A value-at-risk approach to information security investment

Information Systems Research

Volumn 19, Issue 1, 2008, Pages 106-120

  Wang, Jingguo ^a   Chaudhury, Aby ^b   Rao, H Raghav ^c  

^a UNIVERSITY OF TEXAS AT ARLINGTON   (United States)

^b BRYANT UNIVERSITY   (United States)

^c UNIVERSITY AT BUFFALO   (United States)

Author keywords

Extreme value analysis; Information assurance; Security investment; Value at risk (VaR)

Indexed keywords

DECISION MAKING; INVESTMENTS; RISK ASSESSMENT; RISK PERCEPTION; SECURITY OF DATA;

EXTREME VALUE ANALYSIS; FINANCIAL INSTITUTION; INFORMATION ASSURANCE; INFORMATION SECURITY INVESTMENT; INFORMATION SECURITY RISKS; SECURITY FAILURE; SECURITY INVESTMENTS; VALUE AT RISK;

VALUE ENGINEERING;

EID: 61349180141     PISSN: 10477047     EISSN: 15265536     Source Type: Journal    
DOI: 10.1287/isre.1070.0143     Document Type: Article

References (44)

1. Anderson, R. H., R. Brackney. 2004. Understanding the Insider Threat. RAND Corporation, Santa Monica.
2. Castillo, E. 1988. Extreme Value Theory in Engineering. Academic Press, San Diego.
3. Chinchani, R., A. Iyer, H. Q. Ngo, S. Upadhyaya. 2005. Towards a theory of insider threat assessment. The 2005 Internat. Conf. Dependable Systems and Networks (DSN'05), Yokohama, Japan. IEEE Computer Society, Washington, D. C. 108-117.
4. Coles, S. 2001. An Introduction to Statistical Modeling of Extreme Values. Springer-Verlag, London.
5. Crouhy, M., D. Galai, R. Mark. 2001. Risk Management. McGraw-Hill, New York.
6. Dahan, E., H. Mendelson. 2001. An extreme-value model of concept testing. Management Sci. 47(1) 102-116.
7. Davison, A. C., R. L. Smith. 1990. Models for exceedances over high thresholds (with discussion). J. Roy. Statist. Soc. 52 393-442.
8. de Fontnouvelle, P., J. Jordan, E. Rosengren. 2005. Implication of alternative operational risk modeling techniques. NBER Working Paper 11103, National Bureau of Economic Research. Cambridge, MA. Available at http://www. nber.org/papers/w11103.
9. Devaraj, S., R. Kohli. 2002. The IT Payoff. Prentice Hall, Upper Saddle River, NJ.
10. Dickey, D., W. Fuller. 1979. Distribution of the estimators for autoregressive time series with a unit root. J. Amer. Statist. Assoc. 74 427-431.
11. Dickey, D., W. Fuller. 1981. Likelihood ratio tests for autoregressive time series with a unit root. Econometrica 49 1057-1072.
12. Dowd, K. 1998. Beyond Value at Risk; The New Science of Risk Management. John Wiley & Sons, New York.
13. Duffie, D., J. Pan. 1997. An overview of value at risk. J. Derivatives 4(3) 7-49.
14. Embrechts, P. 1996. Actuarial versus financial pricing of insurance. Working paper, The Wharton School, Philadelphia. Available at http://fic.wharton.upenn.edu/fic/papers/96/9617.pdf.
15. Embrechts, P., C. Kluppelberg, T. Mikosch. 1997. Modeling Extremal Events for Insurance and Finance. Springer, New York.
16. Ernst & Young. 2003. Global Information Security Survey 2003, Ernst & Young LLP.
17. Ernst & Young. 2004. Global Information Security Survey 2004, Ernst & Young LLP.
18. Farahmand, F., S. B. Navathe, G. P. Sharp, P. H. Enslow. 2005. A mana6gement perspective on risk of security threats to information systems. Inform. Tech. Management 6(2-3) 203-255.
19. Fisher, R. A., L. H. C. Tippett. 1928. Limiting Forms of the Frequency Distributions of the Largest or Smallest Member of a Sample. The Cambridge Philosophical Society, Cambridge University Press, London.
20. Gal-or, E., A. Ghose. 2005. The economic incentives for sharing security information. Inform. Systems Res. 16(2) 186-208.
21. Geer, D., K. S. Hoo, A. Jaquith. 2003. Information security: Why the future belongs to the quants. IEEE Security & Privacy 1 32-40.
22. Gordon, L. A., M. P. Loeb. 2002. The economics of information security investment. ACM Trans. Inform. Systems Secur. 5(4) 438-457.
23. Gordon, L. A., M. P. Loeb, W. Lucyshyn, R. Richardson. 2005. 2005 CSI/FBI Computer Crime and Security Survey. Computer Security Institute, San Francisco.
24. Greene, W. H. 2000. Econometric Analysis. Prentice Hall, Upper Saddle River, NJ.
25. Gumbel, E. J. 1958. Statistics of Extremes. Columbia University, New York.
26. Hallerbach, W., B. Menkveld. 1999. Value at risk as a diagnostic tool for corporates: The airline industry. Papers No. 99-023/2, Tinbergen Institute Discussion Papers, Rotterdam, The Netherlands. Available at http://www. tinbergen. nl/discussionpapers/99023.pdf.
27. Holton, G. A. 2003. Value at Risk: Theory and Practice. Academic Press, London.
28. Hoo, K. J. S. 2000. How much is enough? A risk-management approach to computer security. Working paper, Center for International Security and Cooperation, Stanford University. Available at http://iis-db.stanford.edu/pubs/ 11900/soohoo.pdf
29. Jorion, P. 1997. Value at Risk. McGraw-Hill, New York.
30. Kannan, K., R. Telang. 2005. Market for software vulnerabilities? Think again. Management Sci. 51(5) 726-740.
31. Kesh, S., S. Ramanujan, S. Nerur. 2002. A framework for analyzing e-commcrce security. Inform. Management Comput. Secur. 10(4) 149-158.
32. Leadbetter, M. R., I. Weissman, L. De Haan, H. Rootzen. 1989. On clustering of high levels in statistically stationary series. The 4th Internat. Meeting on Statist. Climatology, New Zealand Meteorological Service, Wellington, New Zealand.
33. Longstaff, T. A., C. Chittister, R. Pethia, Y. Y. Haimes. 2000. Are we forgetting the risks of information technology? IEEE Comput. 33(12) 43-51.
34. Manfredo, M. R., R. M. Leuthold. 1998. Agricultural applications of value-at-risk analysis: A perspective. The NCR-134 Conf. Appl. Commodity Price Anal., Forecasting, and Market Risk Management. St. Louis.
35. Mercuri, R. T. 2003. Analyzing security costs. Comm. ACM 46(6) 15-18.
36. Mitra, D., Q. Wang. 2005. Stochastic traffic engineering for demand uncertainty and risk-aware network revenue management. IEEE/ACM Trans. Networking 13(2) 221-233.
37. Pickands, J. 1975, Statistical inference using extreme order statistics. Ann. Statist, 3 119-131.
38. Schecter, S. E., M. D. Smith. 2003. How much security is enough to stop a thief? The economics of outsider theft via computer systems networks, Proc. 7th Financial Cryptography Conf., Guadeloupe, French West Indies. 122-137.
39. Shaw, E. D., K. G. Ruby, J. M. Post. 1998. The insider threat to information systems. Security Awareness Butt. 2-98.
40. Smith, R. L. 1989. Extreme value analysis of enviromental time series: An example based on ozone data (with discussion). Statist. Sci. 4 367-393.
41. Smith, R. L., I. Weissman. 1994, Estimating the extremal index. J. Roy. Statist. Soc. B(56) 515-528.
42. Sun, L., R. P. Srivastava, T. J. Mock. 2006. An information systems security risk assessment model under Dcmpster-Shafer theory of belief functions. J. Management Inform. Systems 22(3) 190-142.
43. Tawn, J. A. 1988. An extreme value theory model for dependent observations. J. Hydrology 101 227-250.
44. Varian, H. R. 2004. System reliability and free riding. L. J. Camp, S. Lewis, eds. Economics of Information Security. Kluwer Academic Publishers, Boston/Dordrecht/London, 1-15.