References
- Adams, A. and Sasse, M. A., "Users are Not the Enemy," Communications of the ACM, Vol. 42, No. 12, pp. 41-46, 1999.
- Battigalli, P. and Maggi, G., "Rigidity, Discretion, and the Costs of Writing Contracts," The American Economic Review, Vol. 92, No. 4, pp. 798-817, 2002. https://doi.org/10.1257/00028280260344470
- Bernheim B. D. and Whinston, M. D., "Incomplete Contracts and Strategic Ambiguity," The American Economic Review, Vol. 88, No. 4, pp. 902-932, 1998.
- Cavusoglu, H., Mishra, B., and Raghunathan, S., "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, Vol. 16, No. 1, pp. 28-46, 2005. https://doi.org/10.1287/isre.1050.0041
- Cavusoglu, H., Raghunathan, S., and Cavusoglu, H., "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, Vol. 20, No. 2, pp. 198-217, 2009. https://doi.org/10.1287/isre.1080.0180
- Crawford, V., "Lying for Strategic Advantage: Rational and Boundedly Rational Misrepresentation of Intentions," The American Economic Review, Vol. 93, No. 1, pp. 133-149, 2003. https://doi.org/10.1257/000282803321455197
- Culnan, M. J. and Williams, C. C., "How ethics can enhance organizational privacy: Lessons from the choicepoint and TJX data breaches," MIS Quarterly, Vol. 33, No. 4, pp. 673-687, 2009. https://doi.org/10.2307/20650322
- Dey, D., Fan, M., and Zhang, C., "Design and Analysis of Contracts for Software Outsourcing," Information Systems Research, Vol. 21, No. 1, pp. 93-114, 2010. https://doi.org/10.1287/isre.1080.0223
- Dye, R. A., "Auditing Standards, Legal Liability, and Auditor Wealth," The Journal of Political Economy, Vol. 101, No. 5, pp. 887-914, 1993. https://doi.org/10.1086/261908
- Ewert, R. and Wagenhofer, A., "Economic Effects of Tightening Accounting Standards to Restrict Earnings Management," The Accounting Review, Vol. 80, pp. 1101-1024, 2005. https://doi.org/10.2308/accr.2005.80.4.1101
- Geng, X., Huang, Y., and Whinston, A. B., "Defending Wireless Infrastructure Against the Challenge of DDoS Attacks," ACM Journal on Mobile Networking and Applications, Vol. 7, No. 3, pp. 213-223, 2002. https://doi.org/10.1023/A:1014526713037
- Gordon, L. A., Loeb, M., and Lucyshyn, W., "Sharing Information on Computer Systems Security: An Economic Analysis," Journal of Accounting Public Policy, Vol. 22, No. 6, pp. 461-485, 2003. https://doi.org/10.1016/j.jaccpubpol.2003.09.001
- Grossklags, J., Christin, N., and Chuang, J., "Secure or Insure? A Game-Theoretic Analysis of Information Security Games," Proceedings of the 17th International World Wide Web Conference, 2008.
- Hausken, K., "Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability," Information Systems Frontiers, Vol. 8, No. 5, pp. 338-349, 2006. https://doi.org/10.1007/s10796-006-9011-6
- Hausken, K., "Information sharing among firms and cyber attacks," Journal Accounting Public Policy, Vol. 26, No. 6, pp. 639-688, 2007. https://doi.org/10.1016/j.jaccpubpol.2007.10.001
- Hendricks, K. and McAfee, R. P., "Feints," Journal of Economics & Management Strategy, Vol. 15, No. 2, pp. 431-456, 2006. https://doi.org/10.1111/j.1530-9134.2006.00106.x
- Hui, K. L., Hui, W., and Yue, W. T., "Information Security Outsourcing with System Interdependency and Mandatory Security Requirement," Journal of Management Information Systems, Vol. 29, No. 3, pp. 117-155, 2012. https://doi.org/10.2753/MIS0742-1222290304
- Keblawi, F. and Sullivan, D., "The Case for Flexible NIST Security Standards," IEEE Computer Society, June, pp. 19-26, 2007.
- Krebs, R., Hackers Test Limits of Credit Card Security Standards, Washington Post, April 16, 2009, available at voices. washingtonpost.com/securityfix/2009/04/ the_number_scale_and_sophistic.html.
- Lee, C. Geng, X., and Raghunathan, S., "Mandatory Standards and Organizational Information Security," Information Systems Research, Vol. 27, No. 1, pp. 70-86, 2016. https://doi.org/10.1287/isre.2015.0607
- Lee, C., Geng, X., and Raghunathan, S., "Contracting Information Security in the Presence of Double Moral Hazard," Information Systems Research, Vol. 24, No. 2, pp. 295-311, 2013. https://doi.org/10.1287/isre.1120.0447
- Loch, K., Carr, H., and Warkentin, M., "Threats to Information Systems: Today's Reality, Yesterday's Understanding," MIS Quarterly, Vol. 16, No. 2, pp. 173-186, 1992. https://doi.org/10.2307/249574
- Miller, A. R. and Tucker, C. E., "Encryption and Data Loss, The Ninth Workshop on the Economics of Information Security," Harvard University, USA, p. 29, 2010.
- Morse, E. A. and Raval, V., "PCI DSS: Payment card industry data security standards in context," Computer Law& Security Report, Vol. 24, pp. 540-554, 2008. https://doi.org/10.1016/j.clsr.2008.07.001
- Narasimhan, H., Varadarajan, V., and Rangan, C. P., "Towards a Cooperative Defense Model Against Network Security Attacks," Tenth Workshop on the Economics of Information Security, 2010.
- Romanosk, S., Telang, R., and Acquisti, A., "Do Data Breach Disclosure Laws Reduce Identity Theft?," Seventh Workshop on the Economics of Information Security, June 25-28, 2008.
- Ross, R., "Managing Enterprise Security Risk with NIST Standards," IEEE Computer Society, August, pp. 88-91, 2007.
- Rothke, B. and Mundhenk, D., Sue the Auditor and Shut Down the Firm (July 9), 2009, Available at http://www.csoonline.com/ar ticle/496923/Sue_the_Auditor_and_Shut_Down_the_Firm.
- Schechter, S. E. and Smith, M. D., "How Much Security is Enough to Stop a Thief?," Lecture Notes in Computer Science, Vol. 2742, pp. 122-137, 2003.
- Schwartz, R., "Legal Regimes, Audit Quality and Investment," The Accounting Review, Vol. 72, No. 3, pp. 385-406, 1997.
- Shim, W., "An Ex Ante Evaluation Method for Assessing a Government Enforced Security Measure," The Journal of Society for e-Business Studies, Vol. 20, No. 4, pp. 241-256, 2015. https://doi.org/10.7838/jsebs.2015.20.4.241
- Tirole, J., "Cognition and Incomplete Contracts," The American Economic Review, Vol. 99, No. 1, pp. 265-294, 2009. https://doi.org/10.1257/aer.99.1.265
- Varian, H., "System Reliability and Free Riding," Economics of Information Security, Kluwer, pp 1-15, 2004.
- Willekens, M., Steele, A., and Miltz, D., "Audit Standards and Auditor Liability: A Theoretical Model," Accounting and Business Research, Vol. 26, No. 3, pp. 249-264, 1996. https://doi.org/10.1080/00014788.1996.9729515
- Zetter, K., In Legal First, Data-Breach Suit Targets Auditor, Wired (June 2), 2009, Available at http://www.wired.com/ threatlevel/2009/06/auditor_sued/.
- Zhao, X, Xue, L., and Whinston, A. B., "Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling," International Conference on Information Systems, Phoenix, AZ, 2009.