http://dx.doi.org/10.13089/JKIISC.2018.28.1.269

An Empirical Study of Relationship between Information Security Investment and Information Security Incidents: A Focus on Information Security Training, Awareness and Education Service Sector

Lee, Hansol (Ewha Womans University, Ewha School of Business)
Chai, Sangmi (Ewha Womans University, Ewha School of Business)
Abstract
Many organizations are threatened by numerous information security attacks, which result in information security incidents. To prevent such incidents, organizations invest in various information security measures, such as information security products, monitoring services, and security training and education. However, they do not have enough knowledge about the measurable utility of information security investments. Since there are few studies empirically examining the effect of information security investments, this research aims to determine the utility of information security investment. We especially focus on information security service investments. This study examined data from the survey on information security for the business sector, which was conducted by the Korean information & security agency. We utilized a negative binomial regression model, which is a suitable model for over-dispersed count data. We found that investment in information security education and vulnerability testing has a direct impact on reducing information security incidents. Academically, this research contributes by shedding light on the utility of information security investments in reducing information security incidents. Practically, it contributes by providing an information security investment guideline for organizations that want to reduce information security incidents efficiently.
Keywords
information security investment; information security product; information security service; security education, training, and awareness (SETA) programs; security monitoring; vulnerability testing