Divakaran Liginlal

Modeling attitude to risk in human decision processes: An application of fuzzy measures

Abstract Several models of the human decision process have been proposed, classical examples of which are utility theory and prospect theory. In recent times, the theory of fuzzy measures and integrals has emerged as an alternative meriting further investigation. Specifically, one is interested in the degrees of disjunction and conjunction and the veto and favor indices that represent the tolerance measure of the decision maker. Though several theoretical expositions have appeared in contemporary literature, empirical studies applying these concepts to the real world are scarce. This paper reports two studies based on a model of strategic telecommunication investment decisions from a research work involving a survey of executives. The first study involves building fuzzy models corresponding to each individual decision maker with the results grouped based on the decision makers’ propensity to risk as determined by their degrees of disjunction. The Shapley indices and the interaction effects are determined for each pooled dataset corresponding to each group. To contrast this approach with those of conventional nomothetic comparisons of decision policies, the decision makers are grouped based on a clustering analysis of the individual linear regression models. The data for each cluster are pooled and the fuzzy measures learned from the dataset are analyzed for comparison purposes. The results not only serve as a demonstration of fuzzy measure analysis as a viable approach to studying qualitative decision making but also provide useful methodological insights into applying fuzzy measures to strategic investment decisions under risk.

How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management

Privacy breaches and their regulatory implications have attracted corporate attention in recent times. An often overlooked cause of privacy breaches is human error. In this study, we first apply a model based on the widely accepted GEMS error typology to analyze publicly reported privacy breach incidents within the U.S. Then, based on an examination of the causes of the reported privacy breach incidents, we propose a defense-in-depth solution strategy founded on error avoidance, error interception, and error correction. Finally, we illustrate the application of the proposed strategy to managing human error in the case of the two leading causes of privacy breach incidents. This study finds that mistakes in the information processing stage constitute the most cases of human error-related privacy breach incidents, clearly highlighting the need for effective policies and their enforcement in organizations.

Valuing the flexibility of investing in security process innovations

In this paper, we develop a decision model of a firms optimal strategy for investment in security process innovations (SPIs) when confronted with a sequence of malicious attacks. The model incorporates real options as a methodology to capture the flexibility embedded in such investment decisions. SPIs, when seamlessly integrated with the organizations overall business dynamics, induce organizational learning and provide the flexibility of switching to more suitable technologies as the environment of malicious attacks changes. The theoretical contribution of this paper is a mathematical model of the invest-to-learn and switching options generated upon early investment in flexible SPIs. The practical significance of the paper is the application of a binomial lattice model to approximate the continuous-time model, resulting in an easy to use decision aid for managers.

A maximum entropy approach to feature selection in knowledge-based authentication

Feature selection is critical to knowledge-based authentication. In this paper, we adopt a wrapper method in which the learning machine is a generative probabilistic model, and the objective is to maximize the Kullback-Leibler divergence between the true empirical distribution defined by the legitimate knowledge and the approximating distribution representing an attacking strategy, both in the same feature space. The closed-form solutions to this optimization problem lead to three adaptive algorithms, unified under the principle of maximum entropy. Our experimental results show that the proposed adaptive methods are superior to the commonly used random selection method.

Quantifying the benefits of investing in information security

by Lara Khansa and divaKaran LiginLaL based model to value the flexibility of switching among compatible information security technologies. Other researchers have exposed the detrimental effects of security breaches on the market value of affected firms. For instance, Ettredge and Richardson found that the stock price of both B2C and B2B firms dropped significantly around the February 2000 denial-ofservice attack. Campbell et al. found that breaches related to confidential information had a significant negative effect on the stock price of firms. Prior research has also reported an information-transfer effect of malicious attacks on the market value of information security firms. In particular, Cavusoglu et al. showed that the stock price of information security firms is positively associated with the disclosure of security breaches by other firms. We measure overall investment in information security by the aggregated revenues of information security firms who control a prominent share of the various information security market segments. We propose to show the following. 1. Investment in information security is effective in reducing the severity of malicious attacks, which are known to adversely affect the stock price of breached firms. 2. Higher demand for information security products and services conveys a positive outlook for the information security sector and is associated with an increase in the stock price of information security firms.

On policy capturing with fuzzy measures

Policy capturing methods generally apply linear regression analysis to model human judgment. In this paper, we examine the application of fuzzy set and fuzzy measure theories to obtain subjective descriptions of cue importance for policy capturing. At the heart of the approach is a method of learning fuzzy measures. The Shapley values associated with the fuzzy measures provide a basis for comparison with the results of linear regression. However, the fuzzy measure-theoretical approach provides additional insight into interaction effects corresponding to the nonlinear, noncompensatory nature of the underlying decision model. To illustrate the methodology, we estimated the importance of factors and the interactions among them that influence decisions related to strategic investments in telecommunications infrastructure and compared the results from the fuzzy approach to those obtained from traditional statistical methods.

Understanding Members’ Active Participation in Online Question-and-Answer Communities: A Theory and Empirical Analysis

Abstract Community-based question-and-answer (Q&A) websites have become increasingly popular in recent years as an alternative to general-purpose Web search engines for open-ended complex questions. Despite their unique contextual characteristics, only a handful of Q&A websites have been successful in sustaining members’ active participation that, unlike lurking, consists of not only posting questions but also answering others’ inquiries. Because the specific design of the information technology artifacts on Q&A websites can influence their level of success, studying leading Q&A communities such as Yahoo! Answers (YA) provides insights into more effective design mechanisms. We tested a goal-oriented action framework using data from 2,920 YA users, and found that active online participation is largely driven by artifacts (e.g., incentives), membership (e.g., levels of membership and tenure), and habit (e.g., past behavior). This study contributes to the information systems literature by showing that active participation can be understood as the setting, pursuit, and automatic activation of goals.

Predicting stock market returns from malicious attacks: A comparative analysis of vector autoregression and time-delayed neural networks

With the growing importance of Internet-based businesses, malicious code attacks on information technology infrastructures have been on the rise. Prior studies have indicated that these malicious attacks are associated with detrimental economic effects on the attacked firms. On the other hand, we conjecture that more intense malicious attacks boost the stock price of information security firms. Furthermore, we use artificial neural networks and vector autoregression analyses as complementary methods to study the relationship between the stock market returns of information security firms and the intensity of malicious attacks, computed as the product of the number of malicious attacks and their severity levels. A major contribution of this work is the resulting time-delayed artificial neural network model that allows stock return predictions and is particularly useful as an investment decision support system for hedge funds and other investors, whose portfolios are at risk of losing market value during malicious attacks.

Fuzzy measure theoretical approach to screening product innovations

Variety of decision models have been proposed in contemporary literature to tackle the problem of screening product innovations. Although linear models have gained considerable attention and recommendation, contemporary literature contains strong evidence in support of nonlinear noncompensatory models. In this paper, the authors first demonstrate how fuzzy measures, which are defined on subsets of decision attributes, and their Choquet-integral formulation, which exhibits both compensatory and noncompensatory properties, have meaningful behavioral interpretations within the context of new-product screening. Then, they show how to address the complex problem of building such measures by applying a learning algorithm that relies on methods of judgment analysis. An accompanying case study demonstrates how organizations may customize a new product decision aid and fine tune their business strategy as actual results accrue. Finally, the authors present the results of analytical studies to compare the Choquet-integral model with other noncompensatory models, such as Martinos extended scoring model and Einhorns conjunctive model, and heuristic approaches, such as Tverskys EBA and the lexicographic method. For the new-product-decision scenario considered in the study, the Choquet-integral model provided the best fit, measured by Pearsons rank order correlation coefficient, with all of the competing models

Whither information security? Examining the complementarities and substitutive effects among IT and information security firms☆

Abstract The last few years have seen an increase in the mergers and acquisitions (M&A) activity among information security firms and other information technology (IT) firms offering complementary technologies. Using social network analysis methods, we investigate the characteristics and underlying dynamics of these M&A activities in the United States (US) over the period 1996–2008. Our results reveal a 400% increase from 1996 to 2006 in the cohesiveness of the network linking the information security firms and IT firms considered in our analysis. This, in turn, implies a move towards industry convergence. In particular, we show that M&As involving identity and access management (IAM) firms have become twice more central to M&As by IT firms in 2003 (compared to 2002), reflecting an increasing trend among IT firms to integrate IAM technologies within their products. The results in this paper provide M&A managers of IT firms with strategic insights into which complementary information security firms ought to be acquired.