Mandatory Standards and Organizational Information Security

Full Paper submitted to WISE 2012. Word count: 9,846
Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan
The University of Texas at Dallas
{irontiger, geng, sraghu}@utdallas.edu
Abstract
Mandatory security standards that force firms to establish minimum levels of security controls are enforced in many domains, including information security. The information security domain is characterized by multiple intertwined security controls, not all of which can be regulated by standards, yet compliance with existing security standards is often used by firms to deflect liability if a security breach occurs. Furthermore, strategic attackers may use standards to target the vulnerable controls for their attacks. This paper studies when and how mandatory standards can harm a firm's information security. We consider a setting where a firm has two security controls that are linked in either a serial or a parallel configuration. One control is directly regulated by a security standard while the other one is not. Under the serial configuration, we find that firm security can decrease in the standard when this standard is not too high. Surprisingly, such a decrease is more likely to happen when the firm cares more about security. Under the parallel configuration, firm security can decrease in the standard only when the standard is high enough and the firm's investment in the regulated control can significantly reduce its liabilities upon breach. When the standard is not too high, we show that strategic attacking behavior can augment the effectiveness of the standard in that the firm will invest more in security (than under nonstrategic attacks).
Keywords: Information security, security regulation, unverifiability, strategic attack
1. Introduction
In this networked economy, when an organization's digital asset or online service is compromised by attacks, damages often go beyond the organizational boundary. For example, in 2009 the information system of a large payment card processor, Heartland Payment Systems (HPS hereafter), was breached and millions of consumers were affected (Krebs 2009b, Cheney 2010).[1] Security incidents similar to the one at HPS, in which the breach of a single firm resulted in large-scale damages to consumers and business ecosystems in general, have been occurring on a regular basis -- see MacCarthy (2010) for detailed accounts of some high-profile incidents. Increasingly, policy makers in both the private and public sectors mandate information security standards upon organizations with the intention not only to protect these organizations, but also to protect the value of all stakeholders who entrust their sensitive information to these organizations. Two such prominent policy makers are the PCI Security Standards Council in the private sector, which mandates information security standards -- collectively referred to as PCI-DSS -- upon all merchants that use major payment cards, and the National Institute of Standards and Technology (NIST), which mandates information security standards upon all US governmental agencies.
But are mandatory standards effective in improving organizational information security? Anecdotal evidence in the private sector seems to paint a puzzling picture where tighter standards have not necessarily led to better security. For example, PCI-DSS, a major standard intended to tighten security related to all payment card transactions, was first implemented in 2004. Nevertheless, the number of annual publicized security breaches in the business sector in the U.S. increased in three out of four years from 2004 to 2008.[2] Interestingly, in 2008 the PCI Council loosened several mandates within PCI-DSS,[3] and the number of security breaches has declined significantly since 2008.[4] The seeming lack of connection between tighter standards and better security has also caught the attention of academia. For example, Miller and Tucker (2010) empirically show that mandatory adoption of encryption software does not decrease publicized data loss cases.
[1] Though consumers who were affected by the breach received financial compensation, it did not fully cover the damages they incurred (Vijayan 2010).
[2] Data from Open Security Foundation (www.datalossdb.org).
[3] For example, the frequency of mandatory rule-set reviews was lowered from quarterly to biannually (Vijayan 2008).
[4] One plausible argument for loosening standards is cost saving on security investment. However, this argument does not explain why there are fewer breaches following the loosening of standards.

This paper analytically studies the impact of mandatory standards on overall firm security, and in particular we pay attention to when and how mandatory standards can harm firm security. Our
investigation starts with the observation that, in industry practice, a mandatory standard can influence a firm's overall security through multiple intertwined mechanisms, as listed below. First, a mandatory security standard directly influences firm investment in any security control that is explicitly regulated (hereafter, a verifiable control).[5] For example, U.S. companies that accept credit cards need to invest in encrypting outgoing transaction data, as required under PCI-DSS.[6]
Second, and interestingly, security standards do not regulate all possible security controls. For example, PCI-DSS does not regulate the security of internal communication within a firm, even though past attacks -- such as the aforementioned one on HPS -- provide evidence that internal communication can be a target for attackers (Krebs 2009a, Cheney 2010). Hereafter we refer to any security control that is not regulated as an unverifiable control.[7] For a firm that deploys multiple security controls in a comprehensive protection plan, its investments in those controls can be interdependent. Therefore, even if a standard does not explicitly regulate a control, it may still indirectly affect firm investment in this unverifiable control due to the firm's strategic balancing of investments across all controls.
There are a variety of reasons why security standards do not cover all possible controls. Costs for writing and enforcing standards can be economically prohibitive for some controls. For example, given the large variety, complexity and environmental contingency of exceptions (also called tickets) generated by an Intrusion Detection System (IDS), it would be cost-prohibitive for a policy maker to write a detailed enough standard regulating what the correct response to every possible exception should be.[8] In addition, information security is a fast-evolving field where new security threats constantly emerge. Policy makers, as boundedly rational agents, may overlook the importance of some existing controls or simply cannot foresee security controls not yet invented at the time of a security standard's inception.[9] Finally, security controls involving human diligence -- especially ones that deal with social engineering -- are difficult to measure or to use as court evidence (Whitman and Mattord 2009, pages 443-447).

[5] "Security control" is a widely adopted term that refers to "the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information." (csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf, page 1)
[6] The penalty for noncompliance is hefty and includes $5,000 to $100,000 per month for PCI compliance violations and an increase in transaction fees. If a merchant is found to be non-compliant when data is compromised, additional penalties include fines up to $500,000 per incident, the cost of alerting all affected consumers, and even discontinuation of credit card services by the merchant's acquiring bank.
[7] By "unverifiable" we mean "unverifiable from a policy maker's perspective."
[8] We are unaware of any security standard that regulates in detail how exceptions should be dealt with. Also see Coase (1937), Williamson (1975) and Battigalli and Maggi (2002) for similar arguments for contracts in general.
Third, after a breach happens, and if a court is involved in deciding the liabilities of all involved parties, it is not rare for a firm to cite its compliance with existing security standards in its own defense (Navetta 2009). Such ex post use of standard compliance as a liability reduction tool can have ex ante implications for firm investment in any unverifiable security control.
Fourth, one unique aspect of information security is the possible presence of attackers who strategically react to standards by changing their attack strategy. Such strategic adversaries are not present in contexts such as accounting and auditing, which rely heavily on standards. Strategic attacker behavior not only can directly affect firm security, it may also incentivize a firm to adjust its investments across its portfolio of controls to optimally account for the expected attack pattern.
In this research we explicitly acknowledge all four mechanisms above through which a mandatory standard can directly or indirectly affect firm security. We ask the following specific research questions:
1. How does a standard affect firm security when both verifiable and unverifiable controls exist? In particular, when and how can a tighter standard harm firm security?
2. How does the liability reduction effect affect firm security?
3. How do strategic attacks react to a standard, and how do they eventually affect firm security?
In this paper we address these research questions using a game-theoretic model in which the overall firm security depends on two security controls. One control is verifiable, i.e., this control is explicitly regulated in a verifiable manner by the policy maker. The other is unverifiable and cannot be regulated by the policy maker.
It turns out the answer to how a standard affects firm security depends critically on how the two controls are connected to each other and to the digital asset to be protected -- which we refer to as the security configuration. We compare two fundamental configurations: serial, under which the digital asset is compromised only if both security controls are breached; and parallel, under which the digital asset is compromised if either security control is breached.

[9] See Simon (1981) on the relationship between bounded rationality and contract incompleteness.
Our first finding is that, under the serial configuration, firm security can decrease in the standard when the standard is not too high. Intuitively, a tighter standard directly results in more investment by the firm in the verifiable control, yet indirectly results in less investment in the unverifiable control due to a substitution effect between the two controls. It turns out that the latter can dominate the former (thus resulting in lower overall firm security) only if the standard is not too high. Furthermore, if the firm's investment in the verifiable control can reduce its share of liability should a breach happen, the firm's overall security can decrease even more in the standard.
On the other hand, our second finding is that, under the parallel configuration, firm security decreases in the standard only when both of the following conditions hold: the firm's investment in the verifiable control significantly reduces its liabilities upon breach, and the standard is already high enough (note that this contrasts with the requirement of an upper bound on the standard under the serial configuration). Intuitively, under the parallel configuration and without the liability reduction mechanism, the firm's investments in the two controls are complements: a tighter standard both directly induces more investment in the verifiable control and indirectly induces more investment in the unverifiable control. When there is a strong liability reduction effect, however, it diminishes the firm's incentive to invest in the unverifiable control. We show that only when the standard is high enough is it possible for the liability reduction effect to dominate the complementarity effect, thus resulting in lower overall security.
Our third finding concerns the relationship between the damage a firm suffers from a security breach and its investment in security controls. One might intuitively think that the higher the damage is, the more a firm cares about its security, and thus the less likely the firm will reduce its own overall security in the face of a tighter standard. Strikingly, our third finding overturns this intuition for the serial configuration: we show that a firm that cares more about security may react to a tighter standard by reducing its overall security even when a firm that cares less does not.
Our fourth major finding is that, under the parallel configuration, whether security attacks are strategic (i.e., targeting the weakest link) or not has a significant influence on how the security standard affects a firm's security. In particular, strategic attackers can surprisingly lead to better firm security (than under nonstrategic attacks) as long as the standard is not too high. Intuitively, to counter strategic attacks that target the weakest link should one exist, the firm responds by significantly increasing its investment in the unverifiable control to match that in the verifiable control (so that neither one is the apparent weakest link). Therefore, overall the firm invests heavily in both security controls.
The rest of the paper is organized as follows. In Section 2 we review the relevant literature. We present our model in Section 3. Section 4 contains the main results for the parallel and serial configurations with nonstrategic attacks. We discuss the impact of strategic attacks in Section 5. We discuss managerial implications and conclude the paper in Section 6.
2. Literature Review
Since security standards as a strategy to manage information security are a recent development, the extant research on this topic is limited. Much of the prior work on security standards has taken a descriptive approach to the standard-setting problem and focused on principles that should govern information security standards (Keblawi and Sullivan 2007, Ross 2007, Morse and Raval 2008, Culnan and Williams 2009). Some of the recent work has empirically examined the impact of standards and laws related to breach disclosure and data encryption on security incidents. Romanosky et al. (2011) show that the adoption of data breach disclosure laws has a marginal effect on the reduction in the incidence of identity theft. Miller and Tucker (2010) show that adoption of encryption software because of safe harbor provisions in breach notification regulations increases the incidence of publicized data losses, partly because of carelessness with respect to other protection activities on the part of those that should protect the information asset.
To our knowledge, Hui et al. (2012) is the only other paper that uses an analytical approach to show that an overly stringent security regulation can harm the security of firms. Our research differs from Hui et al. in several aspects. Hui et al. consider an outsourcing context in which multiple firms contract with a common security service provider, while we do not consider outsourcing. The key dynamic in Hui et al. that leads to the result that tighter regulation harms firm security is a spillover effect: a shared security infrastructure at the common security provider implies that security risks are also shared. In contrast, we focus on the interplay between a single firm's investments in verifiable and unverifiable security controls.
While the extant literature on security standards is sparse, extensive work has been done on standards in other settings. Of particular relevance is the literature on financial auditing standards. Dye (1993) shows that the average quality of audits may decline as auditing standards become tougher. Willekens et al. (1996) argue that the increased difficulty of firing a compliant auditor that follows standards can reduce rather than increase the quality of audit work supplied. Schwarts (1998) finds that the socially optimal commitment according to auditing standards is achievable if the auditor's legal liability regime is one of strict liability and is independent of the actual investment. While research in the auditing standards literature models auditing as a single observable activity on which standards can be imposed, we consider a model in which multiple security controls exist and standards cannot be imposed on all of them.
One unique aspect of information security is the presence of strategic hackers who may use information about standards and change their attack strategy. Such strategic adversaries are not present in contexts such as auditing. The literature on information security economics has analyzed scenarios with strategic attackers. Cavusoglu et al. (2005) analyze the value of IDS and show that IDS offer a positive value only when they deter hackers. Cavusoglu et al. (2009) highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration to benefit from these technologies. They show that each technology has a different optimal configuration level depending on its performance and circumstances. Starting with Varian (2004), several papers have examined the economic incentives of agents whose security is interdependent (Grossklags et al. 2008, Narasimhan et al. 2010). Narasimhan et al. (2010) show that the success of cooperative security efforts depends on the nature of the attack and the attitude of the defenders. On the other hand, Schechter and Smith (2003) analyze how much security is required when attackers focus on only one attractive target or penetrate as many systems as possible. However, this stream of work does not consider security standards.
Our work is also related to the literature on incomplete contracts with unverifiable services. Bernheim and Whinston (1998) show that it is often optimal to specify an incomplete contract when some aspects of performance are unverifiable. Battigalli and Maggi (2002) further propose optimal contracts with rigidity and discretion when writing contracts is very costly. Our research differs in that we consider security configurations and strategic adversaries, two dynamics specific to the information security context.
3. The Model
The model consists of a firm that is responsible for protecting a digital asset using two security controls, a
representative attacker that may assail the security controls in order to compromise the digital asset, and
one policy maker that sets security standards that the firm must follow.
Security Controls. As modern information systems are getting increasingly complex, organizations
often find themselves having a multitude of security weaknesses to address. Accordingly, a common
practice is for organizations to deploy multiple security controls (controls in short) in a comprehensive
protection plan, such as multiple firewalls to safeguard all entrances to a corporate network. In this paper
we consider a parsimonious case in which, in order to protect the digital asset, the firm invests in two
security controls, V and N.[10] Let $e_i$ represent the probability that the firm successfully prevents a breach of security control $i$, $i \in \{V, N\}$. Hereafter we refer to $e_i$ as the firm's effort on control $i$. The cost of effort $e_i$ for the firm is $C_i(e_i)$, which is a monotonically increasing and convex function with $C_i(0) = 0$ and $C_i(1) = \infty$ for $i \in \{V, N\}$ (see, for example, Gordon and Loeb 2002 for a similar stylized cost model). For notational convenience, denote the marginal cost function as $c_i = C_i'$ and the inverse marginal cost function as $r_i = c_i^{-1}$. We make the following assumption regarding the marginal cost functions:

Assumption 1: $\dfrac{(1 - e_N)\, c_N'(e_N)}{c_N(e_N)}$ is weakly decreasing in $e_N$, and $\dfrac{e_N\, c_N'(e_N)}{c_N(e_N)}$ is weakly increasing in $e_N$.

[10] Shortly we will see that "V" stands for "verifiable control," and "N" stands for "unverifiable control."
Assumption 1 is not very restrictive in that it holds for commonly used cost function forms including
power functions of any order, exponential functions, and polynomial functions with positive coefficients.
Security Configurations. We next describe the relationship between the two security controls and
the security of the digital asset, which we refer to as the security configuration. Let the function $\phi(e_V, e_N)$ denote the probability that the security controls do not successfully protect the digital asset. We consider two basic and commonly seen relationships: serial and parallel configurations. Under the serial configuration, the digital asset is compromised only if both security controls are breached, i.e.,

$$\phi(e_V, e_N) = (1 - e_V)(1 - e_N). \qquad (1)$$
The serial configuration fits situations where attackers have to break through a combination of security controls in order to reach a digital asset. One example is the popular practice by firms of adopting both a firewall and an IDS to guard a network entrance, where a hacker has to render both ineffective in order to get access to internal data. The serial configuration also fits situations where firms are more concerned about service disruptions than about unauthorized access to information (Loch et al. 1992). For example, a popular defense against Denial-of-Service (DoS) attacks for web service operators is to mirror their services to multiple distributed web servers. If one server experiences a service outage due to DoS attacks, other redundant servers can take over and resume the service. Therefore, attackers will have to successfully take down all mirror sites in order to black out a web service.
Under the parallel configuration, the digital asset is compromised if either security control is breached, i.e.,

$$\phi(e_V, e_N) = 1 - e_V e_N. \qquad (2)$$
One commonly seen example of the parallel configuration is a corporate network that is linked to the Internet at multiple access points, where each access point is secured by a separate firewall. Breaking any such firewall will then expose internal data to an attacker. Another example is when the digital asset is stored or can be accessed at multiple venues, e.g., one in an operational database and another in a backup server; breaching either server will lead to the leak of the digital asset.
Note that in business practice, security configurations can be a complex combination of the
aforementioned basic ones. As a first theoretical exploration on understanding the impact of security
configurations on the effectiveness of security regulation in the presence of an unverifiable control, we
focus on the above two basic security configurations.
Nonstrategic and Strategic Attacks. Attacks against the security controls can be broadly classified into two categories: ones that are independent of the security efforts by the firm, and ones that depend on them. We refer to the former as nonstrategic attacks and the latter as strategic attacks.
Intuitively, a security attack can be most effective when it is against a firm's weakest point of defense. Therefore, an attacker may find it beneficial to first analyze a firm's security efforts before taking any action. We analyze such a strategic "weakest-link" attack strategy in Section 5.
There are, nevertheless, two other widely applicable cases where attacks are nonstrategic. First, it is common for hackers to blanket the Internet with automated attacks, such as viruses, worms, and port scans. The frequency with which a firm receives port scans against any of its security controls has little to do with the relative strength among these security controls, given the automated nature of the attacks. Second, many security risks are due to nonstrategic factors such as equipment deterioration, accidental man-made disasters or adverse environmental conditions (e.g., power outages or natural disasters). We consider nonstrategic attacks in Section 4.
Security Regulation and Verifiability of Security Controls. While direct control of security efforts is in the hands of the firm, a policy maker can indirectly affect firm efforts through regulatory standards (such as PCI-DSS) on any verifiable security control. In this paper we consider the case where security control V is verifiable to the policy maker while N is not. For example, and in the context of reducing firewall breaches, control V can be the frequency of external review of firewall rule sets, which is contractually verifiable and thus enforceable by the policy maker;[11] control N can be a firm's managerial effort spent on discouraging employees from visiting external websites that are irrelevant to their jobs, whereas such effort is hard to monitor, quantify, and later use as court evidence should a breach happen.

[11] This is requirement 1.1.6 in PCI-DSS version 1.2.1.
As a result, the policy maker can only mandate a standard $s$ for control V, which is a verifiable effort threshold that the firm must match or exceed.[12] In other words, once the policy maker sets $s$, the firm cannot pick any $e_V < s$. For the scope of this paper, we focus on security standards that have strict enforcement power, so that the affected firm has to unconditionally conform. Two widely applicable examples are NIST security standards and PCI-DSS: NIST standards are mandatory for all affected U.S. governmental agencies (Keblawi and Sullivan 2007); PCI-DSS is mandatory for all merchants that "accepts, transmits or stores any (credit or debit) cardholder data."[13]
Payoff Structure of the Firm. Note that the firm's primary business can be (and in practice often is)
different from security provision. For example, the primary business function of HPS is to process
payment card transactions, whereas it invests in security to protect this primary function. We focus on
security issues in this paper and assume that, notwithstanding a security compromise, the firm earns a
positive business profit of $V_F$. We further assume that $V_F$ is large enough so that the firm will not exit the market merely due to information security concerns.[14] We model the firm's payoff structure as follows:

$$U_F = V_F - \phi(e_V, e_N)\,(1 - k e_V)\, D_F - C_V(e_V) - C_N(e_N) \qquad (3)$$

In (3), the term $(1 - k e_V) D_F$ represents the damage to the firm if the digital asset is compromised. This damage consists of two components: $1 - k e_V$ and $D_F$. The first component, $1 - k e_V$, captures the liability reduction effect of a security standard: the higher $e_V$ is, the lower the damage to the firm is. Because $e_N$ is unverifiable, this liability reduction effect depends only on $e_V$. We refer to $k$, with $0 \le k < 1$, as the liability reduction factor. The second component, $D_F$, is the firm's maximum damage under full liability.[15]

[12] For example, requirement 1.1.6 in PCI-DSS version 1.2.1 requires a firm to "review firewall and router rule sets at least every six months."
[13] http://www.pcicomplianceguide.org/pcifaqs.php#2
[14] Modeling individual rationality does not offer significantly new insights beyond what this paper currently offers.
[15] Let $D_F$ include opportunity costs (what the firm would have gained should the compromise not take place).
Figure 1 shows the timing of the model. The policy maker first announces the standard, $s$, for control V. In this paper we focus on firm and attacker behavior, and thus take $s$ as exogenously given. The firm then chooses its investments $e_V$ and $e_N$ in the security controls. Possible security attacks then take place.

[Figure 1 timeline. Period 1: the policy maker announces standard $s$ for control V. Period 2: the firm exerts efforts $e_V$ and $e_N$ in security controls V and N, respectively. Period 3: attacks take place. Period 4: payoffs/damages are realized depending on whether the information asset is compromised.]
Figure 1. Timing of the Model
4. The Impact of Standard on Firm Security
In this section we study how the security standard influences a firm’s overall security. We first consider
serial configuration, and then consider parallel configuration.
4.1. Serial Configuration
We use subscript "SC" to denote results for the serial configuration. Given any standard $s_{SC}$ for control V that is imposed by the policy maker, the firm's optimization problem is:

$$\max_{e_V,\, e_N} \; U_F = V_F - (1 - e_V)(1 - e_N)(1 - k e_V) D_F - C_V(e_V) - C_N(e_N) \quad \text{s.t.} \quad e_V \ge s_{SC}. \qquad (4)$$
Let $\hat e_V$ and $\hat e_N$ denote the firm's optimal efforts on controls V and N, respectively, when there is no security standard, i.e., when the constraint $e_V \ge s_{SC}$ is not binding. That is, $\hat e_V$ is the solution to

$$\Big(1 - r_N\big((1 - \hat e_V)(1 - k \hat e_V) D_F\big)\Big)(1 + k - 2 k \hat e_V)\, D_F = c_V(\hat e_V),$$

and $\hat e_N = r_N\big((1 - \hat e_V)(1 - k \hat e_V) D_F\big)$.
Lemma 1: Under the serial configuration and given standard $s_{SC}$ for control V,
i. if $s_{SC} \le \hat e_V$, the firm's optimal efforts are $e_V^* = \hat e_V$ and $e_N^* = \hat e_N$, and are independent of $s_{SC}$;
ii. if $s_{SC} > \hat e_V$, the firm's effort on the verifiable control matches the standard, i.e., $e_V^* = s_{SC}$, and its effort on the unverifiable control is

$$e_N^* = r_N\big((1 - s_{SC})(1 - k s_{SC}) D_F\big). \qquad (5)$$
All proofs are in the Appendix. Part (i) of Lemma 1 shows that a security standard matters only when it is above a minimal threshold $\hat e_V$. We refer to any standard higher than $\hat e_V$ as an "effective standard" (and accordingly any standard lower than or equal to $\hat e_V$ as an "ineffective standard"). Unless noted otherwise, hereafter we focus on the relatively more interesting case where the policy maker's standard is effective. In other words, hereafter we assume that $s_{SC} > \hat e_V$ always holds.
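As an added worked derivation (it is not the paper's Appendix proof), the first-order conditions behind Lemma 1 and the equation defining $\hat e_V$ follow from (4) as below; it assumes the firm's problem is well-behaved enough that, when the unconstrained optimum violates $e_V \ge s_{SC}$, the constrained optimum sits on the boundary.

Ignoring the constraint, differentiate $U_F$ in (4) with respect to $e_N$:

$$\frac{\partial U_F}{\partial e_N} = (1 - e_V)(1 - k e_V) D_F - c_N(e_N) = 0 \;\Rightarrow\; e_N = r_N\big((1 - e_V)(1 - k e_V) D_F\big).$$

Because $C_N$ is convex, $c_N$ is increasing, so $r_N = c_N^{-1}$ is well defined and this stationary point is the unique maximizer in $e_N$ for a given $e_V$. For $e_V$, note that

$$\frac{\partial}{\partial e_V}\big[(1 - e_V)(1 - k e_V)\big] = -(1 - k e_V) - k(1 - e_V) = -(1 + k - 2 k e_V),$$

so

$$\frac{\partial U_F}{\partial e_V} = (1 - e_N)(1 + k - 2 k e_V) D_F - c_V(e_V) = 0.$$

Substituting the expression for $e_N$ into this condition gives the equation that defines $\hat e_V$, and $\hat e_N = r_N\big((1 - \hat e_V)(1 - k \hat e_V) D_F\big)$. Now add the constraint $e_V \ge s_{SC}$. If $s_{SC} \le \hat e_V$ the constraint is slack and $(\hat e_V, \hat e_N)$ remains optimal, which is part (i). If $s_{SC} > \hat e_V$ the unconstrained optimum is infeasible, the constraint binds at $e_V^* = s_{SC}$, and the $e_N$ condition evaluated at $e_V = s_{SC}$ yields $e_N^* = r_N\big((1 - s_{SC})(1 - k s_{SC}) D_F\big)$, which is (5).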
Part (ii) of Lemma 1 establishes two results. First, an effective standard directly dictates the firm's effort on the verifiable control, as they match. Second, this effective standard also indirectly and negatively influences the firm's effort on the unverifiable control, $e_N$, through two distinct dynamics, which we refer to as the substitution effect and the liability reduction effect. Intuitively, under the serial configuration the firm's investments in the two controls are substitutes: an increase of investment in one control reduces the marginal impact of the other control on firm security. The substitution effect refers to the dynamic that a higher standard $s_{SC}$ (and thus a higher effort on the verifiable control) decreases the marginal value of $e_N$ in reducing the breach probability (i.e., $\phi$), thus leading to a diminished $e_N^*$. This is evident from the term $(1 - s_{SC})$ on the right-hand side of (5). The effective standard also influences the firm's effort through a liability reduction effect: because a higher investment in control V reduces the firm's share of liability should a breach happen, it reduces the firm's incentive to further secure its digital asset through control N, thus resulting in a reduced $e_N^*$. This is evident from the term $(1 - k s_{SC})$ on the right-hand side of (5).
Now we analyze how the standard affects the firm's overall security (or firm security in short), as measured by $1 - \phi(e_V, e_N) = 1 - (1 - e_V)(1 - e_N)$. Given any $s_{SC}$, from Lemma 1 we know this overall security under the serial configuration can be expressed as:

$$1 - \phi\big(e_V^*(s_{SC}), e_N^*(s_{SC})\big) = 1 - (1 - s_{SC})\Big(1 - r_N\big((1 - s_{SC})(1 - k s_{SC}) D_F\big)\Big). \qquad (6)$$
A key insight we have under the serial configuration is that it is possible for the substitution effect alone to generate the result that tightening the security standard can surprisingly reduce overall firm security, as shown in the next proposition. Denote $\bar s$ as the unique solution to

$$\frac{1 - r_N\big((1 - \bar s)(1 - k \bar s) D_F\big)}{r_N'\big((1 - \bar s)(1 - k \bar s) D_F\big)\,(1 - \bar s)(1 - k \bar s)\, D_F} = 2 - \frac{1 - k}{1 - k \bar s}.$$

Proposition 1: Given the serial configuration and that $(1 - r_N(D_F)) / (r_N'(D_F)\, D_F) < 1$, a higher effective standard results in lower firm security as long as the standard is upper-bounded by $\bar s$.
Proposition 1 shows that, when $(1 - r_N(D_F)) / (r_N'(D_F)\, D_F) < 1$, tightening the standard -- as long as it does not get too high -- can harm firm security regardless of whether the liability reduction effect exists or not. To understand why the standard being upper-bounded by $\bar s$ is a necessary condition for this interesting result, we next isolate and then compare the direct effect of the standard on control V and the indirect effect of it on control N. Because firm security contains a multiplicative function as in (6), we use a logarithm transformation of the overall breach probability $\phi$ (shown below) for easier graphical comparison:

$$\ln \phi = \ln\Big[\big(1 - e_V^*(s_{SC})\big)\big(1 - e_N^*(s_{SC})\big)\Big] = \ln(1 - s_{SC}) + \ln\Big(1 - r_N\big((1 - s_{SC})(1 - k s_{SC}) D_F\big)\Big).$$
Figure 2 illustrates the direct effect ($\ln(1 - s_{SC})$), the indirect effect ($\ln(1 - r_N((1 - s_{SC})(1 - k s_{SC}) D_F))$) and the overall breach probability $\ln(\pi)$ -- all with logarithm transformation.16 Intuitively, the smaller $s_{SC}$ is, the faster the indirect effect changes in $s_{SC}$ relative to the direct effect -- i.e., the solid line in Figure 2 is steeper than the dashed line when $s_{SC}$ is small. Formally,

$$\frac{d \ln(1 - e_N^*(s_{SC}))}{d s_{SC}} = \frac{r_N'((1 - s_{SC})(1 - k s_{SC}) D_F)\,(1 + k - 2k s_{SC}) D_F}{1 - r_N((1 - s_{SC})(1 - k s_{SC}) D_F)}$$

increases in $s_{SC}$, while $d \ln(1 - e_V^*(s_{SC})) / d s_{SC} = -1/(1 - s_{SC})$ decreases in $s_{SC}$. Notice that $\bar s$ is the threshold value where $d \ln(1 - e_N^*(s_{SC})) / d s_{SC} = |d \ln(1 - e_V^*(s_{SC})) / d s_{SC}|$. Therefore, for any standard $s < \bar s$, the change in the indirect effect dominates the opposite change in the direct effect (i.e., $d \ln(1 - e_N^*(s_{SC})) / d s_{SC} > |d \ln(1 - e_V^*(s_{SC})) / d s_{SC}|$), thus resulting in a reduction of overall firm security.

Footnote 16: Parameter values used for Figure 2 are $D_F = 2500$, $C_V(e_V) = e^{20 e_V} - 20 e_V - 1$, $C_N(e_N) = e^{6 e_N} - 6 e_N - 1$, $k = 0.1$. We tried various parameter combinations, and the results are consistent.

[Figure 2. Breach probabilities of the verifiable and the unverifiable controls as a function of $s_{SC}$ (vertical axis: ln(breach probability); curves: $\ln(1 - s_{SC})$, $\ln(1 - r_N((1 - s_{SC})(1 - k s_{SC}) D_F))$ and $\ln(\pi)$; $\bar s$ marked on the $s_{SC}$ axis).]
When $(1 - r_N(D_F)) / (r_N'(D_F) D_F) \ge 1$, the substitution effect alone is not sufficient to drive the result that security decreases in the standard over any range of standards:
Proposition 2: Given serial configuration and that $(1 - r_N(D_F)) / (r_N'(D_F) D_F) \ge 1$, a higher effective standard results in lower firm security only if both of the following conditions hold: the liability reduction factor $k$ is large enough (i.e., $k > (1 - r_N(D_F)) / (r_N'(D_F) D_F) - 1$), and the standard is upper-bounded by $\bar s$.
As shown in the left side of Figure 3, a strong liability reduction effect (i.e. a large k) -- on top of the
substitution effect -- further dampens the firm's incentive to invest in control N. When k is large enough
and the standard is not too high, the firm's scaling-back of investment on control N can be significant
enough to pull down its overall security as shown by the solid line in the right side of Figure 3.
Interestingly, if the standard is very high, it is less likely that a strong liability reduction effect can harm overall firm security. Intuitively, when the standard is very high, the firm invests heavily on control V, which is then the primary driver of overall firm security. Consequently the firm's investment on control N is always minimal regardless of how strong the liability reduction effect is; this diminishes the role of the liability reduction effect in driving firm security.
[Figure 3. The impact of standard $s_{SC}$ on $e_N^*$ and firm security (left panel: the impact of $s_{SC}$ on $e_N^*$; right panel: the impact of $s_{SC}$ on firm security; curves for $k = 0$ and $k = 0.6$; see footnote 17).]
We next turn our attention to the role of DF in influencing firm security. A higher DF means the
firm suffers more when a security breach takes place -- ceteris paribus, a higher DF then implies that the
firm cares more about security. One might then intuitively think that, the higher DF is, the less likely a
higher standard will harm the firm's overall security. The next proposition shows that, surprisingly, this
intuition is not accurate.
Proposition 3. Given serial configuration and effective standard $s_{SC}$, $\partial \bar s / \partial D_F > 0$.
Recall that $\bar s$ is the threshold standard level below which a tighter standard hurts firm security. Proposition 3 says that the more a firm cares about its security (i.e., the higher $D_F$ is), the higher this threshold level is. This proposition thus implies, surprisingly, that when the policy maker tightens the security standard, a firm that cares more about security may react by reducing its overall security even when a firm that cares less does not. This surprising result is illustrated in Figure 4. In this example, $D_F = 5{,}000$ ($D_F = 20{,}000$) represents the case where the firm cares less (more) about its own security. When $s_{SC} = 0.875$, the firm that cares less about security always responds to a marginally tighter standard by increasing its overall security (see the solid line), while the firm that cares more responds to a marginally tighter standard by decreasing its overall security (see the dashed line).

Footnote 17: Parameter values used for Figure 3 are $D_F = 20$, $c_V(e_V) = e_V / (1 - e_V)$, $c_N(e_N) = e_N / (1 - e_N)$.
[Figure 4. Firm security under different levels of damage $D_F$ ($D_F = 5{,}000$, solid line; $D_F = 20{,}000$, dashed line; $\bar s$ marked on the $s_{SC}$ axis; see footnote 18).]
The intuition behind this striking result lies in how a tighter standard marginally affects firm security. For notational convenience, let $f(s_{SC}, D_F)$ denote firm security (i.e., $1 - \pi$) under serial configuration for any given standard $s_{SC}$ and damage $D_F$. By partially differentiating firm security with respect to $s_{SC}$, we see that the marginal firm security consists of three components: a constant (the first term on the right-hand side of equation (7)), the marginal value of the firm's investment on the unverifiable control (the second term), and the investment on the unverifiable control (the third term):

$$\frac{\partial f(s_{SC}, D_F)}{\partial s_{SC}} = 1 + (1 - s_{SC})\,\frac{\partial e_N^*(s_{SC}, D_F)}{\partial s_{SC}} - e_N^*(s_{SC}, D_F). \qquad (7)$$
We now check how the last two terms on the right-hand side of equation (7) react to the damages and
provide the intuition and illustrative figures for these terms.
Regarding the second term: ceteris paribus, the more a firm cares about its security, the more it scales back its marginal investment on the unverifiable control (compared with a firm that cares less), i.e., $\partial(\partial e_N^*(s_{SC}, D_F) / \partial s_{SC}) / \partial D_F < 0$. This change in the diminishing marginal value of the firm's investment on the unverifiable control is illustrated in Figure 5(a) by the first-order derivative of $e_N^*$ with respect to $s_{SC}$: in absolute terms, this change is always larger under $D_F = 20{,}000$ (see the dashed line) than under $D_F = 5{,}000$ (see the solid line). Intuitively, the firm that cares more always invests at a much higher cost level on the unverifiable control. When the standard tightens, however, the increased investment on the verifiable control diminishes the marginal value of the firm's investment on the unverifiable one, and a higher $D_F$ amplifies this diminishing marginal value, thus resulting in more scaling-back of investment.

Footnote 18: Parameter values used for Figure 4 are $k = 0.9$, $C_V(e_V) = e^{20 e_V} - 20 e_V - 1$, $C_N(e_N) = e^{6 e_N} - 6 e_N - 1$.
Regarding the third term: the firm that cares more about security has a higher investment on the unverifiable control (than the firm that cares less), i.e., $\partial e_N^*(s_{SC}, D_F) / \partial D_F > 0$. As illustrated in Figure 5(b), $e_N^*(s_{SC})$ is larger under $D_F = 20{,}000$ (dashed line) than under $D_F = 5{,}000$ (solid line). When the standard tightens, the increased investment on the verifiable control discourages the firm from investing in the unverifiable control because of the substitution effect, and a higher $D_F$ strengthens this substitution effect. To summarize, in the face of a tighter security standard a higher $D_F$ discourages the firm more from investing in the unverifiable control, because of both the diminishing marginal value (the second term) and the diminishing value (the third term) with respect to $e_N^*$.
The impact of sSC on e*N / sSC
The impact of sSC on e*N
e*N
e*N / sSC
DF =5,000
DF =5,000
DF =20,000
DF =20,000
sSC
sSC
5(a)
5(b)
Figure 5. Investment and marginal investment on unverifiable control under different levels of DF
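The serial-configuration comparative statics above (equations (5)-(7), the threshold $\bar s$, and Propositions 1-3) can be checked numerically. The following Python script is an added example written for this page, not code from the paper. It assumes a specific cost function for control N, $C_N(e) = 2(1 - \sqrt{1 - e}) - e$, whose inverse marginal cost $r_N(x) = 1 - (1 + x)^{-2}$ is closed-form and keeps $e_N^*$ inside $[0, 1)$, together with assumed parameter values $k = 0.1$ and $D_F = 10$ (the paper's figures use different cost functions and values). It evaluates $e_N^*$, firm security, the slope (7) and the Proposition 1 ratio $(1 - r_N(D_F))/(r_N'(D_F) D_F)$, locates $\bar s$ by bisection, and repeats the threshold for a larger $D_F$ and for $k = 0$ to illustrate Propositions 3 and 1 respectively.

```python
# ASSUMED cost function for the unverifiable control N (not the paper's):
#   C_N(e) = 2 (1 - sqrt(1 - e)) - e,   marginal cost c_N(e) = (1 - e)^(-1/2) - 1.
# Its inverse marginal cost r_N = c_N^{-1} is closed-form and keeps e_N* in [0, 1):
#   r_N(x) = 1 - (1 + x)^(-2),   r_N'(x) = 2 (1 + x)^(-3).
def r_N(x):
    return 1.0 - (1.0 + x) ** -2

def r_N_prime(x):
    return 2.0 * (1.0 + x) ** -3

def serial_effort_N(s, k, D_F):
    """Eq. (5): e_N* = r_N((1 - s)(1 - k s) D_F) once e_V* = s_SC is binding."""
    return r_N((1 - s) * (1 - k * s) * D_F)

def serial_security(s, k, D_F):
    """Eq. (6): firm security 1 - (1 - e_V*)(1 - e_N*) under serial configuration."""
    return 1.0 - (1 - s) * (1 - serial_effort_N(s, k, D_F))

def serial_security_slope(s, k, D_F):
    """Eq. (7): d f / d s_SC = 1 + (1 - s) (d e_N*/d s) - e_N*.
    Chain rule on x = (1 - s)(1 - k s) D_F gives d e_N*/d s = -r_N'(x)(1 + k - 2 k s) D_F."""
    x = (1 - s) * (1 - k * s) * D_F
    d_eN = -r_N_prime(x) * (1 + k - 2 * k * s) * D_F
    return 1.0 + (1 - s) * d_eN - r_N(x)

def substitution_ratio(D_F):
    """(1 - r_N(D_F)) / (r_N'(D_F) D_F): Proposition 1 applies when this is below 1."""
    return (1 - r_N(D_F)) / (r_N_prime(D_F) * D_F)

def serial_threshold(k, D_F, tol=1e-12):
    """s-bar: the standard at which the slope (7) changes sign, located by bisection.
    Returns None when security is already rising at s = 0 (no harmful range).
    Assumes a single sign change on [0, 1], which holds for the cost function above."""
    lo, hi = 0.0, 1.0
    if serial_security_slope(lo, k, D_F) >= 0 or serial_security_slope(hi, k, D_F) <= 0:
        return None
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if serial_security_slope(mid, k, D_F) < 0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

if __name__ == "__main__":
    k, D_F = 0.1, 10.0  # assumed parameter values, not the paper's
    print(f"Proposition 1 ratio at D_F={D_F}: {substitution_ratio(D_F):.3f} (< 1, so Prop. 1 applies)")
    s_bar = serial_threshold(k, D_F)
    print(f"s-bar = {s_bar:.4f}")
    for s in (0.0, 0.25, 0.5, 0.75, s_bar, 1.0):
        print(f"s_SC={s:.3f}  e_N*={serial_effort_N(s, k, D_F):.4f}  "
              f"security={serial_security(s, k, D_F):.5f}  slope={serial_security_slope(s, k, D_F):+.4f}")
    # Proposition 3: the threshold moves up when the firm suffers more from a breach
    print(f"s-bar at D_F=40: {serial_threshold(k, 40.0):.4f} (higher than at D_F=10)")
    # Proposition 1: the substitution effect alone (k = 0) already produces a harmful range
    print(f"s-bar with k=0: {serial_threshold(0.0, D_F):.4f}")
```

With these assumed values the ratio is 0.55, so Proposition 1 applies: firm security falls from $s_{SC} = 0$ up to $\bar s \approx 0.893$ and only then rises, and raising $D_F$ to 40 pushes $\bar s$ to about 0.972, exactly the direction Proposition 3 predicts. Substituting another convex cost function only requires replacing `r_N` and `r_N_prime` with its inverse marginal cost and that function's derivative.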
4.2. Parallel Configuration
We now analyze how the security standard influences firm security under parallel configuration. We use subscript "PC" for this case. For any given standard $s_{PC}$ on control V, the firm's optimization problem is:

$$\max_{e_V, e_N} U_F = V_F - (1 - e_V e_N)(1 - k e_V) D_F - C_V(e_V) - C_N(e_N) \quad \text{s.t. } e_V \ge s_{PC}. \qquad (8)$$
There are two similarities between serial and parallel configurations in terms of the firm's response to a security standard. First, a low enough standard has no impact on firm investments. Without causing ambiguity, in this subsection we still use $\hat e_V$ and $\hat e_N$ to represent firm efforts under no or a low enough standard. $\hat e_V$ is now the solution to

$$r_N(\hat e_V (1 - k\hat e_V) D_F)(1 - k\hat e_V) D_F + \bigl(1 - \hat e_V\, r_N(\hat e_V (1 - k\hat e_V) D_F)\bigr) k D_F = c_V(\hat e_V)$$

and $\hat e_N = r_N(\hat e_V (1 - k\hat e_V) D_F)$. Second, if the standard is high enough, the firm's investment on the verifiable control will match the standard, i.e., $e_V^* = s_{PC}$. These two security configurations, nevertheless, differ fundamentally in how the standard influences the firm investment on the unverifiable control:
Lemma 2: Under the parallel configuration and given standard $s_{PC}$ for control V, if $s_{PC} \ge \hat e_V$, the firm's effort on the verifiable control matches the standard, i.e., $e_V^* = s_{PC}$, and its effort on the unverifiable control is

$$e_N^* = r_N(s_{PC}(1 - k s_{PC}) D_F). \qquad (9)$$
Lemma 2 shows that the liability reduction effect continues to influence investment on the unverifiable control under the parallel configuration, as evident from the term $(1 - k s_{PC})$ on the right-hand side of (9). The parallel configuration differs from the serial configuration in that, under the former, the effective standard indirectly and positively influences the firm effort on the unverifiable control -- evident from the factor $s_{PC}$ on the right-hand side of (9). We refer to this indirect effect as the "complementarity effect." Intuitively, under parallel configuration the firm's investment on one control is effective only if the investment on the other control is not disproportionately low.
Taking the liability reduction effect and the complementarity effect together, (9) implies that the firm investment on the unverifiable control is decreasing in the standard when $s_{PC} > 1/(2k)$, since the argument $s_{PC}(1 - k s_{PC}) D_F$ of $r_N$ then falls as $s_{PC}$ rises. Intuitively, a higher standard reduces the firm's share of liability more, and thus disincentivizes it from investing in the unverifiable control.
The next proposition summarizes how the standard affects overall firm security under parallel configuration, as measured by $1 - \pi(e_V^*(s_{PC}), e_N^*(s_{PC})) = e_V^*(s_{PC})\, e_N^*(s_{PC}) = s_{PC}\, r_N(s_{PC}(1 - k s_{PC}) D_F)$. Denote $\bar k$ as the unique solution to

$$\frac{r_N((1 - \bar k) D_F)}{(1 - \bar k) D_F\, r_N'((1 - \bar k) D_F)} = \frac{1}{1 - \bar k} - 2$$

and, for the parallel case, $\bar s$ as the unique solution to

$$\frac{r_N(\bar s(1 - k\bar s) D_F)}{\bar s(1 - k\bar s) D_F\, r_N'(\bar s(1 - k\bar s) D_F)} = \frac{1}{1 - k\bar s} - 2.$$

Proposition 4: Under parallel configuration, a higher effective standard results in lower firm security if and only if $k > \bar k$ and $s_{PC} > \max\{\bar s, 1/(2k)\}$.
Proposition 4 says that a higher standard reduces firm security only when both of the following
conditions hold: the liability reduction effect is strong enough, and the standard is high enough. The
intuition behind the necessity of a strong liability reduction effect is analogous to that under the serial
configuration: the higher k is, the less the firm suffers under a breach, and thus the less the firm is willing
to invest in the unverifiable control (as illustrated by the left plot in Figure 6).
[Figure 6. Firm security under parallel configuration as a function of $s_{PC}$ (left panel: the impact of $s_{PC}$ on $e_N^*$; right panel: the impact of $s_{PC}$ on firm security; curves for $k > \bar k$ and $k < \bar k$; $\hat e_V$ and $\bar s$ marked on the $s_{PC}$ axis; see footnote 19).]
When it comes to the necessity of a high standard, a higher $s_{PC}$ intensifies the marginal impact of $k$ on $e_N^*$. Therefore, when the standard is already high and increases further, the liability reduction effect incentivizes the firm to reduce its effort on the unverifiable control significantly, to the extent that this reduction dominates the firm's increased effort on the verifiable control, thus resulting in decreased overall firm security. Notice that, as illustrated by the right plot in Figure 6, decreased overall firm security can happen only if the liability reduction effect is above a threshold value $\bar k$; otherwise, even the strongest possible standard (and the resulting reduced liability) cannot induce enough reduction in the security of the unverifiable control to dominate the security improvement on the verifiable control.

Footnote 19: Parameter values used for Figure 6 are $D_F = 3000$ and $C_i(e_i) = e^{6 e_i} - 6 e_i - 1$ for $i \in \{V, N\}$; for the $k > \bar k$ curves, $k = 0.9$, and otherwise $k = 0.85$.
A comparison of Propositions 1 and 4 reveals an important insight regarding the difference between
the serial and parallel configurations: firm security can decrease in standard under both configurations,
albeit in different ranges of standards. Under serial configuration, firm security can decrease in standard
only under relatively low standard. In sharp contrast, under parallel configuration firm security can
decrease in standard only under relatively high standard. Interestingly, under the parallel configuration
this reduction of investment on the unverifiable control plays an increasingly significant role to overall
firm security when standard increases, whereas under the serial configuration it actually plays a
diminishing role because of the substitution effect between the two security controls.
5. Standardization Under Strategic Attacks
In this section we consider strategic attacks, in which case the representative attacker strategically
chooses her target control contingent on her expectation of security investments ( eV and eN ) taken by the
firm.20 We limit our attention to the parallel configuration.21 We consider the following particular form of
strategic attacker behavior: the attacker strategically targets the security control that is most likely to be
breached. Such control is commonly referred to as the weakest link in information security research
(Grossklags et al. 2008, Grossklags and Johnson 2009). In our model setup, the weakest link is the
security control with the lowest firm effort. To clearly differentiate the analysis in this section from the
parallel configuration with non-strategic attacks in the previous section, hereafter we refer to the parallel configuration with strategic attacks as the weakest-link configuration, and use subscript "WL" to denote results in this case.

Footnote 20: While an attacker can often collect information relevant to cost-efficiency $C_V$ and $C_N$, such as prevailing market prices of various security products and security consulting services, it is much harder for the attacker to gauge the specific investments a firm makes in its security controls, such as which specific security products are adopted, whether they are properly set up, and the IT labor assigned to monitor and maintain the security products. Accordingly, we assume $e_V$ and $e_N$ to be private knowledge of the firm.

Footnote 21: An attacker strategically picking a control to attack does not apply in the serial configuration because it would require the attacker to successfully breach both controls to harm the firm.
Under strategic attacks, period 3 in the model timeline (Figure 1) now consists of two steps. In step 1, the representative attacker observes the standard $s_{WL}$ and accordingly forms rational expectations over firm investments on the two security controls. Let $e_V$ and $e_N$ represent these beliefs, which in equilibrium are consistent with the firm's true investments.22 In step 2, the attacker optimally decides her attack strategy based on $e_V$ and $e_N$. Let her optimal strategy be represented by $p$: she attacks the unverifiable control N with probability $p$ and attacks the verifiable control V with probability $1 - p$.
Given any standard $s_{WL}$ for control V that is imposed by the policy maker and the expected attacker strategy $p$, the firm's optimization problem is:

$$\max_{e_V, e_N} U_F = V_F - \bigl(1 - \theta((1 - p) e_V + p\, e_N)\bigr)(1 - k e_V) D_F - C_V(e_V) - C_N(e_N) \quad \text{s.t. } e_V \ge s_{WL}. \qquad (10)$$
A key difference between this weakest-link configuration and the earlier parallel configuration is that, once the attacker chooses an optimal target control under the former configuration, she will concentrate her attacks on this control instead of dispersing them among both controls. Parameter $\theta$ reflects this concentrated effort: the smaller $\theta$ is, the higher the effectiveness of this concentrated attack in breaching the targeted control (as compared to non-discretionary and diluted attacks on both controls).
We again focus on effective standards only, i.e., we consider the case where the standard is high enough such that the constraint $e_V \ge s_{WL}$ is binding. Therefore, given $e_V^* = s_{WL}$, the above optimization problem can be rewritten as:

$$\max_{e_N} U_F = V_F - \bigl(1 - \theta((1 - p) s_{WL} + p\, e_N)\bigr)(1 - k s_{WL}) D_F - C_V(s_{WL}) - C_N(e_N). \qquad (11)$$

The next lemma characterizes the firm's optimal investment on N and the attacker's optimal attack strategy given rational beliefs. Denote $\hat s_{WL}$ as the unique solution to $r_N(\theta(1 - k\hat s_{WL}) D_F) = \hat s_{WL}$.

Footnote 22: The equilibrium concept we use is Sequential Equilibrium (Fudenberg and Tirole 1991, pages 321-324).
Lemma 3: Consider any effective standard $s_{WL}$.
i. If $s_{WL} \le \hat s_{WL}$, there exists a unique sequential equilibrium -- the Even-Effort Equilibrium -- where the firm exerts efforts $e_N^* = e_V^* = s_{WL}$ and the attacker randomizes her attack between the two controls with $p^* = c_N(s_{WL}) / (\theta(1 - k s_{WL}) D_F)$.
ii. If $s_{WL} > \hat s_{WL}$, there exists a unique sequential equilibrium -- the Uneven-Effort Equilibrium -- where the firm exerts efforts $e_V^* = s_{WL}$ and $e_N^* = r_N(\theta(1 - k s_{WL}) D_F)$, with $e_N^* < e_V^*$, and the attacker always attacks the unverifiable control (i.e., $p^* = 1$).
In both cases of Lemma 3, the investment on the verifiable control is set simply to comply with the standard -- a result similar to previous lemmas. Nevertheless, part (i) of Lemma 3 shows a dynamic unique to strategic attacks: when the standard is not too high, i.e., $s_{WL} \le \hat s_{WL}$, the firm matches its investment on the unverifiable control with that on the verifiable one. Intuitively, the firm takes the attacker's strategic behavior into consideration when it decides $e_N$. If $e_N < e_V^*$, in a sequential equilibrium the attacker will rationally expect the unverifiable control to be the weakest link, and thus will concentrate her attack on this control; consequently, the firm's marginal benefit from defending the unverifiable control will be higher than that under the parallel configuration. If, on the other hand, $e_N > e_V^*$, in a sequential equilibrium the attacker will rationally expect the verifiable control to be the weakest link, and thus will concentrate her attack on this control; consequently, the firm can scale back its investment on the unverifiable control (down to $e_V^*$) without hurting its security. Part (i) of Lemma 3 then says that, as long as the standard is not too high, the firm should raise its investment on the unverifiable control to exactly match its investment on the verifiable control, thus eliminating this possible weakest link. For ease of exposition we refer to this equilibrium as the Even-Effort Equilibrium.
When the standard is very high, i.e., $s_{WL} > \hat s_{WL}$, the firm's marginal cost of investment on the unverifiable control will be very high as well. Even though the firm knows that if it picks $e_N < e_V^*$ in equilibrium it will receive concentrated attacks on the unverifiable control, the high marginal cost no longer justifies the benefit of matching the investments. In other words, between saving on costs and hiding a weakest link, the firm chooses the lesser of the two evils, which is the former.
We next analyze the relationship between the standard and overall firm security. When $s_{WL} \le \hat s_{WL}$, firm security is $1 - \pi = \theta s_{WL}$; when $s_{WL} > \hat s_{WL}$, firm security is $1 - \pi = \theta\, r_N(\theta(1 - k s_{WL}) D_F)$. We then have:
Proposition 5: Consider strategic attacks under the weakest-link configuration.
i. If $s_{WL} < \hat s_{WL}$, a higher effective standard results in higher firm security.
ii. If $s_{WL} > \hat s_{WL}$, a higher effective standard results in lower firm security.
There are both similarities and differences between this finding (where the attacks are strategic) and the earlier finding under the parall configuration (where the attacks are non-strategic). Similar to Proposition 4, Proposition 5 shows that tightening a standard can harm firm security only if the standard is high enough. One prominent difference between the weakest-link and parallel configurations, however, is the extent of the role played by the liability reduction effect (as measured by $k$) in driving the result that firm security can decrease in the standard. Under the parallel configuration, firm security decreases in the standard only if this liability reduction effect is very strong (i.e., $k > \bar k$). That is because a small liability reduction effect cannot offset the complementarity effect. Under the weakest-link configuration, however, firm security can decrease in the standard for any arbitrarily small liability reduction effect. Intuitively, if $s_{WL} > \hat s_{WL}$, though a tighter standard forces the firm to invest more on the verifiable control, this improved investment has no direct impact on firm security because the strategic attacker completely ignores the verifiable control. Furthermore, the liability reduction effect causes the firm to invest less on the unverifiable control -- which is the control the attack focuses on -- thus resulting in worse overall firm security.
Our next proposition answers how strategic attacking behavior affects firm security, namely, ceteris paribus, how overall firm security $1 - \pi$ under strategic attacks compares with that under nonstrategic attacks. One might expect strategic attacks to be more harmful to firm security than nonstrategic ones, since the former deliberately seek out the firm's weakest link. Surprisingly, however, the next proposition refutes this common wisdom.
Proposition 6: Consider any standard $s$ that is effective under both the weakest-link and parallel configurations.
i. If $s \le \hat s_{WL}$, firm security under strategic attacks is better than that under nonstrategic attacks if and only if $\theta > r_N(s(1 - ks) D_F)$.
ii. If $s > \hat s_{WL}$, firm security under strategic attacks is better than that under nonstrategic attacks if and only if $\theta > s$.
Proposition 6 shows that, surprisingly, strategic attacks can actually benefit firm security (as compared to nonstrategic attacks) if $\theta$ is not too small. This is illustrated by the lighter area in Figure 7. Key to this result is the insight that strategic attacks can induce a stronger complementarity effect on the firm side than nonstrategic attacks. To see this, consider the underlying reasons for the complementarity effect under nonstrategic and strategic attacks, respectively. Under nonstrategic attacks, the parallel configuration of the two security controls incentivizes the firm to invest more on the unverifiable control when the standard on the verifiable control increases (as we discussed in the previous section). We refer to this complementarity effect as the Configuration-Induced Complementarity. In contrast, under strategic attacks the complementarity effect is enhanced by the fact that attacks always target the weakest link if one exists: this complementarity effect is strong and in fact perfect, in the sense that the firm invests equally on both controls in order to eliminate the weakest link when the security standard is not too high (i.e., $s_{WL} \le \hat s_{WL}$, to the left of the dotted $\hat s_{WL}(\theta)$ line in Figure 7). Hereafter we refer to this strong complementarity effect under strategic attacks as the Strategic-Attack-Induced Complementarity. The fact that the Strategic-Attack-Induced Complementarity is stronger than the Configuration-Induced Complementarity explains the surprising result of Proposition 6 that strategic attacks may benefit overall firm security.
[Figure 7. Comparison between strategic and nonstrategic attacks regarding their impacts on firm security (axes: standard $s$ and $\theta$; dotted line $\hat s_{WL}(\theta)$; lighter area: firm security under strategic attacks is better than that under nonstrategic attacks; darker area: firm security under strategic attacks is worse than that under nonstrategic attacks; horizontal strips I, II and III; see footnote 23).]
When the security standard is too high, i.e., $s_{WL} > \hat s_{WL}$, the firm gives up matching its investment on the two security controls. Nevertheless, it is still possible for strategic attacks to benefit firm security: to the right of the line $\hat s_{WL}(\theta)$ in Figure 7, firm security under strategic attacks is still greater than that under nonstrategic attacks when $\theta > s$. Intuitively, the firm under strategic attacks invests at a higher cumulative level on firm security up to $s = \hat s_{WL}$. Beyond $\hat s_{WL}$ the firm stops investing more on the unverifiable control (and may actually decrease its investment due to the liability reduction effect), but the cumulative investment level can still be higher under strategic attacks (than under nonstrategic attacks) when the standard is not too far above $\hat s_{WL}$.
The above discussion depends on $\theta$ not being too small. A small enough $\theta$ (i.e., $\theta < r_N(s(1 - ks) D_F)$ when $s \le \hat s_{WL}$, or $\theta < s$ when $s > \hat s_{WL}$) implies that, by concentrating on the weakest link, attackers have a much higher chance of breaching through (than with randomized and nonstrategic attacks). When $\theta$ is small enough, this higher breach chance due to concentrated attacks dominates the benefits from the Strategic-Attack-Induced Complementarity.

Footnote 23: Parameter values used for Figure 7 are $D_F = 150$, $C_V(e_V) = e^{6 e_V} - 6 e_V - 1$, $C_N(e_N) = e^{3 e_N} - 3 e_N - 1$, $k = 0.9$.
We also divide Figure 7 into three horizontal strips I, II and III, which reveal delicate and interesting insights into the following managerially relevant question: are strategic attacks more harmful than nonstrategic attacks under low or under high security standards? The answer clearly depends on the strategic attack environment characterized by $\theta$. When the effectiveness of concentrated attacks is high (i.e., in area III), strategic attacks are more harmful than nonstrategic attacks regardless of the security standard. When the effectiveness of concentrated attacks is low (i.e., in area I), strategic attacks are more beneficial than nonstrategic attacks unless the standard is high enough. Interestingly, when the effectiveness of concentrated attacks is moderate (i.e., in area II), strategic attacks benefit firm security (as compared to nonstrategic attacks) when the standard is neither too low nor too high. That is, as area II illustrates, the answer can be affirmative for both the low end and the high end of the standard, yet surprisingly negative for the middle.
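The parallel and weakest-link results (equation (9), Propositions 4-6 and the regions of Figure 7) can likewise be checked numerically. The Python script below is an added example written for this page, not code from the paper. It reuses the assumed cost function $C_N(e) = 2(1 - \sqrt{1 - e}) - e$ (so $r_N(x) = 1 - (1 + x)^{-2}$) with assumed values $k = 0.9$, $D_F = 10$ and several values of $\theta$; every standard on the grid is treated as effective in both configurations, as Proposition 6 requires. It computes parallel security $s\, r_N(s(1 - ks) D_F)$ and its slope, the weakest-link threshold $\hat s_{WL}$, the Even-Effort and Uneven-Effort security levels, and checks over a grid of standards that the direct comparison of the two security levels agrees with the conditions stated in Proposition 6.

```python
# Same ASSUMED cost function as in the serial example (not the paper's):
#   C_N(e) = 2 (1 - sqrt(1 - e)) - e,  so r_N(x) = c_N^{-1}(x) = 1 - (1 + x)^(-2)
#   and r_N'(x) = 2 (1 + x)^(-3).  All standards below are treated as effective.
def r_N(x):
    return 1.0 - (1.0 + x) ** -2

def r_N_prime(x):
    return 2.0 * (1.0 + x) ** -3

# --- parallel configuration, nonstrategic attacks (Section 4.2) ---
def parallel_effort_N(s, k, D_F):
    """Eq. (9): e_N* = r_N(s_PC (1 - k s_PC) D_F)."""
    return r_N(s * (1 - k * s) * D_F)

def parallel_security(s, k, D_F):
    """1 - pi = e_V* e_N* = s r_N(s (1 - k s) D_F)."""
    return s * parallel_effort_N(s, k, D_F)

def parallel_security_slope(s, k, D_F):
    """d/ds [s r_N(x)] with x = s (1 - k s) D_F: r_N(x) + s r_N'(x) (1 - 2 k s) D_F.
    Negative at s = 1 exactly when k exceeds k-bar (Proposition 4)."""
    x = s * (1 - k * s) * D_F
    return r_N(x) + s * r_N_prime(x) * (1 - 2 * k * s) * D_F

# --- weakest-link configuration, strategic attacks (Section 5) ---
def wl_threshold(theta, k, D_F, tol=1e-12):
    """s-hat_WL: the unique s with r_N(theta (1 - k s) D_F) = s, by bisection
    (the left side falls in s while the right side rises, so there is one crossing)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if r_N(theta * (1 - k * mid) * D_F) > mid:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def wl_security(s, theta, k, D_F):
    """Lemma 3 / Proposition 5: the Even-Effort branch (s <= s-hat) gives theta * s;
    the Uneven-Effort branch gives theta * r_N(theta (1 - k s) D_F), the attacker
    concentrating on control N (p* = 1)."""
    if s <= wl_threshold(theta, k, D_F):
        return theta * s
    return theta * r_N(theta * (1 - k * s) * D_F)

def prop6_predicts_strategic_better(s, theta, k, D_F):
    """Proposition 6: theta > r_N(s (1 - k s) D_F) below s-hat, theta > s above it."""
    if s <= wl_threshold(theta, k, D_F):
        return theta > r_N(s * (1 - k * s) * D_F)
    return theta > s

def prop6_consistent(theta, k, D_F, n=200, eps=1e-9):
    """Compare the two security levels directly on a grid of standards and check
    that the sign agrees with Proposition 6 (exact ties are skipped)."""
    for i in range(1, n):
        s = i / n
        diff = wl_security(s, theta, k, D_F) - parallel_security(s, k, D_F)
        if abs(diff) < eps:
            continue
        if (diff > 0) != prop6_predicts_strategic_better(s, theta, k, D_F):
            return False
    return True

if __name__ == "__main__":
    k, D_F = 0.9, 10.0  # assumed parameter values, not the paper's
    print(f"parallel slope at s=1: k=0.9 -> {parallel_security_slope(1.0, 0.9, D_F):+.3f}, "
          f"k=0.1 -> {parallel_security_slope(1.0, 0.1, D_F):+.3f}")
    for theta in (0.9, 0.95, 0.97):
        s_hat = wl_threshold(theta, k, D_F)
        print(f"theta={theta}: s-hat={s_hat:.4f}, Prop. 6 consistent on grid: "
              f"{prop6_consistent(theta, k, D_F)}")
        for s in (0.5, s_hat, 0.95, 1.0):
            print(f"  s={s:.3f} strategic={wl_security(s, theta, k, D_F):.4f} "
                  f"nonstrategic={parallel_security(s, k, D_F):.4f}")
```

With these assumed values the parallel security slope at $s = 1$ is negative for $k = 0.9$ and positive for $k = 0.1$, the weakest-link security peaks at $\hat s_{WL} \approx 0.88$ for $\theta = 0.9$ and falls beyond it, and at $s = 0.5$ strategic attacks leave the firm worse off for $\theta = 0.9$ but better off for $\theta = 0.95$, matching the two regions of Proposition 6.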
6. Managerial Implications and Concluding Remarks
This paper is a first study on how security standards affect a firm’s security investments and its overall
security when standards cannot cover all firm security controls. Key issues considered are security
configurations (namely how security controls together protect firm security), liability in security
compliance, and possible strategic attacks. This research has a number of managerial implications that
challenge common wisdom in security practice and regulation.
First, this research shows strikingly that a tighter security standard mandated by the government or
trade unions can sometimes have the unintentional consequence of harming overall firm security.
Intuitively, while a tight standard applies to all security controls that it regulates, it may lead a firm to strategically reduce its investment on security controls that are not explicitly regulated. We show that such an investment reduction on unverifiable security controls may overwhelm the incremental investment on verifiable security controls, leading to lower overall firm security. Remarkably, under serial configuration this result (that a tighter standard hurts firm security) can take place even if there is no liability reduction effect. Under parallel configuration, however, a strong liability reduction effect is necessary for this counter-intuitive result.
This result that a tighter standard does not necessarily lead to better firm security is consistent with anecdotal industry evidence. For example, in recent years the PCI Security Standards Council has imposed increasingly strict standards (PCI-DSS) on how merchants should secure their databases in order to protect the credit card information stored in them. Some industry analysts have subsequently found evidence that attackers are increasingly switching their attention to other IT components that are not regulated by PCI-DSS, such as internal corporate networks (Krebs 2009a). As we discussed in the Introduction, successful attacks on the payment card industry are still rampant (and even increasing in some years) despite the continuous tightening of PCI-DSS.
Second, the conditions for tighter standards hurting firm security depend critically on the security
configuration. Under serial configuration, it can happen only if the standard is not too high. Under parallel
configuration, however, it can happen only if the standard is high enough.
Third, under serial configuration we show that a firm that cares more about security (i.e., suffers a
higher damage upon breach) may react to a tighter standard by reducing its overall security even when a
firm that cares less does not. This surprising result implies that, when policy makers contemplate
imposing tighter standards, they should not take it for granted that firms that care more about security are more likely to respond by tightening their overall security.
Fourth, we show that strategic attacks (as compared to random and nonstrategic attacks) are not necessarily worse for information security. We highlight the fact that, anticipating that attackers want to single out weakest links, firms have an incentive to balance their investment across all security controls so that no control stands out as the weakest one. As a result, a tighter regulation on only verifiable controls, coupled with strategic attacks, can have the positive indirect effect of forcing firms to also increase their investments on unverifiable controls (to match those on verifiable controls). In other words, strategic behavior by attackers incentivizes firms to secure controls that are not reachable by regulations. To our knowledge, this is the first research in the information security standard literature that identifies a positive consequence of strategic attacker behavior.
This first research on security regulation in the presence of unverifiable controls can be extended in a
number of ways. First, in practice security configurations can be more complicated than the two basic
forms discussed in this paper, and can involve more than two controls. The question of whether a
complicated security configuration can always be decomposed into the two basic forms is intriguing.
Second, subject to data availability, our research offers a number of empirically testable results, such as
the ones on how security configuration affects a firm's investment on unverifiable controls. A follow-up
empirical study will be valuable because there is limited research that empirically studies how security
standards affect firm investment on security controls and attacker strategy.
References
Battigalli, P., Maggi, G. 2002. Rigidity, Discretion, and the Costs of Writing Contracts. The American Economic Review 92(4) 798-817.
Bernheim, B., Whinston, M. 1998. Incomplete Contracts and Strategic Ambiguity. The American Economic Review 88(4) 902-932.
Cavusoglu, H., Mishra, B., Raghunathan, S. 2005. The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research 16(1) 28-46.
Cavusoglu, H., Raghunathan, S., Cavusoglu, H. 2009. Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems. Information Systems Research 20(2) 198-217.
Cheney, J. 2010. Heartland Payment Systems: Lessons Learned from a Data Breach. Whitepaper. Federal Reserve Bank of Philadelphia, Philadelphia, PA. www.philadelphiafed.org/payment-cards-center/.
Coase, R. H. 1937. The Nature of the Firm. Economica 4(16) 386-405.
Culnan, M., Williams, C. 2009. How Ethics Can Enhance Organizational Privacy: Lessons from the ChoicePoint and TJX Data Breaches. MIS Quarterly 33(4) 673-687.
Dye, R. 1993. Auditing Standards, Legal Liability, and Auditor Wealth. The Journal of Political Economy 101(5) 887-914.
Fudenberg, D., Tirole, J. 1991. Game Theory. MIT Press.
Gordon, L. A., Loeb, M. P. 2002. The Economics of Information Security Investment. ACM Transactions on Information and System Security 5(4) 438-457.
Grossklags, J., Christin, N., Chuang, J. 2008. Secure or Insure? A Game-Theoretic Analysis of Information Security Games. Proceedings of the 17th International World Wide Web Conference, Beijing, China.
Grossklags, J., Christin, N., Chuang, J. 2008. Predicted and Observed User Behavior in the Weakest-Link Security Game. Proceedings of the 2008 USENIX Workshop on Usability, Psychology, and Security, San Francisco, CA.
Grossklags, J., Johnson, B. 2009. Uncertainty in the Weakest-Link Security Game. Proceedings of the International Conference on Game Theory for Networks, Istanbul, Turkey.
Hui, K.-L., Hui, W., Yue, W. T. 2012. Information Security Outsourcing with System Interdependency and Mandatory Security Requirement. Journal of Management Information Systems, forthcoming.
Keblawi, F., Sullivan, D. 2007. The Case for Flexible NIST Security Standards. Computer 40(6) 19-26.
Krebs, B. 2009a. Hackers Test Limits of Credit Card Security Standards. Washington Post, April 16. Available at voices.washingtonpost.com/securityfix/2009/04/the_number_scale_and_sophistic.html.
Krebs, B. 2009b. Payment Processor Breach May Be Largest Ever. Washington Post, January 20.
Available at voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html.
Loch, K., Carr, H., Warkentin, M. 1992. Threats to Information Systems: Today’s Reality, Yesterday’s
Understanding. MIS Quarterly 16(2) 173-186.
MacCarthy, M. 2010. Information Security Policy in the U.S. Retail Payments Industry. Workshop on the
Economics of Information Security, Cambridge, MA.
Miller, A., Tucker, C. 2010. Encryption and Data Loss. Workshop on the Economics of Information
Security, Cambridge, MA.
Morse, E., Raval, V. 2008. PCI DSS: Payment card industry data security standards in context. Computer
Law& Security Report 24 540-554.
30
Narasimhan, H., Varadarajan, V., Rangan C. 2010. Towards a Cooperative Defense Model Against
Network Security Attacks. Workshop on the Economics of Information Security, Cambridge, MA.
Navetta, D. 2009. PCI DSS Incident Response: The Legal Perspective (July 8). Available at
http://www.infolawgroup.com/2009/07/credit-cards/pci-dss-incident-response-the-legal-perspective/
Romanosky, S., Telang, R., Acquisti, A. 2011. Do Data Breach Disclosure Laws Reduce Identity Theft?.
Journal of Policy Analysis and Management 30(2) 256-286.
Ross, R. 2007. Managing Enterprise Security Risk with NIST Standards. Computer 40(8) 88-91.
Schechter S., Smith, M. 2003. How Much Security is Enough to Stop a Thief?. Lecture Notes in
Computer Science 2742 122-137
Schwartz, R. 1997. Legal Regimes, Audit Quality and Investment. The Accounting Review 72(3) 385-406.
Simon, H. 1981. The Sciences of the Artificial. MIT Press.
Varian, H. 2004. System Reliability and Free Riding. Economics of Information Security 12 1-15.
Vijayan, J., 2008, Changes to PCI Standard Not Expected to Up Ante on Protecting Payment Card Data,
ComputerWorld(August 20). Available at http://www.computerworld.com/s/article/9113104/
Vijayan, J., 2010, Court Gives Preliminary OK to $4M Consumer Settlement in Heartland Case,
ComputerWorld (May 7). Available at www.computerworld.com/s/article/9176431/.
Whitman, M. E. and Mattord, H. J. 2009. Management of Information Security, Thomson Course
Technology, Boston, MA.
Williamson, O. E. 1975. Markets and Hierarchies: Analysts and Antitrust Implications. New York Free
Press.
Willekens, M., Steele, A., Miltz, D. 1996 Audit Standards and Auditor Liability: A Theoretical Model
Accounting and Business Research 26(3) 249-264.
31