
Research Note ---A Value-at-Risk Approach to Information Security Investment

Author

Listed:
  • Jingguo Wang

    (College of Business Administration, University of Texas at Arlington, Arlington, Texas 76019)

  • Aby Chaudhury

    (Bryant University, Smithfield, Rhode Island 02917)

  • H. Raghav Rao

    (School of Management, State University of New York at Buffalo, Buffalo, New York 14260)

Abstract

Information security investment has been getting increasing attention in recent years. Various methods have been proposed to determine the effective level of security investment. However, traditional expected value methods (such as annual loss expectancy) cannot fully characterize the information security risk confronted by organizations, considering some extremal yet perhaps relatively rare cases in which a security failure may be critical and cause high losses. In this research note we introduce the concept of value-at-risk to measure the risk of daily losses an organization faces due to security exploits and use extreme value analysis to quantitatively estimate the value at risk. We collect a set of internal daily activity data from a large financial institution in the northeast United States and then simulate its daily losses with information based on data snapshots and interviews with security managers at the institution. We illustrate our methods using these simulated daily losses. With this approach, decision makers can make a proper investment choice based on their own risk preference instead of pursuing a solution that minimizes only the expected cost.

Suggested Citation

  • Jingguo Wang & Aby Chaudhury & H. Raghav Rao, 2008. "Research Note ---A Value-at-Risk Approach to Information Security Investment," Information Systems Research, INFORMS, vol. 19(1), pages 106-120, March.
  • Handle: RePEc:inm:orisre:v:19:y:2008:i:1:p:106-120
    DOI: 10.1287/isre.1070.0143

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.1070.0143
    Download Restriction: no


    References listed on IDEAS

    1. Dickey, David A & Fuller, Wayne A, 1981. "Likelihood Ratio Statistics for Autoregressive Time Series with a Unit Root," Econometrica, Econometric Society, vol. 49(4), pages 1057-1072, June.
    2. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    3. Paul Embrechts, 1996. "Actuarial versus Financial Pricing of Insurance," Center for Financial Institutions Working Papers 96-17, Wharton School Center for Financial Institutions, University of Pennsylvania.
    4. Mark R. Manfredo & Raymond M. Leuthold, 1998. "Agricultural Applications of Value-at-Risk Analysis: A Perspective," Finance 9805002, University Library of Munich, Germany.
    5. Ely Dahan & Haim Mendelson, 2001. "An Extreme-Value Model of Concept Testing," Management Science, INFORMS, vol. 47(1), pages 102-116, January.
    6. Winfried Hallerbach & Bert Menkveld, 1999. "Value at Risk as a Diagnostic Tool for Corporates: The Airline Industry," Tinbergen Institute Discussion Papers 99-023/2, Tinbergen Institute.
    7. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.

    Citations



    Cited by:

    1. Elmar Kiesling & Andreas Ekelhart & Bernhard Grill & Christine Strauss & Christian Stummer, 2016. "Selecting security control portfolios: a multi-objective simulation-optimization approach," EURO Journal on Decision Processes, Springer;EURO - The Association of European Operational Research Societies, vol. 4(1), pages 85-117, June.
    2. Margareta Heidt & Jin P. Gerlach & Peter Buxmann, 2019. "Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments," Information Systems Frontiers, Springer, vol. 21(6), pages 1285-1305, December.
    3. Xue Bai & Ramayya Krishnan & Rema Padman & Harry Jiannan Wang, 2013. "On Risk Management with Information Flows in Business Processes," Information Systems Research, INFORMS, vol. 24(3), pages 731-749, September.
    4. Nicole L. Beebe & Diana K. Young & Frederick R. Chang, 2013. "Framing Information Security Budget Requests to Maximize Investments," Working Papers 0217is, College of Business, University of Texas at San Antonio.
    5. Tawei Wang & Karthik N. Kannan & Jackie Rees Ulmer, 2013. "The Association Between the Disclosure and the Realization of Information Security Risk Factors," Information Systems Research, INFORMS, vol. 24(2), pages 201-218, June.
    6. Bahram Alidaee & Haibo Wang & Jun Huang & Lutfu S. Sua, 2023. "Integrating Statistical Simulation and Optimization for Redundancy Allocation in Smart Grid Infrastructure," Energies, MDPI, vol. 17(1), pages 1-13, December.
    7. Stoel, M. Dale & Muhanna, Waleed A., 2011. "IT internal control weaknesses and firm performance: An organizational liability lens," International Journal of Accounting Information Systems, Elsevier, vol. 12(4), pages 280-304.
    8. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    9. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    10. Loic Maréchal & Alain Mermoud & Dimitri Percia David & Mathias Humbert, 2024. "Measuring the performance of investments in information security startups: An empirical analysis by cybersecurity sectors using Crunchbase data," Papers 2402.04765, arXiv.org, revised Feb 2024.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    2. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    3. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    4. Nizovtsev, Dmitri & Thursby, Marie, 2007. "To disclose or not? An analysis of software user behavior," Information Economics and Policy, Elsevier, vol. 19(1), pages 43-64, March.
    5. Fabio BISOGNI & Simona CAVALLINI & Sara DI TROCCHIO, 2011. "Cybersecurity at European Level: The Role of Information Availability," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(81), pages 105-124, 1st quart.
    6. Muhammad Zia Ullah Khan & Muhammad Illyas & Muqqadas Rahman & Chaudhary Abdul Rahman, 2015. "Money Monetization and Economic Growth in Pakistan," International Journal of Economics and Empirical Research (IJEER), The Economics and Social Development Organization (TESDO), vol. 3(4), pages 184-192, April.
    7. Yap, Wei Yim & Lam, Jasmine S.L., 2006. "Competition dynamics between container ports in East Asia," Transportation Research Part A: Policy and Practice, Elsevier, vol. 40(1), pages 35-51, January.
    8. Erasmia Kotroni & Dimitra Kaika & Efthimios Zervas, 2020. "Environmental Kuznets Curve in Greece in the period 1960-2014," International Journal of Energy Economics and Policy, Econjournals, vol. 10(4), pages 364-370.
    9. Shyh-Wei Chen, 2008. "Non-stationarity and Non-linearity in Stock Prices: Evidence from the OECD Countries," Economics Bulletin, AccessEcon, vol. 3(11), pages 1-11.
    10. Ely, David & Salehizadeh, Mehdi, 2001. "American depositary receipts: An analysis of international stock price movements," International Review of Financial Analysis, Elsevier, vol. 10(4), pages 343-363.
    11. Kazem Yavari & Mina Mehrnoosh, 2005. "The Welfare Cost of Inflation in Iran," Iranian Economic Review (IER), Faculty of Economics,University of Tehran.Tehran,Iran, vol. 10(2), pages 111-117, fall.
    12. Choi-Meng Leong & Chin-Hong Puah & Shazali Abu Mansor & Evan Lau, 2010. "Testing the Effectiveness of Monetary Policy in Malaysia Using Alternative Monetary Aggregation," Margin: The Journal of Applied Economic Research, National Council of Applied Economic Research, vol. 4(3), pages 321-338, August.
    13. Ali MNA & Moheddine YOUNSI, 2018. "A monetary conditions index and its application on Tunisian economic forecasting," Journal of Economics and Political Economy, KSP Journals, vol. 5(1), pages 38-56, March.
    14. Jan Babecký & Fabrizio Coricelli & Roman Horváth, 2009. "Assessing Inflation Persistence: Micro Evidence on an Inflation Targeting Economy," Czech Journal of Economics and Finance (Finance a uver), Charles University Prague, Faculty of Social Sciences, vol. 59(2), pages 102-127, June.
    15. Hauser, Shmuel & Kedar-Levy, Haim & Milo, Orit, 2022. "Price discovery during parallel stocks and options preopening: Information distortion and hints of manipulation," Journal of Financial Markets, Elsevier, vol. 59(PA).
    16. Rocha, Roberto de Rezende, 1991. "Inflation and stabilization in Yugoslavia," Policy Research Working Paper Series 752, The World Bank.
    17. Dhanya Jothimani & Ravi Shankar & Surendra S. Yadav, 2016. "Discrete Wavelet Transform-Based Prediction of Stock Index: A Study on National Stock Exchange Fifty Index," Papers 1605.07278, arXiv.org.
    18. Maria Soledad Martinez Peria, 2002. "The Impact of Banking Crises on Money Demand and Price Stability," IMF Staff Papers, Palgrave Macmillan, vol. 49(3), pages 1-1.
    19. Chi-Wei Su, 2012. "The relationship between exchange rate and macroeconomic variables in China," Zbornik radova Ekonomskog fakulteta u Rijeci/Proceedings of Rijeka Faculty of Economics, University of Rijeka, Faculty of Economics and Business, vol. 30(1), pages 33-56.
    20. Apergis, Nicholas, 2005. "An estimation of the natural rate of unemployment in Greece," Journal of Policy Modeling, Elsevier, vol. 27(1), pages 91-99, February.
