The impact of information systems on organizations and markets
Communications of the ACM
The economics of information security investment
ACM Transactions on Information and System Security (TISSEC)
Price-at-Risk: A methodology for pricing utility computing services
IBM Systems Journal
Internet Users' Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model
Information Systems Research
Information and Management
An Extended Privacy Calculus Model for E-Commerce Transactions
Information Systems Research
International Journal of Electronic Commerce
The Black Swan: The Impact of the Highly Improbable
The Black Swan: The Impact of the Highly Improbable
Overcoming Online Information Privacy Concerns: An Information-Processing Theory Approach
Journal of Management Information Systems
Risk Management of Contract Portfolios in IT Services: The Profit-at-Risk Approach
Journal of Management Information Systems
Interoperability of E-Government Information Systems: Issues of Identification and Data Sharing
Journal of Management Information Systems
Research Note---A Value-at-Risk Approach to Information Security Investment
Information Systems Research
Selection of optimal countermeasure portfolio in IT security planning
Decision Support Systems
Hi-index | 0.00 |
When a customer interacts with a firm, extensive personal information often is gathered without the individual's knowledge. Significant risks are associated with handling this kind of information. Providing protection may reduce the risk of the loss and misuse of private information, but it imposes some costs on both the firm and its customers. Nevertheless, customer information security breaches still may occur. They have several distinguishing characteristics: (1) typically it is hard to quantify monetary damages related to them; (2) customer information security breaches may be caused by intentional attacks, as well as through unintentional organizational and customer behaviors; and (3) the frequency of such incidents typically is low, although they can be very costly when they occur. As a result, predictive models and explanatory statistical analysis using historical data have not been effective. We present a profit optimization model for customer information security investments. Our approach is based on value-at-risk methods and operational risk modeling from financial economics. The main results of this work are that we: (1) provide guidance on the trade-offs between risk and return in customer information security investments; (2) define the range of efficient investments in technology-supported risk indemnification for sellers; (3) model how to handle government-dictated levels of investment versus self-regulation of investments in technology; and (4) characterize customer information security investment levels when the firm is able to pass some of its costs on to consumers. We illustrate our theoretical findings with empirical data from the Open Security Foundation, as a means of grounding our analysis and offering the reader intuition for the managerial interpretation of our theory and main results. The results show that we can narrow the decision set for solution providers and policy-makers based on the estimable risks and losses associated with customer information security. We also discuss the application of our approach in practice.