Identity, addressing, authenticity and audit requirements for trust in ERP, analytics and big/open data in a “Cloud” computing environment : a review and proposal

Enterprises, both public and private, have rapidly commenced using the benefits of enterprise resource planning (ERP) combined with business analytics and “open data sets” which are often outside the control of the enterprise to gain further efficiencies, build new service operations and increase business activity. In many cases, these business activities are based around relevant software systems hosted in a “cloud computing” environment. “Garbage in, garbage out”, or “GIGO”, is a term long used to describe problems in unqualified dependency on information systems, dating from the 1960s. However, a more pertinent variation arose sometime later, namely “garbage in, gospel out” signifying that with large scale information systems, such as ERP and usage of open datasets in a cloud environment, the ability to verify the authenticity of those data sets used may be almost impossible, resulting in dependence upon questionable results. Illicit data set “impersonation” becomes a reality. At the same time the ability to audit such results may be an important requirement, particularly in the public sector. This paper discusses the need for enhancement of identity, reliability, authenticity and audit services, including naming and addressing services, in this emerging environment and analyses some current technologies that are offered and which may be appropriate. However, severe limitations to addressing these requirements have been identified and the paper proposes further research work in the area.

Trust in merged ERP and open data schemes in the “Cloud”

Enterprise resource planning (ERP) systems are rapidly being combined with “big data” analytics processes and publicly available “open data sets”, which are usually outside the arena of the enterprise, to expand activity through better service to current clients as well as identifying new opportunities. Moreover, these activities are now largely based around relevant software systems hosted in a “cloud computing” environment. However, the over 50- year old phrase related to mistrust in computer systems, namely “garbage in, garbage out” or “GIGO”, is used to describe problems of unqualified and unquestioning dependency on information systems. However, a more relevant GIGO interpretation arose sometime later, namely “garbage in, gospel out” signifying that with large scale information systems based around ERP and open datasets as well as “big data” analytics, particularly in a cloud environment, the ability to verify the authenticity and integrity of the data sets used may be almost impossible. In turn, this may easily result in decision making based upon questionable results which are unverifiable. Illicit “impersonation” of and modifications to legitimate data sets may become a reality while at the same time the ability to audit any derived results of analysis may be an important requirement, particularly in the public sector. The pressing need for enhancement of identity, reliability, authenticity and audit services, including naming and addressing services, in this emerging environment is discussed in this paper. Some current and appropriate technologies currently being offered are also examined. However, severe limitations in addressing the problems identified are found and the paper proposes further necessary research work for the area. (Note: This paper is based on an earlier unpublished paper/presentation “Identity, Addressing, Authenticity and Audit Requirements for Trust in ERP, Analytics and Big/Open Data in a ‘Cloud’ Computing Environment: A Review and Proposal” presented to the Department of Accounting and IT, College of Management, National Chung Chen University, 20 November 2013.)

Climate change and financial regulation : challenges for the financial sector post the Global Financial Crisis

Regulation has played a significant role in shaping the financial services sector in Australia over the past few decades. Regulatory changes have included the establishment of the Australian Prudential Regulation Authority (APRA), floating the Australian dollar, allowing foreign financial institutions to operate domestically, the introduction of the superannuation guarantee charge, and the removal of interest rate controls. As the economy emerges from the worst financial crisis since the great depression, a new force of change that is recognised as one of the most significant sources of risk and opportunity facing the business community in the foreseeable future is that of climate change. Climate change is expected to be a significant change agent in the financial services sector as extreme weather patterns, sea level rises, and atmospheric changes impact on asset values (both investment and lending), project finance, and risk products. The financial services industry will be particularly affected by these developments, both as a provider of financial products (capital, credit, investment, advice, and insurance), and also through its powerful influence on the economy in terms of capital allocation. In addition, industry constituents will be heavily impacted by government regulation in this area (reporting, emissions trading and environmental policies), with respect to their own business practices and also those of their clients. This study reports the results of interviews conducted with senior members of the finance sector working in the sustainability area to gauge their perceptions of the challenges facing the sector with respect to climate change. Our results confirm that that regulatory intervention will be critical to climate change response gaining traction and momentum. In particular, regulatory certainty will promote engagement, particularly in relation to the Carbon Pollution Reduction Scheme (CPRS), with other developments needed in terms of information disclosure, performance and remuneration, and incentive programs. Accordingly, the significant potential risks and opportunities that climate change presents to the sector, and the broader economy, will in part be managed/realised only if a swift and significant regulatory response is achieved.

Determining safety climate factors in the repair, maintenance, minor alteration, and addition sector of Hong Kong

The accident record of the repair, maintenance, minor alteration, and addition (RMAA) sector has been alarmingly high; however, research in the RMAA sector remains limited. Unsafe behavior is considered one of the key causes of accidents. Thus, the organizational factors that influence individual safety behavior at work continue to be the focus of many studies. The safety climate, which reflects the true priority of safety in an organization, has drawn much attention. Safety climate measurement helps to identify areas for safety improvement. The current study aims to identify safety climate factors in the RMAA sector. A questionnaire survey was conducted in the RMAA sector in Hong Kong. Data were randomly split into the calibration and the validation samples. The RMAA safety climate factors were determined by exploratory factor analysis on the calibration sample. Three safety climate factors of the RMAA works were identified: (1) management commitment to occupational health and safety (OHS) and employee involvement, (2) application of safety rules and work practices, and; (3) responsibility for health and safety. Confirmatory factor analysis (CFA) was then conducted on the validation sample. The CFA model showed satisfactory goodness of fit, reliability, and validity. The suggested RMAA safety climate factors can be utilized by construction industry practitioners in developed economies to measure the safety climate of their RMAA projects, thereby enhancing the safety of RMAA works.

Security analysis of Australian and E.U. e-passport implementation

This paper makes a formal security analysis of the current Australian e-passport implementation using model checking tools CASPER/CSP/FDR. We highlight security issues in the current implementation and identify new threats when an e-passport system is integrated with an automated processing system like SmartGate. The paper also provides a security analysis of the European Union (EU) proposal for Extended Access Control (EAC) that is intended to provide improved security in protecting biometric information of the e-passport bearer. The current e-passport specification fails to provide a list of adequate security goals that could be used for security evaluation. We fill this gap; we present a collection of security goals for evaluation of e-passport protocols. Our analysis confirms existing security weaknesses that were previously identified and shows that both the Australian e-passport implementation and the EU proposal fail to address many security and privacy aspects that are paramount in implementing a secure border control mechanism. ACM Classification C.2.2 (Communication/Networking and Information Technology – Network Protocols – Model Checking), D.2.4 (Software Engineering – Software/Program Verification – Formal Methods), D.4.6 (Operating Systems – Security and Privacy Protection – Authentication)

On the (in)security of IDEA in various hashing modes

In this article, we study the security of the IDEA block cipher when it is used in various simple-length or double-length hashing modes. Even though this cipher is still considered as secure, we show that one should avoid its use as internal primitive for block cipher based hashing. In particular, we are able to generate instantaneously free-start collisions for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions in practical complexity. This work shows a practical example of the gap that exists between secret-key and known or chosen-key security for block ciphers. Moreover, we also settle the 20-year-old standing open question concerning the security of the Abreast-DM and Tandem-DM double-length compression functions, originally invented to be instantiated with IDEA. Our attacks have been verified experimentally and work even for strengthened versions of IDEA with any number of rounds.

Privacy enhancements for hardware-based security modules

The increasing growth in the use of Hardware Security Modules (HSMs) towards identification and authentication of a security endpoint have raised numerous privacy and security concerns. HSMs have the ability to tie a system or an object, along with its users to the physical world. However, this enables tracking of the user and/or an object associated with the HSM. Current systems do not adequately address the privacy needs and as such are susceptible to various attacks. In this work, we analyse various security and privacy concerns that arise when deploying such hardware security modules and propose a system that allow users to create pseudonyms from a trusted master public-secret key pair. The proposed system is based on the intractability of factoring and finding square roots of a quadratic residue modulo a composite number, where the composite number is a product of two large primes. Along with the standard notion of protecting privacy of an user, the proposed system offers colligation between seemingly independent pseudonyms. This new property when combined with HSMs that store the master secret key is extremely beneficial to a user, as it offers a convenient way to generate a large number of pseudonyms using relatively small storage requirements.

On the security of PAS (predicate-based authentication service)

Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Factors for IT-enabled public sector process improvements in developing economies

IT resources are indispensable in the management of Public Sector Organizations (PSOs) around the world. We investigate the factors that could leverage the IT resources in PSOs in developing economies. While research on ways to leverage IT resources in private sector organizations of developed countries is substantial, our understanding on ways to leverage the IT resources in the public sector in developing countries is limited. The current study aspires to address this gap in the literature by seeking to determine the key factors required to create process value from public sector IT investments in developing countries. We draw on the resource-centric theories to imply the nature of factors that could leverage the IT resources in the public sector. Employing an interpretive design, we identified three factors necessary for IT process value generation in the public sector. We discuss these factors and state their implications to theory and practice.

Formal security analysis of Australian e-passport implementation

This paper provides a detailed description of the current Australian e-passport implementation and makes a formal verification using model checking tools CASPER/CSP/FDR. We highlight security issues present in the current e-passport implementation and identify new threats when an e-passport system is integrated with an automated processing systems like SmartGate. Because the current e-passport specification does not provide adequate security goals, to perform a rational security analysis we identify and describe a set of security goals for evaluation of e-passport protocols. Our analysis confirms existing security issues that were previously informally identified and presents weaknesses that exists in the current e-passport implementation.

Evolving a design driven ‘hybrid’ research approach to inform and advance sustainable outcomes in the built environment sector

A significant reduction in global greenhouse gas (GHG) emissions is a priority, and the preservation of existing building stock presents a significant opportunity to reduce the carbon footprint of our built environment. Within this ‘wicked’ problem context, and moving beyond the ad hoc and incremental performance improvements that have been made to date, collaborative and multidisciplinary efforts are required to find rapid and transformational solutions. Design has emerged as a strategic and redirective practice, and lessons can therefore be learned about transformation and potentially applied in the built environment. The purpose of this paper is to discuss a pragmatic and novel research approach for undertaking such applied design driven research. This paper begins with a discussion of key contributions from design science (rational) and action research (reflective) philosophies in creating an emerging methodological ‘hybrid design approach’. This research approach is then discussed in relation to its application to specific research exploring the processes, methods and lessons from design in heritage building retrofit projects. Drawing on both industry and academic knowledge to ensure relevance and rigour, it is anticipated that the hybrid design approach will be useful for others tackling such complex wicked problems that require context-specific solutions.

A game theoretical approach to construction safety in the Repair, Maintenance, Alteration and Addition (RMAA) sector

Safety has long been a problem in the construction industry. Repair, maintenance, alteration and addition (RMAA) sector has emerged to play an important role in the construction industry. It accounted for 53% of the total construction market in Hong Kong in 2007. Safety performance of the RMAA words has been alarming. Statistics indicate that the percentage of fatal industrial accidents arising from RMAA work in Hong Kong was over 56% in 2006 while the remaining 44% was from new works. Effective safety measures to address the safety problems and improve safety performance of the RMAA sector are urgently needed. Unsafe behaviour has been attributed to one of the major causes of accidents. Traditional cost-benefit analysis of workers' safety behaviour seems to be inadequate. This paper proposes to adopt a game theoretical approach to analyse safety behaviour of RMAA workers. Game theory is concerned with the decision-making process in situations where outcomes depend upon choices made by one or more players. A game theoretical model between contractor and worker has been proffered. Mathematical analysis of this game model has been done and implications of the analysis have been discussed.

Airports of the future : improving operation, security and experience

The final report for the ARC project "Airports of the Future". It contains the findings and recommendations provided by the various teams to the industry partners.

Entrepreneurship in the public sector : new possibilities?

Previous research has described potential roles for entrepreneurs in public sector organisations as either closely related to corporate entrepreneurship, or as normative prescriptions regarding the importance of entrepreneurship in the public sector (Ireland, Covin & Kuratko, 2009: Morris & Jones, 1999). While some might argue that entrepreneurship in the public sector context is an oxymoron, recent studies have demonstrated that entrepreneurship in the public sector is alive and well (Currie, Humphreys, Ucbasaran & McManus 2008; Kim, 2010). Entrepreneurship in the public sector can take many forms and generate a range of benefits but to date less attention has been given to the potential to generate new public value (Moore, 1995). The purpose of this paper is to increase our knowledge and understanding of the types of strategies and activities the public sector is using to capture initiative, create new public value, and generate new economic activity for the benefit of multiple stakeholders. This paper explores entrepreneurship in one public sector context. Findings indicate that entrepreneurship and commercialisation is more likely to be encouraged in contexts where contestability in develop and exploit capabilities.