Research Note—A Value-at-Risk Approach to Information Security Investment

Published Online: https://doi.org/10.1287/isre.1070.0143
