Tridib Bandyopadhyay

Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest

Recent supply chain reengineering efforts have focused on integrating firms’ production, inventory and replenishment activities with the help of communication networks. While communication networks and supply chain integration facilitate optimization of traditional supply chain functions, they also exacerbate the information security risk: communication networks propagate security breaches from one firm to another, and supply chain integration causes breach on one firm to affect other firms in the supply chain. We study the impact of network security vulnerability and supply chain integration on firms’ incentives to invest in information security. We find that even though an increase in either the degree of network vulnerability or the degree of supply chain integration increases the security risk, they have different impacts on firms’ incentives to invest in security. If the degree of supply chain integration is low, then an increase in network vulnerability induces firms to reduce, rather than increase, their security investments. A sufficiently high degree of supply chain integration alters the impact of network vulnerability into one in which firms have an incentive to increase their investments when the network vulnerability is higher. Though an increase in the degree of supply integration enhances firms’ incentives to invest in security, private provisioning for security always results in a less than socially optimal security level. A liability mechanism that makes the responsible party partially compensate for the other party’s loss induces each firm to invest at the socially optimal level. If firms choose the degree of integration, in addition to security investment, then firms may choose a higher degree of integration when they decide individually than when they decide jointly, suggesting an even greater security risk to the supply chain.

Dynamic competition in IT security: A differential games approach

Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.

Simulation model development in information security education

The value of modeling and simulation for education, training, and testing in information security has been documented in several studies. In this paper, we suggest that it is important not only to include the general use of simulation in various courses of the security curriculum, but also to include the theory and development of simulation models. We describe briefly the general features of simulation models and tools for model development that we are using in computing education. A collection of educational simulation tools have been created in the OOPsim project, for developing discrete-event simulation models. The principal goal of this project is to develop newer simulation tools and approaches for education in computing. The Object Oriented Simulation Language, OOSimL, was recently developed with partial support from an NSF CPATH grant. Two object-oriented simulation models are discussed as typical examples discussed in a simulation course on security: a model of a distributed denial of service (DDoS) and a model of simple firewall system. These models were developed with educational simulation tools created in OOPsim project. We have also developed a course that emphasizes an approach to early introduction to object-oriented discrete-event simulation. The DDoS simulation model is implemented using the OOSimL simulation language. The Firewall simulation model was implemented in Java with the PsimJ2 object oriented simulation package; other models have been implemented in C++ using the Psim3 object oriented simulation package. The simulation tools and model development are very useful for educating and training students and professionals in information security, computer science, software engineering, information technology, and in other related disciplines.

Understanding Optimal Investment in Cyber Terrorism: A Decision Theoretic Approach

In this work, the author develops and explains a set of economic models under the decision theoretic framework to conceptualize the requisite levels of investment in the defense against cyber terrorism. This paper begins with a naïve model of cyber defense, on which the author progressively implements aspects of layered defense and domain conditionality to investigate practicable investment levels for countering cyber terrorism related risks. The proposed model characterizes the minimum budget below which a defending nation cannot feasibly contemplate to deploy more than one layer of defense against cyber terrorism. Beyond budgetary considerations, the paper also calculates the relative technological capabilities that the defending nation must possess to deploy a detection regime behind the first layer of protection regime. Finally, the author calculates and presents the optimal bifurcation of budget between the prevention and detection regimes should the defending nation possesses adequate funds to deploy layered defense in cyber terrorism. DOI: 10.4018/ijcwt.2011040103 International Journal of Cyber Warfare and Terrorism, 1(2), 18-34, April-June 2011 19 Copyright

ICT Integration Efforts in Higher Education in Developing Economies: The Case of Addis Ababa University, Ethiopia

A situational modified version of Tearle’s model (2004) is utilized in this study to understand the integration of ICTs in the educational process. The study evaluated self efficacy beliefs, institutional support and policy in the context of developing economies where challenges of inadequate resources and insufficient skills persist. We assess the state of affairs, and the challenges faced by teachers and management at Addis Ababa University, Ethiopia. The results show that educators are generally appreciative of ICTs role in the teaching/learning process.

Mobile healthcare services adoption

Recent penetration of mobile technologies opens exciting potential for e-healthcare in low-income countries - e-healthcare services can now reach the populations of rural and far away locations in a cost effective and timely manner. The final challenge however rests on successful user acceptance of the technologies of e-healthcare, which we investigate in this work. Our research enhance the basic TAM model with two additional context appropriate constructs from extant research to arrive at an extended TAM model that is suitable for understanding e-healthcare adoption in low-income countries. We operationalise the model with the help of a validated survey questionnaire in the health extensions workers of Ethiopia, a Sub-Saharan low-income country. Our result shows that compatibility positively affects adoption intention. These results demonstrate that inclusion of additional constructs of compatibility and network quality enhances the richness of the model and explain adoption intention in a more effective manner.

Mobile IT in health – the case of short messaging service in an HIV awareness program

ABSTRACT This study aims to augment our understanding of user intention to use mobile IT in health. Experiential dispositions and technology perceptions around a mobile service that is currently in use to access other value-seeking services are integrated to present an enriched characterization of intention to use m-health. Primary data from a pressing health context in a developing economy are collected to validate the model. The results demonstrate that previous experience from value services received on a mobile service enhances user attention, which in turn positively impacts the perceived usefulness of an incoming m-health program, which then influences user intention to adopt m-health services delivered on that mobile service. Overall, the findings provide a comprehensive understanding of user intention to accept m-health. Additionally, our results provide insights toward the choice of mobile technology and indicate aspects of message framing that may ensure practicable deployment and successful implementation of m-health programs.

Role of Intelligence Inputs in Defending Against Cyber Warfare and Cyberterrorism

This article examines the role of espionage in defending against cyber attacks on infrastructural firms. We analyze the problem using a game between a government, an infrastructural firm, and an attacker. If the attacker successfully breaches the IT security defenses of the infrastructural firm, primary losses accrue to that firm, while widespread collateral losses accrue to the rest of the economy. The government assists the infrastructural firm by providing intelligence inputs about an impending attack. We find that subject to some conditions, expenditure on intelligence adds value only when its amount exceeds a threshold level. Also, the nature of the equilibrium depends on the level of government expenditure in intelligence. We find that the optimal level of intelligence expenditure can change in seemingly unexpected ways in response to a shift in parameters. For example, reduced vulnerability of the infrastructural firm does not necessarily imply a reduction in intelligence-gathering effort. We also ...