http://dx.doi.org/10.7838/jsebs.2011.16.4.053

Analysis of the Impact of Security Liability and Compliance on a Firm's Information Security Activities  

Shim, Woo-Hyun (Synthesys, Inc.)
Publication Information
The Journal of Society for e-Business Studies / v.16, no.4, 2011, pp. 53-73
Abstract
Many governments have tried to develop a liability and compliance law that can improve cyber security in a sustainable way. This paper explores whether a liability and compliance law is effective in motivating firms' information security activities. In particular, I empirically investigate the impact of the 2007 Electronic Financial Transaction Act (EFTA), a liability and compliance law in Korea, on the information security activities of financial institutions and services providers. In spite of various criticisms of the effectiveness of EFTA, the empirical findings of this study clearly show that EFTA is having a positive impact on information security activities. From these findings, this article concludes that a liability and compliance law is likely to contribute to a certain degree to the achievement of sustainable development of cyber security.
Keywords
Electronic Financial Transaction Act (EFTA); Cyber-Security; Information Security Investment; Financial and Insurance Industry; Liability; Compliance;