Birendra K. Mishra

The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

Assessing the value of information technology (IT) security is challenging because of the difficulty of measuring the cost of security breaches. An event-study analysis, using market valuations, was used to assess the impact of security breaches on the market value of breached firms. The information-transfer effect of security breaches (i.e., their effect on the market value of firms that develop security technology) was also studied. The results show that announcing an Internet security breach is negatively associated with the market value of the announcing firm. The breached firms in the sample lost, on average, 2.1 percent of their market value within two days of the announcement--an average loss in market capitalization of

A model for evaluating IT security investments

1.65 billion per breach. Firm type, firm size, and the year the breach occurred help explain the cross-sectional variations in abnormal returns produced by security breaches. The effects of security breaches are not restricted to the breached firms. The market value of security developers is positively associated with the disclosure of security breaches by other firms. The security developers in the sample realized an average abnormal return of 1.36 percent during the two-day period after the announcement--an average gain of

The Value of Intrusion Detection Systems in Information Technology Security Architecture

1.06 billion in two days. The study suggests that the cost of poor security is very high for investors. rity, information technology security management, Internet security, security breach an-

Information sharing in supply chains: Incentives for information distortion

A ssessing the return on investment has always been a sticking point for technology investments. Similar to IT productivity paradox [1], Return on Security Investment (ROSI) has become a controversial topic due to immense growth of e-businesses. Defining the value of security investments is challenging. However, it is clear that “security consumers will need to understand the variables that define ROSI and endure the discomfort of assigning dollar values to quantities that currently are extremely ill-defined” [12]. While calculating ROSI seems taxing, increasing possibility and scope of IT security breaches due to increasing interconnectivity makes it imperative. As the number of security breaches increases exponentially according to the CERT (see Table 1) so does their cost. The 2003 CSI/FBI Computer Crime and Security Survey revealed that 56% of respondents detected security breaches. Information Week and PricewaterhouseCoopers LLP estimated that computer viruses and hacking took a

Open source versus closed source: software quality in monopoly and competitive markets

1.6 trillion toll on the worldwide economy and

The differential information hypothesis, firm size, and earnings information transfer: An empirical investigation

266 billion in the U.S. [5]. Security breaches have a significant impact on the market values of firms too. We have estimated that compromised firms, on average, lost approximately 2.1% of their market values within two days surrounding security breaches [3]. This translates to an average loss of

Minimizing retail shrinkage due to employee theft

1.65 billion in market capitalization per incident. Moitra and Konda [10] found that as investment in security increases the survivability of firms from security breaches increases rapidly at first and then more slowly at higher levels of investment. Undoubtedly these figures point to the importance of more studies on the economics and management of IT security investments. Fear, uncertainty, and doubt (FUD) strategy has been used for years to sell investments in security [1]. However, according to Earthlink security experts Lisa Ekman and Lisa Hoyt, “Crying wolf may get the first firewall, but over the long run, you need a more well-rounded perspective” [12]. Since diverse security techA Model for Evaluating IT Security Investments

Strategic Analysis of Corporate Software Piracy Prevention and Detection

The increasing significance of information technology (IT) security to firms is evident from their growing IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems (IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating, a debate exists in the IT security community about the value of these technologies. In this paper, we seek to assess the value of IDSs in a firms IT security architecture. We find that the IDS configuration, represented by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only when the detection rate is higher than a critical value, which is determined by the hackers benefit and cost parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However, irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to better target its investigation of users, while keeping the detection rate the same. Our results suggest that the positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures the IDS optimally based on the hacking environment.

Budgeting for information technology

The existing literature on supply chain information sharing assumes that information is shared truthfully. Unless each party can verify the authenticity of the other partys information, manufacturers and retailers may divulge false information for their own benefit. These information distortions may reduce the benefit levels or even stop information sharing in supply chains. We analyze the incentives for manufacturers and retailers within a supply chain to distort information when they share it and propose a mechanism that results in truthful information sharing. We consider a make-to-order supply chain consisting of a single manufacturer and a single retailer. The manufacturer and the retailer set prices based on their private forecasts of uncertain demand. If both parties share their forecasts truthfully, the manufacturer always benefits; however, the retailer benefits only if the manufacturer sets a lower wholesale price when information is shared compared to when information is not shared. However, we show that the manufacturer and the retailer, respectively, have an incentive to overstate and understate their forecasts while sharing information. The information distortion phenomenon is the direct result of each party exploiting its private information to appropriate the gains from information sharing. We show that the incentives to distort information are eliminated and both parties benefit from information sharing if the manufacturer and the retailer can agree on their relative profit margins prior to information sharing.

Autonomic-computing approach to secure knowledge management: a game-theoretic analysis

The open source model of software development has received substantial attention in the industry and popular media; nevertheless, critics frequently contend that open source softwares are inferior in quality compared to closed source software because of lack of incentives and project management, while proponents argue the opposite. This paper examines this quality debate by modeling and analyzing software quality, demand, profitability, and welfare under open and closed source environments in monopoly and competitive markets. The results show no dominant quality advantage of one method over another under all circumstances. Both open source and closed source qualities decrease in a competitive market. Conditions under which each method can generate higher quality software are examined.