Humayun Zafar

Financial Impact of Information Security Breaches on Breached Firms and their Non-Breached Competitors

Information security breaches pose a growing threat to organizations and individuals, particularly those that are heavily involved in e-business/e-commerce. An information security breach can have wide-ranging impacts, including influencing the behaviors of competitors and vice versa within the context of a competitive marketplace. Therefore, there is a need for further exploration of implications of information security breaches beyond the focus of the breached firm. This study investigates the financial impact of publicly announced information security breaches on breached firms and their non-breached competitors. While controlling for size and the industry the firm operates in, the authors focus on specific types of information security breaches Denial of Service, Website Defacement, Data Theft, and Data Corruption. Unlike previous studies that have used event study methodology, the authors investigate information transfer effects that result from information security breaches using the matched sampling method. The study reveals statistically significant evidence of the presence of intra-industry information transfer for some types of security breaches. The authors also found evidence of contagion effects, but no similar evidence concerning competition effect.

The value of the CIO in the top management team on performance in the case of information security breaches

This study investigates whether presence of a CIO in the top management team (TMT) is an important indicator for better management of information, especially when an organization is involved in an information security breach incident. Using Upper Echelons Theory, our study relates the status of the CIO in an organization to organizational performance in the case of information security breaches using Tobin’s q. We argue that when an organization experiences an information security breach, the organization that has the CIO in the TMT can recover any damages or losses from the security breach incident quicker than the organization that does not. We categorize security breach incidents using the confidentiality, integrity, and availability (CIA) triad (Solomon and Chapple 2005), and conclude that having the CIO in the TMT has a significant positive impact on firm performance in the aftermath of security breach incidents. However, the degree of impact on performance varies, depending on the type of security breach.

Rethinking FS-ISAC: An IT Security Information Sharing Network Model for the Financial Services Sector

This study examines a critical incentive alignment issue facing FS-ISAC (the information sharing alliance in the financial services industry). Failure to encourage members to share their IT security-related information has seriously undermined the founding rationale of FS-ISAC. Our analysis shows that many information sharing alliances’ membership policies are plagued with the incentive misalignment issue and may result in a “freeriding” or “no information sharing” equilibrium. To address this issue, we propose a new information sharing membership policy that incorporates an insurance option and show that the proposed policy can align members’ incentives and lead to a socially optimal outcome. Moreover, when a transfer payment mechanism is implemented, all member firms will be better off joining the insurance network. These results are demonstrated in a simulation in which IT security breach losses are compared both with and without participating in the proposed information sharing insurance plan.

Security Risk Management at a Fortune 500 Firm: A Case Study

Abstract Information security is a naturally intrusive topic that has not been researched to its full extent in IS. Taking note of a previous information security study that failed and lessons learned from it, we successfully carry out a study of our own with some modifications. The purpose of the study was to successfully identify critical success factors for an effective security risk management program at a Fortune 500 firm. In this paper we detail the modified critical success factor method that was used, which we hope will prove beneficial for academic researchers. The study has practical implications in regard to being able to provide a method that corporations may find suitable when a sensitive subject is being investigated.

Gender-based differences in culture in the Indian IT workplace

We used Hofstedes Values Survey Module to compare Indian women and men in IT.We analyzed the gender differences and cultural preferences of 107 Indian IT workers.Using non-parametric statistics, Indian women scored lower than men on uncertainty avoidance and long-term orientation only.Managers should consider professional development, mentoring, and defined career paths to complement the Indian culture. Global outsourcing increases the complexity of managing IT projects. Gender adds another level of difficulty when managing IT projects. Understanding country and gender-level differences may improve chances for success. This paper provides opportunities to better understand underlying country and gender differences of Indian IT workers. We used Hofstedes value surveys module to analyze gender differences and cultural preferences of 107 Indian IT workers. After correcting for problems with outliers, none of the mean differences between men and women were significant at the 95% level; at the 90% level, we found differences in uncertainty avoidance and long-term orientation only. Our results suggest that women and men working in the IT industry may have more similarities in terms of national culture than differences by gender. To overcome possible differences in uncertainty avoidance and long-term orientation, IT outsourcers to India should ensure adequate professional development opportunities, mentoring programs, and clearly explained career path opportunities. Further, a focus on policies and management strategies that capitalize on the national culture of India, including group work to take advantage of collectivist tendencies, and clearly defined hierarchical systems to take advantage of masculine orientation and high power distances, may allow foreign companies to attract and retain men and women, where in many cases, national culture trumps gender differences. Future research should collect more data from women and investigate the effect of regional differences on cultural perceptions.

User Satisfaction Research in Information Systems: Historical Roots and Approaches

User satisfaction with information systems (IS) is considered an important indicator of information systems success and has been the subject of numerous research studies since the field’s inception. In this paper, we review the user satisfaction research in the IS field. We discuss the roots of user satisfaction research as it pertains to satisfaction studies in marketing research and how these studies have been used to inform the IS context. We also discuss how the study of user satisfaction and use of the construct in IS research has evolved and matured over time. Finally, we discuss antecedents and outcomes of user satisfaction identified in IS research and provide suggestions for future research.

The Russian and Ukrainian Information Technology Outsourcing Market: Potential, Barriers and Management Considerations

This study describes the advantages and disadvantages of information technology outsourcing to Ukraine and Russia. The results assist technology managers who wish to make an informed decision on whether or not to outsource information technology projects to Russia/Ukraine, considering two important issues: (1) the political, economic, and social landscape, and the advantages and disadvantages of choosing to locate information technology projects in the region and (2) the Russian/Ukrainian information technology workers’ teamwork perceptions. By understanding the countries and the potential information technology workers within that country, organizations should be able to develop management policies to improve chances of success. While the results indicate that well-educated and teamwork-oriented Russian and Ukrainian information technology employees may increase the chances of information technology outsourcing success, the authors remain skeptical regarding the political, economic, legal, social, and business environments.

Does a CIO Matter? Investigating the Impact of IT Security Breaches on Firm Performance Using Tobin's q

We empirically investigate the impact of a chief information officer (CIO) on firm performance in the event of IT security breaches. Using Resource Based View (RBV) as a theoretical base and linking it with the role of CIOs, we determine through twin generalized linear squares (GLS) regression models that a CIO indeed does have a significant impact at the macro- and micro- levels on firm performance. In this study, Tobins q is used as an indicator of firm performance in the context of IT security breach for the first time in IS. Our results have implications for both the practitioner and the academic, such as positive influences of CIOs, and an alternate strategy for computing firm performance respectively. We also set the stage for future research in this area.

Student Perceptions of Computer Use Ethics: A Decade in Comparison

This study examines student attitudes toward software piracy and questionable computer use acceptability. The study included computer use scenarios describing situations with ethical considerations and questions that examined the role of the individuals in the scenarios. Results from the current population of students were compared with the results from prior data collection. While the findings indicated only minor differences from the previous study, the true value of this research is in the provision of a set of scenarios and other perspectives that can be used in in-class discussions of ethics, policy and law.

URL Manipulation and the Slippery Slope: The Case of the Harvard 119 Revisited

While computer ethics and information security courses try to teach computer misuse and unauthorized access as clear black and white examples, when examining the use and potentially misuse of URLs the discussion becomes less clear. This paper examines a number of computer use ethical scenarios focusing on the modification of URLs within Web browsers. Using the documented case of applicants to several Ivy-league schools as a discussion point, this paper presents a survey of U.S. students enrolled in information security and computer ethics classes, asking at what point does modifying the URL become hacking, and at what point does it become unethical. The findings of this study are discussed.