When hackers talk: Managing information security under variable attack rates and knowledge dissemination

Information Systems Research

Volumn 22, Issue 3, 2011, Pages 606-623

  Mookerjee, Vijay ^a   Mookerjee, Radha ^a   Bensoussan, Alain ^a   Yue, Wei T ^b  

^a UNIVERSITY OF TEXAS AT DALLAS   (United States)

^b CITY UNIVERSITY OF HONG KONG   (Hong Kong)

Author keywords

Hacker learning; Optimal security management; Security shocks; Variable attack rates

Indexed keywords

INDUSTRIAL MANAGEMENT; SECURITY OF DATA;

DISCRIMINATION ABILITY; HACKER LEARNING; INFORMATION SECURITY MANAGEMENTS; KNOWLEDGE DISSEMINATION; OPTIMAL DISCRIMINATIONS; OPTIMAL SECURITY; SECURITY SHOCKS; STEADY STATE SOLUTION;

PERSONAL COMPUTING;

EID: 84865104895     PISSN: 10477047     EISSN: 15265536     Source Type: Journal    
DOI: 10.1287/isre.1100.0341     Document Type: Article

References (24)

1. Arbaugh, W., W. Fithen, J. McHugh. 2000. Windows of vulnerability: A case study analysis. Computer 33(3) 52-59.
2. Arora, A., R. Telang, H. Xu. 2008. Optimal policy for software vulnerability disclosure. Management Sci. 54(4) 642-656.
3. Bensoussan, A., R. Mookerjee, V. Mookerjee, W. Yue. 2009. Maintaining diagnositic knowledge-based systems, a control theoretic approach. Management Sci. 55(2) 294-310.
4. Boylu, F., H. Aytug, G. Koehler. 2010. Induction over strategic agents. Inform. Systems Res. 21(1) 170-189.
5. Cavusoglu, H., S. Raghunathan, H. Cavusoglu. 2009. Configuration of and interaction between information security technologies: The case of firewalls and intrusion detection systems. Inform. Systems Res. 20(2) 198-217.
6. Crothers, T. 2003. Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network. Wiley Publishing, Indianapolis.
7. Ernst & Young. 2008. Moving beyond compliance. Ernst & Young's 2008 global information security survey. Technical report. Ernst & Young. http://www.ey.com/Global/assets.nsf/ International/TSRS_Global_Information_Security_Survey_2008/ $file/TSRS_Global_Information_Security_Survey_2008.pdf.
8. Evers, J. 2005. Hacking for dollars. CNET News. http://news .cnet.com/Hacking-for-dollars/2100-7349_3-5772238.html
9. Gordon, L. A., M. P. Loeb, W. Lucyshyn. 2003. Sharing information on computer systems security: An economic analysis. J. Accounting Public Policy 22 461-485.
10. Gupta, S., J. Winstead. 2007. Using attack graphs to design systems. IEEE Security Privacy 5(4) 80-83.
11. Imprivata. 2007. PCI data security standard. Imprivata. http:// www.computerworld.com/pdfs/Imprivita_A_Pathway_to _PCI_Compliance.pdf.
12. Jones, A. 2007. Convergence. Inform. Security Tech. Rep. 12 69-110.
13. Jordan, T., P. Taylor. 1998. A sociology of hackers. Sociol. Rev. 46(4) 757-780.
14. Lee, W., S. Stolfo, K. Mok. 1999. A data mining framework for building intrusion detection models. IEEE Sympos. Security and Privacy 01-20. IEEE Conference Proceedings, Oakland, CA.
15. Lowd, A., C. Meek. 2004. Adversarial classification. Proc. 2004 Internat. Sympos. Knowledge Discovery and Data Mining (KDD 2004). Seattle, WA.
16. McClure, S., J. Scambray, G. Kurtz. 2005. Hacking Exposed: Network Security Secrets and Solutions. McGraw-Hill, Emeryville, CA.
17. Mitnick, K., W. Simon. 2002. The Art of Deception. Wiley Publishing, Indianapolis.
18. Scarfone, K., P. Mell. 2007. Guide to intrusion detection and prevention systems (idps). Special Publication 800-30, National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, http:// csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf.
19. Schlosser, A. E., T. B. White, S. M. Lloyd. 2006. Converting website visitors into buyers: How website investment increases consumer trusting beliefs and online purchase intentions. J. Marketing 70 133-148.
20. Sophos. 2008. Sophos security threat report 2008. Technical report. http://www.rsaconference.com/uploadedFiles/RSA365/Security_Topics/Hackers_and_Threats/White_Papers/Sophos/sophos-security-report-08.pdf.
21. Ulvila, J., J. Gaffney, Jr. 2004. A decision analysis method for evaluating computer intrusion detection systems. Decision Anal. 1(1) 35-50.
22. United States Government Accountability Office (U.S. Govt.). 2007. Personal information: Data breaches are frequent, but evidence of resulting identity theft is limited; however, the full extent is unknown. Technical report, http://www .gao.gov/new.items/d07737.pdf.
23. Yue, W., M. Cakanyildirim. 2007. Intrusion prevention in information systems: Reactive and proactive response. J. Management Inform. Systems 24(1) 329-353.
24. Zeller, T. 2005. Black market in stolen credit card data thrives on Internet. New York Times. http://www.nytimes.com/2005/06/ 21/technology/21data.html.