http://dx.doi.org/10.7838/jsebs.2017.22.2.099

Security Standardization for Social Welfare in the Presence of Unverifiable Control

Lee, Chul Ho (Department of Business and Technology Management, College of Business, Korea Advanced Institute of Science and Technology)
Publication Information
The Journal of Society for e-Business Studies, Vol. 22, No. 2, 2017, pp. 99-121
Abstract
Standard makers in both the private and public sectors have increasingly mandated security standards on organizations to protect organizational digital assets. A major issue in security standardization is that a standard maker often cannot regulate all possible security efforts through a standard, because some efforts are unverifiable by nature. This paper studies, from an analytical perspective, how a standard maker should design a standard on a verifiable security control in the presence of another, related unverifiable one. We compare it with two benchmark standards: the naïve standard, which refers to a standard maker who ignores the existence of the unverifiable control, and the complete-information standard, which refers to a maker who sets standards on both controls. The optimal standard and the benchmark standards depend critically on how the two controls are configured. Under a parallel configuration, the existence of the unverifiable control induces the policy maker to set a higher standard (the complete-information standard is optimal); under a serial configuration, a lower standard is applied (neither benchmark works). Under a best-shot configuration, if the verifiable control is more cost-efficient, the existence of the unverifiable control has no impact on the optimal standard (the naïve standard is optimal).
Keywords
Information Security; Standard; Unverifiability; Naïve Standard; Complete-Information
Citations & Related Records
Times Cited By KSCI: 1