Title

Profit-Maximizing Firm Investments in Customer Information Security

Publication Type

Journal Article

Publication Date

2011

Abstract

When a customer interacts with a firm, extensive personal information often is gathered without the individual's knowledge. Significant risks are associated with handling this kind of information. Providing protection may reduce the risk of the loss and misuse of private information, but it imposes some costs on both the firm and its customers. Nevertheless, customer information security breaches still may occur. They have several distinguishing characteristics: (1) typically it is hard to quantify monetary damages related to them; (2) customer information security breaches may be caused by intentional attacks, as well as through unintentional organizational and customer behaviors; and (3) the frequency of such incidents typically is low, although they can be very costly when they occur. As a result, predictive models and explanatory statistical analysis using historical data have not been effective. We present a profit optimization model for customer information security investments. Our approach is based on value-at-risk methods and operational risk modeling from financial economics. The main results of this work are that we: (1) provide guidance on the trade-offs between risk and return in customer information security investments; (2) define the range of efficient investments in technology-supported risk indemnification for sellers; (3) model how to handle government-dictated levels of investment versus self-regulation of investments in technology; and (4) characterize customer information security investment levels when the firm is able to pass some of its costs on to consumers. We illustrate our theoretical findings with empirical data from the Open Security Foundation, as a means of grounding our analysis and offering the reader intuition for the managerial interpretation of our theory and main results. The results show that we can narrow the decision set for solution providers and policy-makers based on the estimable risks and losses associated with customer information security. We also discuss the application of our approach in practice.

Keywords

Customer information, Financial economics, Information security, Managerial decision-making, Operational risks, Risk management, Value-at-risk

Discipline

Business | Computer Sciences | Information Security

Research Areas

Information Systems and Management

Publication

Decision Support Systems

Volume

51

Issue

4

First Page

904

Last Page

920

ISSN

0167-9236

Identifier

10.1016/j.dss.2011.02.009

Publisher

Elsevier

Additional URL

http://dx.doi.org/10.1016/j.dss.2011.02.009