Srinivasan Raghunathan

A model for evaluating IT security investments

A ssessing the return on investment has always been a sticking point for technology investments. Similar to IT productivity paradox [1], Return on Security Investment (ROSI) has become a controversial topic due to immense growth of e-businesses. Defining the value of security investments is challenging. However, it is clear that “security consumers will need to understand the variables that define ROSI and endure the discomfort of assigning dollar values to quantities that currently are extremely ill-defined” [12]. While calculating ROSI seems taxing, increasing possibility and scope of IT security breaches due to increasing interconnectivity makes it imperative. As the number of security breaches increases exponentially according to the CERT (see Table 1) so does their cost. The 2003 CSI/FBI Computer Crime and Security Survey revealed that 56% of respondents detected security breaches. Information Week and PricewaterhouseCoopers LLP estimated that computer viruses and hacking took a

Information Sharing in a Supply Chain: A Note on its Value when Demand Is Nonstationary

1.6 trillion toll on the worldwide economy and

Impact of demand correlation on the value of and incentives for information sharing in a supply chain

266 billion in the U.S. [5]. Security breaches have a significant impact on the market values of firms too. We have estimated that compromised firms, on average, lost approximately 2.1% of their market values within two days surrounding security breaches [3]. This translates to an average loss of

Beyond EDI: Impact of Continuous Replenishment Program (CRP) Between a Manufacturer and Its Retailers

1.65 billion in market capitalization per incident. Moitra and Konda [10] found that as investment in security increases the survivability of firms from security breaches increases rapidly at first and then more slowly at higher levels of investment. Undoubtedly these figures point to the importance of more studies on the economics and management of IT security investments. Fear, uncertainty, and doubt (FUD) strategy has been used for years to sell investments in security [1]. However, according to Earthlink security experts Lisa Ekman and Lisa Hoyt, “Crying wolf may get the first firewall, but over the long run, you need a more well-rounded perspective” [12]. Since diverse security techA Model for Evaluating IT Security Investments

Information sharing in supply chains: Incentives for information distortion

In a recent paper, Lee, So, and Tang (2000) showed that in a two-level supply chain with non-stationary AR(1) end demand, the manufacturer benefits significantly when the retailer shares point-of-sale (POS) demand data. We show in this paper, analytically and through simulation, that the manufacturers benefit is insignificant when the parameters of the AR(1) process are known to both parties, as in Lee, So, and Tang (LST). The key reason for the difference between our results and those of LST is that LST assume that the manufacturer also uses an AR(1) process to forecast the retailer order quantity. However, the manufacturer can reduce the variance of its forecast further by using the entire order history to which it has access. Thus, when intelligent use of already available internal information (order history) suffices, there is no need to invest in interorganizational systems for information sharing.

The impacts of the full returns policy on a supply chain with information asymmetry

Abstract Research on information sharing partnerships between manufacturers and retailers in a supply chain is relatively recent. The research has generally focused on models involving a single retailer or multiple retailers with independent demands. We analyze the value of demand information sharing in a one manufacturer– N retailer model in which demands at the retailers during a time period may be correlated. We use the well known Shapley value concept from game theory to analyze the expected manufacturer and retailer shares of the surplus generated from information sharing. We find that demand correlation affects the magnitude and shape of the surplus function, which, in turn, impacts the relative incentives of the manufacturer and retailers to form such partnerships. Higher correlation increases (reduces) the manufacturer (retailer) surplus. However, the declining marginal manufacturer surplus under high correlation condition may induce the manufacturer to limit the number of retailer partners. The impact of correlation among retailer demands on the value of and incentives for information sharing can be explained using the substitutable and complementary nature of demand information when they are highly and weakly correlated respectively.

Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems

Electronic data interchange (EDI), used traditionally to exchange business documents, has recently been extended to facilitate interorganizational collaborative processes such as the continuous replenishment program (CRP). The key characteristics of CRP are the sharing of real-time inventory data by retailers with manufacturers and continuous replenishment of retailer inventory by manufacturers. Prior research on EDI has focused on the transaction efficiency of EDI. We analyze the impact of information sharing and continuous replenishment in the CRP context and study the factors that affect the value of CRP. The study quantifies the value derived from CRP and the optimal number of retailers a manufacturer should partner with.

The value of information sharing in a multi-product, multi-level supply chain: Impact of product substitution, demand correlation, and partial information sharing

The existing literature on supply chain information sharing assumes that information is shared truthfully. Unless each party can verify the authenticity of the other partys information, manufacturers and retailers may divulge false information for their own benefit. These information distortions may reduce the benefit levels or even stop information sharing in supply chains. We analyze the incentives for manufacturers and retailers within a supply chain to distort information when they share it and propose a mechanism that results in truthful information sharing. We consider a make-to-order supply chain consisting of a single manufacturer and a single retailer. The manufacturer and the retailer set prices based on their private forecasts of uncertain demand. If both parties share their forecasts truthfully, the manufacturer always benefits; however, the retailer benefits only if the manufacturer sets a lower wholesale price when information is shared compared to when information is not shared. However, we show that the manufacturer and the retailer, respectively, have an incentive to overstate and understate their forecasts while sharing information. The information distortion phenomenon is the direct result of each party exploiting its private information to appropriate the gains from information sharing. We show that the incentives to distort information are eliminated and both parties benefit from information sharing if the manufacturer and the retailer can agree on their relative profit margins prior to information sharing.

Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge

Abstract In contrast to the existing return policies literature assuming that information is symmetrical between the manufacturer and the retailer, we study the full returns policy’s impact on supply chains with information asymmetry. We first study the case that the base level of the demand follows a discrete distribution with two states. We find that the retailer benefits from the full returns policy in all circumstances, while the manufacturer and the supply chain are better off under some conditions. We then consider the situation in which the base level of the demand is a type of AR(1) process.

Outsourcing Information Security: Contracting Issues and Security Implications

Proper configuration of security technologies is critical to balance the needs for access and protection of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. Furthermore, security technologies rely on each other for their operations, thereby affecting each others contribution. In this paper we study configuration of and interaction between a firewall and intrusion detection systems (IDS). We show that deploying a technology, whether it is the firewall or the IDS, could hurt the firm if the configuration is not optimized for the firms environment. A more serious consequence of deploying the two technologies with suboptimal configurations is that even if the firm could benefit when each is deployed alone, the firm could be hurt by deploying both. Configuring the IDS and the firewall optimally eliminates the conflict between them, ensuring that if the firm benefits from deploying each of these technologies when deployed alone, it will always benefit from deploying both. When optimally configured, we find that these technologies complement or substitute each other. Furthermore, we find that while the optimal configuration of an IDS does not change whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allowing more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration to benefit from these technologies.