Mandatory Standards and Organizational Information Security

References

• August T, Tunca TI (2011) Who should be responsible for software security? A comparative analysis of liability policies in network environments. Inform. Systems Res. 19(1):48–70.Link, Google Scholar
• Battigalli P, Maggi G (2002) Rigidity, discretion, and the costs of writing contracts. Amer. Econom. Rev. 92(4):798–817.Crossref, Google Scholar
• Bernheim B, Whinston M (1998) Incomplete contracts and strategic ambiguity. Amer. Econom. Rev. 88(4):902–932.Google Scholar
• Campbell K, Gordon L, Loeb M, Zhou L (2003) The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. J. Comput. Security 11(3):431–448.Crossref, Google Scholar
• Cavusoglu H, Mishra B, Raghunathan S (2004) The effect of Internet security breach announcements on shareholder wealth. Internat. J. Electronic Commerce 9(1):69–104.Google Scholar
• Cavusoglu H, Raghunathan S, Cavusoglu H (2009) Configuration of and interaction between information security technologies: The case of firewalls and intrusion detection systems. Inform. Systems Res. 20(2):198–217.Link, Google Scholar
• Cheney J (2010) Heartland payment systems: Lessons learned from a data breach. White paper, Federal Reserve Bank of Philadelphia, Philadelphia. Accessed October 15, 2015, https://www.phil.frb.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2010/d-2010-january-heartland-payment-systems.pdf.Google Scholar
• Coase RH (1937) The nature of the firm. Economica 4(16):386–405.Crossref, Google Scholar
• Culnan M, Williams C (2009) How ethics can enhance organizational privacy: Lessons from the choicepoint and TJX data breaches. MIS Quart. 33(4):673–687.Crossref, Google Scholar
• Cusumano MA (2004) Who is liable for bugs and security flaws in software? Comm. ACM 47(3):25–27.Crossref, Google Scholar
• Dayton S (2014) Illinois Supreme Court reverses $43 million verdict against Ford in automotive products-liability case. Accessed October 15, 2015, http://product-liability.weil.com/uncategorized/illinois-supreme-court-reverses-43-million-verdict-against-ford-in-automotive-products-liability-case/.Google Scholar
• Dye R (1993) Auditing standards, legal liability, and auditor wealth. J. Political Econom. 101(5):887–914.Crossref, Google Scholar
• Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inform. System Security 5(4):438–457.Crossref, Google Scholar
• Gordon LA, Loeb M, Lucyshyn W (2003) Sharing information on computer systems security: An economic analysis. J. Accounting Public Policy 22(6):461–485.Crossref, Google Scholar
• Hausken K (2006a) Income, interdependence, and substitution effects affecting incentives for security investment. J. Accounting Public Policy 25(6):629–665.Crossref, Google Scholar
• Hausken K (2006b) Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Inform. Systems Frontiers 8(5):338–349.Crossref, Google Scholar
• Hausken K (2007) Information sharing among firms and cyber attacks. J. Accounting Public Policy 26(6):639–688.Crossref, Google Scholar
• Hui KL, Hui W, Yue WT (2013) Information security outsourcing with system interdependency and mandatory security requirement. J. Management Inform. Systems 29(3):117–156.Crossref, Google Scholar
• Keblawi F, Sullivan D (2007) The case for flexible NIST security standards. Computer 40(6):19–26.Crossref, Google Scholar
• Kim BC, Chen P, Mukhopadhyay T (2011) The effect of liability and patch release on software security: The monopoly case. Production Oper. Management 20(4):603–617.Crossref, Google Scholar
• Krebs R (2009a) Hackers test limits of credit card security standards. Washington Post (April 16), voices.washingtonpost.com/securityfix/2009/04/the_number_scale_and_sophistic.html.Google Scholar
• Krebs R (2009b) Payment processor breach may be largest ever. Washington Post (January 20), voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html.Google Scholar
• Loch K, Carr H, Warkentin M (1992) Threats to information systems: Today’s reality, yesterday’s understanding. MIS Quart. 16(2):173–186.Crossref, Google Scholar
• MacCarthy M (2010) Information security policy in the U.S. retail payments industry. Workshop Econom. Inform. Security, Cambridge, MA.Google Scholar
• Miller A, Tucker C (2010) Encryption and data loss. Workshop Econom. Inform. Security, Cambridge, MA.Google Scholar
• Morse E, Raval V (2008) PCI DSS: Payment card industry data security standards in context. Comput. Law Security Report 24(6):540–554.Crossref, Google Scholar
• National Institute of Standards and Technology (2010) Guide for assessing the security controls in federal information systems and organizations. Accessed January 22, 2016, http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf.Google Scholar
• Navetta D (2009) PCI DSS incident response: The legal perspective. InfoLawGroup (July 8), http://www.infolawgroup.com/2009/07/credit-cards/pci-dss-incident-response-the-legal-perspective/.Google Scholar
• PCI Security Standards Council (2009) Payment card industry data security standard: Requirements and security assessment procedures, version 1.2.1. July 2009, https://www.pcisecuritystandards.org/documents/pci_dss_v1-2.pdf.Google Scholar
• Romanosky S, Telang R, Acquisti A (2011) Do data breach disclosure laws reduce identity theft? J. Policy Anal. Management 30(2):256–286.Crossref, Google Scholar
• Ross R (2007) Managing enterprise security risk with NIST standards. Computer 40(8):88–91.Crossref, Google Scholar
• Ryan DJ (2003) Two views on security software liability: Let the legal system decide. IEEE Security Privacy 1(1):70–72.Crossref, Google Scholar
• Schneier B (2008) Software makers should take responsibility. The Guardian (July 16), http://www.guardian.co.uk/technology/2008/jul/17/internet.security.Google Scholar
• Schwartz R (1997) Legal regimes, audit quality and investment. Accounting Rev. 72(3):385–406.Google Scholar
• Simon H (1981) The Sciences of the Artificial (MIT Press, Cambridge, MA).Google Scholar
• Vijayan J (2010) Court gives preliminary OK to $4M consumer settlement in Heartland case. ComputerWorld (May 7). http://www.computerworld.com/s/article/9176431/.Google Scholar
• Visa (2015) Compliance fines. Accessed January 2015, https://web.archive.org/web/20150607013755/http://usa.visa.com/merchants/protect-your-business/cisp/index.jsp.Google Scholar
• Whitman ME, Mattord HJ (2009) Management of Information Security (Thomson Course Technology, Boston).Google Scholar
• Willekens M, Steele A, Miltz D (1996) Audit standards and auditor liability: A theoretical model. Accounting Bus. Res. 26(3):249–264.Crossref, Google Scholar
• Williamson OE (1975) Markets and Hierarchies: Analysts and Antitrust Implications (Free Press, New York).Google Scholar
• WorldPay (2014) Financial protection. Accessed January 2014, https://web.archive.org/web/20140214094144/http://www.worldpay.us/pci-compliance.Google Scholar