Sage Journals: Discover world-class research

Abstract

In the last decade and recently, a wide range of industries and organizations have been subject to IT-related security threats and cybersecurity breaches of varying degrees of severity at an alarming rate. A common practice adopted by organizations to ensure system and network security is to conduct regular audits and assessments. This paper takes on an organizational strategy perspective to analytically model the cost impact of random breaches in various types of networks subject to different types of audit policy. The analysis focuses on the interplay between the cost associated with a security breach on the one hand, and audit policy on the other. We develop a model for a non-stationary stochastic arrival process of security breaches and analyze the impact on mean and variance of total cost of different network configurations and audit policies. The generality of our modeling of the arrival process and the cost function permits a variety of attack and cost landscapes to be modeled and analyzed, with different breach intensities and costs (as functions of time) leading to different recommendations in terms of effective audit policy. Our analysis highlights the impact of intensity of security breach and cost of breach on the interaction between different network configurations and audit policies. One of our counter-intuitive findings is that under high security threat conditions a centralized network has a lower mean as well as a lower variance of total cost than a decentralized network, in case of cyclic and random audits; this analytically derived proposition is an interesting instance of a dual risk-pooling effect that goes beyond conventional risk-pooling. We extend our analysis to consider an asymmetric network and correlated breaches.

Keywords

Security Breaches Cost of Breach Network Audit Policies

Get full access to this article

View all access options for this article.

References

Angst

Block

D’Arcy

, et al. (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly 41(3): 893–916.

August

Dao

Kim

(2019) Market segmentation and software security: Pricing patching rights. Management Science 65(10): 4575–4597.

Bejtlich

(2013) The Practice of Network Security Monitoring: Understanding Incident Detection and Response. San Francisco, CA: No Starch Press.

Bensoussan

Mookerjee

Yue

(2020) Managing information system security under continuous and abrupt deterioration. Production and Operations Management 29(8): 1894–1917.

Blocki

Christin

Datta

, et al. (2015) Audit games with multiple defender resources. In: Proceedings of the twenty-ninth AAAI conference on artificial intelligence, pp.791–797.

Capoot

(2024) UnitedHealth Group has paid more than $3 billion to providers following cyberattack. CNBC (Mar 27). Available at: https://www.cnbc.com/2024/03/27/unitedhealth-group-paid-over-3-billion-to-providers-since-cyberattack.html (accessed 9 April 2024).

Cavusoglu

Zhang

(2008a) Security patch management: Share the burden or share the damage? Management Science 54(4): 657–670.

Cavusoglu

Mishra

Raghunathan

(2005) The value of intrusion detection systems in information technology security architecture. Information Systems Research 16(1): 28–46.

Cavusoglu

Raghunathan

Cavusoglu

(2009) Configuration of and interaction between information security technologies: The case of firewalls and intrusion detection systems. Information Systems Research 20(2): 198–217.

10.

Cavusoglu

Raghunathan

Yue

(2008b) Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems 25(2): 281–304.

11.

Cerdeiro

Dziubiński

Goyal

(2015) Contagion risk and network design. FEEM Working Paper, 65 pages.

12.

Cezar

Cavusoglu

Raghunathan

(2017) Sourcing information security operations: The role of risk interdependency and competitive externality in outsourcing decisions. Production and Operations Management 26(5): 860–879.

13.

D’Arcy

Adjerid

Angst

, et al. (2020) Too good to be true: Firm social performance and the risk of data breach. Information Systems Research 31(4): 1200–1223.

14.

Diamond

(2024) HHS opens probe into UnitedHealth’s cybersecurity as hack fallout continues. The Washington Post (Mar 13). Available at: https://www.washingtonpost.com/health/2024/03/13/patient-data-breach-hhs-probe-unitedhealth-14/02change-healthcare/ (accessed 9 April 2024).

15.

Dibbern

Goles

Hirschheim

, et al. (2004) Information systems outsourcing: A survey and analysis of the literature. ACM SIGMIS Database: the DATABASE for Advances in Information Systems 35(4): 6–102.

16.

Di Pietro

Mancini

(eds) (2008) Intrusion Detection Systems (Vol. 38). New York, NY: Springer Science & Business Media.

17.

Dziubiński

Goyal

(2017) How do you defend a network? Theoretical Economics 12(1): 331–376.

18.

Goel

Shawky

(2009) Estimating the market impact of security breach announcements on firm values. Information & Management 46(7): 404–410.

19.

Goode

Hoehle

Venkatesh

, et al. (2017) User compensation as a data breach recovery action. MIS Quarterly 41(3): 703–727.

20.

Goyal

Jabbari

Kearns

, et al. (2016) Strategic network formation with attack and immunization. In: Web and internet economics: 12th international conference, WINE 2016, Montreal, Canada, December 11-14, 2016, Proceedings 12, pp.429–443. Springer.

21.

Goyal

Vigier

(2014) Attack, defence, and contagion in networks. The Review of Economic Studies 81(4): 1518–1542.

22.

Hui

K-L

Hui

Yue

(2012) Information security outsourcing with system interdependency and mandatory security requirement. Journal of Management Information Systems 29(3): 117–156.

23.

IBM (2023) Cost of a Data Breach 2023. Available at: https://www.ibm.com/reports/data-breach (accessed 4 April 2024).

24.

Kumar

Mookerjee

(2016) When being hot is not cool: Monitoring hot lists for information security. Information Systems Research 27(4): 897–918.

25.

Kannan

Rahman

Tawarmalani

(2016) Economic and policy implications of restricted patch distribution. Management Science 62(11): 3161–3182.

26.

Kar

Nguyen

Fang

, et al. (2017) Trends and applications in Stackelberg security games. In: Başar T, Zaccour G (eds) Handbook of Dynamic Game Theory. Switzerland: Springer Cham, pp.1223–1269.

27.

Krebs

(2014) Email Attack on Vendor Set Up Breach at Target. KrebsonSecurity (Feb 2014). Available at: https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ (accessed 8 July 2023).

28.

Liu

C-W

Huang

Lucas

(2020) Centralized IT decision making and cybersecurity breaches: Evidence from U.S. higher education institutions. Journal of Management Information Systems 37(3): 758–787.

29.

McMillan

Volz

(2021) Solarwinds Hackers Continue to Hit Technology Companies, Says Microsoft. Wall Street Journal (Oct 25). Available at: https://www.wsj.com/articles/microsoft-solarwinds-hackers-continue-to-hit-technology-companies-11635145200 (accessed 28 March 2023).

30.

Ogut

Cavusoglu

Raghunathan

(2008) Intrusion-detection policies for IT security breaches. INFORMS Journal on Computing 20(1): 112–123.

31.

Pang

M-S

Tanriverdi

(2022) Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government. Journal of Strategic Information Systems 31(1): 101707.

32.

Park

Son

Angst

(2023) The value of centralized it in building resilience during crises: Evidence from us higher education’s transition to emergency remote teaching. MIS Quarterly 47(1): 451–482.

33.

Sinha

Fang

, et al. (2018) Stackelberg security games: Looking beyond a decade of success. In: Proceedings of the twenty-seventh international joint conference on artificial intelligence, pp.5494–5501. IJCAI.

34.

Sinha

Nguyen

Kar

, et al. (2015) From physical security to cybersecurity. Journal of Cybersecurity 1(1): 19–35.

35.

Stouffer

Pillitteri

Lightman

, et al. (2015) Guide to industrial control systems (ICS) security. NIST Special Publication 800(82): 1–247.

36.

Straub

(1990) Effective IS security: An empirical study. Information Systems Research 1(3): 255–276.

37.

Straub

Welke

(1998) Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22(4): 441–469.

38.

Stupak

(2023) Secure and efficient networks. The Workshop on the Economics of Information Security 2023 (WEIS 2023), 97 pages.

39.

Xue

Ray

(2011) Environmental uncertainty and it infrastructure governance: A curvilinear relationship. Information Systems Research 22(2): 389–399.

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.00 MB

0.45 MB

Network Structures,Audit Policies and the Cost of Security Breaches

Abstract

Keywords

Get full access to this article

References

Supplementary Material