IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v27y2016i1p70-86.html
   My bibliography  Save this article

Mandatory Standards and Organizational Information Security

Author

Listed:
  • Chul Ho Lee

    (Harbin Institute of Technology, Harbin, Heilongjiang 150001, China)

  • Xianjun Geng

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

  • Srinivasan Raghunathan

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75080)

Abstract

Mandatory security standards that force firms to establish minimum levels of security controls are enforced in many domains, including information security. The information security domain is characterized by multiple intertwined security controls, not all of which can be regulated by standards, but compliance with existing security standards is often used by firms to deflect liability if a security breach occurs. We analyze a stylized setting where a firm has two security controls that are linked in either a serial or a parallel configuration. One control is directly regulated by a security standard, whereas the other one is not. We show that a higher security standard does not necessarily lead to a higher firm security. Furthermore, the conditions under which a higher standard hurts the firm security are sharply different in the two—serial and parallel—configurations. If standard compliance leads to reduced liability for a firm following a breach, such liability reduction in turn weakens the tie between the standard and firm security. Under a setting in which the firm meets the optimal standard set by a policy maker, both firm security and social welfare are higher when the damage to the firm following a breach takes a higher share of the total damage to social welfare, and also when the firm takes a larger share of liability.

Suggested Citation

  • Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2016. "Mandatory Standards and Organizational Information Security," Information Systems Research, INFORMS, vol. 27(1), pages 70-86, March.
    • Handle: RePEc:inm:orisre:v:27:y:2016:i:1:p:70-86
    DOI: 10.1287/isre.2015.0607
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2015.0607
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2015.0607?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Pierpaolo Battigalli & Giovanni Maggi, 2002. "Rigidity, Discretion, and the Costs of Writing Contracts," American Economic Review, American Economic Association, vol. 92(4), pages 798-817, September.
    2. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    3. Bernheim, B Douglas & Whinston, Michael D, 1998. "Incomplete Contracts and Strategic Ambiguity," American Economic Review, American Economic Association, vol. 88(4), pages 902-932, September.
    4. Sasha Romanosky & Rahul Telang & Alessandro Acquisti, 2011. "Do data breach disclosure laws reduce identity theft?," Journal of Policy Analysis and Management, John Wiley & Sons, Ltd., vol. 30(2), pages 256-286, March.
    5. Hausken, Kjell, 2006. "Income, interdependence, and substitution effects affecting incentives for security investment," Journal of Accounting and Public Policy, Elsevier, vol. 25(6), pages 629-665.
    6. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    7. Kjell Hausken, 2006. "Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability," Information Systems Frontiers, Springer, vol. 8(5), pages 338-349, December.
    8. Dye, Ronald A, 1993. "Auditing Standards, Legal Liability, and Auditor Wealth," Journal of Political Economy, University of Chicago Press, vol. 101(5), pages 887-914, October.
    9. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    10. Julia S. Cheney, 2010. "Heartland Payment Systems: lessons learned from a data breach," Consumer Finance Institute discussion papers 10-01, Federal Reserve Bank of Philadelphia.
    11. Hausken, Kjell, 2007. "Information sharing among firms and cyber attacks," Journal of Accounting and Public Policy, Elsevier, vol. 26(6), pages 639-688.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    2. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
    3. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    4. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    5. Scott, Susan V. & Orlikowski, Wanda J., 2022. "The digital undertow: how the corollary effects of digital transformation affect industry standards," LSE Research Online Documents on Economics 112426, London School of Economics and Political Science, LSE Library.
    6. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    7. Natalie M. Scala & Allison C. Reilly & Paul L. Goethals & Michel Cukier, 2019. "Risk and the Five Hard Problems of Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 39(10), pages 2119-2126, October.
    8. Jacob Haislip & Jee-Hae Lim & Robert Pinsker, 2021. "The Impact of Executives’ IT Expertise on Reported Data Security Breaches," Information Systems Research, INFORMS, vol. 32(2), pages 318-334, June.
    9. Susan Scott & Wanda Orlikowski, 2022. "The Digital Undertow: How the Corollary Effects of Digital Transformation Affect Industry Standards," Information Systems Research, INFORMS, vol. 33(1), pages 311-336, March.
    10. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    2. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    3. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    4. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    5. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    6. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    7. Daniel Schatz & Rabih Bashroush, 0. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 0, pages 1-24.
    8. Hausken, Kjell, 2024. "Fifty Years of Operations Research in Defense," European Journal of Operational Research, Elsevier, vol. 318(2), pages 355-368.
    9. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    10. Guizhou Wang & Jonathan W. Welburn & Kjell Hausken, 2020. "A Two-Period Game Theoretic Model of Zero-Day Attacks with Stockpiling," Games, MDPI, vol. 11(4), pages 1-26, December.
    11. Xiaotong Li, 2022. "An evolutionary game‐theoretic analysis of enterprise information security investment based on information sharing platform," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(3), pages 595-606, April.
    12. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    13. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    14. Kjell Hausken & Jonathan W. Welburn, 2021. "Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits," Information Systems Frontiers, Springer, vol. 23(6), pages 1609-1620, December.
    15. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    16. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    17. Meilin He & Laura Devine & Jun Zhuang, 2018. "Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 215-225, February.
    18. Gao, Xing & Zhong, Weijun & Mei, Shue, 2013. "A game-theory approach to configuration of detection software with decision errors," Reliability Engineering and System Safety, Elsevier, vol. 119(C), pages 35-43.
    19. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    20. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:27:y:2016:i:1:p:70-86. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.