Similar literature
Found 20 similar documents (search time: 15 ms)
1.
When a customer interacts with a firm, extensive personal information often is gathered without the individual's knowledge. Significant risks are associated with handling this kind of information. Providing protection may reduce the risk of the loss and misuse of private information, but it imposes some costs on both the firm and its customers. Nevertheless, customer information security breaches still may occur. They have several distinguishing characteristics: (1) typically it is hard to quantify monetary damages related to them; (2) customer information security breaches may be caused by intentional attacks, as well as through unintentional organizational and customer behaviors; and (3) the frequency of such incidents typically is low, although they can be very costly when they occur. As a result, predictive models and explanatory statistical analysis using historical data have not been effective. We present a profit optimization model for customer information security investments. Our approach is based on value-at-risk methods and operational risk modeling from financial economics. The main results of this work are that we: (1) provide guidance on the trade-offs between risk and return in customer information security investments; (2) define the range of efficient investments in technology-supported risk indemnification for sellers; (3) model how to handle government-dictated levels of investment versus self-regulation of investments in technology; and (4) characterize customer information security investment levels when the firm is able to pass some of its costs on to consumers. We illustrate our theoretical findings with empirical data from the Open Security Foundation, as a means of grounding our analysis and offering the reader intuition for the managerial interpretation of our theory and main results. 
The results show that we can narrow the decision set for solution providers and policy-makers based on the estimable risks and losses associated with customer information security. We also discuss the application of our approach in practice.

2.
The past few years have witnessed numerous information security incidents throughout the world, which unfortunately have become increasingly tough to address completely with technology solutions alone, such as advanced firewalls and intrusion detection systems. In addition to technology components, the Internet environment can be viewed as a complex economic system consisting of firms, hackers, government sectors and other participants, whose economic incentives should be taken into account carefully when security solutions are formulated. In order to better protect information assets, information security economics has emerged as a thriving research branch that attempts to solve the problems of distorted incentives of such stakeholders by means of economic approaches. However, how these participants’ economic incentives for information security improvement change when they evolve between different market structures has remained unknown. Using game theory, we develop an analytical framework to investigate the effects of market structures on security investments, information sharing, attack investments, expected profits, expected consumer surplus and expected social welfare. We demonstrate that the levels of security investments, information sharing, attack investments, and expected profits are higher while expected consumer surplus and expected social welfare are lower under Cournot competition than under Bertrand competition. In particular, we surprisingly find that under either type of competition, the demand switch ratio caused by security breaches may benefit firms, consumers, government sectors and harm hackers. Our results provide some relevant managerial insights into formulating the strategies of security investments and information sharing for the firms transforming from one type of competition to the other.

3.
Security breaches can have a significant economic impact on a firm. With public disclosure laws passed, security breaches involving disclosure of private client information can both damage the firms’ reputation and lead to fines by US government agencies. We examined the impact of security breaches of US firms, as measured by their impact on the firm's market value. Data on security breaches were collected over the period 2004–2008. Reports and news articles corresponding to these breaches were obtained from public sources. Using event-study methodology, we estimate the impact of security breaches on the market value of publicly traded firms. Daily stock returns for firms impacted were obtained. Our results indicated that, on average, the announcement of a corporate security breach had a negative impact of about 1% of the market value of the firm during the days surrounding the event.

4.
Prior research has documented that IT investment increases market returns. Economic theories predict such returns to be recognized in accounting profitability; this relationship remains ambiguous in prior literature. We reexamine the relationship between IT investment and firm profitability. Our approach is unique in that we examine complementarities between distinct IT components. We document that a firm’s investments in IT components exhibit different impacts on its profitability conditional on the level of investments in complementary components.

5.
We explored how IT disclosure affects information quality in the market and identified the factors that influence managers’ choices in IT disclosure quality. Adopting a comprehensive view of IT investments disclosure mechanisms, we found that IT disclosure quality was positively associated with information quality. Specifically, our results showed that an increase in quantitative information in IT disclosure could improve the information environment in the market, thereby reducing the perception of information risk among market participants. We also found that managers’ disclosures were less quantitative when the IT investment was more asset-specific in relation to higher agency costs.

6.
The Learned Hand’s rule, comparing security investments against the expected loss from data breaches, can be used as a simple tool to determine the negligence of the company holding the data. On the other hand, companies may have several incentives to distribute their data over a cloud. In order to analyze the conflict between the sanctioning behavior and the search for economic profit, we employ the well-known Gordon-Loeb models, as well as the more recent Huang-Behara models, for the relationship between investments and the probability of money loss due to malicious attacks. In this paper we determine the optimal amount of investments when data are distributed over a cloud and Hand’s rule is applied. We find that the net benefit of investing in security shrinks as the number of repositories making up the cloud grows, till investing becomes non-profitable. An implication of our study is that, unless the cloud provider may guarantee a higher security investment productivity, the cloud solution provides a lower net benefit than the centralized one. By the application of Hand’s rule, we show that the company is held negligent if it does not invest just in the case it uses a centralized storage infrastructure or a cloud made of a limited number of repositories: Hand’s rule sanctions the lack of security investments by cloud providers with a limited number of repositories.

7.
Recent supply chain reengineering efforts have focused on integrating firms’ production, inventory and replenishment activities with the help of communication networks. While communication networks and supply chain integration facilitate optimization of traditional supply chain functions, they also exacerbate the information security risk: communication networks propagate security breaches from one firm to another, and supply chain integration causes a breach on one firm to affect other firms in the supply chain. We study the impact of network security vulnerability and supply chain integration on firms’ incentives to invest in information security. We find that even though an increase in either the degree of network vulnerability or the degree of supply chain integration increases the security risk, they have different impacts on firms’ incentives to invest in security. If the degree of supply chain integration is low, then an increase in network vulnerability induces firms to reduce, rather than increase, their security investments. A sufficiently high degree of supply chain integration alters the impact of network vulnerability into one in which firms have an incentive to increase their investments when the network vulnerability is higher. Though an increase in the degree of supply integration enhances firms’ incentives to invest in security, private provisioning for security always results in a less than socially optimal security level. A liability mechanism that makes the responsible party partially compensate for the other party’s loss induces each firm to invest at the socially optimal level. If firms choose the degree of integration, in addition to security investment, then firms may choose a higher degree of integration when they decide individually than when they decide jointly, suggesting an even greater security risk to the supply chain.

8.
Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.

9.
In this article, we present a mixed qualitative and quantitative approach for evaluation of information technology (IT) security investments. For this purpose, we model security scenarios by using defense trees, an extension of attack trees with countermeasures and we use economic quantitative indexes for computing the defender's return on security investment and the attacker's return on attack. We show how our approach can be used to evaluate economic profitability of countermeasures and their deterrent effect on attackers, thus providing decision makers with a useful tool for performing better evaluation of IT security investments during the risk management process.

10.
Recent economic development in Korea was mostly driven by companies in the IT sector. Also, it is widely argued that R&D investment has a positive impact on firm value, especially for IT firms. In this paper, we analyze how R&D investment has contributed to the growth of Korea’s economy by examining the effect of R&D investment on firms’ market value, measured as Tobin’s Q, and investigate whether this effect is different between firms in the IT sector and firms in the non-IT sector. We also account for the effect of another major change experienced by Korean firms: changes in corporate governance structure. We find that for firms in the IT industry, higher R&D investment coupled with high foreign ownership results in higher firm valuation.

11.
Recent studies suggest that the number of information security incidents has increased dramatically and has caused significant economic loss worldwide. Awareness of the significance of information security is evidenced by a rapid increase in information security investments. Despite the fact that information security has taken on a new level of importance, academic research on this subject is still in its infancy. A review of literature indicated that past studies largely took a resource-based view, suggesting that organizations invest and develop a variety of IS resources so as to ease potential threats caused by information security breaches. However, the resource-based perspective as used in previous studies was somewhat limited. Based on and extending from previous work, this study employed the resource-based view as a theoretical lens to examine the role that IS resources play in determining the level of information security. A field study was conducted to test the hypotheses. The results of the model testing show that IT human, relational, and infrastructure resources have significant impacts on information security.

12.
Identifying the business value of information technology (IT) investments has been a major concern of managers and researchers. Various studies have addressed this issue but have provided contradictory results. Here, we explore the relationship between IT investments and firm performance using a relatively new technique, multivariate adaptive regression splines (MARS), and attempt to answer two questions: (1) do investments in IT have a positive impact on organizational productivity? and (2) for a given level of investment, what portion of the total should be invested in IT to maximize organizational productivity? Our results suggest that depending on the conditions that applied, an unbiased observer could either conclude that investments in IT have a positive statistically significant effect on productivity, or that there is a ‘productivity’ paradox. This suggests that the relationship between IT investments and organizational performance is much more complex than that found in some other studies. Our results could also provide guidance to managers who are responsible for determining the allocation of organizational resources.

13.
Emerging studies advocate that firms shall completely outsource their information security for cost and technical advantages. However, the risk of information leakage in outsourcing to managed security service providers (MSSPs) is overlooked and poses a confidentiality threat. We develop analytical models to describe several strategies for firms to consider when they decide to outsource to MSSPs. Based on our results, we suggest partial outsourcing as an alternative strategy when the firm faces information leakage risk. Besides, we suggest that in-house information security strategy is the optimal solution when the risk of being attacked is low regardless of the risk of information leakage. We then extend scenarios to the competitive environment where firms that are in the same market are highly likely to choose the same strategy.

14.
The impact of Internet security breaches on firms has been a concern to both researchers and practitioners. One measure of the damage to the breached firm is the observed cumulative abnormal stock market return (CAR) when there is an announcement of the attack in the public media. To develop effective Internet security investment strategies for preventing such damage, firms need to understand the factors that lead to the occurrence of CAR. While previous research has involved the use of regression analysis to explore the relationship between firm and attack characteristics and the occurrence of CAR, in this paper we use decision tree (DT) induction to explore this relationship. The results of our DT-based analysis indicate that both attack and firm characteristics determine CAR. While each of our results is consistent with that of at least one previous study, no previous single study has provided evidence that both firm and attack characteristics are determinants of CAR. Further, the DT-based analysis provides an interpretable model in the form of understandable and actionable rules that may be used by decision makers. The DT-based approach thus provides additional insights beyond what may be provided by the regression approach that has been employed in previous research. The paper makes methodological, theoretical and practical contributions to understanding the predictors of damage when a firm is breached.

15.
Identifying the business value of information technology (IT) investments has been a major concern of managers and researchers. Various studies have addressed this issue but have provided contradictory results. Here, we explore the relationship between IT investments and firm performance using a relatively new technique, multivariate adaptive regression splines (MARS), and attempt to answer two questions: (1) do investments in IT have a positive impact on organizational productivity? and (2) for a given level of investment, what portion of the total should be invested in IT to maximize organizational productivity? Our results suggest that depending on the conditions that applied, an unbiased observer could either conclude that investments in IT have a positive statistically significant effect on productivity, or that there is a ‘productivity’ paradox. This suggests that the relationship between IT investments and organizational performance is much more complex than that found in some other studies. Our results could also provide guidance to managers who are responsible for determining the allocation of organizational resources.

16.
《Information & Management》2005,42(7):989-1008
Our objective in this paper is to develop a firm value model to assist IT managers and researchers in understanding the multiple effects that IT investments have on firm value. This firm value approach adds to the process-oriented approach through simultaneous evaluation of all of the factors that affect firm value. It is crucial for IT professionals to recognize the complex and diverse implications of IT investments on firm value. The implications of the firm value approach include forcing IT managers to think in terms of both industry and company-specific effects of IT investments, to consider both the magnitude and duration of competitive advantage due to IT investments, and the implications of the effect that IT investments have on risk and its relation to firm value. We demonstrate an application of the firm value framework by evaluating a major stream of research in MIS—event studies of IT investment announcements. Appendices to this paper can be found at http://www.itandfirmvalue.com.

17.
Despite all the research investigating the impact of data and information technology (IT) breaches on the market value of the breached firms, few studies explore the effects of breach events on the stock price of consulting firms that supply the know-how and infrastructure to create, implement and maintain those information systems that were hacked. Information transfer theory and capital market expectation suggest that as more data breaches occur every year, investors, clients and customers may well look beyond the faults of the individual firms, and place some responsibility on the shoulders of these IT providers. In this study, we investigated a total of 83 breach events affecting a wide range of US firms in various industries in the years 2006 and 2007. We found that the market value of the IT consulting firms is positively associated with the disclosure of IT security breaches. The IT consulting firms realized an average abnormal return of 4.01% during the 2-day period after the announcement. Using the event-study method and Ordinary Least Squares Regression to calculate and analyze these firms’ abnormal returns, we found evidence that as the number of breached records increased, the IT consulting firms tended to suffer negative returns. In addition, the observed impact was more salient for breaches that affect technology intensive firms than retailing or other firms. In other words, generally speaking, the IT consulting firms have similar experiences with the attacked firms.

18.
The decisions confronting information technology (IT) managers have changed a great deal since the early 1970s. The key decisions three decades ago were related to the management of application development projects and operations centers. Today, the key decisions are quite different. What level of service should the firm provide end-users? Should IT services, development projects and the ownership and management of operations centers be outsourced? IT investments attempt to satisfy specific needs. Because of environmental differences and differences in the cost structure and benefits of alternative ways in which these needs can be met, the answers to these questions may differ across firms. Modern financial analysis can provide insights to help managers deal with many of the problems they currently face. We use modern financial theory to show how the value of IT investments can be affected by some of the choices made by managers. We show how the market risk of demand and the market risk of costs affect the market risk and value of IT investments. We consider three types of investment decisions: outsourcing versus in-house services; investments in interorganizational systems; and determining the optimal level of IT services that should be provided. Our analysis indicates that: (1) as the market risk of demand for operations decreases, firms are less likely to outsource operations; (2) the value of an investment in an interorganizational system increases as the market risk of costs increases; and (3) the optimal level of user service is inversely related to service demand risk and is directly related to the market risk of service costs.

19.
As health care costs increased significantly in the 1990s, investments in information technology (IT) in the health care industry have also increased continuously in order to improve the quality of patient care and to respond to government pressure to reduce costs. Several studies have investigated the impact of IT on productivity with mixed conclusions. In this paper, we revisit this issue and re-examine the impact of investments in IT on hospital productivity using two data mining techniques, which allowed us to explore interactions between the input variables as well as conditional impacts. The results of our study indicated that the relationship between IT investment and productivity is very complex. We found that the impact of IT investment is not uniform and the rate of IT impact varies contingent on the amounts invested in the IT Stock, Non-IT Labor, Non-IT Capital, and possibly time.

20.
《Information & Management》2014,51(6):762-773
The mechanics of competition involve perception and reaction to competitor moves. Both incur delays that can be reduced by digital systems. Using system dynamics and the Red Queen paradigm, we modeled the impact of IT investments on response delays and business value, with the following results: (a) value has significant transient components; (b) value depends on investment level and the relative delays of competitors; and (c) relative delays affect the first-mover advantage. These results show that when assessing the value of IT investments, it is important to consider (a) the temporal pattern of benefits, not just their total magnitude, and (b) the impact of ongoing moves by competitors.
