284,664 research outputs found

    The Economic Incentives for Sharing Security Information

    Given that Information Technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber-security information among firms, the US federal government has encouraged the establishment of many industry based Information Sharing & Analysis Centers (ISACs) under Presidential Decision Directive 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting and correcting security breaches, is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as “strategic complements” in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, CERT or InfraGard by the federal government. Keywords: Technology Investment, Information Sharing, Security Breaches, Externality Benefit, Spillover Effect, Social Welfare

    The Economic Incentives for Sharing Security Information

    Given that information technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber security information among firms, the U.S. federal government has encouraged the establishment of many industry-based Information Sharing and Analysis Centers (ISACs) under Presidential Decision Directive (PDD) 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting, and correcting security breaches is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as “strategic complements” in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information-sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC, which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, Computer Emergency Response Team (CERT), or InfraGard by the federal government. NYU, Stern School of Business, IOMS Department, Center for Digital Economy Researc

    Firm size and information technology investment appraisal: evidence from commercial banks in Kenya

    The paper was presented at the International Academy of Business and Public Administration Disciplines (IABPAD) Conference, Dallas, Texas, 7 – 10 April 2011. Information technology expenditure in banks consumes an ever increasing portion of operating costs and revenues. As organisations continue increasing their investment in IS, the process of evaluating potential Information Technology (IT) investments becomes an important activity for an organisation’s management. This study attempts to establish whether the choice of IT investment appraisal approaches is associated with the size of a firm using evidence from commercial banking institutions in Kenya. Results of the survey show that there is a correlation between choice of approach and firm size. Among the banking institutions in Kenya, medium-sized banks focus the most on both the strategic and analytical approaches to IT investment appraisal. The majority of small banks have adopted relatively simple economic techniques such as payback period and cost-benefit analysis, and they do not focus on the more sophisticated analytical and integrated approaches as much as the medium-sized and large banks. Finally, large banks have adopted all of the appraisal approaches explored in this study. The results of this study help to establish banking industry-wide benchmarks and best practices in IT investment evaluation, thereby assisting IT executives to make more informed decisions for future investments.

    Network Security and Contagion

    We develop a theoretical model of security investments in a network of interconnected agents. Network connections introduce the possibility of cascading failures due to an exogenous or endogenous attack depending on the profile of security investments by the agents. The general presumption in the literature, based on intuitive arguments or analysis of symmetric networks, is that because security investments create positive externalities on other agents, there will be underinvestment in security. We show that this reasoning is incomplete because of a first-order economic force: security investments are also strategic substitutes. In a general (non-symmetric) network, this implies that underinvestment by some agents will encourage overinvestment by others. We demonstrate by means of examples there can be overinvestment by some agents and also that aggregate probabilities of infection can be lower in equilibrium compared to the social optimum. We then provide sufficient conditions for underinvestment. This requires both sufficiently convex cost functions (convexity alone is not enough) and networks that are either symmetric or locally tree-like. We also characterize the impact of network structure on equilibrium and optimal investments. Finally, we show that when the attack location is endogenized (by assuming that the attacker chooses a probability distribution over the location of the attack in order to maximize damage), there is an additional incentive for overinvestment: greater investment by an agent shifts the attack to other parts of the network. We thank various numerous seminar and conference participants for useful suggestions. We gratefully acknowledge financial support from the Toulouse Network with Information Technology and Army Research Office

    IS-Related Operational Risk: An Exploratory Analysis

    Past research concerning information systems (IS) risk has mainly focused on development risk. However, the impact of any risk event that occurs once the system is operational can be far more extensive. Such events are due to what has been termed operational risk. Our research is concerned with operational risk that involves an IS – or IS-related operational risk – which has received little attention in the academic literature. Specifically, we seek to offer a comprehensive exploratory analysis of IS-related operational risk based on a database documenting hundreds of actual IS-related operational risk events. Our findings could help managers and researchers to achieve a better understanding of the risk exposure associated with operational ISs in their current business environment and with new information technology (IT) investments under consideration. This research could also assist organizations in achieving a higher level of strategic and economic alignment, through the use of a systematic IS risk management approach

    A Survey on Economic-driven Evaluations of Information Technology

    The economic-driven evaluation of information technology (IT) has become an important instrument in the management of IT projects. Numerous approaches have been developed to quantify the costs of an IT investment and its assumed profit, to evaluate its impact on business process performance, and to analyze the role of IT regarding the achievement of enterprise objectives. This paper discusses approaches for evaluating IT from an economic-driven perspective. Our comparison is based on a framework distinguishing between classification criteria and evaluation criteria. The former allow for the categorization of evaluation approaches based on their similarities and differences. The latter, by contrast, represent attributes that allow to evaluate the discussed approaches. Finally, we give an example of a typical economic-driven IT evaluation

    New Hampshire University Research and Industry Plan: A Roadmap for Collaboration and Innovation

    This University Research and Industry plan for New Hampshire is focused on accelerating innovation-led development in the state by partnering academia’s strengths with the state’s substantial base of existing and emerging advanced industries. These advanced industries are defined by their deep investment and connections to research and development and the high-quality jobs they generate across production, new product development and administrative positions involving skills in science, technology, engineering and math (STEM)

    Not Featherbedding, but Feathering the Nest: Human Resource Management and Investments in Information Technology

    This study draws on employment relations and management theory, claiming that certain innovative employment practices and work structures pave the way for organizational innovation, namely investments in information technology (IT). It then finds support for the theory in a cross-section of UK workplaces. The findings suggest that firms slow to adopt IT realize that their conventional employment model hinders their ability to make optimal use of new technologies. Therefore, the paper advances the literature beyond studies of unionization’s impact on business investment to a broader set of issues on the employment relations features that make organizations ripe for innovation