Security Breach

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 360 Experts worldwide ranked by ideXlab platform

Cecilia Feng - One of the best experts on this subject based on the ideXlab platform.

  • The Impact of Information Security Breach Incidents on CIO Turnover
    Journal of Information Systems, 2019
    Co-Authors: Rajiv D Banker, Cecilia Feng
    Abstract:

    We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnov...

  • Does CIO Risk Appetite Matter? Evidence from Information Security Breach Incidents
    Social Science Research Network, 2018
    Co-Authors: Cecilia Feng, Tawei Wang
    Abstract:

    After a series of recent high-profile information security breach incidents, practitioners have engaged in heated debates about the role of the chief information officer (CIO), particularly his/her role in information security risk management. However, little is known in the academic literature about how a CIO’s appetite for risk affects the effectiveness of information security management. We address this gap by examining how a CIO’s risk appetite is associated with information security breach incidents. We show that the level of CIO risk aversion is negatively associated with the likelihood of breach incidents. Furthermore, we find that this association is stronger if the company’s chief executive officer (CEO) is also risk averse. In additional analyses, we show that the relationship between CIO risk aversion and breach incidents varies depending on breach type and the strategic position of the company and is moderated by the CIO’s power.

  • The Impact of Information Security Breach Incidents on CIO Turnover
    Social Science Research Network, 2018
    Co-Authors: Rajiv D Banker, Cecilia Feng
    Abstract:

    We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnover likelihood is higher when they fail to meet IT performance expectations, as reflected by security breaches. Specifically, we find that breaches caused by system deficiency increase CIO turnover likelihood by 72 percent. However, we find no such association for breaches caused by criminal fraud or human error. We extend our analyses to other executives and document that CEOs are more likely to turn over following breaches caused by both system deficiency and human error, consistent with their broader role within the firm. By contrast, we find no evidence suggesting that CFOs are more likely to turn over following breaches. The findings indicate negative labor market consequences for executives who fail to meet performance expectations within the scope of their duties.

Srinivasan Raghunathan - One of the best experts on this subject based on the ideXlab platform.

  • Mandatory Standards and Organizational Information Security
    Information Systems Research, 2016
    Co-Authors: Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan
    Abstract:

    Mandatory security standards that force firms to establish minimum levels of security controls are enforced in many domains, including information security. The information security domain is characterized by multiple intertwined security controls, not all of which can be regulated by standards, but compliance with existing security standards is often used by firms to deflect liability if a security breach occurs. We analyze a stylized setting where a firm has two security controls that are linked in either a serial or a parallel configuration. One control is directly regulated by a security standard, whereas the other one is not. We show that a higher security standard does not necessarily lead to a higher firm security. Furthermore, the conditions under which a higher standard hurts the firm security are sharply different in the two—serial and parallel—configurations. If standard compliance leads to reduced liability for a firm following a breach, such liability reduction in turn weakens the tie between...

  • Information Security Investment Strategies in Supply Chain Firms: Interplay Between Breach Propagation, Shared Information Assets and Chain Topology
    Americas Conference on Information Systems, 2005
    Co-Authors: Tridib Bandyopadhyay, Varghese S Jacob, Srinivasan Raghunathan
    Abstract:

    Firms in a supply chain share information assets among them, and make use of inter-firm network connections to enable quick information sharing. Both of these approaches have significant implications when a security breach occurs. One, the interconnections may become conduits for security breach propagation. Two, shared information assets now become vulnerable at the owner as well as at the partner firms’ sites. Therefore, an effective security investment strategy in a supply chain must take into account vulnerability issues arising out of propagation of security breaches and sharing of information assets. Investments in perimeter security technologies reduce direct vulnerability of information assets, but are ineffective in countering indirect breaches, which originate from partnering firms. Our research investigates interdependent security investment strategies of supply chain firms in a game-theoretic framework, and analyzes non-cooperative and centrally administered investment equilibria. We also provide comparative statics of these investments under specific value chain topologies.

  • The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers
    International Journal of Electronic Commerce, 2004
    Co-Authors: Huseyin Cavusoglu, Birendra K Mishra, Srinivasan Raghunathan
    Abstract:

    Assessing the value of information technology (IT) security is challenging because of the difficulty of measuring the cost of security breaches. An event-study analysis, using market valuations, was used to assess the impact of security breaches on the market value of breached firms. The information-transfer effect of security breaches (i.e., their effect on the market value of firms that develop security technology) was also studied. The results show that announcing an Internet security breach is negatively associated with the market value of the announcing firm. The breached firms in the sample lost, on average, 2.1 percent of their market value within two days of the announcement--an average loss in market capitalization of $1.65 billion per breach. Firm type, firm size, and the year the breach occurred help explain the cross-sectional variations in abnormal returns produced by security breaches. The effects of security breaches are not restricted to the breached firms. The market value of security developers is positively associated with the disclosure of security breaches by other firms. The security developers in the sample realized an average abnormal return of 1.36 percent during the two-day period after the announcement--an average gain of $1.06 billion in two days. The study suggests that the cost of poor security is very high for investors.

Ravi S. Behara - One of the best experts on this subject based on the ideXlab platform.

  • Economics of Information Security Investment in the Case of Concurrent Heterogeneous Attacks with Budget Constraints
    International Journal of Production Economics, 2013
    Co-Authors: Derrick C Huang, Ravi S. Behara
    Abstract:

    In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and derives the breach probability functions based on the theory of scale-free networks. The relationships among the major variables, such as network exposure, potential loss due to a security breach, investment effectiveness, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited information security budget to defend against two classes of security attacks (targeted and opportunistic) concurrently. Among the results of these analyses, we find that a firm with a limited security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, we find that managers should focus the security investment on preventing targeted attacks when the information systems are highly connected and relatively open and when the potential loss is large relative to the security budget.

  • An Economic Analysis of the Optimal Information Security Investment in the Case of a Risk-Averse Firm
    International Journal of Production Economics, 2008
    Co-Authors: Derrick C Huang, Ravi S. Behara
    Abstract:

    This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility theory, we find that for a risk-averse decision maker, the maximum security investment increases with, but never exceeds, the potential loss from a security breach, and there exists a minimum potential loss below which the optimal investment is zero. Our model also shows that the investment in information security does not necessarily increase with increasing level of risk aversion of the decision maker. Relationships between vulnerability and investment effectiveness and two broad classes of security breach probability functions are examined, leading to interesting insights that can be used as guidelines for managers to determine the optimal level of security investment for certain types of security threats faced by risk-averse firms. Future research directions are discussed based on the limitations and possible extensions of this study.

  • Economics of Information Security Investment in the Case of Simultaneous Attacks
    WEIS, 2006
    Co-Authors: Derrick C Huang, Qing Hu, Ravi S. Behara
    Abstract:

    With billions of dollars being spent on information security related products and services each year, the economics of information security investment has become an important area of research, with significant implications for management practices. Drawing on recent studies that examine optimal security investment levels under various attack scenarios, we propose an economic model that considers simultaneous attacks from multiple external agents with distinct characteristics, and derive optimal investments based on the principle of benefit maximization. The relationships among the major variables, such as systems vulnerability, security breach probability, potential loss of security breach, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited security budget to defend against two types of security attacks (distributed and targeted) simultaneously. Among the results of these analyses, we find that a firm with a small security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, when the potential loss from the targeted attacks and the system vulnerability are relatively large, the focal firm should allocate most of its budget to such attacks.

Rajiv D Banker - One of the best experts on this subject based on the ideXlab platform.

  • The Impact of Information Security Breach Incidents on CIO Turnover
    Journal of Information Systems, 2019
    Co-Authors: Rajiv D Banker, Cecilia Feng
    Abstract:

    We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnov...

  • The Impact of Information Security Breach Incidents on CIO Turnover
    Social Science Research Network, 2018
    Co-Authors: Rajiv D Banker, Cecilia Feng
    Abstract:

    We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnover likelihood is higher when they fail to meet IT performance expectations, as reflected by security breaches. Specifically, we find that breaches caused by system deficiency increase CIO turnover likelihood by 72 percent. However, we find no such association for breaches caused by criminal fraud or human error. We extend our analyses to other executives and document that CEOs are more likely to turn over following breaches caused by both system deficiency and human error, consistent with their broader role within the firm. By contrast, we find no evidence suggesting that CFOs are more likely to turn over following breaches. The findings indicate negative labor market consequences for executives who fail to meet performance expectations within the scope of their duties.

Derrick C Huang - One of the best experts on this subject based on the ideXlab platform.

  • Economics of Information Security Investment in the Case of Concurrent Heterogeneous Attacks with Budget Constraints
    International Journal of Production Economics, 2013
    Co-Authors: Derrick C Huang, Ravi S. Behara
    Abstract:

    In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and derives the breach probability functions based on the theory of scale-free networks. The relationships among the major variables, such as network exposure, potential loss due to a security breach, investment effectiveness, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited information security budget to defend against two classes of security attacks (targeted and opportunistic) concurrently. Among the results of these analyses, we find that a firm with a limited security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, we find that managers should focus the security investment on preventing targeted attacks when the information systems are highly connected and relatively open and when the potential loss is large relative to the security budget.

  • An Economic Analysis of the Optimal Information Security Investment in the Case of a Risk-Averse Firm
    International Journal of Production Economics, 2008
    Co-Authors: Derrick C Huang, Ravi S. Behara
    Abstract:

    This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility theory, we find that for a risk-averse decision maker, the maximum security investment increases with, but never exceeds, the potential loss from a security breach, and there exists a minimum potential loss below which the optimal investment is zero. Our model also shows that the investment in information security does not necessarily increase with increasing level of risk aversion of the decision maker. Relationships between vulnerability and investment effectiveness and two broad classes of security breach probability functions are examined, leading to interesting insights that can be used as guidelines for managers to determine the optimal level of security investment for certain types of security threats faced by risk-averse firms. Future research directions are discussed based on the limitations and possible extensions of this study.

  • Economics of Information Security Investment in the Case of Simultaneous Attacks
    WEIS, 2006
    Co-Authors: Derrick C Huang, Qing Hu, Ravi S. Behara
    Abstract:

    With billions of dollars being spent on information security related products and services each year, the economics of information security investment has become an important area of research, with significant implications for management practices. Drawing on recent studies that examine optimal security investment levels under various attack scenarios, we propose an economic model that considers simultaneous attacks from multiple external agents with distinct characteristics, and derive optimal investments based on the principle of benefit maximization. The relationships among the major variables, such as systems vulnerability, security breach probability, potential loss of security breach, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited security budget to defend against two types of security attacks (distributed and targeted) simultaneously. Among the results of these analyses, we find that a firm with a small security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, when the potential loss from the targeted attacks and the system vulnerability are relatively large, the focal firm should allocate most of its budget to such attacks.