SUPPORTING CORPORATE GOVERNANCE ON A BLOCKCHAIN BASIS


By Dr. Katalin Szenes CISA, CISM, CGEIT, CISSP and Bence Tureczki PhD student, AI – Blockchain – Security Knowledge Center of Óbuda University

This is a review of the paper presented at the ICCECIP conference in November 2020.

According to our practical experience, the trio of Artificial Intelligence (AI), Security and Blockchain together are able to support corporate governance very efficiently. This was proven when we founded the AI-Security-Blockchain Knowledge Center of Óbuda University: quite a lot of companies, international and Hungarian alike, thought it worth joining. Another proof is that, according to our experience, the management of institutions is interested in any discipline, and in its introduction into company life, only if it supports their strategic goals. Here we give a very practical governance definition and propose excellence criteria for corporate operations. These serve the business processes. The choice of the excellence criteria to be used in a given use case depends on the nature of the activity of the institution and its environmental conditions. The blockchain principle contributes to all these with some of its specialities, e.g. its capability to ensure immutability. All these together yield a connection between excellent corporate operations and AI, security and blockchain.

ADVANTAGES RESULTING FROM THE COOPERATION OF AI, SECURITY, BLOCKCHAIN

In 2018 we already presented a useful combination of the three disciplines at the international “LEXI AI GENERATION” contest of IBM (International Business Machines) and iLex Systems. We developed a digital assistant artificial intelligence, called “eXpie”, which supported the user in providing reliable information about her / his digital payments.

To help the user, this assistant was able to search in multiple blockchain databases in a parallel fashion. This particular AI was able to approximately recognize the emotional state of the user and respond to user queries in human language with respect to the identified emotional state. The assistant responded in different ways when the user was identified as angry, sad or surprised. eXpie earned a National Special Award from iLex Systems and IBM and a Special Award from Hungarian Export Promotion Agency. [4]

The corporate interest in artificial intelligence, blockchain and security is reflected by the fact that when we established the AI-Security-Blockchain Knowledge Center in 2019, in the same year 11 corporates joined and even more subscribed to the newsletters of the Center.

Our Knowledge Center at Óbuda University focuses on the practical benefits of using these areas of knowledge – Artificial Intelligence (AI), Security and Blockchain – together. We organize regular meetings where the participants have the opportunity to present their work on the mentioned areas, roundtable discussions and digital knowledge sharing. According to the experiences of the Knowledge Center, the trio of Artificial Intelligence (AI), Security and Blockchain are able to support corporate governance very efficiently.

Besides the number of corporates who joined the Knowledge Center, another proof for this statement is that the management of the institutions seems to be interested in these disciplines and in the requirements of their introduction into the company life, only if they support their strategic goals.

GOVERNANCE SUPPORT

A corporate governance definition based on our practical experience
In this article we give a governance definition taken from everyday real life. Corporate governance can be defined in a usable way as the responsibility of the whole staff, top management included, where the top management is responsible for directing the company along the best possible way towards continuous improvement and market success, taking every kind of environmental aspect into consideration as far, and in such a way, as is in the interest of the enterprise, based on the strategy of the institution.[5]

Defining and maintaining this strategy belongs to the responsibility of the top management, while the staff is responsible for supporting the top management in these issues.[1]

A popular alternative definition for corporate governance
Besides our definition, other corporate governance definitions exist that might be usable in everyday life. For example, in his popular essay (The Corporate Governance of Iconic Executives), Tom C. W. Lin from Temple University defines governance as a set of “structures and principles to identify the distribution of rights and responsibilities among different participants in the corporation (such as the board of directors, managers, shareholders, creditors, auditors, regulators, and other stakeholders) and include the rules and procedures for making decisions in corporate affairs” and in this way control and operate the institution.[9]

An important subset of corporate governance: IT governance
The governance definitions usually agree that corporates rely more and more – among others – on the IT infrastructure to achieve the strategic goals and its use is supporting the corporate in this achievement. Thus, a strategically important subset of governance is IT governance.[11]

The COBIT (Control Objectives for Information Technologies) framework of ISACA (Information Systems Audit and Control Association) defines IT governance as “IT governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.” [2]

In the following, it will be shown that the corporate might choose to use artificial intelligence in the IT infrastructure to enhance the support that the IT can provide for the corporate to realize the strategic goals.

Some possible use cases of AI in IT governance
The Turing test is a specific test that was invented by Alan Turing in 1950 to measure how similar the seemingly intelligent behaviour of a machine is to that of a human. Any machine that can pass the Turing test might be called artificial intelligence: artificial intelligence is any machine that exhibits traits associated with a human mind, such as acquiring and applying knowledge to solve problems.

There are various systems that successfully pass the Turing test and thus can be considered artificial intelligence. In addition to the formerly mentioned digital assistant, examples of artificial intelligence include:

  • chat bots
  • knowledge builder tools
  • modules of CRM (Customer Relationship Management) systems
  • neural networks
  • self-driving vehicles
  • androids
  • computer-controlled characters in video games
  • IoT (Internet of Things)

The use of artificial intelligence for the corporate is the same as that of any other element of IT: providing support for the organization on the path that leads to the fulfilment of the strategic goals.[1]

The above research areas already have considerable impact not only on industry, but also on its supporting service areas, such as transportation.

If we want to use self-driving trains, railway monitoring should be significantly improved, e.g. with IoT facilities, such as the supervisory sensors of an IoT gateway.[13]

Blockchain-based security for AI
Blockchain and shared ledger are often used as synonyms. While a blockchain could be used as a shared ledger, a blockchain is not necessarily shared and a shared ledger might not be based on blockchain. According to our experience, it is more practical to define blockchain as a database type with special transaction management than a shared ledger.

This database might be shared, e.g. the blockchain of Bitcoin, or not shared, e.g. some private corporate blockchains. In any case, a blockchain type of database contains blocks ordered by their timestamp in ascending order into a singly linked list data structure, where each block contains at least:

  • the hash of the previous block
  • a timestamp (unique with respect to the blocks)

Further properties of this structure:

  • the first/top element is the oldest block and it is called the genesis block
  • as the following figure shows: the younger a block is, the further it is located from the genesis block
  • the hash function = the link function (red arrows in the following figure)
    ◦ the destination block of the arrow contains a hash based on the block which is the source of the arrow.

Figure 1: The structure of a blockchain.

So, to delete or modify an arbitrarily chosen block, all the blocks after the chosen one also have to be deleted/modified. The more blocks that have to be deleted or modified, the more costly the operation is. Practically, such an operation is usually impossible: too expensive to be worthwhile. Because of the hash function, the integrity of the blockchain database is secure by design.[1]

An example use case for blockchain will follow here which will ensure the integrity of the input data of artificial intelligence and in this way, contribute to the reliability of the support that the AI can provide for the corporate.[4]

EXAMPLES OF ECONOMIC ADVANTAGES

Transparency for project teams
To support the sustainable development of the company the data transparency is crucial. In order to generate the hash into the block to be added into the blockchain, the content of the previous block must be validated. Without generating such a hash, no block can be added to the blockchain (except for the genesis block).

If multiple project teams share data using the same blockchain, they can decide that new data can be written into the database only if everyone who uses that blockchain validates it based on the content of the previous block.

So, when project teams use the same blockchain, we can assume that every project team knows what kind of data is present in the blockchain and assume that all these data were formerly validated by every project team.
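The block structure and hash link described in the blockchain section, and the "validate against the previous block before adding" rule described just above, as an added Python example (not code from the paper or the Knowledge Center). It builds a chain whose blocks carry the previous block's hash and an ascending timestamp, validates each block against its predecessor the way a node would before accepting new data, and counts how many blocks must be rewritten after one block is modified. The names `Block`, `verify_chain`, `rewrite_from` and the sample records are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the genesis block has no predecessor to link to


@dataclass
class Block:
    index: int
    timestamp: int      # unique, ascending along the chain
    data: str
    prev_hash: str      # the link: hash of the previous block
    hash: str = ""      # hash over this block's own content


def compute_hash(index, timestamp, data, prev_hash):
    """Derive a block's hash from its content, including the link to the previous block."""
    payload = json.dumps([index, timestamp, data, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records):
    """Append (timestamp, data) records one by one; each new block links to the last hash."""
    chain, prev = [], GENESIS_PREV
    for i, (ts, data) in enumerate(records):
        block = Block(i, ts, data, prev, compute_hash(i, ts, data, prev))
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain):
    """Validate every block against its predecessor, as a node would before accepting data.
    Returns (ok, index of the first bad block or None, reason)."""
    prev_hash, prev_ts = GENESIS_PREV, -1
    for b in chain:
        if b.prev_hash != prev_hash:
            return False, b.index, "broken link to previous block"
        if b.timestamp <= prev_ts:
            return False, b.index, "timestamp not ascending"
        if compute_hash(b.index, b.timestamp, b.data, b.prev_hash) != b.hash:
            return False, b.index, "stored hash does not match content"
        prev_hash, prev_ts = b.hash, b.timestamp
    return True, None, "ok"


def rewrite_from(chain, index):
    """Re-link and re-hash every block from `index` to the end; returns how many blocks
    had to be rewritten to make a modified chain verify again."""
    prev = chain[index - 1].hash if index else GENESIS_PREV
    for b in chain[index:]:
        b.prev_hash = prev
        b.hash = compute_hash(b.index, b.timestamp, b.data, b.prev_hash)
        prev = b.hash
    return len(chain) - index


if __name__ == "__main__":
    # constructed sample records, not real project data
    chain = build_chain([(1000 + i, f"project record {i}") for i in range(5)])
    print(verify_chain(chain))                 # (True, None, 'ok')
    chain[2].data = "forged record"            # modify one block only
    print(verify_chain(chain))                 # rejected at block 2: hash mismatch
    chain[2].hash = compute_hash(2, chain[2].timestamp, chain[2].data, chain[2].prev_hash)
    print(verify_chain(chain))                 # block 3 now rejects the broken link
    print(rewrite_from(chain, 2), "blocks rewritten")  # 3: every block after the change
    print(verify_chain(chain))                 # (True, None, 'ok')
```

Rewriting the hash of the modified block alone is not enough: the next block still links to the old hash, so every later block has to be rewritten too, which is the cost argument of the paper.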

Smart contract based on automation of business paths
The smart contract is a set of if… then… else… rules written in an arbitrarily chosen programming language. The writer of the smart contract can upload this set onto a node of a blockchain, where each node executes one or more operations when one or more of the programmed conditions are met.

The more mutually independent nodes contain the same rules, the better the assurance that the rules of the smart contract will be executed. That is why corporates often choose to upload their smart contracts into global, shared blockchains such as the blockchain of Bitcoin, Ethereum or TRON.

If we upload our smart contract into one of these blockchains, we pay only once to some of the nodes for our smart contract to be stored. Then the nodes store the smart contract virtually forever, we can download it anytime and there is no additional cost for storing the contract.[1]

An artificial intelligence, such as the formerly mentioned eXpie digital assistant, might be useful in uploading smart contracts into a blockchain because of the high computation demand of such an operation. The digital assistant could also help translate a smart contract (= program code) into human language, or generate a smart contract based on statements formulated in human language.[4]

Enhancing the speed of claims’ processing
If an insurer and an insured trust the same blockchain, some types of a claim of the insured can be stored in this blockchain. Since the insurer trusts this blockchain, she/he trusts all the data in it, including the claims of the insured. This trust is based on the hashing process that requires the validation of the new data based on the data that already is in the blockchain.

A limitation of this approach is that the claim has to be completely validated based on the former digital data. However, it might not be possible in all cases, but when it is, the speed of claims’ processing is enhanced in this limited set of cases.

Claims processed in this way might be settled using smart contracts. The processing and settlement of these claims are autonomously, completely and reliably documented because of the nature of blockchain.

CRITERIA FOR THE EXCELLENCE OF THE CORPORATE OPERATIONS AND THE SUPPORT OF THE CORPORATE STRATEGY

Here we propose such practical goals to be fulfilled in the operation of a company that can contribute to the fulfilment of the strategic goals of this company. We will show examples of how the blockchain database can support some of these goals. These practical goals were generalized from such well-known ISO control objectives as the confidentiality, integrity and availability of the data of company systems,[8] and others were developed from the information criteria of ISACA materials,[2][3] and the third set was derived from everyday life experiences.[7][10]

This way we can define two groups of excellence criteria:

  • operational excellence criteria:
    ◦ effectivity
    ◦ efficiency
    ◦ compliance
    ◦ reliability
    ◦ risk management excellence
    ◦ functionality
    ◦ order
    ◦ provenance
  • asset handling excellence criteria:
    ◦ availability
    ◦ integrity
    ◦ confidentiality

Operational activity is effective if its result(s) complies with the pre-planned requirements, that had been accepted by every relevant party.

Operational activity is efficient, if it is performed in a pre-planned, documented, and cost-effective way, concerning the optimal use of human and material resources, and the way of problem-solving.

A company operates in a compliant way, or, shortly, the operations of a company comply with the compliance criterion, if they comply, in a documented way, with any requirement of those authorities that have authority to regulate any aspect of the activities of the company.

The operations of a company are reliable, if they are organized in such a way, that they provide for the preliminary agreed service(s) in such a manner, that supports the work of the staff according to the best professional practice.

Risk management excellence is a strategy-driven managing of those risks, that are related to a given goal, requiring resource(s) and effort and where the importance of the individual excellence criteria and their relation to each other is evaluated by the top management/business delegates and by the stakeholders. The risks are always evaluated with respect to each other – there is no stand-alone risk.[6][12]

The functionality of a resource of a company is adequate, if it supports the work of the staff in such a way, that using it they can fulfil their job requirements in the best possible way.

The order in an institution is, by definition, adequate, if the top management takes up the responsibility for the well-being of the institution:

  • for the determination of the strategy, aligning it to the market success,
  • for its continuous maintenance,
  • for ensuring, that the company fulfils these strategic goals.

The operational excellence criterion order includes, e.g.:

  • documentation
  • separation (segregation) of duties
  • access provision management for units / roles / tasks
  • dynamic inventory management
  • dynamic documentation & change management
  • business continuity planning
  • IT business continuity planning

Operations fulfil the provenance criterion if for every data that the operations use there is a record trail that accounts for the origin of this piece of data together with an explanation of how and why it got to the present place.

Confidential handling of an asset means handling confidentially every piece of information about this asset: those, and only those, who have a job to do with it have access to it.

The integrity of an asset is said to be preserved if its handling or processing does not change it inadvertently.

Availability of an asset means, that if it has a role in a given matter, then it is available to every competent employee, who is competent in this matter, in a planned, predictable, and documented way, according to the preliminary agreements on its accessibility, that have to refer to every qualitative and quantitative prescription, that are relevant in the matter.

We have shown in our workshop[1] and the AI GENERATION competition[4] that using blockchain-based technologies can contribute to the fulfilment of some of these goals.

For example: Having stored a smart contract in a blockchain the smart contract will be completely documented by the nodes of the blockchain and – in the case of public blockchains – at no cost for the writer of the contract. So, using public blockchains for storing smart contracts might contribute to efficient, effective and compliant corporate operations.

A company can contribute to the fulfilment of the reliability criterion if it uses such a private blockchain, that is shared among project teams. Such a blockchain can provide to the whole staff such information, that:

  • was validated by all of these project teams, what is more,
  • it can be modified only in a very difficult way,
  • to make matters even more secure, any modification attempt can be seen by everybody.

Thus, every team can trust this information.

BIBLIOGRAPHY

[1] Szenes, K., Tureczki, B.: Blockchain basics, applications workshop presentation & article: https://nextcloud.sztaki.hu/s/ya4LRkz75Kmj4og#pdfviewer (2020.11.01.) presentation: https://www.slideshare.net/secret/IgHgKBIQ4w5ePj (2020.11.01.) Blockchain and deep learning workshop Institute for Computer Science and Control 2019 September 5 Hungary, H-1111 Budapest, XI. ker., Kende street 13-17.

[2]  COBIT (Control Objectives for Information Technologies) 2019 Framework: Control Objectives, Management Guidelines, Maturity Models ISBN 978-1-60420-644-9 Copyright© 2020 Information Systems Audit and Control Association (ISACA) 1700 E. Golf Road, Suite 400, Schaumburg IL 30173 USA Dr Katalin Szenes is an Expert Reviewer of the version COBIT 2019 as a member of the COBIT 2019 Expert Reviewer Team.

[3] CISA Review Manual 27th edition Updated for 2019 Job Practice Copyright © 2019 ISACA 1700 E. Golf Road, Suite 400, Schaumburg IL 30173 USA ISBN 978-1-60420-767-5 Dr Katalin Szenes was a member of the Quality Assurance Team.

[4]  Szenes, K., Tureczki, B.: eXpie – your Morning Star for exploring cryptocurrency payments 2018, an international online competition organized by IBM (International Business Machines), iLex Systems https://aigeneration.net/2018/11/23/award-ceremony-ibm-budapest-lab/ (2020.11.01.)

[5]  Szenes, K.: Experiences from the Financial Services Industry keynote lecture at Security & Integrity Seminar, October 2-4. 2018 Budapest, Hungary organized by: Security and Risk Management Committee of the World Lottery Association.

[6]  K. Szenes: Governance – Risk – Security keynote lecture at SecureCEE Conference, April 21, 2015 Budapest, Hungary organized by: International Information Systems Security Certification Consortium (ISC)2; available at: (ISC)2’s Intersec: https:/isc2intersec.leveragesoftware.com/default.aspx (2020.11.01.)

[7] K. Szenes: Operational Security – Security Based Corporate Governance in: Proc. of IEEE 9th International Conference on Computational Cybernetics (ICCC); July 8-10, 2013 Tihany, Hungary IEEE Catalog Number: CFP13575-USB (pendrive); CFP13575-PRT (printed) ISBN: 978-1-4799-0061-9 (pendrive); 978-1-4799-0060-2 (printed) Copyright © 2013 by IEEE. p. 375-378.

[8]  International Standard ISO/IEC 27001 Second edition: 2013-10-01 Information technology – Security techniques – Information security management systems – Requirements Reference number ISO/IEC 27001:2013(E) Copyright © ISO/IEC 2013.

[9]  Lin, Tom C. W.: The Corporate Governance of Iconic Executives, 2011, SSRN: https://ssrn.com/abstract=2040922 (2020.11.01).

[10] Szenes, K.: Enterprise Governance Against Hacking. Proc. of the 3rd IEEE International Symposium on Logistics and Industrial Informatics – LINDI 2011 August 25–27, 2011, Budapest, Hungary, ISBN: 978-1-4577-1840 DOI: 10.1109/LINDI.2011.6031153 © 2011 IEEE, IEEE Catalog Number: CFP1185C-CDR [CD-ROM], http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=6026102 (2020.11.01.) p. 229-233

[11] Szenes, K.: Serving Strategy by Corporate Governance – Case Study: Outsourcing of Operational Activities Proc. of 17th International Business Information Management Association – IBIMA November 14-15, 2011, Milan, Italy, ed. Khalid S. Soliman, ISBN: 978-0-9821489-6-9, DOI: 10.5171/2011.903755, index at BDI: Ebsco © 2011 IBIMA, [CD-ROM], p. 2387-2398

[12] Szenes, K.: Building a Corporate Risk Management Methodology and Practice EuroCACS 2002 – Conf. for IS Audit, Control and Security Copyright 2002 ISACA, Rolling Meadows, Illinois, USA 24-27 March 2002, Budapest, Hungary, Tutorial

[13] Tokody, D., Nyikes, Z., Kovács, T.: Using a complex monitoring system for railway structure investigation in accordance with Industry 4.0. Hungarian: Komplex monitoringrendszer használata vasúti felépítmény vizsgálatában az Ipar 4.0-val összhangban XVII. Műszaki Tudományos Ülésszak 2016, Kolozsvár, Hungary DOI: 10.33895/mtk-2017.06.17 http://hdl.handle.net/10598/30075 (2020.11.01.)

ABOUT THE AUTHORS

Katalin Szenes, CISA, CISM, CGEIT, CISSP, PhD founded the teaching of IT security and audit at Obuda University. As a security advisor she deals with corporate strategy, secure network topologies, risk management and the development of secure applications. She is an Expert Reviewer of the teams updating the ISACA CISA Review Manual, for the development of COBIT 5 and then of COBIT 2019.


Bence Tureczki is a secretary of the Informatics Section in the European Organization for Quality, Hungarian National Committee. In the Hungarian Artificial Intelligence Coalition, his role is to support the Technology work team. Dr. Katalin Szenes and Bence established the AI-Security-Blockchain Knowledge Center of Obuda University and IT corporates. Their digital assistant won the industrial award at the AI GENERATION competition of IBM, 2018.


Download the article as a PDF: Szenes Tureczki article – ICCECIP – CSR online February 2021


Publication date: February 2021