Security Standardization for Social Welfare in the Presence of Unverifiable Control

규제할 수 없는 보안통제가 존재하는 경우 보안 규제 설정

  • Lee, Chul Ho (Department of Business and Technology Management, College of Business, Korea Advanced Institute of Science and Technology)
  • Received : 2017.03.20
  • Accepted : 2017.04.01
  • Published : 2017.05.31

Abstract

Standard makers in both private and public sectors have been increasingly mandating security standards upon organizations to protect organizational digital assets. A major issue in security standardization is that a standard maker often cannot regulate all possible security efforts, because some efforts are unverifiable by nature. This paper studies from an analytical perspective how a standard maker should design a standard on a verifiable security control in the presence of another, related, unverifiable control. We compare the resulting standard with two benchmark standards: the naïve standard, set by a standard maker who ignores the existence of the unverifiable control, and the complete-information standard, set by a standard maker who sets standards on both controls. The optimal standard and the benchmark standards depend critically on how the two controls are configured. Under parallel configuration, the existence of the unverifiable control induces the policy maker to set a higher standard (the complete-information standard is optimal); under serial configuration, a lower standard is applied (neither benchmark works). Under best-shot configuration, if the verifiable control is more cost-efficient, the existence of the unverifiable control has no impact on the optimal standard (the naïve standard is optimal).

Across all sectors, the trend is to mandate security regulation in order to protect organizations' digital assets. The problem is that, among the security controls within an organization, there exist controls whose invested effort or security level cannot be verified from outside. This paper applies incomplete contract theory to analyze what a reasonable security level is when such an unverifiable control exists. To this end, we compare it with the non-rational regulation (naive standard), which ignores the unverifiable control, and with the complete-information regulation, which assumes that every control can be verified. The results differ according to how the controls are configured. First, under parallel configuration, the complete-information regulation and the optimal regulation were identical; under serial configuration, the optimal regulation level must be lower, and it differed from both benchmark regulations. Under best-shot configuration, when the verifiable control is more cost-efficient, the non-rational regulation interestingly turned out to coincide with the optimal regulation level.
