Information security (IS) threats are increasingly pervasive, and search engines are being used by the public as the primary tool for searching for relevant information. This research investigates the following two questions: (1) How can different IS threats be characterized and distinguished in terms of their risk characteristics? and (2) how are risk characteristics related to public searches for information on IS threats? Applying psychometric analysis, our analyses of survey data first show that unknown risk and dread risk are two underlying dimensions that can characterize different IS threats. Drawing broadly on the literature of information foraging theory, we examine the influence of risk characteristics on public searches for information on these threats. We utilize a search engine log to extract searches related to IS threats. We develop and estimate a system of equations with correlated individual-specific error terms using the Markov Chain Monte Carlo method. We find that the two risk characteristics exert differential impacts on information search behavior (including types of information sought, number of pages viewed, and length of query). The implications for IS research and practice are discussed.
This study investigates the risk of insider threats associated with different applications within a financial institution. Extending routine activity theory (RAT) from criminology literature to information systems security, hypotheses regarding how application characteristics, namely value, inertia, visibility, accessibility, and guardians, cause applications to be exposed to insider threats are developed. Routine activity theory is synthesized with survival modeling, specifically a Weibull hazard model, and users’ system access behavior is investigated using seven months of field data from the institution. The inter-arrival times of two successive unauthorized access attempts on an application are employed as the measurement of risk. For a robustness check, the daily number of unauthorized attempts experienced by an application as an alternative measurement of risk are introduced and a zero-inflated Poisson-Gamma model is developed. The Markov chain Monte Carlo (MCMC) method is used for model estimations. The results of the study support the empirical application of routine activity theory in understanding insider threats, and provide a picture of how different applications have different levels of exposure to such threats. Theoretical and practical implications for risk management regarding insider threats are discussed. This study is among the first that uses behavioral logs to investigate victimization risk and attack proneness associated with information assets.
Information security investment has been getting increasing attention in recent years. Various methods have been proposed to determine the effective level of security investment. However, traditional expected value methods (such as annual loss expectancy) cannot fully characterize the information security risk confronted by organizations, considering some extremal yet perhaps relatively rare cases in which a security failure may be critical and cause high losses. In this research note we introduce the concept of value-at-risk to measure the risk of daily losses an organization faces due to security exploits and use extreme value analysis to quantitatively estimate the value at risk. We collect a set of internal daily activity data from a large financial institution in the northeast United States and then simulate its daily losses with information based on data snapshots and interviews with security managers at the institution. We illustrate our methods using these simulated daily losses. With this approach, decision makers can make a proper investment choice based on their own risk preference instead of pursuing a solution that minimizes only the expected cost.