Publication Type
Journal Article
Version
acceptedVersion
Publication Date
11-2011
Abstract
When a customer interacts with a firm, extensive personal information often is gathered without the individual's knowledge. Significant risks are associated with handling this kind of information. Providing protection may reduce the risk of the loss and misuse of private information, but it imposes some costs on both the firm and its customers. Nevertheless, customer information security breaches still may occur. They have several distinguishing characteristics: (1) the monetary damages they cause are typically hard to quantify; (2) they may be caused by intentional attacks, as well as by unintentional organizational and customer behaviors; and (3) their frequency typically is low, although they can be very costly when they occur. As a result, predictive models and explanatory statistical analysis using historical data have not been effective. We present a profit optimization model for customer information security investments. Our approach is based on value-at-risk methods and operational risk modeling from financial economics. The main results of this work are that we: (1) provide guidance on the trade-offs between risk and return in customer information security investments; (2) define the range of efficient investments in technology-supported risk indemnification for sellers; (3) model how to handle government-dictated levels of investment versus self-regulation of investments in technology; and (4) characterize customer information security investment levels when the firm is able to pass some of its costs on to consumers. We illustrate our theoretical findings with empirical data from the Open Security Foundation, as a means of grounding our analysis and offering the reader intuition for the managerial interpretation of our theory and main results.
The results show that we can narrow the decision set for solution providers and policy-makers based on the estimable risks and losses associated with customer information security. We also discuss the application of our approach in practice.
Keywords
Customer information, Financial economics, Information security, Managerial decision-making, Operational risks, Risk management, Value-at-risk
Discipline
Business | Computer Sciences | Information Security
Research Areas
Information Systems and Management
Publication
Decision Support Systems
Volume
51
Issue
4
First Page
904
Last Page
920
ISSN
0167-9236
Identifier
10.1016/j.dss.2011.02.009
Publisher
Elsevier
Citation
LEE, Yong Yick; KAUFFMAN, Robert J.; and SOUGSTAD, Ryan.
Profit-Maximizing Firm Investments in Customer Information Security. (2011). Decision Support Systems. 51, (4), 904-920.
Available at: https://ink.library.smu.edu.sg/sis_research/2181
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1016/j.dss.2011.02.009