding them. In consequence, if the norms prevailing in a specific group or context (such as a specific region or a specific industry) change, it can be expected that actors with an 'isomorphism morality' will also adapt their ethical thinking and their behavior -for the 'better' or for the 'worse'. The article further describes the process through which corporations could emancipate from the ethical norms prevailing in the broader society, and therefore develop an institution with specific norms and values. These norms mainly rely on mainstream business theories praising the economic actor's self-interest and neglecting moral reasoning. Moreover, because of isomorphism morality, many economic actors have changed their perception of ethics, and have abandoned the values prevailing in the broader society in order to adopt those of the economic theory. Finally, isomorphism morality also implies that these economic actors will change their morality again if the institutional context changes. 
The third article highlights the role and responsibility of business scholars in promoting a systematic reflection and self-critique of the business system and develops alternative models to fill the moral void of the business institution and its inherent legitimacy crisis. Indeed, the current business institution relies on assumptions such as scientific neutrality and specialization, which seem at least partly challenged by two factors. First, self-fulfilling prophecy provides scholars with an important (even if sometimes undesired) normative influence over practical life. Second, the increasing complexity of today's (socio-political) world and interactions between the different elements constituting our society question the strong specialization of science. For instance, economic theories are not unrelated to psychology or sociology, and economic actors influence socio-political structures and processes, e.g., through lobbying (Dobbs, 2006; Rondinelli, 2002), or through marketing which changes not only the way we consume, but more generally tries to instill a specific lifestyle (Cova, 2004; M. K. Hogg & Michell, 1996; McCracken, 1988; Muniz & O'Guinn, 2001). In consequence, business scholars are key actors in shaping both tomorrow's economic world and its broader context. A greater awareness of this influence might be a first step toward an increased feeling of civic responsibility and accountability for the models and theories developed or taught in business schools.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

EXECUTIVE SUMMARY: Evaluating Information Security Posture within an organization is becoming a very complex task. Currently, the evaluation and assessment of Information Security are commonly performed using frameworks, methodologies and standards which often consider the various aspects of security independently. Unfortunately, this is ineffective because it does not take into consideration the necessity of having a global and systemic multidimensional approach to Information Security evaluation. At the same time the overall security level is globally considered to be only as strong as its weakest link. This thesis proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat will exploit the weakest link. A formalized structure taking into account all security elements is presented; this is based on a methodological evaluation framework in which Information Security is evaluated from a global perspective. This dissertation is divided into three parts. Part One: Information Security Evaluation issues consists of four chapters. Chapter 1 is an introduction to the purpose of this research and the Model that will be proposed. In this chapter we raise some questions with respect to "traditional evaluation methods" as well as identifying the principal elements to be addressed in this direction. Then we introduce the baseline attributes of our model and set out the expected result of evaluations according to our model. Chapter 2 is focused on the definition of Information Security to be used as a reference point for our evaluation model. The inherent concepts of the contents of a holistic and baseline Information Security Program are defined. Based on this, the most common roots-of-trust in Information Security are identified. Chapter 3 focuses on an analysis of the difference and the relationship between the concepts of Information Risk and Security Management.
Comparing these two concepts allows us to identify the most relevant elements to be included within our evaluation model, while clearly situating these two notions within a defined framework is of the utmost importance for the results that will be obtained from the evaluation process. Chapter 4 sets out our evaluation model and the way it addresses issues relating to the evaluation of Information Security. Within this Chapter the underlying concepts of assurance and trust are discussed. Based on these two concepts, the structure of the model is developed in order to provide an assurance related platform as well as three evaluation attributes: "assurance structure", "quality issues", and "requirements achievement". Issues relating to each of these evaluation attributes are analysed with reference to sources such as methodologies, standards and published research papers. Then the operation of the model is discussed. Assurance levels, quality levels and maturity levels are defined in order to perform the evaluation according to the model. Part Two: Implementation of the Information Security Assurance Assessment Model (ISAAM) according to the Information Security Domains consists of four chapters. This is the section where our evaluation model is put into a well-defined context with respect to the four pre-defined Information Security dimensions: the Organizational dimension, Functional dimension, Human dimension, and Legal dimension. Each Information Security dimension is discussed in a separate chapter. For each dimension, the following two-phase evaluation path is followed. The first phase concerns the identification of the elements which will constitute the basis of the evaluation:
• Identification of the key elements within the dimension;
• Identification of the Focus Areas for each dimension, consisting of the security issues identified for each dimension;
• Identification of the Specific Factors for each dimension, consisting of the security measures or control addressing the security issues identified for each dimension.
The second phase concerns the evaluation of each Information Security dimension by:
• The implementation of the evaluation model, based on the elements identified for each dimension within the first phase, by identifying the security tasks, processes, procedures, and actions that should have been performed by the organization to reach the desired level of protection;
• The maturity model for each dimension as a basis for reliance on security.
For each dimension we propose a generic maturity model that could be used by every organization in order to define its own security requirements. Part three of this dissertation contains the Final Remarks, Supporting Resources and Annexes. With reference to the objectives of our thesis, the Final Remarks briefly analyse whether these objectives were achieved and suggest directions for future related research. Supporting resources comprise the bibliographic resources that were used to elaborate and justify our approach. Annexes include all the relevant topics identified within the literature to illustrate certain aspects of our approach. Our Information Security evaluation model is based on and integrates different Information Security best practices, standards, methodologies and research expertise which can be combined in order to define a reliable categorization of Information Security. After the definition of terms and requirements, an evaluation process should be performed in order to obtain evidence that the Information Security within the organization in question is adequately managed. We have specifically integrated into our model the most useful elements of these sources of information in order to provide a generic model able to be implemented in all kinds of organizations.
The value added by our evaluation model is that it is easy to implement and operate and answers concrete needs in terms of reliance upon an efficient and dynamic evaluation tool through a coherent evaluation system. On that basis, our model could be implemented internally within organizations, allowing them to better govern their Information Security.
RÉSUMÉ: General context of the thesis. The evaluation of security in general, and of information security in particular, has become for organizations not only a crucial task to carry out but also an increasingly complex one. At present, this evaluation is based mainly on methodologies, best practices, norms or standards that address separately the different aspects that make up information security. We believe that this way of evaluating security is inefficient, because it does not take into account the interaction of the different dimensions and components of security with one another, even though it has long been accepted that the overall security level of an organization is always that of the weakest link in the security chain. We have identified the need for a global, integrated, systemic and multidimensional approach to the evaluation of information security. Indeed, and this is the starting point of our thesis, we demonstrate that only a global consideration of security will make it possible to meet the requirements of optimal security as well as the specific protection needs of an organization. Thus, our thesis proposes a new paradigm for evaluating security in order to satisfy the effectiveness and efficiency needs of a given organization.
We then propose a model that aims to evaluate holistically all the dimensions of security, in order to minimize the probability that a potential threat could exploit vulnerabilities and cause direct or indirect damage. This model is based on a formalized structure that takes into account all the elements of a security system or programme. Thus, we propose a methodological evaluation framework that considers information security from a global perspective. Structure of the thesis and topics covered: Our document is structured in three parts. The first, entitled "The problem of evaluating information security", consists of four chapters. Chapter 1 introduces the object of the research as well as the basic concepts of the proposed evaluation model. The traditional way of evaluating security is subjected to a critical analysis in order to identify the principal and invariant elements to be taken into account in our holistic approach. The basic elements of our evaluation model and its expected operation are then presented so that the results expected from this model can be outlined. Chapter 2 focuses on the definition of the notion of Information Security. This is not a redefinition of the notion of security, but a putting into perspective of the dimensions, criteria and indicators to be used as a reference baseline, in order to determine the object of the evaluation that will be used throughout our work. The concepts inherent in what constitutes the holistic character of security, as well as the constituent elements of a security reference level, are defined accordingly. This makes it possible to identify what we have called "the roots of trust".
Chapter 3 presents and analyses the difference and the relationships between the processes of Risk Management and Security Management, in order to identify the constituent elements of the protection framework to be included in our evaluation model. Chapter 4 is devoted to presenting our evaluation model, the Information Security Assurance Assessment Model (ISAAM), and the way in which it meets the evaluation requirements as we have previously presented them. In this chapter the underlying concepts relating to the notions of assurance and trust are analysed. Based on these two concepts, the structure of the evaluation model is developed to obtain a platform that offers a certain level of guarantee by relying on three evaluation attributes, namely: "the trust structure", "the quality of the process", and "the achievement of requirements and objectives". The issues related to each of these evaluation attributes are analysed on the basis of the state of the art in research and the literature, the various existing methods, and the most common norms and standards in the field of security. On this basis, three different evaluation levels are constructed, namely the assurance level, the quality level and the maturity level, which constitute the basis for evaluating the overall state of an organization's security. The second part, "Application of the Information Security Assurance Assessment Model by security domain", also consists of four chapters. The evaluation model already constructed and analysed is, in this part, placed in a specific context according to the four predefined security dimensions, which are: the Organizational dimension, the Functional dimension, the Human dimension, and the Legal dimension.
Each of these dimensions and its specific evaluation is the subject of a separate chapter. For each dimension, a two-phase evaluation is constructed as follows. The first phase concerns the identification of the elements that constitute the basis of the evaluation:
• Identification of the key elements of the evaluation;
• Identification of the "Focus Areas" for each dimension, which represent the issues found within the dimension;
• Identification of the "Specific Factors" for each Focus Area, which represent the security and control measures that help to resolve or reduce the impacts of risks.
The second phase concerns the evaluation of each of the dimensions previously presented. It consists, on the one hand, of the implementation of the general evaluation model for the dimension concerned by:
• Relying on the elements specified during the first phase;
• Identifying the specific security tasks, processes and procedures that should have been carried out to reach the desired level of protection.
On the other hand, the evaluation of each dimension is completed by the proposal of a maturity model specific to each dimension, which is to be regarded as a reference baseline for the overall level of security. For each dimension we propose a generic maturity model that can be used by every organization in order to specify its own security requirements. This constitutes an innovation in the field of evaluation, which we justify for each dimension and whose added value we systematically highlight. The third part of our document relates to the overall validation of our proposal and contains, by way of conclusion, a critical perspective on our work and final remarks. This last part is completed by a bibliography and annexes.
Our security evaluation model integrates and is based on numerous sources of expertise, such as best practices, norms, standards, methods and the expertise of scientific research in the field. Our constructive proposal responds to a genuine and as yet unsolved problem that all organizations must face, regardless of size and profile. It would allow them to specify their particular requirements regarding the level of security to be met, and to instantiate an evaluation process specific to their needs so that they can ensure that their information security is managed appropriately, thereby offering a certain level of confidence in the degree of protection provided. We have integrated into our model the best of the know-how, experience and expertise currently available internationally, with the aim of providing an evaluation model that is simple, generic and applicable to a large number of public or private organizations. The added value of our evaluation model lies precisely in the fact that it is sufficiently generic and easy to implement while providing answers to the concrete needs of organizations. Our proposal thus constitutes a reliable, efficient and dynamic evaluation tool deriving from a coherent evaluation approach. As a result, our evaluation system can be implemented in-house by the company itself, without recourse to additional resources, and also gives it the possibility of better governing its information security.

Relevance:

30.00% 30.00%

Publisher:

Relevance:

30.00% 30.00%

Publisher:

Abstract:

Evidence collected from smartphone users shows a growing desire for the personalization offered by services for mobile devices. However, the need to accurately identify users' contexts has important implications for users' privacy, and it increases the amount of trust that users are requested to place in the service providers. In this paper, we introduce a model that describes the role of personalization and control in users' assessment of the costs and benefits associated with the disclosure of private information. We present an instantiation of this model, a context-aware application for smartphones based on the Android operating system, in which users' private information is protected. Focus group interviews were conducted to examine users' privacy concerns before and after having used our application. The results obtained confirm the utility of our artifact and provide support for our theoretical model, which extends previous literature on privacy calculus and users' acceptance of context-aware technology.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

The study examined how scenario analysis can be used in researching new technology. The work found that the applicability of scenario analysis is most affected by the level of technological change and the nature of the available information. The scenario method is well suited to the study of new technologies, especially in the case of radical innovations. The reason is the high uncertainty, complexity and change of the prevailing paradigm associated with them, because of which many other futures-research methods are not usable in this situation. The empirical part of the work studied the future of grid technology by means of scenario analysis. Grids were seen as a potentially disruptive technology which, as a radical innovation, may change computing from the current product-based purchasing of computing capacity to a service-based model. This would have a major impact on the entire current ICT industry, particularly owing to the use of on-demand computing. The study examined developments up to the year 2010. Based on theory and existing information, and relying on strong expert knowledge, four possible environmental scenarios were formed for grids. The scenarios showed that the commercial success of the technology still lies behind many challenges. In particular, trust and the creation of added value emerged as the most important factors steering the future of grids.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

In the first part of this paper, we present the various academic debates and, where applicable, questions that remain open in the literature, particularly regarding the nature of trust, the distinction between trust and trustworthiness, its role in specific relationships and its relationship to control. We then propose a way of demarcating and operationalizing the concepts of trust and trustworthiness. In the second part, on the basis of the conceptual clarifications we present, we put forward a number of "anchor points" regarding how trust is apprehended in the public sector with regard to the various relationships that can be studied. Schematically, we distinguish between two types of relationships in the conceptual approach to trust: on one hand, the trust that citizens, or third parties, place in the State or in various public sector authorities or entities, and on the other hand, trust within the State or the public sector, between its various authorities, entities, and actors. While studies have traditionally focused on citizens' trust in their institutions, the findings, limitations and problems observed in public-sector coordination following the reforms associated with New Public Management have also elicited growing interest in the study of trust in the relationships between the various actors within the public sector. Both the theoretical debates we present and our propositions have been extracted and adapted from an empirical comparative study of coordination between various Swiss public-service organizations and their politico-administrative authority. Using the analysis model developed for this specific relationship, between various actors within the public service, and in the light of theoretical elements on which development of this model was based, we propose some avenues for further study - questions that remain open - regarding the consideration and understanding of citizens' trust in the public sector.