Mandatory security standards that force firms to establish minimum levels of security controls are enforced in many domains, including information security. The information security domain is characterized by multiple intertwined security controls, not all of which can be regulated by standards, but compliance with existing security standards is often used by firms to deflect liability if a security breach occurs. We analyze a stylized setting where a firm has two security controls that are linked in either a serial or a parallel configuration. One control is directly regulated by a security standard, whereas the other one is not. We show that a higher security standard does not necessarily lead to a higher firm security. Furthermore, the conditions under which a higher standard hurts the firm security are sharply different in the two configurations (serial and parallel). If standard compliance leads to reduced liability for a firm following a breach, such liability reduction in turn weakens the tie between the standard and firm security. Under a setting in which the firm meets the optimal standard set by a policy maker, both firm security and social welfare are higher when the damage to the firm following a breach takes a higher share of the total damage to social welfare, and also when the firm takes a larger share of liability.
The emerging field of data analytics and the increasing importance of data and information in decision making has created a large market for buying and selling information and information-related services. In this market, for some types of information products, it is common for a consumer to purchase the same type of information product from multiple sources. In other situations, a consumer may buy different types of information products from different sources and synthesize the information. On the seller side, bundling of different types of information products appears to have emerged as a key design strategy to improve profitability. This paper examines bundling decisions of a duopoly in the information market in which each seller offers two (or more) types of information products. A pair of competing information products from the two sellers can be substitutes or complements and consumers may find it profitable to purchase the same type of information from both sellers. We show that bundling by both sellers emerges as the equilibrium outcome when (at least) one competing pair consists of substitutes and (at least) one pair consists of complements. In this case, bundling by both sellers benefits them both by softening the price competition between their offerings. Softening of competition does not occur when all competing pairs in the bundles have only substitutes (complements) even if the degree of substitutability (complementarity) between products within a pair varies across pairs, resulting in an equilibrium in which each information type is sold separately by both sellers.
This paper studies the effect of online product reviews on different players in a channel structure. We consider a retailer selling two substitutable products produced by different manufacturers, and the products differ in both their qualities and fits to consumers' needs. Online product reviews provide additional information for consumers to mitigate the uncertainty about the quality of a product and about its fit to consumers' needs. We show that the effect of reviews on the upstream competition between the manufacturers is critical in understanding which firms gain and which firms lose. The upstream competition is affected in fundamentally different ways by quality information and fit information, and each information type has different implications for the retailer and manufacturers. Quality information homogenizes consumers' perceived utility differences between the two products and increases the upstream competition, which benefits the retailer but hurts the manufacturers. Fit information heterogenizes consumers' estimated fits to the products and softens the upstream competition, which hurts the retailer but benefits the manufacturers. Furthermore, reviews may also alter the nature of upstream competition from one in which consumers' own assessment on the quality dimension plays a dominant role in consumers' comparative evaluation of products to one in which fit dimension plays a dominant role. If manufacturers do not respond strategically to reviews and keep the same wholesale prices regardless of reviews (i.e., the upstream competition is assumed to be unaffected by reviews), then, we show that reviews never hurt the retailer and the manufacturer with favorable reviews, and never benefit the manufacturer with unfavorable reviews, a finding that demonstrates why reviews' effect on upstream competition is critical for firms in online marketplaces.
In information security outsourcing, it is the norm that the outsourcing firms and the outsourcers (commonly called managed security service providers, MSSPs) need to coordinate their efforts for better security. Nevertheless, efforts are often private and thus both firms and MSSPs can suffer from double moral hazard. Furthermore, the double moral hazard problem in security outsourcing is complicated by the existence of strong externality and the multiclient nature of MSSP services. In this prescriptive research, we first show that the prevailing contract structure in security outsourcing, bilateral refund contract, cannot solve double moral hazard. Adding breach-contingent sunk cost or external payment cannot solve double moral hazard either. Furthermore, positive externality can worsen double moral hazard. We then propose a new contract structure termed multilateral contract and show that it can solve double moral hazard and induce first-best efforts from all contractual parties when an MSSP serves two or more client firms, regardless of the externality. Firm-side externality significantly affects how payments flow under a multilateral contract when a security breach happens. When the number of client firms for an MSSP increases, we show that the contingent payments under multilateral contracts for any security breach scenario can be easily calculated using an additive method, and thus are computationally simple to implement.
Proper configuration of security technologies is critical to balance the needs for access and protection of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. Furthermore, security technologies rely on each other for their operations, thereby affecting each other's contribution. In this paper we study configuration of and interaction between a firewall and intrusion detection systems (IDS). We show that deploying a technology, whether it is the firewall or the IDS, could hurt the firm if the configuration is not optimized for the firm's environment. A more serious consequence of deploying the two technologies with suboptimal configurations is that even if the firm could benefit when each is deployed alone, the firm could be hurt by deploying both. Configuring the IDS and the firewall optimally eliminates the conflict between them, ensuring that if the firm benefits from deploying each of these technologies when deployed alone, it will always benefit from deploying both. When optimally configured, we find that these technologies complement or substitute each other. Furthermore, we find that while the optimal configuration of an IDS does not change whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allowing more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration to benefit from these technologies.
Firms have been increasing their information technology (IT) security budgets significantly to deal with increased security threats. An examination of current practices reveals that managers view security investment as any other investment and use traditional decision-theoretic risk management techniques to determine security investments. We argue in this paper that this method is incomplete because of the problem's strategic nature: hackers alter their hacking strategies in response to a firm's investment strategies. We propose game theory for determining IT security investment levels and compare game theory and decision theory approaches on several dimensions such as the investment levels, vulnerability, and payoff from investments. We show that the sequential game results in the maximum payoff to the firm, but requires that the firm move first before the hacker. Even if a simultaneous game is played, the firm enjoys a higher payoff than that in the decision theory approach, except when the firm's estimate of the hacker effort in the decision theory approach is sufficiently close to the actual hacker effort. We also show that if the firm learns from prior observations of hacker effort and uses these to estimate future hacker effort in the decision theory approach, then the gap between the results of decision theory and game theory approaches diminishes over time. The rate of convergence and the extent of loss the firm suffers before convergence depend on the learning model employed by the firm to estimate hacker effort.
The increasing significance of information technology (IT) security to firms is evident from their growing IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems (IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating, a debate exists in the IT security community about the value of these technologies. In this paper, we seek to assess the value of IDSs in a firm's IT security architecture. We find that the IDS configuration, represented by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only when the detection rate is higher than a critical value, which is determined by the hacker's benefit and cost parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However, irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to better target its investigation of users, while keeping the detection rate the same. Our results suggest that the positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures the IDS optimally based on the hacking environment.
Investments in information technology (IT) have become crucial for firms to improve the quality of their products and services. Typically, IT cost for the same performance level declines over time. In a competitive market, a decline in IT cost over time provides a cost advantage to the later entrant, making the early entrant's investment decision problem challenging. In this paper, we study the problem of strategic IT investments in the declining cost scenario using a sequential duopoly model. Our results show that declining IT cost intensifies or relaxes competition between firms depending on whether they are serving quality- or price-sensitive markets. In both cases, the average price per unit quality decreases when the IT cost declines, which benefits consumers. We also show that if the first entrant is uncertain about the extent of its cost disadvantage, the first entrant overinvests (underinvests) in a price-sensitive (quality-sensitive) market as the degree of uncertainty increases.
Electronic data interchange (EDI), used traditionally to exchange business documents, has recently been extended to facilitate interorganizational collaborative processes such as the continuous replenishment program (CRP). The key characteristics of CRP are the sharing of real-time inventory data by retailers with manufacturers and continuous replenishment of retailer inventory by manufacturers. Prior research on EDI has focused on the transaction efficiency of EDI. We analyze the impact of information sharing and continuous replenishment in the CRP context and study the factors that affect the value of CRP. The study quantifies the value derived from CRP and the optimal number of retailers a manufacturer should partner with.
Introducing multiple editions of the same software is a relatively recent innovation in the software market. The editions serve to differentiate among different user segments. Introduction of similar low- and high-end products in other markets has been analyzed using segmentation theory. However, the software market is fundamentally different from other product markets in two respects: (1) Software is characterized by negligible marginal production cost, and (2) the option of offering upgrades also exists. The authors analyze the problem of software introduction using segmentation theory. Their analysis shows that if cannibalization is low, the vendor should introduce the full software as one edition. This result differs from that obtained in prior research, which showed that the seller should introduce two distinct products in such cases. When cannibalization is high, introducing multiple editions simultaneously is optimal under a variety of conditions. The strategy of introducing a high-end edition in the first period followed by the low-end edition in the second period is optimal only when the consumers are extremely impatient and the software is large. A significant result of the authors' analysis is that offering upgrades is clearly superior to other strategies only in a very restricted range of parameters. The analysis also suggests that the vendor's profit is higher when it announces the future strategy. Theoretical results are supported by evidence from the software market.
The value of mathematical modeling and analysis in the decision support context is well recognized. However, the complex and evolutionary nature of the modeling process has limited its widespread use. In this paper, we describe our work on knowledge-based tools which support the formulation and revision of mathematical programming models. In contrast to previous work on this topic, we base our work on an in-depth empirical investigation of experienced modelers and present three results: (a) a model of the modeling process of experienced modelers derived using concurrent verbal protocol analysis. Our analysis indicates that modeling is a synthetic process that relates specific features found in the problem to its mathematical model. These relationships, which are seldom articulated by modelers, are also used to revise models. (b) an implementation of a modeling support system called MODFORM based on this observationally derived model, and (c) the results of a preliminary experiment which indicates that users of MODFORM build models comparable to those formulated by experts. We use the formulation of mathematical programming models of production planning problems illustratively throughout the paper.