
Information technology security risk management

Posted on: 2007-10-28
Degree: Ph.D
Type: Dissertation
University: The University of Texas at Dallas
Candidate: Ogut, Hulisi
Full Text: PDF
GTID: 1448390005462016
Subject: Business Administration
Abstract/Summary:
The scale and scope of hacker and virus attacks on computer systems are on the rise (Power 2002, CERT 2000), and recurring security breaches have increased the resulting damage as well. Firms employ security technologies such as firewalls, intrusion detection systems, encryption, and biometric and other authentication systems to defend against these attacks. However, complete prevention of security breaches is technologically impossible and prohibitively expensive. Consequently, firms use financial instruments such as insurance to hedge losses resulting from security breaches. Even though these financial and technological instruments reduce security vulnerabilities and losses from security breaches, it is not clear how firms should manage IT security risk. The aim of this dissertation is to analyze a few risk management strategies and provide guidelines to firms about managing risk in the information security domain.

The first essay in my dissertation addresses the base rate fallacy problem of Intrusion Detection Systems (IDSs): because genuine intrusions are rare relative to benign traffic, even a small false positive rate means that most alerts are false alarms. In order to mitigate that problem, I propose waiting time strategies and analyze the characteristics of these strategies. I compare my policies with commonly used policies for addressing the base rate fallacy problem. My results suggest that waiting time policies can be effective in mitigating the base rate fallacy problem of IDSs.

The second essay in my dissertation focuses on four distinguishing characteristics of the IT security domain: interdependent risk, imperfect detection of security breaches, security information sharing between organizations, and the type of insurance market. I analyze the impact of these characteristics on firms' IT security investment and insurance coverage strategies. My results partly explain the low volume of the insurance market in the information security domain even though cyber risk has risen considerably in recent years.

The third essay in my dissertation extends the model of the second essay to analyze how the degree of imperfect detection and interdependent risk affect firms' IT security investment and cyber insurance coverage strategies. I compare firms' solutions with the socially optimal level of IT security investment and insurance. By extending the basic model, I also analyze the effect of investment in both preventive and detective technologies, and of detection systems that have both false positive and false negative errors.
Keywords/Search Tags: Security, Risk, Systems, Base rate fallacy problem, Information