IT security planning under uncertainty for high-impact events

While many IT security incidents result in relatively minor operational disruptions or minimal recovery costs, occasionally high-impact security breaches can have catastrophic effects on the firm. Unfortunately, measuring security risk and planning for countermeasures or mitigation is a difficult task. Past research has suggested risk metrics which may be beneficial in understanding and planning for security incidents, but most of these metrics are aimed at identifying expected overall loss and do not directly address the identification of, or planning for, sparse events which might result in high-impact loss. The use of an upper percentile value or some other worst-case measure has been widely discussed in the literature as a means of stochastic optimization, but has not been applied to this decision domain. A key requirement in security planning for any threat scenario, expected or otherwise, is the ability to choose countermeasures optimally with regard to tradeoffs between countermeasure cost and remaining risk. Most of the planning models in the literature are qualitative, and none that we are aware of allow for the optimal determination of these tradeoffs. Therefore, we develop a model for optimally choosing countermeasures to block or mitigate security attacks in the presence of a given threat level profile. We utilize this model to examine scenarios under both expected threat levels and worst-case levels, and develop budget-dependent risk curves. These curves demonstrate the tradeoffs which occur if decision makers divert budgets away from planning for ordinary risk in an effort to mitigate the effects of potential high-impact outcomes.     

Cyber Security Risk Management: Public Policy Implications of Correlated Risk,Imperfect Ability to Prove Loss,and Observability of Self‐Protection

The correlated nature of security breach risks, the imperfect ability to prove loss from a breach to an insurer, and the inability of insurers and external agents to observe firms’ self‐protection efforts have posed significant challenges to cyber security risk management. Our analysis finds that a firm invests less than the social optimal levels in self‐protection and in insurance when risks are correlated and the ability to prove loss is imperfect. We find that the appropriate social intervention policy to induce a firm to invest at socially optimal levels depends on whether insurers can verify a firm's self‐protection levels. If self‐protection of a firm is observable to an insurer so that it can design a contract that is contingent on the self‐protection level, then self‐protection and insurance behave as complements. In this case, a social planner can induce a firm to choose the socially optimal self‐protection and insurance levels by offering a subsidy on self‐protection. We also find that providing a subsidy on insurance does not provide a similar inducement to a firm. If self‐protection of a firm is not observable to an insurer, then self‐protection and insurance behave as substitutes. In this case, a social planner should tax the insurance premium to achieve socially optimal results. The results of our analysis hold regardless of whether the insurance market is perfectly competitive or not, implying that solely reforming the currently imperfect insurance market is insufficient to achieve the efficient outcome in cyber security risk management.     

Revenue Management in Business Services

A significant portion of the services industry is focused on providing services (medical, legal, financial, personal, and travel) to individuals. However, studies have shown that a less visible but rapidly growing segment of the service sector comprises firms that provide business functions to other businesses. The sector covers tasks such as payroll processing, procurement, and information systems management, as well as business consulting, technical support, call center operations, and software development. Firms may choose to purchase, rather than perform, these business functions to reduce costs, to mitigate risk, or simply to focus on their processes that provide marketplace differentiation. Transferring a business function from within a firm to an outside supplier is often called “outsourcing”; when the supplier provides the service from a lower‐cost country, it is called “offshoring.” The risks and benefits of outsourcing to the firm purchasing a business service have been studied in some detail by both academics and consultants. In this paper, we outline revenue management issues faced by business service providers and describe some new opportunities for the use of analytic methods in the service science sector.     

基于相互依赖性的信息安全投资博弈

相互依赖性是现阶段信息安全风险所具备的一个重要特征,网络中企业的信息安全决策会相互影响.本文以企业间的病毒传染为例,依据相互依赖性和威胁侵入类型的多样性,提出了企业间信息安全的投资博弈模型.通过外部性对企业间的依赖程度进行度量,说明了投资风险与企业间的病毒传染的概率和网络中企业数量之间的关系,并根据该关系,确定了多个企业进行信息安全投资的纳什均衡解.     

信贷扭曲下系统性风险形成和“双支柱”政策协调问题研究——基于异质性企业的视角

我国国有企业和私营企业在信贷获取和生产效率上的差异性会扭曲信贷资源配置,进而抬高宏观杠杆率,增加系统性风险。本文基于抵押约束机制构建了包含异质性企业的动态随机一般均衡模型,从理论上分析了由企业信贷扭曲引起的系统性风险形成机制,并探讨了货币政策和宏观审慎政策"双支柱"调控的协调问题。研究发现：在异质性企业环境下,宏观审慎政策通过减缓信贷市场顺周期行为,抑制信贷规模过度膨胀,起到降低宏观杠杆率、防范系统性风险的作用,并显著改善社会福利损失,为货币政策制定创造更多空间;货币政策与宏观审慎政策"双支柱"的调控框架仅减缓了抵押约束机制对经济周期的放大效应,未解决异质性企业对经济结构的扭曲问题。因此,深化供给侧结构性改革,提高国有企业市场竞争力和自负盈亏能力,充分发挥市场对资源的配置作用,是建立"去杠杆"长效机制、提高金融韧性以形成能够内生消化风险的市场环境的关键所在。     

What Risks Are Chinese People Concerned About?

The aim of this study is to investigate public perceived risk on various issues in present-day China. Two surveys were conducted in urban China in 1996 and 1998. In the first survey, risk perceptions of different occupational groups are compared. Gender differences within each occupational group are also analyzed. In the second survey, participants with diverse employment status were recruited. The overall risk rankings of both surveys indicate great concern with risks that threaten national stability and economic development, and less concern with high-technology risk such as threat from a nuclear power plant. It is also found that employees from high-profit firms are more concerned about macroscopic catastrophic risks, whereas laid-off workers and employees from money-losing enterprises are more concerned about daily life or self-concerned risks. The importance of actual exposure to risk, mass media coverage, culture, and psychometric dimensions are discussed.     

Market Impact on IT Security Spending

Traditionally, IT security investment decisions are made in isolation. However, as firms that compete for customers in an industry are closely interlinked, a macro perspective is needed in analyzing these decisions. We utilize the notions of direct‐ and cross‐risk elasticity to describe the customer response to adverse IT security events in the firm and competitor, respectively, thus allowing us to analyze optimal security investment decisions. Examining both symmetric and asymmetric duopoly cases using a continuous‐time Markov chain (CTMC) model, we demonstrate that optimal IT security spending, expected firm profits and willingness of firms to cooperate on security improvements are highly dependent on the nature of customer response to adverse events. We also examine the investment problem when security attacks on different firms are correlated.     

Heston模型下保险公司和再保险公司的投资与再保险博弈

在同时考虑保险公司和再保险公司利益的前提下,研究了保险公司和再保险公司之间的投资与再保险博弈问题。假设保险公司面临的赔付过程由带漂移的布朗运动描述。保险公司可以向再保险公司购买比例再保险,两公司均可以投资于一种无风险资产和一种价格过程服从Heston模型的风险资产,并以加权终端财富的期望效用最大化为目标,利用动态规划原理建立相应的HJB方程并求解,分别得到了保险公司与再保险公司的均衡投资与再保险策略的解析表达,并利用均衡保险市场上再保险合同的供需关系分析了保险产品的定价问题。最后通过数值实例分析了各模型参数对均衡策略的影响。     

创新网络嵌入视角下企业研发竞争的博弈研究

研发投入是创新发展的基础和源泉,如何促进企业研发投入是实施创新驱动战略的关键。本文基于创新网络嵌入的背景,构建同一创新网络内两个企业间的博弈模型,针对不同网络位置企业竞争博弈和相同网络位置企业竞争博弈两种情形,探究在研发竞争状态下企业研发投入受网络地位、网络关系的影响情况。研究结果表明:创新网络嵌入下,同质企业的竞争性研发投入与网络范围的技术溢出、网络平均吸收能力以及网络中心度均存在正向相关关系。研究结论丰富了企业研发投入影响因素的研究成果,也为有效激励企业创新提供一个有价值的思路。     

基于风险的企业战略控制系统

本文从分析战略风险的形成以及战略风险类型出发,指出了预期战略与应急战略的风险产生主要是由相应的环境因素和风险压力的结合导致的。依据此逻辑,为防止预期战略和应急战略的风险,需要从组织外部和内部视角建立相应的控制机制,最终组成企业完整的战略控制系统(TOEM模型)。最后,为使战略控制系统在实践中切实发挥效果,企业要采取一定的措施,使战略控制系统得以实施、维护和更新。     

Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions

Firms are increasingly outsourcing information security operations to managed security service providers (MSSPs). Cost reduction and quality (security) improvement are often mentioned as motives for outsourcing information security, and these are also the frequently cited reasons for outsourcing traditional information technology (IT) functions, such as software development and maintenance. In this study, we present a different explanation—one based on interdependent risks and competitive externalities associated with IT security—for firms' decisions to outsource security. We show that in the absence of competitive externalities and interdependent risks, a firm will outsource security if and only if the MSSP offers a quality advantage over in‐house operations, which is consistent with the conventional explanation for security outsourcing. However, when security risks are interdependent and breaches impose competitive externalities, although firms still have stronger incentive to outsource security if the MSSP offers a higher quality in terms of preventing breaches than in‐house management, a quality advantage of MSSP over in‐house management is neither a prerequisite for a firm to outsource security nor a guarantee that a firm will. In addition to MSSP quality, the type of externality (positive or negative), the degree of externality, whether outsourcing increases or decreases risk interdependency, and the breach characteristics determine firms' sourcing decisions. When security breaches impose a positive externality, the incentive to outsource is enhanced if the MSSP decreases the risk interdependency and diminished if the MSSP increases this interdependency. A negative externality has the opposite effect on firms' incentives to outsource. A high demand spillover to a competitor, together with a high loss in industry demand because of a security breach, enhances these incentives to outsource security operations when the externality is negative. Finally, we extend our base model in several dimensions and show that our main results regarding the impact of interdependent risks and competitive externalities on sourcing decisions are robust and generalizable to different specifications.     

Innovation in Emerging Markets: The Role of Management Consulting Firms

Firms in emerging markets are often reluctant to invest in innovation because of the institutional voids endemic to such markets. Addressing the gap in the literature concerning the role of consultancy firms in emerging markets, we argue that management consultancy firms can fill institutional voids and thus help firms implement innovation initiatives. We buttress our main argument by combining strands of institutional theory with the resource-based view. Acknowledging the tensions inherent in the use of consultancy firms, we also examine two contextual variables that may mitigate their positive effects. We explore the critical aspects of the firms' internal and external environments and posit that well-functioning national institutions and a high level of firm competency attenuate the positive roles of management consulting firms because there are few voids that management consultancy can effectively address under such conditions. To test our hypotheses, we examine the effects of management consultancy on both the input and output aspects of innovation. We use a sample of 1330 establishments operating in nine emerging markets. Our findings support all main and moderating effects on innovation inputs but not on innovation outputs. We discuss the theoretical implications of our findings and provide suggestions for future research.     

双随机复合泊松损失下巨灾债券定价与数值模拟

上世纪90年代出现的巨灾债券是以规避巨灾财产损失为目的的新型非传统风险转移金融创新工具之一,在我国有良好的发展前景。本文针对巨灾风险事件呈现出周期性与不规则的上升特征,构建了BDT过程用以刻画巨灾风险的抵达过程,并基于风险中性测度技术,在随机利率环境与双随机复合泊松损失条件下,导出了巨灾债券定价公式。进而结合伦敦同业银行拆借利率数据与美国保险服务所提供的PCS损失指数估计并校正了模型参数。最后,通过数值模拟检验了利率风险与巨灾风险如何影响巨灾债券的价格,同时验证了定价模型的可行性。     

KNOWING THE RIGHT PERSON IN THE RIGHT PLACE: POLITICAL CONNECTIONS AND RESISTANCE TO CHANGE

We use a political economy model of Schumpeterian growth with entry to investigate how an incumbent politician can strategically use the level of red tape to acquire incumbency advantage. By setting sufficiently high red tape, the politician induces the incumbent firm in the intermediate sector to invest in political connections, which are valued also by voters, who recognize that bureaucratic costs can be reduced by connected firms. Within this framework, we study the Markov perfect equilibria of an infinitely repeated game among politicians, firms, and voters, and show that all equilibria are characterized by investments in political connections and the re‐election of the incumbent politician. Political connections may prevent entry of advanced competitors and cause the economy to lag behind the technological frontier. Our model provides a possible explanation for the persistence of inefficient democracies and political barriers to technology development, where these reflect shared rather than conflicting interests.     

How does homeland security affect U.S. firms' international competitiveness?

This paper frames the issue of homeland security and its relationship to the international competitiveness of U.S. firms in general. This is largely a conceptual statement, identifying the areas of national security (homeland security) that are key to business, and exploring the management concerns of business to the new threats and opportunities that have arisen.We establish the point that homeland security is a purposeful, conscious, and rational response to terrorist events that is an emergent and evolving systems phenomenon. This systems approach is an especially useful way to look at the implications of homeland security in its relation to business. We then look specifically at the kinds of costs and risks that are generated for U.S. international business (exports, imports, incoming and outgoing investments) as a result of this phenomenon. Management strategies for dealing with these costs and risks are explored for U.S. firms.Our conclusion is to demonstrate the scope of analysis that is needed to understand and to managerially cope with the homeland security problem. We show the value of using theory from various disciplines for analyzing a multi-dimensional problem like this. And finally we are able to recommend some policy dimensions for both companies and the U.S. Government toward mitigating the negative impacts of the homeland security problem.     

An empirical analysis of innovation strategies of biotechnology firms in the U.S.

The paper explores the strategies of biotechnology firms in the U.S. through a mail questionnaire study. Based on the responses of 89 companies we have developed strategy archetypes of these firms in R&D, marketing, and technology acquisition. In R&D, we found the firms to follow either incremental or radical strategy. In marketing, the firms use either a defender or an innovator strategy. In technology acquisition, firms differ in terms of their emphasis on licensing or developing new technology. The interrelationship among the strategy groups is weak. The R&D and technology acquisition strategies are related in the sense that aggressive technology strategy dictates radical R&D behavior with emphasis on development of new technology. We have found that firms following aggressive technology strategy tend to follow conservative marketing strategy. This is consistent with an earlier study by of German firms where it was found that firms tend to balance their technical and marketing risks. The paper also provides additional information about the factors considered to be important in product decisions for various strategies.     

Impact of strategic and operational risk management practices on firm performance: An empirical investigation

Increasingly, creating and delivering value through complex supply chain networks involves substantial risks. However, strategy development under business risk conditions is not well-understood. This cross-country research examines how, under conditions of supply chain network risk, firms develop effective risk management practices. Using a literature review and survey research of managers from global firms; we present a research model, and empirically test the hypothesized relationships. The results show that under conditions of uncertainty, management decision-making is more likely to be cautious until visible forms of risks emerge, and prudent response mechanisms are put in place. This study identifies the crucial role of supply chain exploration and exploitation practices, and their influence in development of network risk management practices, leading to competitive financial outcomes.     

Managing Technology Selection and Development Risk in Competitive Environments

Managing development decisions for new products based on dynamically evolving technologies is a complex task, especially in highly competitive industries. Product managers often have to choose between introducing an incrementally better, safe new product early and a superior, yet highly risky, product later. Recommendations for managing such performance vs. time‐to‐market trade‐offs often ignore competitive reactions to development decisions. In this paper, we study how a firm could incorporate the presence of a strategic competitor in making technology selection and investment decisions regarding new products. We consider a model in which an innovating firm and its rival can introduce a new product immediately or pursue a more advanced product for later launch. Further, the firm can reduce the uncertainty surrounding product development by dedicating more resources; the effectiveness of this investment depends on the firm's innovative capacity. Our model generates two sets of insights. First, in highly competitive industries, firms can adopt different technologies and effectively use introduction timing to mitigate the effects of price competition. More importantly, the firm could strategically invest in the advanced product to influence its rival's technology choice. We characterize equilibrium development and investment decisions of the firms, and derive innovative capacity hurdles that govern a firm's choice between the risky and safe alternatives. The effects of development flexibility—where firms might have the option to revert to the safe product if the advanced product fails—are also considered.     

Investment in Shared Suppliers: Effect of Learning,Spillover, and Competition

We investigate the optimal strategies for firms to invest in their suppliers when the benefits of such investments can spillover to other firms who also source from the same suppliers. We consider two Bayesian firms that can invest in improving the quality of their shared supplier; the firms do not have complete information on the true quality of the supplier, but they update their beliefs based on the supplier's performance. We formulate the problem as an investment game and obtain Markov perfect equilibria characterized by the investment thresholds of both firms. The equilibrium investment strategies of the two firms are characterized by a region of preemption and a region of war of attrition. We also examine how the interplay between spillover, competition, and returns from the investment at shared suppliers affect the investment threshold and the time to the leader's investment, and identify the conditions under which competition delays or hastens the first investment in a shared supplier.     

Compliance Strategies under Permits for Emissions

We characterize the trade‐offs among firms' compliance strategies in a market‐based program where a regulator interested in controlling emissions from a given set of sources auctions off a fixed number of emissions permits. We model a three‐stage game in which firms invest in emissions abatement, participate in a share auction for permits, and produce output. We develop a methodology for a profit‐maximizing firm to derive its marginal value function for permits and translate this value function into an optimal bidding strategy in the auction. We analyze two end‐product market scenarios independent demands and Cournot competition. In both scenarios we find that changing the number of available permits influences abatement to a lesser extent in a dirty industry than in a cleaner one. In addition, abatement levels taper off with increasing industry dirtiness levels. In the presence of competition, firms in a relatively clean industry can, in fact, benefit from a reduction in the number of available permits. Our findings are robust to changes in certain modeling assumptions.