
The Economic Incentives for Sharing Security Information

Given that Information Technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber-security information among firms, the US federal government has encouraged the establishment of many industry-based Information Sharing & Analysis Centers (ISACs) under Presidential Decision Directive 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting and correcting security breaches is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as "strategic complements" in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, CERT or InfraGard by the federal government.

Keywords: Technology Investment, Information Sharing, Security Breaches, Externality Benefit, Spillover Effect, Social Welfare

Risk Mitigating Strategies in the Food Supply Chain

Food safety events in the recent past have generated significant media attention and resulted in increased concerns over the food on the plate. A recent study (Degeneffe et al., 2007) on consumer perceptions of bio-terrorism and food safety risks shows increasing concern over food safety and corresponding decreasing confidence in the security of the U.S. food supply. While there are some mandated safety and security practices for the firms in the food supply chain, the economic incentives for the firms to actively address food safety throughout the supply chain are less clear. Security practices often require significant investments both within the firm and across the supply chain but do not show tangible returns. Also, higher investments in securing the firm's processes and products do not necessarily make the food products safer if the supply chain partners exhibit higher risks. However, a risk that is realized can potentially bankrupt the firm. Some high-profile cases of food safety outbreaks have had substantial economic consequences such as lost sales, recall and compensation costs, damaged goodwill and hence impact on future markets. Such incidents can put firms out of business, and the impact is not contained at the firm level but is felt throughout the food supply chain. The issues of economic incentives and disincentives for risk mitigation strategies and investments, in a highly vulnerable area such as the food sector, are an emerging area of concern in private and public sector management as well as academic research. The research question of interest that this paper addresses is: How much should the firm invest to address the security and safety risks that it faces? The optimum investment levels, among other things, are a function of the probabilities of contamination levels exceeding the maximum acceptable standards set.

We consider a specification in which the contamination levels follow a gamma distribution, as it exhibits the fat-tail property which suggests that extreme events are more likely than predicted by the normal Gaussian form. Previous work by Mohtadi and Murshid (2007) has highlighted the fat-tail nature of extreme events for chemical, biological and radionuclear (CBRn) attacks, which are of an intentional nature. However, for food safety risks of an unintentional nature the fat-tail nature of the distribution, though suggested, is not yet established in the literature. The present model leaves less scope for analytical solutions but lends itself to numerical methods, which we employ to examine the firm strategies. Our preliminary model and its analysis suggest that in fact for very low levels of risk exposure no investment in security is required! However, as the standards loosen and risk increases, the optimum amount of investment also increases. Though the results here are intuitively consistent, they are largely dependent on the parametric specification of the model, and their sensitivity to the parameter values is yet to be tested.

Keywords: Agribusiness, Risk and Uncertainty, L100, L800

Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.

Rethinking FS-ISAC: An IT Security Information Sharing Network Model for the Financial Services Sector

This study examines a critical incentive alignment issue facing FS-ISAC (the information sharing alliance in the financial services industry). Failure to encourage members to share their IT security-related information has seriously undermined the founding rationale of FS-ISAC. Our analysis shows that many information sharing alliances' membership policies are plagued with the incentive misalignment issue and may result in a "free-riding" or "no information sharing" equilibrium. To address this issue, we propose a new information sharing membership policy that incorporates an insurance option and show that the proposed policy can align members' incentives and lead to a socially optimal outcome. Moreover, when a transfer payment mechanism is implemented, all member firms will be better off joining the insurance network. These results are demonstrated in a simulation in which IT security breach losses are compared both with and without participating in the proposed information sharing insurance plan.

Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling

The interdependency of information security risks poses a significant challenge for firms to manage security. Firms may over- or under-invest in security because security investments generate network externalities. In this paper, we explore how firms can use three risk management approaches, third-party cyberinsurance, managed security service (MSS) and risk pooling arrangement (RPA), to address the issue of investment inefficiency. We show that compared with cyberinsurance, MSS is more effective in mitigating the security investment inefficiency because the MSS provider (MSSP) serving multiple firms can endogenize the externalities of security investments. However, the investment externalities may discourage a for-profit MSSP from serving all firms even in a monopoly market. We then show that firms can use RPA as a complement to cyberinsurance to address risk interdependency for all firms. However, the adoption of RPA is incentive-compatible for firms only when the security investments generate negative externalities.

The Extreme Risk of Personal Data Breaches & The Erosion of Privacy

Personal data breaches from organisations, enabling mass identity fraud, constitute an extreme risk. This risk worsens daily as an ever-growing amount of personal data are stored by organisations and on-line, and the attack surface surrounding this data becomes larger and harder to secure. Further, breached information is distributed and accumulates in the hands of cyber criminals, thus driving a cumulative erosion of privacy. Statistical modeling of breach data from 2000 through 2015 provides insights into this risk: a current maximum breach size of about 200 million is detected, and is expected to grow by fifty percent over the next five years. The breach sizes are found to be well modeled by an extremely heavy-tailed truncated Pareto distribution, with tail exponent parameter decreasing linearly from 0.57 in 2007 to 0.37 in 2015. With this current model, given a breach contains above fifty thousand items, there is a ten percent probability of exceeding ten million. A size effect is unearthed where both the frequency and severity of breaches scale with organisation size $s$ like $s^{0.6}$. Projections indicate that the total amount of breached information is expected to double from two to four billion items within the next five years, eclipsing the population of users of the Internet. This massive and uncontrolled dissemination of personal identities raises fundamental concerns about privacy.

Comment: 16 pages, 3 sets of figures, and 4 tables

Expanding the Gordon-Loeb Model to Cyber-Insurance

We present an economic model for decisions on competing cyber-security and cyber-insurance investment based on the Gordon-Loeb model for investment in information security. We consider a one-period scenario in which a firm may invest in information security measures to reduce the probability of a breach, in cyber-insurance, or in a combination of both. The optimal combination of investment and insurance under the assumptions of the Gordon-Loeb model is investigated via consideration of the costs and benefits of investment in security alongside purchasing insurance at an independent premium rate. Under both exponential (constant absolute risk aversion) and logarithmic (constant relative risk aversion) utility functions it is found that when the insurance premium is below a certain value, utility is maximised with insurance and security investment. These results suggest that cyber-insurance is a worthwhile undertaking provided it is not overly costly. We believe this model to be the first attempt to integrate the Gordon-Loeb model into a classical microeconomic analysis of insurance, particularly using the Gordon-Loeb security breach functions to determine the probability of an insurance claim. The model follows the tradition of the Gordon-Loeb model in being accessible to practitioners and decision makers in information security.