Traditionally, IT security investment decisions are made in isolation. However, as firms that compete for customers in an industry are closely interlinked, a macro perspective is needed in analyzing the IT security spending decisions and this is a key contribution of the paper. We introduce the notions of direct- and cross-risk elasticity to describe the customer response to adverse IT security events in the firm and competitor, respectively, thus allowing us to analyze optimal security investment decisions. Both symmetric and asymmetric cases are examined for a duopoly in a continuous-time Markov chain (CTMC) setting. We demonstrate that optimal IT security spending, expected firm profits and willingness of firms to cooperate with competitors to improve security are highly dependent on the nature of customer response to adverse events, especially whether customer response to adverse security events in the competitor increases or decreases firm demand.
Your personal information is out there. You did not give it out, so how did it get there? Internet websites provide visitors with different levels of interaction, ranging from delivering basic information to providing sophisticated features and tools such as profile management, interactive visual communication, and of course, advertising. Like many traditional businesses, websites turn to third-party outsourcing to offer these features and tools. Such services include functionality (password and account control, social media integration, video hosting, chat and forum services, payment services, etc.), performance (backup service, security and firewalls, responsiveness tools, etc.) and targeting/advertising (advertising, lead generation, analytics, etc.).
Grooming has emerged as an active area of research within the operations research and telecommunications fields and concerns the optimization of network transmissions that span multiple distinct transmission channels, protocols, or technologies. This study explores the meaning of grooming, the technical context in which it can be applied, and example situations. A new taxonomy captures key aspects of grooming problems and is used to summarize over 50 key publications on this important traffic-engineering and optimization problem class.
ACM Transactions on Management Information Systems, 2014
ABSTRACT Enterprises must manage their information risk as part of their larger operational risk management program. Managers must choose how to control for such information risk. This article defines the flow risk reduction problem and presents a formal model using a workflow framework. Three different control placement methods are introduced to solve the problem, and a comparative analysis is presented using a robust test set of 162 simulations. One year of simulated attacks is used to validate the quality of the solutions. We find that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment when compared to heuristics that would typically be used by managers to solve the problem. The contribution of this research is to provide managers with methods to substantially reduce information and security risks, while obtaining significantly better returns on their security investments. By using a workflow approach to control placement, which guides the manager to examine the entire infrastructure in a holistic manner, this research is unique in that it enables information risk to be examined strategically.
The Local Area Network (LAN) Implementation Project Life Cycle Model presented in this paper integrates various checklists of LAN specific implementation considerations with the critical success factors (CSFs) associated with the various stages of the project life cycle. This model addresses the sequence and the timing of various implementation tasks based on the project CSFs over the various implementation life cycle stages. This model provides a superior model for practitioners to implement their local area networks, as it provides focus in addressing the factors critical for success. This model also provides a superior basis for approaching research work in comparison with the current checklists, as it highlights the tasks associated with the CSFs over each phase of the LAN implementation project life cycle.