Mandatory security standards that force firms to establish minimum levels of security controls are enforced in many domains, including information security. The information security domain is characterized by multiple intertwined security controls, not all of which can be regulated by standards, but compliance with existing security standards is often used by firms to deflect liability if a security breach occurs. We analyze a stylized setting where a firm has two security controls that are linked in either a serial or a parallel configuration. One control is directly regulated by a security standard, whereas the other one is not. We show that a higher security standard does not necessarily lead to higher firm security. Furthermore, the conditions under which a higher standard hurts firm security are sharply different in the two configurations, serial and parallel. If standard compliance leads to reduced liability for a firm following a breach, such liability reduction in turn weakens the tie between the standard and firm security. Under a setting in which the firm meets the optimal standard set by a policy maker, both firm security and social welfare are higher when the damage to the firm following a breach takes a higher share of the total damage to social welfare, and also when the firm takes a larger share of liability.
In information security outsourcing, it is the norm that the outsourcing firms and the outsourcers (commonly called managed security service providers, MSSPs) need to coordinate their efforts for better security. Nevertheless, efforts are often private and thus both firms and MSSPs can suffer from double moral hazard. Furthermore, the double moral hazard problem in security outsourcing is complicated by the existence of strong externality and the multiclient nature of MSSP services. In this prescriptive research, we first show that the prevailing contract structure in security outsourcing, bilateral refund contract, cannot solve double moral hazard. Adding breach-contingent sunk cost or external payment cannot solve double moral hazard either. Furthermore, positive externality can worsen double moral hazard. We then propose a new contract structure termed multilateral contract and show that it can solve double moral hazard and induce first-best efforts from all contractual parties when an MSSP serves two or more client firms, regardless of the externality. Firm-side externality significantly affects how payments flow under a multilateral contract when a security breach happens. When the number of client firms for an MSSP increases, we show that the contingent payments under multilateral contracts for any security breach scenario can be easily calculated using an additive method, and thus are computationally simple to implement.
We consider an online market where consumers may obtain digital goods from two mutually exclusive channels: a legitimate channel consisting of many law-abiding retailers and a piracy channel consisting of many piracy services. We analyze consumer choice, retailer strategy, and piracy control using a sequential-search approach where information acquisition is costly for some consumers (nonshoppers), yet costless for others (shoppers). First, we show that a nonshopper's channel choice is determined by a simple comparison of two reservation prices. Second, we analyze how piracy threats affect in-channel pricing among retailers. If the in-channel competition intensity among retailers is high, piracy does not affect retailer pricing. If the intensity is medium, retailers respond to piracy by giving up some shoppers and, surprisingly, raising prices. If the intensity is low, the legitimate channel loses some shoppers as well as some nonshoppers to the piracy channel. Third, we consider several mechanisms for fighting piracy and analyze their effects on firm profit and consumer surplus. Reducing piracy quality and increasing piracy search costs are both effective in controlling piracy, yet they affect consumer surplus differently. Reducing the number of piracy services is less effective in controlling piracy.
Because uncertainties around innovative technologies resolve over time, investments in such technologies are often made in stages so that organizations can use the knowledge gained from earlier stages to decide the next step. Previous studies usually assume that once some uncertainty is resolved, it becomes common knowledge within the investing organization. We develop a game-theoretical model to study how different parties within an organization gain and transfer knowledge about new technologies while investing in these technologies, and how the learning process may affect the investment decisions. We show that managers with incentives misaligned with the organization may transfer their knowledge untruthfully and distort the learning process of decision makers. Such behavior may lead to inefficient investment decisions. We also study the effect of uncertainty on the misreporting problem and the investment decisions. Mechanisms to mitigate or prevent untruthful knowledge transfer are also proposed. In particular, powerful incentive schemes may alleviate, but not prevent, the misreporting problem; punishing managers who are caught misreporting may deter the misreporting behavior, but in practice such mechanisms are difficult to implement.
With the rapid growth of rich-media content over the Internet, content and service providers (SPs) are increasingly facing the problem of managing their service resources cost-effectively while ensuring a high quality of service (QoS) delivery at the same time. In this research we conceptualize and model an Internet-based storage provisioning network for rich-media content delivery. This is modeled as a capacity provision network (CPN) where participants possess service infrastructures and leverage their topographies to effectively serve specific customer segments. A CPN is a network of SPs coordinated through an allocation hub. We first develop the notion of discounted QoS capabilities of storage resources. We then investigate the stability of the discount factors over time and the network topography using a test-bed on the Internet through a longitudinal empirical study. Finally, we develop a market maker mechanism for optimal multilateral allocation and surplus sharing in a network. The proposed CPN is closely tied to two fundamental properties of Internet service technology: positive network externality among cooperating SPs and the property of effective multiplication of capacity allocation among several distributed service sites. We show that there exist significant incentives for SPs to engage in cooperative allocation and surplus sharing. We further demonstrate that intermediation can enhance the allocation effectiveness and that the opportunity for allocation and surplus sharing can play an important role in infrastructure planning. In conclusion, this study demonstrates the practical business viability of a cooperative CPN market.
The shift to more distributed forms of organizations and the prevalence of interorganizational relationships have led to an increase in the transfer of knowledge between parties with asymmetric and incomplete information about each other. Because of this asymmetry and incompleteness, parties seeking knowledge may not be able to identify qualified knowledge providers, and the appropriate experts may fail to be motivated to engage in knowledge transfer. We propose a sender-receiver framework for studying knowledge transfer under asymmetric and/or incomplete information. We outline four types of information structures for knowledge transfer, and focus on the sender-advantage asymmetric information structure and the symmetric incomplete information structure. We develop formal game-theoretical models, show how information incompleteness and asymmetry may negatively influence knowledge transfer, and propose solutions to alleviate these negative impacts. Implications for knowledge transfer research and practice are also discussed.
Creating electronic communities is a critical venture in the digital economy. However, fraud and misrepresentation have led to widespread skepticism and distrust of electronic communities. We develop an evolutionary model to explore the issue of trust within an electronic community from a dynamic process perspective. This model emphasizes large populations, continuous change in community memberships, and imperfect information and memory. As the term trust is often used in the context of individual interaction, at a group level we propose using the term health to measure the sustained competitive advantages of honest members over cheaters throughout the evolution of a community. We find conditions under which an electronic community is healthy and attracts outside population. We find that many factors, such as information dissemination speed, honest players' payoffs and possible losses, new community members' initial trust status, and the replacement rate of community members, all affect the health of an electronic community, and that some of them also affect a community's size. We then discuss the implications of our research for e-community practices.
In this paper we argue that a large gray area of information systems research exists, whose relevance to the information technology artifact is subject to significant debate even among IS scholars who support the essential role of the IT artifact. As we explain, not explicitly addressing this gray area can have negative, although often inadvertent, effects on the innovative nature of IS research; we explore this danger through three pitfalls. We then propose a stance of strategic ambiguity to deal with the gray area. Strategic ambiguity calls for deliberately withholding judgment on the relevance of research in the gray area and acceptance of gray-area research provided it meets the excellence required by professional journals. We believe that strategic ambiguity benefits innovative IS research without harming the essential role of the IT artifact.