Title: Mandatory Standards and Organizational Information Security
Speaker: Dr. Chul Ho Lee, Xavier University
Time: Mar. 13 2013 at 9:30am—11:00am
Location: Room 216, School of Management
Abstract:
Mandatory security standards that force firms to establish minimum levels of security controls are enforced in many domains, including information security. The information security domain is characterized by multiple intertwined security controls, not all of which can be regulated by standards, yet compliance with existing security standards is often used by firms to deflect liability when a security breach occurs. Furthermore, strategic attackers may use standards to identify and target the controls left vulnerable. This paper studies when and how mandatory standards can harm a firm's information security. We consider a setting where a firm has two security controls that are linked in either a serial or a parallel configuration. One control is directly regulated by a security standard while the other is not. Under the serial configuration, we find that the firm's security can decrease as the standard is raised when the standard is not too high. Surprisingly, such a decrease is more likely to happen when the firm cares more about security. Under the parallel configuration, the firm's security can decrease as the standard is raised only when the standard is high enough and the firm's investment in the regulated control can significantly reduce its liabilities upon breach. When the standard is not too high, we show that strategic attacking behavior can augment the effectiveness of the standard, in that the firm will invest more in security than it would under nonstrategic attacks.
Job Candidate's Short Bio: Chul Ho Lee is Visiting Assistant Professor in the Department of Management Information Systems at Xavier University. He received his B.Sc. and M.A. degrees in Business Administration from Pusan National University and his Ph.D. from the Naveen Jindal School of Management at the University of Texas at Dallas. His research interests are in the economics of information security. He applies game-theoretic models to analyze issues related to double-sided moral hazard, security standards, and cloud security, and recommends policies that should lead to greater social welfare in the application of information security. He has a forthcoming paper in Information Systems Research.