Mandatory Standards and Organizational Information Security

Transcription

1 Mandatory Standard and Organizational Information Scurity ull Papr ubmittd to WISE Word count: 9,846 Chul Ho L, Xianjun Gng, Srinivaan Raghunathan Th Univrity of Txa at Dalla {irontigr, gng, Abtract Mandatory curity tandard that forc firm to tablih minimum lvl of curity control ar nforcd in many domain including information curity. Information curity domain i charactrizd by multipl intrtwind curity control, not all of which can b rgulatd by tandard, but complianc with xiting curity tandard ar oftn ud by firm to dflct liability if a curity brach occur. urthrmor, tratgic attackr may u tandard to targt th vulnrabl control for thir attack. Thi papr tudi whn and how mandatory tandard can harm a firm information curity. W conidr a tting whr a firm ha two curity control that ar linkd in ithr a rial or a paralll configuration. On control i dirctly rgulatd by a curity tandard whil th othr on i not. Undr rial configuration, w find that th firm curity can dcra in th tandard whn thi tandard i not too high. Surpriingly, uch dcra i mor likly to happn whn th firm car mor about curity. Undr paralll configuration, firm curity can dcra in th tandard only whn th tandard i high nough and th firm invtmnt on th rgulatd control can ignificantly rduc it liabiliti upon brach. Whn th tandard i not too high, w how that tratgic attacking bhavior can augmnt th ffctivn of th tandard in that th firm will invt mor on curity (than that undr nontratgic attack). Kyword: Information curity, curity rgulation, unvrifiability, tratgic attack 1. Introduction In thi ntworkd conomy, whn an organization' digital at or onlin rvic i compromid by attack, damag oftn go byond th organizational boundary. or xampl, in 2009 th information 1

2 ytm of a larg paymnt card procor, Hartland Paymnt Sytm (HPS hraftr), wa brachd and million of conumr wr affctd (Krb 2009b, Chny 2010). 1 Scurity incidnt imilar to th on at HPS in which th brach of a ingl firm rultd in larg-cal damag to conumr and buin coytm in gnral hav bn occurring on a rgular bai -- MacCarthy (2010) for dtaild account of om high-profil incidnt. Incraingly, policy makr in both privat and public ctor mandat information curity tandard upon organization with th intntion to not only to protct th organization, but alo to protct th valu of all takholdr who ntrut thir nitiv information to th organization. Two uch prominnt policy makr ar PCI Scurity Standard Council in th privat ctor that mandat information curity tandard collctivly rfrrd to a PCI-DSS -- upon all mrchant that u major paymnt card, and th ational Intitut of Standard and Tchnology (IST) that mandat information curity tandard upon all US govrnmntal agnci. But ar mandatory tandard ffctiv in improving organizational information curity? Ancdotal vidnc in th privat ctor m to paint a puzzling pictur whr tightr tandard hav not ncarily ld to bttr curity. or xampl, PCI-DSS a a major tandard intndd to tightn curity rlatd to all paymnt card tranaction wa firt implmntd in vrthl, th numbr of annual publicizd curity brach in th buin ctor in U.S. incrad for thr out of four yar from 2004 to Intrtingly, in 2008 th PCI Council loond vral mandat within PCI-DSS, 3 and th numbr of curity brach ha dclind ignificantly inc Th ming lack of connction btwn tightr tandard and bttr curity ha alo caught th attntion of acadmia. or xampl, Millr and Tuckr (2010) mpirically how that mandatory adoption of ncryption oftwar do not dcra publicizd data lo ca. Thi papr analytically tudi th impact of mandatory tandard on ovrall firm curity, and in 1 Though conumr who wr affctd by th brach rcivd financial compnation, it did not fully covr th damag thy incurrd (ijayan 2010). 2 Data from Opn Scurity oundation ( 3 or xampl, th frquncy of mandatory rul-t rviw wa down from quartrly to biannually (ijayan 2008). 4 On plauibl argumnt for looning of tandard i cot aving on curity invtmnt. Howvr, thi argumnt do not xplain why thr ar l amount of brach following th looning of tandard. 2

3 particular w pay attntion to whn and how mandatory tandard can harm firm curity. Our invtigation tart with th obrvation that, in indutrial practic, a mandatory tandard can influnc a firm' ovrall curity through multipl intrtwind mchanim a litd blow. irt, a mandatory curity tandard dirctly influnc firm invtmnt on any curity control that i xplicitly rgulatd (hraftr, vrifiabl control). 5 or xampl, U.S. compani that accpt crdit card nd to invt in ncrypting outgoing tranaction data, a rquird undr PCI-DSS. 6 Scond and intrtingly, curity tandard do not rgulat all poibl curity control. or xampl, PCI-DSS do not rgulat th curity of intrnal communication within a firm, vn though pat attack -- uch a th aformntiond on to HPS -- provid vidnc that intrnal communication can b a targt for attackr (Krb 2009a, Chny 2010). Hraftr w rfr to any curity control not rgulatd an unvrifiabl control. 7 or a firm that dploy multipl curity control in a comprhniv protction plan, it invtmnt on ach of tho control can b intrdpndnt. Thrfor, vn if a tandard do not xplicitly rgulat a control, it may till indirctly affct firm invtmnt on thi unvrifiabl control du to th firm' tratgic balancing of invtmnt on all control. Thr ar a varity of raon why curity tandard do not covr all poibl control. Cot for writing and nforcing tandard can b conomically prohibitiv for om control. or xampl, givn th larg varity, complxity and nvironmntal-contingncy of xcption (alo calld tickt) gnratd by an Intruion Dtction Sytm (IDS), it would b cot-prohibitiv for a policy makr to writ a dtaild nough tandard rgulating what th corrct rpon to vry poibl xcption hould b. 8 In addition, information curity i a fat-volving fild whr nw curity thrat contantly mrg. Policy makr, a bounddly-rational agnt, may ovrlook th importanc of om xiting control or imply cannot 5 "Scurity control" i a widly-adoptd trm that rfr to "th managmnt, oprational, and tchnical afguard or countrmaur prcribd for an information ytm to protct th confidntiality, intgrity, and availability of th ytm and it information." (crc.nit.gov/publication/nitpub/ rv2/p rv2-final.pdf, pag 1) 6 Pnalty for noncomplianc i hfty and includ $5,000 to $100,000 pr month for PCI complianc violation and incra in tranaction f. If a mrchant i found to b non-compliant whn data i compromid, additional pnalty includ fin up to $500,000 pr incidnt, cot of alrting all affctd conumr, and vn dicontinuation of crdit card rvic by th according mrchant bank. 7 By "unvrifiabl" w man "unvrifiabl from a policy makr' prpctiv." 8 W ar unawar of any curity tandard that rgulat in dtail how xcption hould b dalt with. Alo Coa (1937), Williamon (1975) and Battigalli and Maggi (2002) for imilar argumnt for contract in gnral. 3

4 for curity control not yt invntd at th tim of a curity tandard' incption. 9 inally, curity control involving human dilignc -- pcially on that dal with ocial nginring -- ar difficult to maur or to u a court vidnc (Whitman and Mattord 2009, pag ). Third, aftr a brach happn and if a court i involvd in dciding liabiliti of all involvd parti, it i not rar for a firm to cit thir complianc with xiting curity tandard for lf-dfn (avtta 2009). Such x pot uag of tandard complianc a a liability rduction tool can hav x ant implication on firm invtmnt on any unvrifiabl curity control. ourth, on uniqu apct of information curity i th poibl prnc of attackr who tratgically ract to tandard by changing thir attack tratgy. Such tratgic advrari ar not prnt in contxt uch a accounting and auditing which rly havily on tandard. Stratgic attackr bhavior not only can dirctly affct firm curity, it may alo incntiviz a firm to adjut it invtmnt on it portfolio of control to optimally account for xpctd attacking pattrn. In thi rarch w xplicitly acknowldg all four abov mchanim through which a mandatory tandard can dirctly or indirctly affct firm curity. W ak th following pcific rarch qution: 1. How do a tandard affct firm curity whn both vrifiabl and unvrifiabl control xit? In particular, whn and how can a tightr tandard harm firm curity? 2. How do th liability rduction ffct affct firm curity? 3. How do tratgic attack ract to a tandard, and vntually affct firm curity? In thi papr w addr th rarch qution uing a gam-thortical modl in which th ovrall firm curity i dpndnt on two curity control. On control i vrifiabl, i.., thi control i xplicitly rgulatd in a vrifiabl mannr by th policy makr. Th othr i unvrifiabl and cannot b rgulatd by th policy makr. It turn out th anwr to how a tandard affct firm curity dpnd critically on how th two control ar connctd to ach othr and to th digital at to b protctd which w rfr to a curity configuration. W compar two fundamntal configuration: rial, undr which th digital at i 9 S Simon (1981) on th rlationhip btwn boundd rationality and contract incompltn. 4

5 compromid only if both curity control ar brachd; and paralll, undr which th digital at i compromid if ithr curity control i brachd. Our firt finding i that, undr rial configuration, firm curity can dcra in th tandard whn th tandard i not too high. Intuitivly, a tightr tandard dirctly rult in mor invtmnt by th firm on th vrifiabl control, yt indirctly rult in l invtmnt on th unvrifiabl control du to a ubtitution ffct btwn th two control. It turn out that th lattr can dominat th formr (thu rulting in lowr ovrall firm curity) only if th tandard i not too high. urthrmor, if th firm' invtmnt on th vrifiabl control can rduc it har of liability hould a brach happn, th firm' ovrall curity can dcra mor in th tandard. On th othr hand, our cond finding i that, undr paralll configuration, firm curity dcra in th tandard only whn both of th following condition hold: th firm invtmnt on th vrifiabl control ignificantly rduc it liabiliti upon brach, and th tandard i alrady high nough (not that thi contrat with th rquirmnt of an uppr bound on th tandard undr th rial configuration). Intuitivly, undr paralll configuration and without th liability rduction mchanim, th firm invtmnt on th two control ar complmnt: a tightr tandard both dirctly induc mor invtmnt on th vrifiabl control and indirctly induc mor invtmnt on th unvrifiabl control. Whn thr i a trong liability rduction ffct, howvr, it diminih th firm' incntiv to invt on th unvrifiabl control. W how that, only whn th tandard i high nough, it i poibl for th liability rduction ffct to dominat th complmntarily ffct, thu rulting in lowr ovrall curity. Our third finding concrn th rlationhip btwn th damag a firm uffr from a curity brach and it invtmnt on curity control. On might intuitivly think that th highr th damag i, th mor a firm car about it curity, and thu th l likly th firm will rduc it own ovrall curity in fac of a tightr tandard. Strikingly, our third finding ovrturn thi intuition for a rial configuration: w how that a firm that car mor about curity may ract to a tightr tandard by rducing it ovrall curity vn whn a firm that car l do not. 5

6 Our fourth major finding i that, undr paralll configuration, whthr curity attack ar tratgic (i.. targting th wakt link) or not ha a ignificant influnc on how curity tandard affct a firm curity. In particular, tratgic attackr can urpriingly lad to bttr firm curity (than that undr nontratgic attack) a long a th tandard i not too high. Intuitivly, to countr tratgic attack that targt th wakt link hould on xit, th firm will rpond by ignificantly improving it invtmnt on th unvrifiabl control to match that on th vrifiabl control (o nithr on i th apparnt wakt link). Thrfor, ovrall th firm invt havily on both curity control. Th rt of th papr i organizd a follow. In Sction 2 w rviw rlvant litratur. W prnt our modl in Sction 3. Sction 4 contain th main rult for paralll configuration and rial configuration with nontratgic attack. W dicu th impact of tratgic attack in Sction 5. W dicu managrial implication and conclud th papr in Sction Litratur Rviw Sinc curity tandard a a tratgy to manag information curity i a rcnt dvlopmnt, th xtant rarch on thi topic i limitd. Much of th prior work on curity tandard ha takn a dcriptiv approach to th tandard tting problm and focud on principl that hould govrn information curity tandard (Kblawi and Sullivan 2007, Ro 2007, Mor and Raval 2008, Culnan and William 2009). Som of th rcnt work ha mpirically xamind th impact of tandard and law rlatd to brach diclour and data ncryption on curity incidnt. Romanoky t al. (2011) how that th adoption of data brach diclour law ha marginal ffct on th rduction in incidnc of idntity thft. Millr and Tuckr (2010) how that adoption of ncryption oftwar bcau of af harbor proviion in brach notification rgulation incra th incidnt of publicizd data lo, partly bcau of carln with rpct to othr protction activiti on th part of tho that hould protct th information at. To our knowldg, Hui t al. (2012) i th only othr papr that u an analytical approach to how that an ovrly tringnt curity rgulation can harm th curity of firm. Our rarch diffr from Hui t al. in vral apct. Hui t al. conidr an outourcing contxt in which multipl firm contract with 6

7 a common curity rvic providr, whil w do not conidr outourcing. Th ky dynamic in Hui t al. that lad to th rult that tightr rgulation harming firm curity i a pillovr ffct: a hard curity infratructur at th common curity providr impli that curity rik ar alo hard. In contrat, w focu on th intrplay btwn a ingl firm invtmnt on vrifiabl and unvrifiabl curity control. Whil th xtant litratur on curity tandard i par, xtniv work ha bn don on tandard in othr tting. Of particular rlvanc i th litratur on financial auditing tandard. Dy (1993) how that th avrag quality of audit may dclin a auditing tandard bcom toughr. Willkn t al. (1996) argu that th incrad difficulty of firing a compliant auditor that follow tandard can rduc rathr than incra th quality of audit work upplid. Schwart (1998) find that th ocially optimal commitmnt according to auditing tandard i achivabl if th auditor lgal liability rgim i on of trict liability and i indpndnt of th actual invtmnt. Whil rarch in th auditing tandard litratur modl auditing a a ingl obrvabl activity on which tandard can b impod, w conidr a modl in which multipl curity control xit and tandard cannot b impod on all of thm. On uniqu apct of information curity i th prnc of tratgic hackr who may u information about tandard and chang thir attack tratgy. Such tratgic advrari ar not prnt in contxt uch a auditing. Th litratur on information curity conomic ha analyzd cnario with tratgic attackr. Cavuoglu t al. (2005) analyz th valu of IDS and how that IDS offr a poitiv valu only whn thy dtr hackr. Cavuoglu t al. (2009) highlight th complx intraction btwn firwall and IDS tchnologi whn thy ar ud togthr in a curity architctur, and, hnc, th nd for propr configuration to bnfit from th tchnologi. Thy how that vry tchnology ha diffrnt optimal configuration lvl according to thir prformanc and circumtanc. Starting with arian (2004), vral papr hav xamind th conomic incntiv of agnt which hav intrdpndncy on curity (Groklag t al. 2008, araimhan t al. 2010). araimhan t al.(2010) how that th ucc of cooprativ curity ffort dpnd on th natur of th attack and th attitud of th dfndr. On th othr hand, Schchtr and Smith (2003) analyz how much curity i rquird 7

8 whn attackr focu on only on attractiv targt or pntrat a many ytm a poibl. Howvr, thi tram of work do not conidr curity tandard. Our work i alo rlatd to th litratur on incomplt contract with unvrifiabl rvic. Brnhim and Whinton (1998) how it i oftn optimal to pcify an incomplt contract, whn om apct of prformanc ar unvrifiabl. Battigalli and Maggi (2002) furthr propo optimal contract with rigidity and dicrtion if writing contract i vry cotly. Our rarch diffr in that w conidr curity configuration and tratgic advrari, two dynamic pcific to th information curity contxt. 3. Th Modl Th modl conit of a firm that i rponibl for protcting a digital at uing two curity control, a rprntativ attackr that may aail th curity control in ordr to compromi th digital at, and on policy makr that t curity tandard that th firm mut follow. Scurity Control. A modrn information ytm ar gtting incraingly complx, organization oftn find thmlv having a multitud of curity wakn to addr. Accordingly, a common practic i for organization to dploy multipl curity control (control in hort) in a comprhniv protction plan, uch a multipl firwall to afguard all ntranc to a corporat ntwork. In thi papr w conidr a parimoniou ca in which, in ordr to protct th digital at, th firm invt in two curity control, and. 10 Lt i rprnt th probability that th firm can uccfully prvnt brach of curity control i, i {, }. Hraftr w rfr to i a firm ffort on control i. Th cot of ffort i for th firm i C ( ), which i a monotonically incraing and convx function with C (0) 0 and i i C (1) for i {, } (, for xampl, Gordon and Lob 2002 for a imilar tylizd cot modl). or i notational convninc, dnot marginal cot function a ci C i and invr marginal cot function a i r i 1 c i. W mak th following aumption rgarding th marginal cot function: Aumption 1: (1 ) ( ) c c ( ) i wakly-dcraing in, and c ( ) c ( ) i wakly-incraing in. 10 Shortly w will that "" tand for "vrifiabl control," and "" tand for "unvrifiabl control." 8

9 Aumption 1 i not vry rtrictiv in that it hold for commonly ud cot function form including powr function of any ordr, xponntial function, and polynomial function with poitiv cofficint. Scurity Configuration. W nxt dcrib th rlationhip btwn th two curity control and th curity of th digital at, which w rfr to a curity configuration. Lt function (, ) dnot th probability that curity control do not uccfully protct th digital at. W conidr two baic and commonly-n rlationhip: rial and paralll configuration. Undr rial configuration, th digital at i compromid only if both curity control ar brachd, i.., (, ) (1 )(1 ). (1) Th rial configuration fit ituation whr attackr hav to brak through a combination of curity control in ordr to rach a digital at. On xampl i th popular practic by firm to adopt both a firwall and an IDS to guard a ntwork ntranc, whr a hackr ha to rndr both inffctiv in ordr to gt acc to intrnal data. Srial configuration alo fit ituation whr firm ar mor concrnd about rvic diruption rathr than unauthorizd acc of information (Loch t al. 1992). or xampl, a popular dfn againt Dnial-of-Srvic (DoS) attack for wb rvic oprator i to mirror thir rvic to multipl ditributd wb rvr. If on rvr xprinc rvic outag du to DoS attack, othr rdundant rvr can takovr and rum th rvic. Thrfor, attackr will hav to uccfully tak down all mirror it in ordr to black out a wb rvic. Undr paralll configuration, th digital at i compromid if ithr curity control i brachd, (, ) 1. (2) On commonly n xampl of th paralll configuration i a corporat ntwork that i linkd to th Intrnt at multipl acc point, whr ach acc point i curd by a parat firwall. Braking any uch firwall will thn xpo intrnal data to an attackr. Anothr xampl i whn th digital at i tord or can b ad at multipl vnu,.g. on in an oprational databa and anothr in a backup rvr; braching ithr rvr will lad to th lak of th digital at. 9

10 ot that in buin practic, curity configuration can b a complx combination of th aformntiond baic on. A a firt thortical xploration on undrtanding th impact of curity configuration on th ffctivn of curity rgulation in th prnc of an unvrifiabl control, w focu on th abov two baic curity configuration. ontratgic and Stratgic Attack. Attack againt th curity control can b broadly claifid into two catgori: on that ar indpndnt of th curity ffort by th firm, and on that ar dpndnt. W rfr to th formr a nontratgic attack and th lattr a tratgic attack. Intuitivly, a curity attack can b mot ffctiv whn it i againt a firm' wakt point of dfn. Thrfor, an attackr may find it bnficial to firt analyz a firm' curity ffort bfor taking any tratgic action. W will analyz uch tratgic "wakt-link" attack tratgy in Sction 5. Thr ar, nvrthl, two othr widly applicabl ca whr attack ar nontratgic. irt, it i popular for hackr to blankt th Intrnt with automatd attack, uch a viru, worm, and port can attack. Th frquncy with which a firm rciv Port Scan Attack to any of it curity control ha littl to do with th rlativ trngth among th curity control givn th automatd natur of th attack. Scond, many curity rik ar du to non-tratgic factor uch a quipmnt dtrioration, accidntal man-mad diatr or advr nvironmntal condition (.g. powr outag or natural diatr). W conidr nontratgic attack in Sction 4. Scurity Rgulation and rifiability of Scurity Control. Whil th dirct control of curity ffort i in th hand of th firm, a policy makr can indirctly affct firm ffort through rgulatory tandard (uch a PCI-DSS) on any vrifiabl curity control. In thi papr w conidr th ca whr curity control i vrifiabl to th policy makr whil i not. or xampl and in th contxt of rducing firwall brach, control can b th frquncy of xtrnal rviw of firwall rul t that i contractually vrifiabl and thu nforcabl by th policy makr; 11 control can b a firm' managrial ffort pnt on dicouraging mploy from viiting xtrnal wbit that ar irrlvant to thir job, 11 Thi i tandard in PCI-DSS vrion

11 whra uch ffort i hard to monitor, quantify, and to latr u a court vidnc hould a brach happn. A a rult, th policy makr can only mandat a tandard for control, which i a vrifiabl ffort thrhold that th firm mut match or xcd. 12 In othr word, onc th policy makr t, th firm cannot pick any. or th cop of thi papr, w focu on curity tandard that hav trict nforcmnt powr, o that th affctd firm ha to unconditionally confirm. Two widly applicabl xampl ar IST curity tandard and PCI-DSS: IST tandard ar mandatory for all affctd U.S. govrnmntal agnci (Kblawi and Sullivan 2007); PCI-DSS i mandatory for all mrchant that "accpt, tranmit or tor any (crdit or dbit) cardholdr data." 13 Payoff Structur of th irm. ot that th firm' primary buin can b (and in practic oftn i) diffrnt from curity proviion. or xampl, th primary buin function of HPS i to proc paymnt card tranaction, whra it invt in curity to protct thi primary function. W focu on curity iu in thi papr and aum that, notwithtanding a curity compromi, th firm arn a poitiv buin profit of. W furthr aum that i larg nough o that th firm will not xit th markt mrly du to information curity concrn. 14 W modl th firm' payoff tructur a follow: U (, )(1 k ) D C ( ) C ( ) (3) In (3), trm (1 k ) D rprnt th damag to th firm if th digital at i compromid. Thi damag conit of two componnt: 1 k and D. Th firt componnt 1 k captur th liability rduction ffct of a curity tandard: th highr i, th lowr th damag to th firm i. Bcau i unvrifiabl, thi liability rduction ffct only dpnd on. W rfr to k a liability rduction factor. 0 k 1. Th cond componnt D i th firm' maximum damag undr full liability or xampl, tandard in PCI-DSS vrion rquir a firm to "rviw firwall and routr rul t at lat vry ix month." Modling individual rationality do not offr ignificantly nw inight byond what thi papr currntly offr. 15 Lt D includ opportunity cot (what th firm would hav gaind hould th compromi not tak plac). 11

12 igur 1 how th timing of th modl. Th policy makr firt announc th tandard,, for control. In thi papr w focu on firm and attackr bhavior, and thu tak a xognouly givn. Th firm thn choo it invtmnt and on th curity control. Poibl curity attack thn tak plac. policy makr announc tandard for control firm xrt ffort and in curity control and, rpctivly attack tak plac payoff/damag ralizd dpnding on whthr information at i compromid priod 1 priod 2 priod 3 priod 4 4. Th Impact of Standard on irm Scurity igur 1. Timing of th Modl In thi ction w tudy how th curity tandard influnc a firm ovrall curity. W firt conidr rial configuration, and thn conidr paralll configuration Srial Configuration W u ubcript to dnot rult for th rial configuration. Givn any tandard for control that i impod by th policy makr, th firm optimization problm i: max U (1 )(1 )(1 k ) D C ( ) C ( ).t.. (4), Lt ˆ and ˆ dnot th firm optimal ffort on control and rpctivly whn thr i no curity tandard, i.. whn contraint i not binding. That i, ˆ i th olution to (1 r ((1 ˆ )(1 kˆ ) D ))(1 k 2 kˆ ) D c ( ˆ ), and ˆ r ((1 ˆ )(1 kˆ ) D ). Lmma 1: Undr th rial configuration and givn tandard for control, i. if ˆ, th firm optimal ffort ar ˆ and ˆ, and ar indpndnt of. ii. if ˆ,th firm ffort on th vrifiabl control match th tandard, i.. ffort on th unvrifiabl control i, and it r ((1 )(1 k ) D ). (5) 12

13 All proof ar in th Appndix. Part (i) of Lmma 1 how that a curity tandard mattr only whn it i abov a minimal thrhold ˆ. W rfr to any tandard highr than ˆ an "ffctiv tandard" (and accordingly any tandard lowr or qual to ˆ "inffctiv tandard"). Unl notd othrwi, hraftr w focu on th rlativly mor intrting ca whr th policy makr tandard i ffctiv. In othr word, hraftr w aum that ˆ alway hold. Part (ii) of Lmma 1 tablih two rult. irt, an ffctiv tandard dirctly dictat th firm ffort on th vrifiabl control, a thy match. Scond, thi ffctiv tandard alo indirctly and ngativly influnc th firm ffort on th unvrifiabl control,, through two ditinct dynamic, which w rfr to a th ubtitution ffct and th liability rduction ffct. Intuitivly, undr rial configuration th firm invtmnt on th two control ar ubtitut: an incra of invtmnt on on control rduc th marginal impact of th othr control on firm curity. Th ubtitution ffct rfr to th dynamic that a highr tandard (and thu a highr ffort on th vrifiabl control) dcra th marginal valu of on rducing th brach probability (i.. on ), thu lading to a diminihd. Thi i vidnt from trm (1 ) on th right-hand id of (5). Th ffctiv tandard alo influnc th firm ffort through a liability rduction ffct: bcau a highr invtmnt on control rduc th firm' har of liability hould a brach happn, it rduc th firm' incntiv in furthr curing it digital at through control, thu rulting in a rducd. Thi i vidnt from trm (1 k ) on th right-hand id of (5). ow w analyz how th tandard affct th firm ovrall curity (or firm curity in hort), a maurd by 1 (, ) 1 (1 )(1 ). Givn any, from Lmma 1 w know thi ovrall curity undr rial configuration can b xprd a: 1 ( ( ), ( )) 1 (1 )(1 r ((1 )(1 k ) D )). (6) 13

14 A ky inight w hav undr th rial configuration i that it i poibl for th ubtitution ffct alon to gnrat th rult that tightning th curity tandard can urpriingly rduc ovrall firm curity, a hown in th nxt propoition. Dnot a th uniqu olution to 1 r((1 )(1 k) D) 1 k 2. r ((1 )(1 k) D )(1 )(1 k) D 1 k Propoition 1: Givn rial configuration and that (1 r ( D )) / ( r ( D ) D ) 1, a highr ffctiv tandard rult in lowr firm curity a long a th tandard i uppr-boundd by. Propoition 1 how that, whn (1 r ( D )) / ( r ( D ) D ) 1, tightning th tandard -- a long a it do not gt too high -- can harm firm curity rgardl of whthr th liability rduction ffct xit or not. To undrtand why tandard bing uppr boundd by i a ncary condition for thi intrting rult, w nxt iolat and thn compar th dirct ffct of th tandard on control and th indirct ffct of it on control. Bcau firm curity contain a multiplicativ function a in (6), w u a logarithm tranformation of th ovrall brach probability (i.. a hown blow) for air graphical comparion: ln( ) ln(1 ( ))(1 ( )) ln(1 ) ln(1 r ((1 )(1 k ) D )) igur 2 illutrat th dirct ffct ( ln(1 ) ), th indirct ffct ( ln(1 r ((1 )(1 k ) D )) ) and th ovrall brach probability ln( ) -- all with logarithm tranformation. 16 Intuitivly, th mallr i, th fatr (lowr) th indirct (dirct) ffct chang in -- i.., th olid (dahd) lin in igur 2 i tpr (flattr) whn i mallr. ormally, d d ln(1 ( )) / r ((1 )(1 k ) D )(1 k 2 k ) D 1 r ((1 )(1 k ) D ) incra in, whil d d dcra ln(1 ( )) / 1/ (1 ) in. otic that i th thrhold valu whr d d d d. ln(1 ( )) / ln(1 ( )) / Paramtr valu ud for igur 2 ar D 2500, ( ) 6 C 20 1, C ( ) 6 1, k 0.1. W trid variou paramtr combination, and th rult ar conitnt. 14

15 Thrfor, for any tandard, th chang in th indirct ffct dominat th oppoit chang in th dirct ffct (i.., d d d d ), thu rulting in a rduction of ovrall ln(1 ( )) / ln(1 ( )) / firm curity. ln(brach probability) ln(1 ) ln(1 r ((1 )(1 k ) D )) ln( ) igur 2. Brach probabiliti of th vrifiabl and th unvrifiabl control a a function of Whn (1 r ( D )) / ( r ( D ) D ) 1, th ubtitution ffct alon i not ufficint in driving th rult that curity dcra in tandard for any tandard rang: Propoition 2: Givn rial configuration and that (1 r ( D )) / ( r ( D ) D ) 1, a highr ffctiv tandard rult in lowr firm curity only if both following condition hold: th liability rduction factor k i larg nough (i.. k (1 r ( D )) / ( r ( D ) D ) 1), and th tandard i uppr-boundd by. A hown in th lft id of igur 3, a trong liability rduction ffct (i.. a larg k) -- on top of th ubtitution ffct -- furthr dampn th firm' incntiv to invt in control. Whn k i larg nough and th tandard i not too high, th firm' caling-back of invtmnt on control can b ignificant nough to pull down it ovrall curity a hown by th olid lin in th right id of igur 3. Intrtingly, if th tandard i vry high, it i l likly that a trong liability rduction ffct can harm ovrall firm curity. Intuitivly, whn th tandard i vry high, th firm invt havily on control, which i thn th primary drivr of ovrall firm curity. Conquntly th firm' invtmnt on control i alway minimal rgardl how trong th liability rduction ffct i; thi diminih th rol of th liability rduction ffct in driving firm curity. 15

16 Th impact of on k =0.6 k =0 irm curity Th impact of on firm curity k =0.6 k =0 igur 3. Th impact of tandard on and firm curity 17 W nxt turn our attntion to th rol of D in influncing firm curity. A highr firm uffr mor whn a curity brach tak plac -- ctri paribu, a highr firm car mor about curity. On might thn intuitivly think that, th highr D man th D thn impli that th D i, th l likly a highr tandard will harm th firm' ovrall curity. Th nxt propoition how that, urpriingly, thi intuition i not accurat. Propoition 3. Givn rial configuration and ffctiv tandard, / D 0. Rcall that i th thrhold tandard lvl blow which a tightr tandard hurt firm curity. Propoition 3 ay that, th mor a firm car about it curity (i.., th highr D i), th highr thi thrhold lvl i. Thi propoition thu impli, urpriingly, that whn th policy makr tightn th curity tandard, a firm that car mor about curity may ract by rducing it ovrall curity vn whn a firm that car l do not. Thi urpriing rult i illutratd in igur 4. In thi xampl, D 5,000 ( D 20,000 ) rprnt th ca whr th firm car l (mor) about it own curity. Whn 0.875, th firm that car l about curity alway rpond to a marginally tightr tandard by incraing it ovrall curity ( th olid lin), whil th firm that car mor rpond to a marginally tightr tandard by dcraing it ovrall curity ( th dahd lin). 17 D 20, c ( ) / (1 ), c ( ) / (1 ). 16

17 irm Scurity D =5,000 D =20,000 igur 4. irm curity undr diffrnt lvl of damag D 18 Th intuition bhind thi triking rult li in how a tightr tandard marginally affct firm curity. or notational convninc, lt f (, D ) dnot firm curity (i.., 1 ) undr rial configuration for any givn tandard and damag D. By partially diffrntiating firm curity with rpct to, w that th marginal firm curity conit of thr componnt: a contant (th firt trm of th righthand id in quation (7)), th marginal valu of a firm invtmnt on th unvrifiabl control (th cond trm), and th invtmnt on th unvrifiabl control (th third trm). f D D D (7) (, ) / 1 (1 )( (, ) / ) (, ) W now chck how th lat two trm on th right-hand id of quation (7) ract to th damag and provid th intuition and illutrativ figur for th trm. Rgarding th cond trm: ctri paribu, th mor a firm car about it curity, th mor it cal back it marginal invtmnt on th unvrifiabl control (than th firm that car l), i..,. Thi chang in diminihing marginal valu of a firm invtmnt on th ( (, D ) / ) / D 0 unvrifiabl control i illutratd in igur 5(a) on th firt-ordr diffrntiation of ovr : in abolut trm, thi chang i alway largr undr D 20,000 ( th dahd lin) than that undr D 5,000 ( th olid lin). Intuitivly, th firm that car mor alway invt at a much highr cot lvl on th unvrifiabl control. Whn th tandard tightn, howvr, th incrad invtmnt on th k 0.9, ( ) 6 C 20 1, C ( )

18 vrifiabl control diminih th marginal valu of a firm invtmnt on th unvrifiabl on, and a highr D amplifi thi diminihing marginal valu thu rulting in mor caling-back of invtmnt. Rgarding th third trm: Th firm that car mor about curity ha a highr invtmnt on th unvrifiabl control (than th firm that car l), i.., (, D ) / D 0. A illutratd in igur 5(b), i largr undr D 20,000 (dahd lin) than undr D 5,000 (olid lin). Whn th () tandard tightn, th incrad invtmnt on th vrifiabl control dicourag a firm from making invtmnt on th unvrifiabl control du to th ubtitution ffct, and a highr D trngthn thi ubtitution ffct. To ummariz, a highr D dicourag th firm mor in trm of invting in th unvrifiabl control in fac of a tightr curity tandard bcau of both th diminihing marginal valu (th cond trm) and th diminihing valu (th third trm) with rpct to / Th impact of on /. Th impact of on D =5,000 D =5,000 D =20,000 D =20,000 5(a) 5(b) igur 5. Invtmnt and marginal invtmnt on unvrifiabl control undr diffrnt lvl of 4.2. Paralll Configuration W now analyz how th curity tandard influnc firm curity undr paralll configuration. W u ubcript PC for thi ca. or any givn tandard PC on control, th firm optimization problm i: D max U (1 )(1 k ) D C ( ) C ( ).t. PC. (8), Thr ar two imilariti btwn rial and paralll configuration in trm of th firm rpon to 18

19 a curity tandard. irt, a low nough tandard ha no impact on firm invtmnt. Without cauing ambiguity, in thi ubction w till u ˆ and ˆ to rprnt firm ffort undr no or low nough tandard. ˆ i now th olution to r ( ˆ (1 ˆ ) )(1 ˆ ) (1 ˆ ( ˆ (1 ˆ ) )) ( ˆ k D k D r k D kd c ) and ˆ r ( ˆ (1 kˆ ) D ). Scond, if th tandard i high nough, th firm invtmnt on th vrifiabl control will match th tandard, i.. PC. Th two curity configuration, nvrthl, diffr fundamntally in how th tandard influnc th firm invtmnt on th unvrifiabl control: Lmma 2: Undr th paralll configuration and givn tandard PC for control, if ˆ PC, th firm ffort on th vrifiabl control match th tandard, i.. control i PC, and it ffort on th unvrifiabl r ( (1 k ) D ). (9) PC PC Lmma 2 how that th liability rduction ffct continu to influnc invtmnt on th nonvrifiabl control undr th paralll configuration, a vidnt from trm (1 k PC ) on th right-hand id of (9). Th paralll configuration diffr from th rial configuration in that, undr th formr, th ffctiv tandard indirctly and poitivly influnc th firm ffort on th unvrifiabl control -- vidnt from trm PC on th right-hand id of (9). W rfr to thi indirct ffct th "complmntarity ffct." Intuitivly, undr paralll configuration th firm' invtmnt on on control i ffctiv only if th invtmnt on th othr control i not diproportionally low. Taking both liability rduction ffct and complmntarity ffct togthr, (9) impli that th firm invtmnt on th unvrifiabl control i dcraing in tandard whn 1/ (2 k). Intuitivly, a highr tandard rduc th firm har of liability mor, and thu diincntiviz it from invting in th unvrifiabl control. Th nxt propoition ummariz how th tandard affct ovrall firm curity undr paralll configuration, a maurd by 1 ( ( ), ( )) ( ) ( ) r ( (1 k ) D ). Dnot PC PC PC PC PC PC PC PC 19

20 k a th uniqu olution to r((1 k ) D) 1 (1 k ) D r ((1 k ) D ) 1 k 2 and a th uniqu olution to r( (1 k ) D) 1 (1 k ) D r ( (1 k ) D ) 1 k 2. Propoition 4: Undr paralll configuration, a highr ffctiv tandard rult in a lowr firm curity if and only if k k and max{,1/ (2 k)}. PC Propoition 4 ay that a highr tandard rduc firm curity only whn both of th following condition hold: th liability rduction ffct i trong nough, and th tandard i high nough. Th intuition bhind th ncity of a trong liability rduction ffct i analogou to that undr th rial configuration: th highr k i, th l th firm uffr undr a brach, and thu th l th firm i willing to invt in th unvrifiabl control (a illutratd by th lft plot in igur 6). Th impact of PC on Th impact of PC on firm curity irm curity k k k k k k k k PC ˆ PC 19 igur 6. irm curity undr paralll configuration a a function of PC Whn it com to th ncity of a high tandard, a highr PC intnifi th marginal impact of k on. Thrfor, whn th tandard i alrady high and whn it furthr incra, th liability rduction ffct incntiviz th firm to ignificantly rduc it ffort on th unvrifiabl control to th xtnt that it dominat th firm' incrad ffort on th vrifiabl control, thu rulting in dcrad ovrall firm curity. otic that, a illutratd by th right plot in igur 6, dcrad ovrall firm curity can 19 6 D 3000, C ( ) i 6 1. or k k, k 0.9 and othrwi, k 0.85 i i i 20

21 happn only if th liability rduction ffct i abov a thrhold valu k ; othrwi, vn th trongt poibl tandard (and rulting rducd liability) cannot induc nough rduction in th curity of th unvrifiabl control that dominat th curity improvmnt on th vrifiabl control. A comparion of Propoition 1 and 4 rval an important inight rgarding th diffrnc btwn th rial and paralll configuration: firm curity can dcra in tandard undr both configuration, albit in diffrnt rang of tandard. Undr rial configuration, firm curity can dcra in tandard only undr rlativly low tandard. In harp contrat, undr paralll configuration firm curity can dcra in tandard only undr rlativly high tandard. Intrtingly, undr th paralll configuration thi rduction of invtmnt on th unvrifiabl control play an incraingly ignificant rol to ovrall firm curity whn tandard incra, whra undr th rial configuration it actually play a diminihing rol bcau of th ubtitution ffct btwn th two curity control. 5. Standardization Undr Stratgic Attack In thi ction w conidr tratgic attack, in which ca th rprntativ attackr tratgically choo hr targt control contingnt on hr xpctation of curity invtmnt ( and ) takn by th firm. 20 W limit our attntion to th paralll configuration. 21 W conidr th following particular form of tratgic attackr bhavior: th attackr tratgically targt th curity control that i mot likly to b brachd. Such control i commonly rfrrd to a th wakt link in information curity rarch (Groklag t al. 2008, Groklag and Johnon 2009). In our modl tup, th wakt link i th curity control with th lowt firm ffort. To clarly diffrntiat th analyi in thi ction from th paralll configuration with non-tratgic attack in th prviou ction, hraftr w rfr to th paralll 20 Whil an attackr can oftn collct information rlvant to cot-fficincy C and C, uch a prvailing markt pric of variou curity product and curity conulting rvic, it i much hardr for th attackr to gaug pcific invtmnt a firm mak on thir curity control, uch a which pcific curity product ar adoptd, whthr thy ar proprly tup, and th IT labor aignd to monitor and maintain th curity product. Accordingly, w aum and to b privat knowldg to th firm. 21 An attackr tratgically picking a control to attack do not apply in th rial configuration bcau it will rquir th attackr to uccfully brach both control to harm th firm. 21

22 configuration with tratgic attack a th wakt-link configuration, and u ubcript to dnot rult in thi ca. Undr tratgic attack, priod 3 in th modl timlin (igur 1) now conit of two tp. In tp 1, th rprntativ attackr obrv tandard and accordingly form rational xpctation ovr firm invtmnt on th two curity control. Lt and rprnt th blif, which in quilibrium ar conitnt with th firm' tru invtmnt. 22 In tp 2, th attackr optimally dcid hr attack tratgy bad on and. Lt hr optimal tratgy b rprntd by p : h attack th unvrifiabl control with probability p and attack th vrifiabl control with probability 1 p. Givn any tandard for control that i impod by th policy makr and xpctd attackr tratgy p, th firm optimization problm i: max U (1 ((1 p) p ))(1 k ) D C ( ) C ( ).t. (10), A ky diffrnc btwn thi wakt link configuration and th arlir paralll configuration i that, onc th attackr choo an optimal targt control undr th formr configuration, h will concntrat hr attack on thi control intad of dipring it among both control. Paramtr rflct thi concntratd ffort: th mallr i, th highr th ffctivn of thi concntratd attack in braching th targtd control (a compard to non-dicrtionary and dilutd attack on both control). W again focu on ffctiv tandard only, i.., w conidr th ca whr th tandard i high nough uch that th contraint i binding. Thrfor, givn, th abov optimization problm can b rwrittn a: max U (1 ((1 p) p ))(1 k ) D C ( ) C ( ). (11) Th nxt lmma charactriz th firm' optimal invtmnt on and th attackr' optimal attack tratgy givn rational blif. Dnot ˆ a th uniqu olution to r ( (1 kˆ ) D ) ˆ. 22 Th quilibrium concpt w u i Squntial Equilibrium (udnburg and Tirol 1991, pag ). 22

23 Lmma 3: Conidr any ffctiv tandard. i. If ˆ, thr xit a uniqu quntial quilibrium -- th Evn-Effort Equilibrium -- whr th firm xrt ffort and th attackr randomiz hr attack btwn th two control with p c k D ( ) / ( (1 ) ). ii. If ˆ, thr xit a uniqu quntial quilibrium -- th Unvn-Effort Equilibrium -- whr th firm xrt ffort and r ( (1 k ) D ), whr, and th attackr alway attack th unvrifiabl control (i.., p 1). In both ca of Lmma 3, th invtmnt on th vrifiabl control i t imply to comply with th tandard -- a rult imilar to prviou lmma. vrthl, part (i) of Lmma 3 how a uniqu dynamic undr tratgic attack: whn th tandard i not too high, i.., ˆ, th firm match it invtmnt on th unvrifiabl control with that on th vrifiabl on. Intuitivly, th firm tak tratgic bhavior by th attackr into conidration whn it dcid. If, in a quntial quilibrium th attackr will rationally xpct th unvrifiabl control to b th wakt link, and thu will concntrat hr attack on thi control; conquntly, th firm' marginal bnfit from dfnding th unvrifiabl control will b highr than that undr th paralll configuration. If, on th othr hand,, in a quntial quilibrium th attackr will rationally xpct th vrifiabl control to b th wakt link, and thu will concntrat hr attack on thi control; conquntly, th firm can cal back it invtmnt on th unvrifiabl control (up to ) without hurting it curity. Part (i) of Lmma 3 thn ay that, a long a th tandard i not too high, th firm hould improv it invtmnt on th unvrifiabl control to xactly match it invtmnt on th vrifiabl control, thu liminating thi poibl wakt link. or a of xpoition w rfr to thi quilibrium a th Evn-Effort Equilibrium. Whn th tandard i vry high, i.., ˆ, th firm' marginal cot of invtmnt on th unvrifiabl control will b vry high a wll. Evn though th firm know that if it pick in quilibrium, it will rciv concntratd attack on th unvrifiabl control, th high marginal cot no 23

24 longr jutifi th bnfit of matching th invtmnt. In othr word, btwn aving on cot and hiding a wakt-link, th firm choo th lr of th two vil, which i th formr. W nxt analyz th rlationhip btwn th tandard and ovrall firm curity. Whn ˆ, firm curity i 1 ; whn ˆ, firm curity i 1 r ( (1 k ) D ). W thn hav: Propoition 5: Conidr tratgic attack undr th wakt-link configuration. i. If ˆ ii. If ˆ, highr ffctiv tandard rult in highr firm curity., highr ffctiv tandard rult in lowr firm curity. Thr ar both imilariti and diffrnc btwn thi finding (whr th attack ar tratgic) and th arlir finding undr th paralll configuration (whr th attack ar non-tratgic). Similar to Propoition 4, Propoition 5 how that tightning a tandard can harm firm curity only if th tandard i high nough. On prominnt diffrnc btwn th wakt link and paralll configuration, howvr, i th xtnt of th rol playd by th liability rduction ffct (a maurd by k ) in driving th rult that th firm curity can dcra in th tandard. Undr th paralll configuration, th firm curity dcra in th tandard only if thi liability rduction ffct i vry trong (i.., k k ). That i bcau a mall liability rduction ffct cannot offt th complmntarity ffct. Undr th wakt link configuration, howvr, th firm curity can dcra in th tandard for any arbitrarily mall liability rduction ffct. Intuitivly and if ˆ, though a tightr tandard forc th firm to invt mor on th vrifiabl control, thi improvd invtmnt ha no dirct impact on firm curity du to th fact that th tratgic attackr will compltly ignor th vrifiabl control. urthrmor, th liability rduction ffct cau th firm to invt l on th unvrifiabl control -- which i th control th attack focu on -- thu rulting in wor ovrall firm curity. Our nxt propoition anwr how tratgic attacking bhavior affct firm curity. amly, ctri paribu, how ovrall firm curity 1 undr tratgic attack compar with th on undr nontratgic attack. On might xpct tratgic attack to b mor harmful to firm curity than nontratgic on du 24

25 to th fact that th formr try to tratgically xplor th firm wakt link. Howvr and urpriingly, th nxt propoition rfut thi common widom. Propoition 6: Conidr any tandard that i ffctiv undr both wakt link and paralll configuration. i. If ˆ, firm curity undr tratgic attack i bttr than that undr nontratgic attack if and only if r ( (1 k) D ). ii. If ˆ, firm curity undr tratgic attack i bttr than that undr nontratgic attack if and only if. Propoition 6 how that, urpriingly, tratgic attack can actually bnfit firm curity (a compard to nontratgic attack) if i not too mall. Thi i illutratd by th lightr ara in igur 7. Ky to thi rult i th inight that tratgic attack can induc a trongr complmntarity ffct on th firm id than nontratgic attack. To thi, conidr th undrlying raon of th complmntarity ffct undr nontratgic and tratgic attack, rpctivly. Undr nontratgic attack, th paralll configuration btwn th two curity control incntiviz th firm to invt mor on th unvrifiabl control whn th tandard on th vrifiabl control incra (a w dicud in th prviou ction). W rfr to thi complmntarity ffct a th Configuration-Inducd Complmntarity. In contrat, undr tratgic attack th complmntarity ffct i nhancd by th fact that attack alway targt th wakt link if on xit: thi complmntarity ffct i trong and in fact prfct in th n that th firm invt qually on both control in ordr to liminat wakt link whn th curity tandard i not too high (i.., ˆ, to th lft of th top-down dottd ˆ ( ) lin in igur 7). Hraftr w rfr to thi trong complmntarity ffct undr tratgic attack th Stratgic-Attack-Inducd Complmntarity. A trongr Stratgic-Attack-Inducd Complmntarity ovr Configuration-Inducd Complmntarity xplain th urpriing rult of Propoition 6 that tratgic attack may bnfit ovrall firm curity. 25

26 I II III Lightr ara: irm curity undr tratgic attack i bttr than that undr nontratgic attack. Darkr ara: irm curity undr tratgic attack i wor than that undr nontratgic attack. ˆ ( ) igur 7. Comparion btwn tratgic and nontratgic attack rgarding thir impact on firm curity 23 Whn th curity tandard i too high, i.., ˆ, th firm giv up matching it invtmnt on th two curity control. vrthl, it i till poibl for tratgic attack to bnfit firm curity: on th right id of lin ˆ ( ) in igur 7, th firm curity undr tratgic attack i till gratr than that undr nontratgic attack whn. Intuitivly, th firm undr tratgic attack invt at a highr cumulativ lvl on firm curity up to ˆ. Aftr ˆ th firm top invting mor on th unvrifiabl control (and may actually dcra it invtmnt du to th liability rduction ffct), but th cumulativ invtmnt lvl can b till highr undr tratgic attack (than that undr nontratgic attack) whn th tandard i not too high than ˆ. Th abov dicuion dpnd on not bing too mall. A mall nough (i.., r( (1 k) D) whn ˆ or whn ˆ ) impli that, by concntrating on th wakt link, attackr hav a much highr chanc of braching through (than randomizd and nontratgic attack). Whn i mall nough, uch a highr brach chanc du to concntratd attack dominat th bnfit from th Stratgic-Attack-Inducd Complmntarity. 23 D 150, 3 C, C ( ) 3 1, k ( )

27 W alo divid igur 7 into thr horizontal trip I, II and III, which rval dlicat and intrting inight into th following managrial-rlvant qution: ar tratgic attack mor harmful than nontratgic attack undr low or high curity tandard? Th anwr to thi qution clarly dpnd on th tratgic attack nvironmnt charactrizd by. Whn th ffctivn of concntratd attack i high (i.., in ara III), tratgic attack ar mor harmful than nontratgic attack rgardl of th curity tandard. Whn th ffctivn of concntratd attack i low (i.., in ara I), tratgic attack ar bnficial than nontratgic attack unl th tandard i high nough. Intrtingly, whn th ffctivn of concntratd attack i modrat (i.., in ara II), tratgic attack bnfit firm curity (a compard to nontratgic attack) whn th tandard i nithr too low nor too high. That i, a ara II illutrat, th anwr can b affirmativ for both low-nd and high-nd of tandard, yt urpriingly ngativ for th middl. 6. Managrial Implication and Concluding Rmark Thi papr i a firt tudy on how curity tandard affct a firm curity invtmnt and it ovrall curity whn tandard cannot covr all firm curity control. Ky iu conidrd ar curity configuration (namly how curity control togthr protct firm curity), liability in curity complianc, and poibl tratgic attack. Thi rarch ha a numbr of managrial implication that challng common widom in curity practic and rgulation. irt, thi rarch how trikingly that a tightr curity tandard mandatd by th govrnmnt or trad union can omtim hav th unintntional conqunc of harming ovrall firm curity. Intuitivly, whil a tight tandard appli to all curity control that it rgulat, it may lad a firm to tratgically rduc it invtmnt on curity control that ar not xplicatd rgulatd. W how that uch an invtmnt rduction on unvrifiabl curity control may ovrwhlm th incrmntal invtmnt on vrifiabl curity control, and thu lading to ovrall lowr firm curity. Rmarkably, undr rial configuration thi rult (that tightr tandard hurt firm curity) can tak plac vn if thr i no liability rduction ffct. Undr paralll configuration, howvr, a trong liability rduction ffct i ncary for thi countr-intuitiv rult. 27

28 Thi rult that tightr tandard may not ncarily lad to bttr firm curity i conitnt with ancdotal indutrial vidnc. or xampl, in rcnt yar th PCI Scurity Standard Council hav impod incraingly trictr tandard (calld PCI-DSS) on how mrchant hould cur up thir databa in ordr to protct crdit card information tord in thm. Som indutrial analyt hav ubquntly found vidnc that attackr ar incraingly witching thir attntion to attack othr IT componnt that ar not rgulatd by PCI-DSS, uch a intrnal corporat ntwork (Krb 2009a). A w dicud in th Introduction, uccful attack to th paymnt card indutry ar till rampant (and vn incraing in om yar) dpit th continuou tightning of PCI-DSS. Scond, th condition for tightr tandard hurting firm curity dpnd critically on th curity configuration. Undr rial configuration, it can happn only if th tandard i not too high. Undr paralll configuration, howvr, it can happn only if th tandard i high nough. Third, undr rial configuration w how that a firm that car mor about curity (i.., uffr a highr damag upon brach) may ract to a tightr tandard by rducing it ovrall curity vn whn a firm that car l do not. Thi urpriing rult impli that, whn policy makr contmplat impoing tightr tandard, thy hould not tak it for grantd that firm that car mor about curity will mor likly to rpond by tightning thir ovrall curity. ourth, w how that tratgic attack (a compard to random and nontratgic attack) ar not ncarily wor for information curity. W highlight th fact that, in anticipating that attackr want to ingl out wakt link, firm hav incntiv to balanc thir invtmnt acro all curity control o no control tand out a th wakt on. A a rult, a tightr rgulation on only vrifiabl control, coupld with tratgic attack, can hav th poitiv indirct ffct of forcing firm to alo incra thir invtmnt on unvrifiabl control (to match that on vrifiabl control). In othr word, tratgic bhavior by attackr incntiviz firm to cur up control that ar not rachabl by rgulation. To our knowldg, thi i th firt rarch in information curity tandard litratur that idntifi a poitiv conqunc of tratgic attackr bhavior. 28