Correlated failures, diversification, and information security risk management

MIS Quarterly: Management Information Systems

Volumn 35, Issue 2, 2011, Pages 397-422

  Chen, Pei Yu ^a   Kataria, Gaurav ^b   Krishnan, Ramayya ^c  

^a TEMPLE UNIVERSITY   (United States)

^b BOOZ ALLEN HAMILTON   (United States)

^c CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Correlated failures; Diversification; Downtime loss; Network effects; Risk management; Security; Software allocation

Indexed keywords

INFORMATION SERVICES; QUEUEING THEORY; REPAIR; RISK ASSESSMENT; RISK MANAGEMENT;

CORRELATED FAILURES; DIFFERENT OPERATING CONDITIONS; DIVERSIFICATION; DIVERSIFICATION STRATEGIES; INFORMATION SECURITY RISK MANAGEMENTS; NETWORK EFFECTS; SECURITY; SOFTWARE VULNERABILITIES;

NETWORK SECURITY;

EID: 80051749786     PISSN: 02767783     EISSN: None     Source Type: Journal    
DOI: 10.2307/23044049     Document Type: Article

References (36)

1. Arora, A., Krishnan, R., Telang, R., and Yang, Y. 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research. (21:1), pp. 115-132.
2. Avizienis, A. 1995. "The Methodology of n-Version Programming," Chapter 2 in Software Fault Tolerance, M. R. Lyu (ed.), New York: Wiley.
3. Bain, C., Faatz, D., Fayad, A., and Williams, D. 2001. "Diversity as a Defense Strategy in Information Systems," Technical Report, The MITRE Corporation, Bedford, MA.
4. Bakkaloglu, M., Wylie, J., Wang, C., and Ganger, G. 2002. "On Correlated Failures in Survivable Storage Systems, 2002," Technical Report CMU-CS-02-129, Carnegie Mellon University, School of Computer Science, Pittsburgh, PA.
5. th ACM Conference on Computer and Communications Security, October 27-30, Washington, DC, pp. 281-289. (Pubitemid 40673810)
6. Brynjolfsson, E., and Kemerer, C. 1996. "Network Externalities in Microcomputer Software: An Econometric Analysis of the Spreadsheet Market," Management Science (42:12), pp. 1627-2647.
7. Collins, M., Gates, C., and Kataria, G. 2006. "A Model for Opportunistic Network Exploits: The Case of P2P Worms," in Proceedings of the Fifth Workshop on the Economics of Information Security, June 26-28, University of Cambridge, UK (available online, http://weis2006.econinfosec.org/ docs/16.pdf).
8. Deswarte, Y., Kanoun, K., and Laprie, J. C. 1998. "Diversity Against Accidental and Deliberate Faults," in Proceedings of Computer Security, Dependability and Assurance: From Needs to Solutions, Los Alamitos, CA: IEEE Computer Society, pp. 171-181.
9. Eckberg, A. 1985. "Approximation for Bursty (and Smoothed) Arrival Queuing Delays Based on Generalized Peakedness," in Proceedings of the 11th International Teletraffic Congress, Kyoto.
10. Economides, N. 2001. "The Microsoft Antitrust Case," Journal of Industry, Competition and Trade: From Theory to Policy (1:1), pp. 71-79.
11. Farrell, J., and Klemperer, P. 2001. "Coordination and Lock-In: Competition with Switching Costs and Network Effects," Chapter 31 in Handbook of Industrial Organization (Volume 3), M. Armstrong and R. Porter (eds.), Amsterdam: North Holland.
12. Geer, D., Bace, R., Gutmann, P., Metzger, P, Pfleeger, C. P., Quarterman, J. S., and Schneier, B. 2003. "Cyber Insecurity: The Cost of Monopoly" (available online, http://www.ccianet.org/CCIA/files/ ccLibraryFiles/Filename/000000000061/cyberinsecurity.pdf).
13. Hadar, J., and Russell, W. 1969. "Rules for Ordering Uncertain Prospects," American Economic Review (59), pp. 25-34.
14. Honeynet Project. 2004. "Know Your Enemy: Trends" (available online, http://old.honeynet.org/papers/enemy/).
15. Howard, J. D. 1997. An Analysis of Security Incidents on the Internet: 1989-1995, unpublished Ph.D. thesis, Carnegie Mellon University, Pittsburgh, PA.
16. Kannan, K., and Telang, R. "Market for Software Vulnerabilities? Think Again," Management Science (51:5), pp. 726-740.
17. Katz, M. L., and Shapiro, C. 1985. "Network Externalities, Competition, and Compatibility," American Economic Review (75:3), pp. 424-440.
18. Katz, M. L., and Shapiro, C. 1986. "Technology Adoption in the Presence of Network Externalities," Journal of Political Economy (94:4), pp. 822-841.
19. Katz, M. L., and Shapiro, C. 1994. "Systems Competition and Network Effects," Journal of Economic Perspectives (8:2), pp. 93-115.
20. th ACM Conference on Computer and Communications Security, October 27-30, Washington, DC, pp. 272-280. (Pubitemid 40673809)
21. Kleinrock, L. 1975. Queuing Theory (Volume 1), New York: John Wiley and Sons.
22. Kunreuther, H., and Heal, G. 2003. "Interdependent Security," Journal of Risk and Uncertainty (26:2/3), pp. 231-249.
23. Li, P., and Rao, H. R. 2007. "An Examination of Private Intermediaries' Roles in Software Vulnerabilities Disclosure," Information Systems Frontiers (9:5), pp. 531-539. (Pubitemid 350007347)
24. Nicola, V. F., and Goyal, A. 1990. "Modeling of Correlated Failures and Community Error Recovery in Multiversion Software," IEEE Transactions on Software Engineering (16:3), pp. 350-359. (Pubitemid 20678681)
25. Ogut, H., Menon, N., and Ragunathan, S. 2005. "Cyber Insurance and IT Security Investment: Impact of Independent Risk," in Proceedings of the Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (available online, http://infosecon.net/workshop/pdf/56.pdf)
26. Park, I., Sharman, R., Rao, H. R., and Upadhyaya, S. 2007. "Short Term and Total Life Impact Analysis of Email Worms in Computer Systems," Decision Support Systems (43), pp. 827-841. (Pubitemid 46466992)
27. Patterson, D. 2002. "A Simple Way to Estimate the Cost of Downtime," unpublished paper, University of California, Berkeley (available online, http://roc.cs.berkeley.edu/projects/downtime).
28. Rothschild, M., and Stiglitz, J. 1970. "Increasing Risk: I. A Definition," Journal of Economic Theory (2), pp. 225-243.
29. Rothschild, M., and Stiglitz, J. 1971. "Increasing Risk: II. Its Economics Consequences," Journal of Economic Theory (3), pp. 66-84.
30. Shapiro, C., and Varian, H. R. 1999. Information Rules: A Strategic Guide to the Network Economy, Boston: Harvard Business School Press.
31. th Hawaii International Conference on System Sciences, Los Alamitos, CA: IEEE Computer Society.
32. Sohraby, K. 1989. "Delay Analysis of a Single Server Queue with Poisson Cluster Arrival Process Arising in ATM Networks," in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM), November 27-30, pp. 611-616. (Pubitemid 20702437)
33. Straub, D., Goodman, S., and Baskerville, R. 2008. "Framing of Information Security Policies and Practices," in Information Security Policies, Processes, and Practices, D. Straub, S. Goodman and R. Baskerville (eds.), Armonk, NY: M. E. Sharpe, pp. 5-12.
34. Symantec Corporation. 2006. "Symantec Internet Security Threat Report, Volume IX," The Symantec Corporation, 20330 Stevens Creek Road, Cupertino CA, 2006.
35. rd ed.), New York: W. W. Norton & Company.
36. th Hawaii International Conference on System Sciences, Los Alamitos, CA: IEEE Computer Society.