Publication


Featured research published by Huseyin Cavusoglu.


International Journal of Electronic Commerce | 2004

The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

Huseyin Cavusoglu; Birendra K. Mishra; Srinivasan Raghunathan

Assessing the value of information technology (IT) security is challenging because of the difficulty of measuring the cost of security breaches. An event-study analysis, using market valuations, was used to assess the impact of security breaches on the market value of breached firms. The information-transfer effect of security breaches (i.e., their effect on the market value of firms that develop security technology) was also studied. The results show that announcing an Internet security breach is negatively associated with the market value of the announcing firm. The breached firms in the sample lost, on average, 2.1 percent of their market value within two days of the announcement--an average loss in market capitalization of $1.65 billion per breach. Firm type, firm size, and the year the breach occurred help explain the cross-sectional variations in abnormal returns produced by security breaches. The effects of security breaches are not restricted to the breached firms. The market value of security developers is positively associated with the disclosure of security breaches by other firms. The security developers in the sample realized an average abnormal return of 1.36 percent during the two-day period after the announcement--an average gain of $1.06 billion in two days. The study suggests that the cost of poor security is very high for investors.


Communications of The ACM | 2004

A model for evaluating IT security investments

Huseyin Cavusoglu; Birendra K. Mishra; Srinivasan Raghunathan

Assessing the return on investment has always been a sticking point for technology investments. Similar to the IT productivity paradox [1], Return on Security Investment (ROSI) has become a controversial topic due to the immense growth of e-businesses. Defining the value of security investments is challenging. However, it is clear that “security consumers will need to understand the variables that define ROSI and endure the discomfort of assigning dollar values to quantities that currently are extremely ill-defined” [12]. While calculating ROSI seems taxing, the increasing possibility and scope of IT security breaches due to increasing interconnectivity makes it imperative. As the number of security breaches increases exponentially according to the CERT (see Table 1), so does their cost. The 2003 CSI/FBI Computer Crime and Security Survey revealed that 56% of respondents detected security breaches. Information Week and PricewaterhouseCoopers LLP estimated that computer viruses and hacking took a $1.6 trillion toll on the worldwide economy and $266 billion in the U.S. [5]. Security breaches have a significant impact on the market values of firms too. We have estimated that compromised firms, on average, lost approximately 2.1% of their market values within two days surrounding security breaches [3]. This translates to an average loss of $1.65 billion in market capitalization per incident. Moitra and Konda [10] found that as investment in security increases, the survivability of firms from security breaches increases rapidly at first and then more slowly at higher levels of investment. Undoubtedly these figures point to the importance of more studies on the economics and management of IT security investments. The fear, uncertainty, and doubt (FUD) strategy has been used for years to sell investments in security [1]. However, according to Earthlink security experts Lisa Ekman and Lisa Hoyt, “Crying wolf may get the first firewall, but over the long run, you need a more well-rounded perspective” [12]. Since diverse security tech


Information Systems Research | 2005

The Value of Intrusion Detection Systems in Information Technology Security Architecture

Huseyin Cavusoglu; Birendra K. Mishra; Srinivasan Raghunathan

The increasing significance of information technology (IT) security to firms is evident from their growing IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems (IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating, a debate exists in the IT security community about the value of these technologies. In this paper, we seek to assess the value of IDSs in a firm's IT security architecture. We find that the IDS configuration, represented by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only when the detection rate is higher than a critical value, which is determined by the hacker's benefit and cost parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However, irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to better target its investigation of users, while keeping the detection rate the same. Our results suggest that the positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures the IDS optimally based on the hacking environment.


Journal of Management Information Systems | 2008

Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment

Huseyin Cavusoglu; Srinivasan Raghunathan; Wei T. Yue

Firms have been increasing their information technology (IT) security budgets significantly to deal with increased security threats. An examination of current practices reveals that managers view security investment as any other and use traditional decision-theoretic risk management techniques to determine security investments. We argue in this paper that this method is incomplete because of the problem's strategic nature—hackers alter their hacking strategies in response to a firm's investment strategies. We propose game theory for determining IT security investment levels and compare game theory and decision theory approaches on several dimensions such as the investment levels, vulnerability, and payoff from investments. We show that the sequential game results in the maximum payoff to the firm, but requires that the firm move first before the hacker. Even if a simultaneous game is played, the firm enjoys a higher payoff than that in the decision theory approach, except when the firm's estimate of the hacker effort in the decision theory approach is sufficiently close to the actual hacker effort. We also show that if the firm learns from prior observations of hacker effort and uses these to estimate future hacker effort in the decision theory approach, then the gap between the results of decision theory and game theory approaches diminishes over time. The rate of convergence and the extent of loss the firm suffers before convergence depend on the learning model employed by the firm to estimate hacker effort.


Management Science | 2008

Security Patch Management: Share the Burden or Share the Damage?

Hasan Cavusoglu; Huseyin Cavusoglu; Jun Zhang

Patch management is a crucial component of information security management. An important problem within this context from a vendor's perspective is to determine how to release patches to fix vulnerabilities in its software. From a firm's perspective, the issue is how to update vulnerable systems with available patches. In this paper, we develop a game-theoretic model to study the strategic interaction between a vendor and a firm in balancing the costs and benefits of patch management. Our objective is to examine the consequences of time-driven release and update policies. We first study a centralized system in a benchmark scenario to find the socially optimal time-driven patch management. We show that the social loss is minimized when patch-release and update cycles are synchronized. Next, we consider a decentralized system in which the vendor determines its patch-release policy and the firm selects its patch-update policy in a Stackelberg framework, assuming that release and update policies are either time driven or event driven. We develop a sufficient condition that guarantees that a time-driven release by the vendor and a time-driven update by the firm is the equilibrium outcome for patch management. However, in this equilibrium, the patch-update cycle of the firm may not be synchronized with the patch-release cycle of the vendor, making it impossible to achieve the socially optimal patch management in the decentralized system. Therefore, we next examine cost sharing and liability as possible coordination mechanisms. Our analysis shows that cost sharing itself may achieve synchronization and social optimality. However, liability by itself cannot achieve social optimality unless patch-release and update cycles are already synchronized without introducing any liability. Our results also demonstrate that cost sharing and liability neither complement nor substitute each other. Finally, we show that an incentive-compatible contract on cost sharing can be designed to achieve coordination in case of information asymmetry.


Information Systems Research | 2009

Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems

Huseyin Cavusoglu; Srinivasan Raghunathan; Hasan Cavusoglu


IEEE Transactions on Software Engineering | 2007

Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge

Huseyin Cavusoglu; Srinivasan Raghunathan


Management Science | 2014

Outsourcing Information Security: Contracting Issues and Security Implications

Asunur Cezar; Huseyin Cavusoglu; Srinivasan Raghunathan


IEEE Transactions on Engineering Management | 2007

Selecting a Customization Strategy Under Competition: Mass Customization, Targeted Mass Customization, and Product Proliferation

Huseyin Cavusoglu; Srinivasan Raghunathan


Information & Management | 2015

Institutional pressures in security management

Huseyin Cavusoglu; Hasan Cavusoglu; Jai-Yeol Son; Izak Benbasat

Collaboration

Top Co-Authors

Hasan Cavusoglu

University of British Columbia

Khim Yong Goh

National University of Singapore

Mei Li

National University of Singapore

Asunur Cezar

TOBB University of Economics and Technology

Tuan Quang Phan

National University of Singapore

Jun Zhang

University of Texas at Dallas