Hasan Cavusoglu
University of British Columbia
Publication
Featured research published by Hasan Cavusoglu.
Management Science | 2008
Hasan Cavusoglu; Huseyin Cavusoglu; Jun Zhang
Patch management is a crucial component of information security management. An important problem within this context from a vendor's perspective is to determine how to release patches to fix vulnerabilities in its software. From a firm's perspective, the issue is how to update vulnerable systems with available patches. In this paper, we develop a game-theoretic model to study the strategic interaction between a vendor and a firm in balancing the costs and benefits of patch management. Our objective is to examine the consequences of time-driven release and update policies. We first study a centralized system in a benchmark scenario to find the socially optimal time-driven patch management. We show that the social loss is minimized when patch-release and update cycles are synchronized. Next, we consider a decentralized system in which the vendor determines its patch-release policy and the firm selects its patch-update policy in a Stackelberg framework, assuming that release and update policies are either time driven or event driven. We develop a sufficient condition that guarantees that a time-driven release by the vendor and a time-driven update by the firm is the equilibrium outcome for patch management. However, in this equilibrium, the patch-update cycle of the firm may not be synchronized with the patch-release cycle of the vendor, making it impossible to achieve the socially optimal patch management in the decentralized system. Therefore, we next examine cost sharing and liability as possible coordination mechanisms. Our analysis shows that cost sharing itself may achieve synchronization and social optimality. However, liability by itself cannot achieve social optimality unless patch-release and update cycles are already synchronized without introducing any liability. Our results also demonstrate that cost sharing and liability neither complement nor substitute each other. Finally, we show that an incentive-compatible contract on cost sharing can be designed to achieve coordination in case of information asymmetry.
Information Systems Research | 2009
Huseyin Cavusoglu; Srinivasan Raghunathan; Hasan Cavusoglu
Proper configuration of security technologies is critical to balance the needs for access and protection of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. Furthermore, security technologies rely on each other for their operations, thereby affecting each other's contribution. In this paper we study configuration of and interaction between a firewall and intrusion detection systems (IDS). We show that deploying a technology, whether it is the firewall or the IDS, could hurt the firm if the configuration is not optimized for the firm's environment. A more serious consequence of deploying the two technologies with suboptimal configurations is that even if the firm could benefit when each is deployed alone, the firm could be hurt by deploying both. Configuring the IDS and the firewall optimally eliminates the conflict between them, ensuring that if the firm benefits from deploying each of these technologies when deployed alone, it will always benefit from deploying both. When optimally configured, we find that these technologies complement or substitute each other. Furthermore, we find that while the optimal configuration of an IDS does not change whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allowing more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration to benefit from these technologies.
Journal of Management Information Systems | 2010
Hasan Cavusoglu; Nan Hu; Yingjiu Li; Dan Ma
Information technology (IT) innovations follow a diverse set of diffusion patterns. Early diffusion models explaining technology diffusion patterns assumed that there is a single homogeneous segment of potential adopters. It was later shown that a two-segment model considering two groups of adopters explains variations in diffusion patterns better than the existing one-segment models. While the two-segment model considers a group of adopters promoting adoption by exerting a positive influence on prospective adopters, it does not consider the members of society who aim to inhibit the adoption process by exerting a negative influence on prospective adopters. In fact, most IT innovations face opposition. Yet it is not clear how opposition affects the diffusion process. In this paper, we model the diffusion of an IT innovation through its target population with three types of actors: influentials, who are autonomous in adopting new technology and promote its adoption; opponents, who are opposed to the technology and inhibit its adoption; and imitators, who are information seekers, thus affected by both influentials and opponents. We show that opponents play a crucial role in determining the diffusion path of an innovation. The empirical tests using real as well as simulated data sets demonstrate the ability of our model to fit the data better and to identify the segments of adopters correctly.
Journal of Medical Internet Research | 2013
Sean A. Munson; Hasan Cavusoglu; Larry Frisch; Sidney S. Fels
Social media tools that connect patients, caregivers, and health providers offer great potential for helping people access health advice, receive and give social support, manage or cope with chronic conditions, and make day-to-day health decisions. These systems have seen widespread adoption, but often fail to support the goals as fully as designers and users would like. Through Ackerman’s lens of the “sociotechnical gap” and computer supported cooperative work (CSCW) as a science of the artificial, we review contemporary sociotechnical challenges and progress for using social media to support health. These challenges include a tension between privacy and sharing, policy information credibility, accessibility, and tailoring in social spaces. Those studying, building, deploying, and using social media systems to further health goals will benefit from approaching this work by borrowing from Ackerman’s framing of CSCW. In particular, this requires acknowledgment that technical systems will not fully meet our social goals, and then adopting design and educational approaches that are appropriate to fill this gap, building less-nuanced systems as partial solutions and tools for advancing our understanding, and by working with the CSCW research community to develop and pursue key lines of inquiry.
Information & Management | 2015
Huseyin Cavusoglu; Hasan Cavusoglu; Jai-Yeol Son; Izak Benbasat
Organizations invest in three types of information security control resources (ISCR). Internal security needs assessment (ISNA) affects the level of ISCR in organizations. Key activities of ISNA are security investment rationale and risk analysis. Institutional pressures affect ISCR directly and indirectly through ISNA. Coercive and normative pressures are two critical institutional pressures. To offer theoretical explanations of why differences exist in the level of information security control resources (ISCR) among organizations, we develop a research model by applying insights obtained from resource-based theory of the firm and institutional theory. The results, based on data collected through a survey of 241 organizations, generally support our research model. Institutional pressures and internal security needs assessment (ISNA) significantly explain the variation in organizational investment in ISCR. Specifically, coercive and normative pressures are found to have not only a direct impact but also an indirect impact through ISNA on organizational investment in ISCR.
Information & Management | 2016
Shan Wang; Hasan Cavusoglu; Ziliang Deng
This research investigates whether early mover advantage (EMA) exists among entrepreneurial e-tailers operating on third-party e-commerce platforms. Contrary to traditional wisdom, the current research hypothesizes that e-tailers may enjoy early mover advantages because of the consumer demand inertia amplified by the nature of the Internet and the system design characteristics of e-commerce platforms. We also argue that customer relationship management capabilities help enhance early mover advantages in an online setting. We employ panel data on 7309 e-tailers to perform analyses and find empirical evidence that strongly supports the abovementioned hypotheses.
Computational Science and Engineering | 2009
Burcu Bulgurcu; Hasan Cavusoglu; Izak Benbasat
This research aims to identify the factors that drive an employee to comply with requirements of the Information Security Policy (ISP) with regard to protecting her organization’s information and technology resources. Two different research models are proposed for an employee’s individual based beliefs and organization based beliefs. An employee’s attitude is traced to its underlying foundational beliefs in each model, namely, benefit of compliance, cost of non-compliance, and cost of compliance, which are beliefs that represent the perceived effects of compliance or non-compliance. It is also postulated that these beliefs along with an employee’s attitude are affected by her Information Security Awareness (ISA). Besides the structural model testing of individual and organizational models of compliance, the moderating role of an employee’s work experience is investigated. Our results show that, while individual benefit of compliance and cost of compliance are not significant in the low experience group, all individual based beliefs are significant in the high experience group. Similarly, organizational benefit of compliance is not significant in the low experience group, while all organization based beliefs are significant in the high experience group. Furthermore, ISA is found to affect an employee’s attitude and all her individual and organization based beliefs. As organizations strive to get their employees to follow their information security rules and regulations, our study mainly sheds light on the moderating role of an employee’s work experience in changing the strength of individual and organization based beliefs on employees’ attitude as well as her ISA.
Information Systems Research | 2016
Huseyin Cavusoglu; Tuan Quang Phan; Hasan Cavusoglu; Edoardo M. Airoldi
We examine the role of granular privacy controls on dynamic content-sharing activities and disclosure patterns of Facebook users based on the exogenous policy change in December 2009. Using a unique panel data set, we first conduct regression discontinuity analyses to verify a discontinuous jump in context generation activities and disclosure patterns around the time of the policy change. We next estimate unobserved effects models to assess the short-run and long-run effects of the change. Results show that Facebook users, on average, increase use of wall posts and decrease use of private messages after the introduction of granular privacy controls. Also, users’ disclosure patterns change to reflect the increased openness in content sharing. These effects are realized immediately and over time. More importantly, we show that user-specific factors play crucial roles in shaping users’ varying reactions to the policy change. While more privacy sensitive users (those who do not reveal their gender and/or thos...
Information Technology & Management | 2009
Sameh Al-Natour; Hasan Cavusoglu
The role of knowledge in organizations has been conceptualized in ways that range from viewing it as a primary input to the production process, to offering a knowledge-based view of the whole organization. While divergent in their approaches, the differing views increasingly emphasize the role of inter-functional and inter-organizational knowledge linkages in determining the performance of a firm (Grant and Baden-Fuller in J Manag Stud 41(1):61–84, 2004). This paper offers a conceptualization of these linkages in what is termed a knowledge dependency. Adopting the view of knowledge as the primary organizational resource (Grant in Strateg Manag J 17(Winter Special Issue):109–122, 1996), we use ideas and concepts from the resource dependency theory (Pfeffer and Salancik in The external control of organizations: a resource dependence perspective, 1978) and knowledge transformation cycle (Carlile and Rebentisch in Manag Sci 49(9):1180–1195, 2003) to identify relevant constructs and relationships needed to model these knowledge dependencies. Building on a number of already established modeling techniques, we propose a new modeling grammar that explicitly captures the appropriation of knowledge in activities needed to realize the identified goals, and the knowledge flows between the different actors in an application domain. The resulting script (strategic knowledge-based dependency diagram) is a conceptual model that aids in the analysis stage preceding the design of an information system that supports knowledge-based processes across organizations.
Decision Support Systems | 2015
Shan Wang; Hasan Cavusoglu
This research investigates the determinants of the performance of small and medium sized manufacturers on business-to-business electronic marketplaces (B2B EMs). Based on the resource-based view, the framework proposed suggests that a manufacturing firm's performance on a B2B EM is determined by EM enabling capabilities, namely the online marketing capability, flexible manufacturing capability and content management capability. Further, the framework posits that these EM enabling capabilities are in turn determined by the firm's IT capability. Data from 358 online manufacturers participating in a B2B EM is collected and analyzed. The results confirm our hypotheses that the online marketing capability, flexible manufacturing capability and content management capability fully mediate the impact of the IT capability on the firm's online performance. Furthermore, the online marketing capability is found to be a stronger factor in influencing the manufacturers' online performance than the others. Performance of manufacturers operating on B2B electronic marketplaces is studied. The model explaining the performance includes IT capability and EM enabling capabilities of the manufacturers. The research model was tested using data from 358 online manufacturers. IT capability positively affects the performance of manufacturers through the mediation of EM enabling capabilities.