Publication database

The Federal Chancellery recently finished its first draft of the revised Foreign Intelligence Service Law (BND-Gesetz) that has become necessary subsequent to the judgment of the Federal Constitutional Court in May of 2020. While the draft bill contains numerous improvements, some crucial provisions pertaining to the treatment of journalists and their trusted sources remain insufficient. The article analyses some of the problems.

GitLab is a software company that works “all remote” at the scale of more than 1000 employees located in more than 60 countries. GitLab has no physical office and its employees can work from anywhere they choose. Any step of the organizational life of a GitLab employee (e.g., hiring, onboarding and firing) is performed remotely, except for a yearly companywide gathering. GitLab strongly relies on asynchronous coordination, allowing employees to work anytime they want. After highlighting some of the main practices implemented by GitLab to effectively work all remotely and asynchronously, I asked renowned organizational scientists their thoughts on this interesting case and to question the generalizability of the all remote asynchronous model. Understanding whether and under what conditions this model can succeed can be of guidance for organizational designers that are now considering different remote models in response of the COVID-19 shock and its aftermath.

Over the past two decades, the progressing digital transformation has brought along a growing number of challenges in the context of security: internet crime, cyberwar and espionage, surveillance and autonomous weapons systems. While increased security measures seem indispensable, they need to be weighed against individual human rights guarantees. This chapter provides an overview of the pertinent questions.

The World Health Organization seeks effective ways to alert its member states about global pandemics. Motivated by this challenge, we study a public agency’s problem of designing warning policies to mitigate potential disasters that occur with advance notice. The agency privately receives early information about recurring harmful events and issues warnings to induce an uninformed stakeholder to take preemptive actions. The agency’s decision to issue a warning critically depends on its reputation, which we define as the stake- holder’s belief regarding the accuracy of the agency’s information. The agency faces then a trade-off between eliciting a proper response today and maintaining its reputation in order to elicit responses to future events.
We formulate this problem as a dynamic Bayesian persuasion game, which we solve in closed form. We find that the agency sometimes strategically misrepresents its advance information about a current threat in order to cultivate its future reputation. When its reputation is sufficiently low, the agency downplays the risk and actually downplays more as its reputation improves. By contrast, when its reputation is high, the agency sometimes exaggerates the threat and exaggerates more as its reputation deteriorates. Only when its reputation is moderate does the agency send warning messages that fully disclose its private information.
Our study suggests a plausible and novel rationale for some of the false alarms or omissions observed in practice. We further test the robustness of our findings to imperfect advance information, disasters without advance notice, and heterogeneous receivers.

Copyright © 2020, INFORMS

How can a company commit to maximizing stakeholder value while maintaining financial performance? Companies increasingly have the ambition to provide stakeholder value to their owners and shareholders, employees, consumers, suppliers, partners, the environment, and future generations. However, such companies often face difficulties in demonstrating the value they bring to stakeholders, due to the lack of universal methods for assessing their impact. Besides the practical need to develop a method for impact valuation, we researched the existing literature and discovered the lack of a holistic method to evaluate all impacts of a company using a common currency with flexible adaptations at different levels. We developed a new method called Sustainable Business Value (SBV) to address these gaps and enable companies to evaluate their impacts. We tested the SBV in two pilots. The SBV method differs from currently used methods, including sustainability reporting, sustainability rating and indices, and sustainability accounting. SBV can be used for decision-making, portfolio management, benchmarking, stakeholder communication, investor communication, and business development and also provides a comprehensive perspective of a company’s impact across six standardized dimensions. However, further development and standardization of proxies and cross-industry standards are needed.

The chapter summarises the current state of the application of international law to cyberspace and reviews attempts to find consensus among the community of states. While virtually all states agree that international law applies to state conduct in cyberspace, the 'how' remains a hotly contested issue. The chapter focuses on the prohibition of the use of force, the prohibition of intervention, and the principle of sovereignty and assesses their legal status vis-à-vis cyber operations. It follows a brief treatment of further international efforts to increase transnational cybersecurity, such as internet governance and arms control treaties.

Dieses Kapitels im Praxishandbuch "IT-Sicherheitsrecht" analysiert Verfahren zur Messung, Prüfung und dem Nachweis von IT-Sicherheit zur Erfüllung von rechtlichen Anforderungen. Zunächst gibt das Kapitel einen Überblick über Prüf-, Bewertungs- und Nachweisverfahren, sowie rechtliche Grundlagen und Zuständigkeiten im IT-Sicherheitsrecht. Anschließend unterscheidet es systematisch zwischen unterschiedlichen Prüf- und Bewertungsebenen bzw. -gegenständen im Sinne der Sicherheit von IT-Systemen in Institutionen und der IT-Sicherheit von Software und Hardware. Im zweiten Abschnitt erläutert es die Messung, Prüfung und den Nachweis von IT-Sicherheit in Institutionen, fasst die einschlägigen Standards für Systeme zum Management von Informationssicherheit zusammen, benennt Methoden zur Messung von IT-Sicherheit innerhalb von Risikoanalysen und erläutert Audits und Zertifizierungen und zeigt anschließend, in welchen Bereichen des IT-Sicherheitsrechts diese Methoden verlangt werden. Der dritte Teil widmet sich der Messung, Prüfung und dem Nachweis von IT-Sicherheit von Software und Hardware, einschließlich IT-Produkten, -Diensten und -Prozessen. Er bietet eine Übersicht über Kriterien zur Messung, Evaluation und Prüfung von Software und Hardware und über Zertifizierungsverfahren. Darauf aufbauend erläutert der Abschnitt, wie diese Verfahren bei der Prüfung und Zertifizierung von IT-Produkten, -Diensten und -Prozessen im allgemeinen und fachspezifischen IT-Sicherheitsrecht zum Einsatz kommen. Ein kurzer abschließender Abschnitt zeigt die Grenzen der bestehenden Ansätze und zukünftige Herausforderungen auf.