Essays on information security from an economic perspective
Information security risks are becoming a critical issue for organizations given the significant impact of security-related incidents. In this dissertation, we seek to further our understanding of how information security incidents and security practices affect information security risks.

The first essay proposes a decision tree classification model to investigate how the nature of the security risk factors disclosed in financial reports is associated with breach announcements in the subsequent period. We construct and evaluate the model based on the design science principles in Hevner et al. (2004). The model shows that security risk factors phrased in action-oriented terms are less likely to be related to future incidents. We evaluate the model by showing that market participants could better interpret security disclosures at the time the financial reports are released.

The second essay studies how general investors can make better investment decisions regarding security breaches. We explore the association between the textual content of news articles reporting security breaches and both the stock price and trading volume reactions to breach announcements. The results suggest that general breach announcements lead to divergent assessments of the impact of security incidents. However, specific news articles, and those about confidential information, result in a more consistent negative belief about the impact of security incidents on a firm's future performance. Interestingly, sophisticated investors do not react immediately to breach announcements. By taking advantage of the different perceptions among investors, we show that, on average, one can make about 300% annual profit around the breach announcement date.

The third essay investigates the cost-benefit tradeoffs involved in selecting two-factor authentication systems. We generalize authentication systems into four cases based on the probability of system failure and compare the different systems to determine the key factors managers need to consider. This essay proposes that a firm can lower the impact of customer switching by following the larger provider's decision. Also, regulators can encourage the adoption of a more secure authentication system by changing the penalty imposed when the system fails. Finally, it can be preferable to offer both one-factor and two-factor authentication systems, depending on the customers' characteristics.