Information Security by Words Alone

2012

Computer security issues have been a fact of life since the beginning of electronic information sharing. With the development of the Internet, these issues became global. Computer systems have been under attack by hackers through using several techniques including malicious email attachments. There are various estimates about the cost of damage, but the most recent statistics are stated to be in the range of billions of dollars per year. Organizations have been slow in adopting strategies and developing policies to secure their information resources. Firms’ budget allocations appear unaffected by the accelerated rate of computer security incidents. Companies have been slow in spending more money and adopting strategies to secure their information resources. There is a trade-off between security and the budget allocation, and organizations are having a difficult time to find a balance. The initial step in the process of finding a balance is to conduct an analysis of the existing secu...

International Journal of Public Information Systems, 2014

The topic of data breaches, protection of information and data security salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world. This article analyzes the trends in data breaches in the United States and classifies them into five general industry sectors and eighteen sub-sectors using a new model recently developed by the authors and also provides basic recommendations for information and security personnel in every industry throughout the world to use to improve data protection and thus help protect public information for consumers and all types of organizations. The 2,280 data breaches tracked by the Privacy Rights Clearinghouse from 2005 through 2010 were used in the study. The findings indicate that the trends for the annual number of data breaches for the five general industries and their sub-sectors have increased, although inconsistently, over the six-year period. The analysis and classification of data breaches by general and sub-sector industries with the use of this new data breach model provides an awareness of the data breach problem for information managers and security personnel in public and private sector organizations throughout the world and also provides a workable methodological framework to help them develop innovative and useful policies for safeguarding personal information of consumers, clients, employees and other entities. The topic of data breaches and information management remains salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world.

SSRN Electronic Journal, 2016

for their research assistance. We are grateful to the editors of the Texas Law Review for their superb assistance.

2006

Abstract While the literature on information security economics has begun to investigate the stock market impact of security breaches and vulnerability announcements, little more than anecdotal evidence exists on the effects of privacy breaches. In this paper we present the first comprehensive analysis of the impact of a company's privacy incidents on its market value.

A welcome but unintended consequence of recent state disclosure laws in the U.S. (most notably California SB 1386), has been a continuous stream of privacy breaches reported in the mass media. In this paper, we provide empirical analysis of disclosed breaches for the period of [2005][2006] to better understand what is happening in aggregate (overall patterns and trends) beyond the often sensational individual cases reported in the media. By processing raw data from the best available sources, we have created an Internet-accessible database that can be queried for breach statistics and a data set that can be shared so that our analysis can be validated, as well as enable future analysis by other researchers. The statistical analysis we report here is a first step toward answering the important and complex questions of why privacy breaches are occurring and what may be the best practices to prevent and mitigate their effects. Policy formulation to address privacy breaches is already in process at the organization, state, and national levels largely driven by mass media coverage -it is our hope decision-makers take the empirical evidence we report here into consideration.

2011

This study employs the deterrence theory to examine the factors that impact firm damage associated with announcements of Internet security breaches in the public media. Firm damage is measured as the observed cumulative abnormal returns associated with the announcement. The findings suggest that investors interpret a security breach as management’s inaction to deter potential computer abusers from violating organizational security policies and controls. Specifically, investors are more likely to react negatively to Internet firms than Non-Internet firms. In addition, investors react more negatively to more recent attacks.

2011

The author would like to thank Jake Barnes for his help in the tort law discussions of this chapter. To the extent my knowledge of tort law is accurate, I accept full responsibility. As for the errors, blame Jake. Chris Hoofnagle, Ted Janger, and Paul Schwartz provided helpful comments on the manuscript. This book chapter was originally written in 2004. Subsequent to the redrafting of this chapter, in 2005, a litany of organizations announced that they had suffered massive data security breaches. I have updated this chapter slightly to discuss the 2005 data security breaches, but I am unable to add more to discuss the legal developments in the aftermath of the breaches. By and large, these developments have unfolded as I predicted back in 2004 when writing this chapter. Data security is quickly becoming one of the major concerns of the Information Age. Computer networks are vulnerable to siege from hackers, viruses, intercepted communications, and electronic surveillance. 1 Much of the data residing in these computer networks pertains to our personal lives. Increasingly, extensive digital dossiers about us are being constructed, as businesses and the government gather pieces of personal data and assemble them in data bases. Hundreds-perhaps thousands-of entities may have our personal information. 2 Our dossiers play a profound role in our lives. They are used to assess our reputation and credibility. They are examined to determine whether we receive a loan, a job, or a license-and even whether we are detained or arrested by the police. Because so many critical decisions are based on our dossiers, ensuring that they are accurate and protected from tampering is of paramount importance.

Business & Information Systems Engineering, 2014

In an experiment, the authors distinguish between the impact of privacy violations and security breaches on the subjects' trust and behavior. They focus on first-order effects and thus the direct consumer reaction. While privacy is of prime importance for building trust, the actual behavior is affected less and customers value security higher when it comes to actual decision making. Evidence is found for the so-called "privacy paradox" which describes that people do not act according to their privacy concerns.

There are a few recent articles published that found stiffening access to sensitive data did not result in fewer reported occurrences of data breaches in IT security or the relative frequency of incidences of breaches as reported by experienced information technology (IT) professionals. In this study, we found no difference in the reported cases of breaches on having a formal IT policy, external access from mobile devices, and number of times clients were required to change their passwords, regardless of the security protocol. These findings are consistent with findings from more recent studies that stiffening access does not reduce significantly the frequency of reported breaches on IT security defenses.