
Research Note ---A Value-at-Risk Approach to Information Security Investment

Author

Listed:
  • Jingguo Wang

    (College of Business Administration, University of Texas at Arlington, Arlington, Texas 76019)

  • Aby Chaudhury

    (Bryant University, Smithfield, Rhode Island 02917)

  • H. Raghav Rao

    (School of Management, State University of New York at Buffalo, Buffalo, New York 14260)

Abstract

Information security investment has been getting increasing attention in recent years. Various methods have been proposed to determine the effective level of security investment. However, traditional expected value methods (such as annual loss expectancy) cannot fully characterize the information security risk confronted by organizations, considering some extremal yet perhaps relatively rare cases in which a security failure may be critical and cause high losses. In this research note we introduce the concept of value-at-risk to measure the risk of daily losses an organization faces due to security exploits and use extreme value analysis to quantitatively estimate the value at risk. We collect a set of internal daily activity data from a large financial institution in the northeast United States and then simulate its daily losses with information based on data snapshots and interviews with security managers at the institution. We illustrate our methods using these simulated daily losses. With this approach, decision makers can make a proper investment choice based on their own risk preference instead of pursuing a solution that minimizes only the expected cost.

Suggested Citation

  • Jingguo Wang & Aby Chaudhury & H. Raghav Rao, 2008. "Research Note ---A Value-at-Risk Approach to Information Security Investment," Information Systems Research, INFORMS, vol. 19(1), pages 106-120, March.
  • Handle: RePEc:inm:orisre:v:19:y:2008:i:1:p:106-120
    DOI: 10.1287/isre.1070.0143

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.1070.0143
    Download Restriction: no



    Citations



    Cited by:

    1. Elmar Kiesling & Andreas Ekelhart & Bernhard Grill & Christine Strauss & Christian Stummer, 2016. "Selecting security control portfolios: a multi-objective simulation-optimization approach," EURO Journal on Decision Processes, Springer;EURO - The Association of European Operational Research Societies, vol. 4(1), pages 85-117, June.
    2. Margareta Heidt & Jin P. Gerlach & Peter Buxmann, 2019. "Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments," Information Systems Frontiers, Springer, vol. 21(6), pages 1285-1305, December.
    3. Xue Bai & Ramayya Krishnan & Rema Padman & Harry Jiannan Wang, 2013. "On Risk Management with Information Flows in Business Processes," Information Systems Research, INFORMS, vol. 24(3), pages 731-749, September.
    4. Nicole L. Beebe & Diana K. Young & Frederick R. Chang, 2013. "Framing Information Security Budget Requests to Maximize Investments," Working Papers 0217is, College of Business, University of Texas at San Antonio.
    5. Tawei Wang & Karthik N. Kannan & Jackie Rees Ulmer, 2013. "The Association Between the Disclosure and the Realization of Information Security Risk Factors," Information Systems Research, INFORMS, vol. 24(2), pages 201-218, June.
    6. Bahram Alidaee & Haibo Wang & Jun Huang & Lutfu S. Sua, 2023. "Integrating Statistical Simulation and Optimization for Redundancy Allocation in Smart Grid Infrastructure," Energies, MDPI, vol. 17(1), pages 1-13, December.
    7. Stoel, M. Dale & Muhanna, Waleed A., 2011. "IT internal control weaknesses and firm performance: An organizational liability lens," International Journal of Accounting Information Systems, Elsevier, vol. 12(4), pages 280-304.
    8. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    9. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    10. Loïc Maréchal & Alain Mermoud & Dimitri Percia David & Mathias Humbert, 2024. "Measuring the performance of investments in information security startups: An empirical analysis by cybersecurity sectors using Crunchbase data," Papers 2402.04765, arXiv.org, revised Feb 2024.

