Karthik Kannan

Market Reactions to Information Security Breach Announcements: An Empirical Analysis

Losses due to information security breaches are notoriously difficult to measure. An event study of the effect of such breaches on financial performance found that they do not earn significantly negative abnormal returns. To verify whether this finding resulted from the aggregation of data across different characteristics (e.g., the nature of the breaches, the types of firms, the time periods of the study) the impact of each characteristic was analyzed. Again the results were not significantly negative. The study found that a negative bias followed the events of September 11, 2001. It also found that there was a difference in investor reactions to events during the dot-com era, when firms earned higher negative abnormal returns, and after the dot-com era. The implications are discussed.

Market for Software Vulnerabilities? Think Again

Software vulnerability disclosure has become a critical area of concern for policymakers. Traditionally, a Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public advisory so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The market-based infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities.The key question addressed in our paper is whether movement toward such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counterintuitive result is attributed to the market-based infomediarys incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. Even a regulated market-based mechanism performs better than a CERT-type one, but only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism--federally funded social planner--always performs better than a market-based mechanism.

The Association Between the Disclosure and the Realization of Information Security Risk Factors

Firms often disclose information security risk factors in public filings such as 10-K reports. The internal information associated with disclosures may be positive or negative. In this paper, we evaluate how the nature of the disclosed security risk factors, believed to represent the firms internal information regarding information security, is associated with future breach announcements reported in the media. For this purpose, we build a decision tree model, which classifies the occurrence of future security breaches based on the textual contents of the disclosed security risk factors. The model is able to accurately associate disclosure characteristics with breach announcements about 77% of the time. We further explore the contents of the security risk factors using text-mining techniques to provide a richer interpretation of the results. The results show that the disclosed security risk factors with risk-mitigation themes are less likely to be related to future breach announcements. We also investigate how the market interprets the nature of information security risk factors in annual reports. We find that the market reaction following the security breach announcement is different depending on the nature of the preceding disclosure. Thus, our paper contributes to the literature in information security and sheds light on how market participants can better interpret security risk factors disclosed in financial reports at the time when financial reports are released.

An Experimental Study of Information Revelation Policies in Sequential Auctions

Theoretical models of information asymmetry have identified a trade-off between the desire to learn and the desire to prevent an opponent from learning private information. This paper reports a laboratory experiment that investigates if actual bidders account for this trade-off, using a sequential procurement auction with private cost information and varying information revelation policies. Specifically, the Complete Information Revelation Policy, where all submitted bids are revealed between auctions, is compared to the Incomplete Information Revelation Policy, where only the winning bid is revealed. The experimental results are largely consistent with the theoretical predictions. For example, bidders pool with other types to prevent an opponent from learning significantly more often under a Complete Information Revelation Policy. Also as predicted, the procurer pays less when employing an Incomplete Information Revelation Policy only when the market is highly competitive. Bids are usually more aggressive than the risk-neutral quantitative prediction, which is broadly consistent with risk aversion. This paper was accepted by Teck Ho, decision analysis.

Storage optimization for a peer-to-peer video-on-demand network

This paper explores requirements for efficient pre-seeding of video-on-demand (VoD) movie data onto numerous customer set-top boxes in a cable ISP environment. The pre-seeded content will then be distributed to other set-top boxes in the same cable community using a peer-to-peer (P2P) network protocol such as BitTorrent. The challenges and solutions required for P2P VoD provided by a fixed provider such as a cable company are fundamentally different from those seen in traditional P2P networks or client-server VoD solutions. Our work pre-positions data into set-top boxes using a mathematical programming algorithm. The objective of the algorithm is to minimize uplink traffic, given a popularity model for various pieces of content and information about storage and bandwidth capacity constraints at the customer nodes. Given the complex non-linear nature of P2P interactions, these mathematical programs are solved using non-linear optimization approaches. Using a BitTorrent-like peer-to-peer data delivery system, we show through extensive simulations that our mathematical model for pre-seeding data based on object popularity and node bandwidth availability leads to noticeably greater reductions in uplink traffic and VoD server load than a weighted-random pre-seeding scheme that only considers object popularity.

Effects of Information Revelation Policies Under Cost Uncertainty

The paper presents insights regarding the key learning-related factors a buyer should consider when deciding the extent to which information about bids is revealed in a procurement auction context. It offers the insights by analyzing the following two first-price sealed-bid policies in a private-value sequential auction with no winner dropouts: (i) iis, where only the winners bid is revealed, and (ii) cis, where all bids are revealed. Our analysis identifies two important learning effects---the extraction and the deception effects---as having significant welfare implications. Both these effects arise because of a bidders desire to gain an informational advantage relative to his competitors, but their manifestations are different. The extraction effect occurs because of a bidders incentive to learn about his competitors, and the deception effect is a consequence of the incentive to prevent an opponent from gaining the information. Both effects lead to higher bid prices, and either may be dominant from a procurer surplus standpoint. With the deception effect, social welfare can decrease even when the number of suppliers increases, a result that is counterintuitive. The paper also discusses how insights regarding the learning effects might apply to other policies.

Allocating Objects in a Network of Caches: Centralized and Decentralized Analyses

We analyze the allocation of objects in a network of caches that collaborate to service requests from customers. A thorough analysis of this problem in centralized and decentralized setups, both of which occur in practice, is essential for understanding the benefits of collaboration. A key insight offered by this paper is that an efficient implementation of cooperative cache management is possible because, in the centralized scenario, the object allocation resulting in the best social welfare can be found easily as a solution to a transportation problem. For the decentralized scenario involving selfish caches, it is shown that pure equilibria exist and that the cache network always reaches a pure equilibrium in a finite number of steps, starting from any point in the strategy space. An auction mechanism is developed to derive prices that motivate the caches to hold objects in a manner such that the optimal social welfare is attained. In the special case of symmetric caches, simple algorithms are devised to find the optimal social welfare allocation, the best pure equilibrium, and the prices for sharing objects. The results obtained in this paper should be valuable in developing and evaluating cache-management policies. Resource-sharing problems with a similar cost structure exist in a variety of other domains, and the insights gained here are expected to extend to those scenarios as well.

Behavioral Experimentation and Game Theory in Engineering Systems Design

Game-theoretic models have been used to analyze design problems ranging from multi-objective design optimization to decentralized design and from design for market systems (DFMS) to policy design. However, existing studies are primarily analytical in nature, which start with a number of assumptions about the individual decisions, the information available to the players, and the solution concept (generally, the Nash equilibrium). There is a lack of studies related to engineering design, which rigorously evaluate the validity of these assumptions or that of the predictions from the models. Hence, the usefulness of these models to realistic engineering systems design has been severely limited. In this paper, we take a step toward addressing this gap. Using an example of crowdsourcing for engineering design, we illustrate how the analytical game-theoretic models and behavioral experimentation can be synergistically used to gain a better understanding of design situations. Analytical models describe what players with assumed behaviors and cognitive capabilities would do under specified conditions, and the behavioral experiments shed light on how individuals actually behave. The paper contributes to the design literature in multiple ways. First, to the best of our knowledge, it is a first attempt at integrated theoretical and experimental game-theoretic analysis in design. We illustrate how the analytical models can be used to design behavioral experiments, which, in turn, can be used to estimate parameters, refine models, and inform further development of the theory. Second, we present a simple experiment to understand behaviors of individuals in a design crowdsourcing problem. The results of the experiment show new insights on using crowdsourcing contests for design.

Digital Piracy, Teens, and the Source of Advice: An Experimental Study

The objective of our paper is to determine the effect of piracy advice from various sources on the behavior of the music consumer. Specifically, does it matter if the source of advice has a stake in the outcome of the piracy decision? Does it matter if the source of advice has a social tie with the advisee? Accordingly, we conduct a laboratory experiment using teenagers and their parents as subjects, increasing the realism of the context by sampling potential pirates and their parents. Treatments represent various sources of piracy advice (e.g., the teens parent, a record label, or an external regulator). Subjects make decisions playing our new experimental game—The Piracy Game—extended from the volunteers dilemma literature. Interestingly, subjects respond negatively to advice from record labels over time, purchasing fewer songs as compared to other sources such as the subjects parent. The existence of a social tie between the adviser and the subject assists in mitigating piracy, especially when a parent is facing potential penalties due to his or her childs behavior. An external regulator, having no social tie or stake in the decision, provides the least credible source of advice, leading to the greatest amount of piracy. Our analyses not only provide managerial insights but also develop theoretical understanding of the role of social ties in the context of advice.

Peer-to-peer video on demand: Challenges and solutions

The challenges and solutions required for peer-to-peer videoon- demand (P2P VoD) provided by a fixed provider such as a cable company are fundamentally different from those seen in traditional P2P networks or client-server VoD solutions. Unlike traditional P2P networks, the end nodes (set top boxes with DVR capabilities) are largely under control of the system provider. Consequently, issues like churn and free-loading are less substantial. Unlike client-server solutions, there is always a readily-available resource of peer nodes able to contribute even if they are not using the VoD service! This paper explores requirements for efficient preloading of VoD movie data onto numerous customer set-top boxes. This research is currently exploring mathematical programming algorithms that minimize uplink traffic, given a popularity model for various pieces of content and information about storage and bandwidth capacity constraints at the customer nodes. Given the complex non-linear nature of P2P interactions, these mathematical programs require non-linear optimization approaches or heuristic solutions. However, even heuristic solutions would likely provide substantial advantages over simple dynamic allocation.