Fariborz Farahmand
Georgia Institute of Technology
Publication
Featured research published by Fariborz Farahmand.
Information Technology & Management | 2005
Fariborz Farahmand; Shamkant B. Navathe; Gunter P. Sharp; Philip H. Enslow
Electronic commerce and the Internet have enabled businesses to reduce costs, attain greater market reach, and develop closer partner and customer relationships. However, using the Internet has led to new risks and concerns. This paper provides a management perspective on the issues confronting CIOs and IT managers: it outlines the current state of the art for security in e-commerce, the important issues confronting managers, security enforcement measure/techniques, and potential threats and attacks. It develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. This methodology may be used to assess the probability of success of attacks on information assets in organizations, and to evaluate the expected damages of these attacks. The paper also outlines some possible remedies, suggested controls and countermeasures. Finally, it proposes the development of cost models which quantify damages of these attacks and the effort of confronting these attacks. The construction of one such cost model for security risk assessment is also outlined. It helps decision makers to select the appropriate choice of countermeasure(s) to minimize damages/losses due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations on the whole.
Information Systems Frontiers | 2013
Fariborz Farahmand; Eugene H. Spafford
There is considerable research being conducted on insider threats directed to developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to a conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between perceived risk and benefit by insiders and that their behavior cannot be explained well by the models that are based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders’ perceptions of risk and benefit, their risk-taking behavior and how to frame insider decisions. Finally, we recommend understanding risk of detection and creating a fair working environment to reduce the likelihood of committing criminal acts by insiders.
International Journal of Human-Computer Interaction | 2011
Robert W. Proctor; Shimon Y. Nof; Yuehwern Yih; Parasuram Balasubramanian; Jerome R. Busemeyer; Pascale Carayon; Chi-Yue Chiu; Fariborz Farahmand; Cleotilde Gonzalez; Jay P. Gore; Steven J. Landry; Mark R. Lehto; Pei-Luen Patrick Rau; William B. Rouse; Louis Tay; Kim-Phuong L. Vu; Sang Eun Woo; Gavriel Salvendy
In the global economy, design of digital media often involves teams of individuals from a variety of cultures who must function together. Similarly, products must be designed and marketed taking specific cultural characteristics into account. Much is known about decision processes, culture and cognition, design of products and interfaces for human interaction with machines, and organizational processes, but this knowledge is dispersed across several disciplines and research areas. This article reviews current work in these areas and proposes a research agenda for fostering increased understanding of the ways in which cultural differences influence decision making and action in design and use of digital media.
IEEE Transactions on Engineering Management | 2013
Fariborz Farahmand; Mikhail J. Atallah; Eugene H. Spafford
Technologies and procedures for effectively securing the enterprise in cyberspace exist, but are largely underdeployed. Reasons for this shortcoming include the neglect of the role of stakeholder perceptions in organizational reward systems, and misaligned incentives for effective allocation of resources. We present a methodology for practitioners to employ, with examples for identification of perverse incentives—situations where the interests of a manager or employee are not aligned with those of the organization—and for estimation of the damage caused by incentive misalignment. We present our revision to the risk perception model developed by Fischhoff and Slovic. We also present the results of our findings from our interviews of 42 information security executives across the U.S. about the role of risk perception and incentives in information security decisions. We discuss how to identify and to correct misalignments, to develop efficient incentive structures, and to include perceptual principles and security governance in making information security a property of the organizational environment. This research contributes to the practice and theory of information security, and has several implications for practitioners and researchers in the alignment of incentives and symmetrization of information across organizations.
Economics of Information Security | 2004
Fariborz Farahmand; Shamkant B. Navathe; Gunter P. Sharp; Philip H. Enslow
As organizations adopt increasingly sophisticated information systems, the challenge of protecting those systems becomes enormous. Accordingly, the single critical decision security managers have to make is the amount an organization is willing to spend on security measures to protect assets of the organization. To arrive at this decision, security managers need to know explicitly about the assets of their organizations, the vulnerability of their information systems to different threats, and their potential damages. Each threat and vulnerability must be related to one or more of the assets requiring protection. This means that prior to assessing damages we need to identify assets. Logical and physical assets can be grouped into five categories: 1) Information: Documented (paper or electronic) data or intellectual property used to meet the mission of an organization, 2) Software: Software applications and services that process, store, or transmit information, 3) Hardware: Information technology physical devices considering their replacement costs, 4) People: The people in an organization who possess skills, knowledge, and experience that are difficult to replace, and 5) Systems: Information systems that process and store information (systems being a combination of information, software, and hardware assets and any host, client, or server being considered a system). Various units of value or metrics for valuation of assets may be used. The common metric is monetary, which is generally used for data that represent money where the threat is direct financial theft or fraud. Some assets are difficult to measure in absolute terms but can be measured in relative ways, for example information. The value of information can be measured as a fraction or percentage of total budget, assets, or worth of a business in relative fashion. Assets may also be ranked by sensitivity or
Computational Science and Engineering | 2009
Fariborz Farahmand; Melissa Dark; Sydney Liles; Brandon Sorge
This paper discusses research-in-progress to identify and to assess information security and privacy risk perceptions. Our model is based upon previous psychometric models that include understanding and consequences as two main characteristics of perceptions of information security and privacy risks; and this work introduces ordinal scales to the identified characteristics. It also acknowledges the dynamics of perception by including the time element. The robustness of the model is that it is flexible enough to assess an individual’s perception of a risk, a user group’s perception of a risk, or the overall corporate perception of a risk and allows for the comparison of individual, group, and corporate risk perceptions. Using computer-related incidents identified in the Final Report of the Computer Incident Factor and Categorization Project, example situations were developed to guide the development and testing of our model for measuring information security and privacy risk perceptions. As part of our research-in-progress, this paper also presents an instrument that will be used to measure the perceptions of risk in online environments.
Journal of Computing in Higher Education | 2013
Fariborz Farahmand; Aman Yadav; Eugene H. Spafford
Virtual worlds present tremendous advantages to cyberlearning. For example, in virtual worlds users can socialize with others, build objects and share them, customize parts of the world and hold lectures, do experiments, or share data. However, virtual worlds pose a wide range of security, privacy, and safety concerns. This may lead educators to become (or not) apprehensive of the virtual worlds in using and adapting them as learning technologies. This study examined how educators perceive risks and uncertainties in virtual worlds. We also investigated how educators’ level of use of virtual worlds influences their risk perception level. Our results indicate a divergence between risk perception and reality in the virtual worlds. We use the seminal risk perception model developed by Fischhoff and his colleagues, and our revision to this model to explain these results. Finally, we discuss implications of our research for education management, and make recommendations to educators and policy makers who consider using virtual worlds as a learning technology.
IEEE Symposium on Security and Privacy | 2017
Fariborz Farahmand
The existing computational models of privacy decisions are derived from expected utility theory, and can be equated with the von Neumann-Morgenstern (1953) perspective on decision utility. Here, I introduce experienced utility to privacy research, and shed light on the computational relations of experienced utility and decision utility, and computational applications of behavioral economics theories and concepts.
IEEE Computer | 2017
Fariborz Farahmand
Studying the decisions of 25,646 domain name registrants reveals that behavioral economics models more accurately predict name choice than models based on expected utility theory. These findings have implications for Internet governance, and organizations that measure similarity and competition in domain name registration.
AICPS | 2003
Fariborz Farahmand; Shamkant B. Navathe; Philip H. Enslow; Gunter P. Sharp