
Publication


Featured research published by Tobias Mahler.


international conference on trust management | 2005

Specifying legal risk scenarios using the CORAS threat modelling language

Fredrik Vraalsen; Mass Soldal Lund; Tobias Mahler; Xavier Parent; Ketil Stølen

The paper makes two main contributions: (1) It presents experiences from using the CORAS language for security threat modelling to specify legal risk scenarios. These experiences are summarised in the form of requirements to a more expressive language providing specific support for the legal domain. (2) Its second main contribution is to present ideas towards the fulfilment of these requirements. More specifically, it extends the CORAS conceptual model for security risk analysis with legal concepts and associations. Moreover, based on this extended conceptual model, it introduces a number of promising language constructs addressing some of the identified deficiencies.


IEEE Internet Computing | 2008

Bridging the Gap between Legal and Technical Contracts

Alvaro Arenas; Michael D. Wilson; Shirley Crompton; Dana Cojocarasu; Tobias Mahler; Lutz Schubert

Two or more parties typically establish a business relationship using a contract, but a large gap still exists between the provisions of contracts produced by lawyers and the details of computer security and performance addressed by technologists. Some contractual clauses address legal issues that technology can manage as well - the TrustCoM framework offers a paradigm for automating these clauses as technical operations. If a business relationship forms across a service-oriented architecture, the parties involved often manage their collaboration as a virtual organization (VO). In TrustCoM, agreements are the key means of steering VO collaborations and mitigating the risks inherent in integrating processes and resources across organizational boundaries.


Interoperability for Enterprise Software and Applications (I-ESA'06), 22-24 Mar 2006, Bordeaux, France | 2007

The TrustCoM approach to enforcing agreements between interoperating enterprises

Michael D. Wilson; David W. Chadwick; Theo Dimitrakos; Jürgen Doser; Pablo Giambiagi; David Golby; Christian Geuer-Pollman; Jochen Haller; Stølen Ketil; Tobias Mahler; Lorenzo D. Martino; Xavier Parent; Santi Ristol; Jakka Sairamesh; Lutz Schubert; Nilufer Tuptuk

Abstract. To respond to market opportunities enterprises must interoperate with each other within dynamic virtual organizations (VO) when they do not control the required resources themselves. The TrustCoM project is developing a framework for trust, security and contract management for dynamic VO. The core contribution of the TrustCoM framework is its ability to define a contractual agreement between VO members at a business level and have it specified, monitored and updated at a technical, operational level within a service oriented architecture. The main innovation in TrustCoM is to apply recent research results on policy based security in distributed computing management, role based access control and reputation management to bridge the gap between VO Agreements and managed Web Services.

1. INTRODUCTION

In the 1980’s the main interoperability challenge for enterprises was to support syntactic interchange of information within organisations. In the 1990’s the challenge advanced from syntax and structure to address semantics (e.g., Sheth, 1999). One solution to this is to use service oriented architectures implemented as web services or the grid where service interfaces can be clearly defined. The challenge for the early


trust and privacy in digital business | 2010

Privacy policy referencing

Audun Jøsang; Lothar Fritsch; Tobias Mahler

Data protection legislation was originally defined for a context where personal information is mostly stored on centralized servers with limited connectivity and openness to 3rd party access. Currently, servers are connected to the Internet, where a large amount of personal information is continuously being exchanged as part of application transactions. This is very different from the original context of data protection regulation. Even though there are rather strict data protection laws in an increasing number of countries, it is in practice rather challenging to ensure an adequate protection for personal data that is communicated on-line. The enforcement of privacy legislation and policies therefore might require a technological basis, which is integrated with adequate amendments to the legal framework. This article describes a new approach called Privacy Policy Referencing, and outlines the technical and the complementary legal framework that needs to be established to support it.


international conference on web engineering | 2016

Is a Picture Worth a Thousand Terms? Visualising Contract Terms and Data Protection Requirements for Cloud Computing Users

Samson Yoseph Esayas; Tobias Mahler; Kevin D McGillivray

The following article evaluates two models for providing purchasers of online digital content, including cloud computing services, with visual notice of contract terms and data collection practices. Visualisation of contract terms and privacy policies has the potential to provide cloud consumers with an improved means of understanding the contract terms they are accepting when entering into an agreement with a Cloud Service Provider (CSP). The following paper examines two concrete proposals or models for the visualisation of contract terms and privacy practices as compliance tools in the European context. The article focuses primarily on consumer and data protection law. Although the visualisation models are not currently binding or legally required, they start an important conversation on how such terms can be more effectively conveyed.


working conference on virtual enterprises | 2005

Legal Risk Analysis with Respect to IPR in a Collaborative Engineering Virtual Organization

Tobias Mahler; Fredrik Vraalsen

Establishing and operating a virtual organization implies a number of challenges from many different perspectives, including socio-economic, organizational, legal and computational issues. This paper focuses on the legal aspects with a particular view on legal risks with respect to intellectual property rights. A risk analysis with respect to legal issues can either be based on abstract legal reasoning or it can focus on the business reality and the specific characterizations of the virtual organization. This paper follows the latter approach; it presents selected findings of a legal risk analysis of a business scenario in the collaborative engineering field. The legal risk analysis was performed in collaboration between lawyers and other professionals in order to highlight how different legal and non-legal aspects relate to each other. Graphical models of risks and treatments were utilized in order to reduce communicational barriers between experts in this multidisciplinary setting.


communications and networking symposium | 2015

An integrated method for compliance and risk assessment

Samson Yoseph Esayas; Tobias Mahler; Fredrik Seehusen; Frode Bjornstad; Veda Brubakk

This paper presents an integrated method for risk and compliance assessment and its evaluation in a case study. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modeling compliance risks have been developed. The lack of methodological and tool support means the compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. As part of the integrated method, a structured approach for the identification of compliance risks and their graphical modelling is provided. The main goal of the structured approach is to facilitate the identification and assessment of compliance risks and their subsequent documentation in a consistent and reusable fashion. The method is applied in a case study with the aim of assessing the compliance concerns in adopting cloud services. Our experience in the case study demonstrates that the integrated method enables a better structuring in the identification of compliance risks and yields reusable results. As well, the method facilitates communication among different expertise and mitigates subjectivity in making compliance decisions.


ieee international technology management conference | 2005

Legal issues in SME clusters

Vicky Cooper; Marco Conte; Tobias Mahler

The purpose of this paper is to analyse the legal and other barriers to the formation and development of clusters of small and medium-sized enterprises (“SMEs”) using practical case studies from across the European Union to draw out common issues at various stages of the cluster development.


Artificial Intelligence and Law | 2015

Modelling compliance risk: a structured approach

Samson Yoseph Esayas; Tobias Mahler

This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for a graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating a potential future automated model.


International Journal of Law and Information Technology | 2014

A gTLD right? Conceptual challenges in the expanding internet domain namespace

Tobias Mahler

Many new generic top-level domains (gTLDs) are currently being added to the internet’s domain name system. It is, therefore, important to ask how we should conceptualize the legal aspects of this expansion. This article focuses on the legal position acquired by a successful applicant for a new gTLD. It examines several possible concepts and proposes a ‘gTLD right’ as a potential new addition to our conceptual framework. This is intended to denote the contractually based bundle of rights in a gTLD string. The proposal is based on the finding that several other relevant concepts do not adequately describe the legal position of a successful gTLD applicant. In particular, it is difficult to claim that the applicant acquires a property right in the gTLD string. Moreover, while it is technically adequate to say that the gTLD is ‘delegated into the internet root’, the legal concept of ‘delegation’ does not adequately capture the contractual foundation of this bundle of rights.

Collaboration


Dive into Tobias Mahler's collaboration.

Top Co-Authors

Michael D. Wilson

Rutherford Appleton Laboratory
