Elsevier, Decision Support Systems, Volume 51, Issue 4, November 2011, Pages 904-920

Profit-maximizing firm investments in customer information security

https://doi.org/10.1016/j.dss.2011.02.009

Abstract

When a customer interacts with a firm, extensive personal information often is gathered without the individual's knowledge. Significant risks are associated with handling this kind of information. Providing protection may reduce the risk of the loss and misuse of private information, but it imposes some costs on both the firm and its customers. Nevertheless, customer information security breaches still may occur. They have several distinguishing characteristics: (1) typically it is hard to quantify monetary damages related to them; (2) customer information security breaches may be caused by intentional attacks, as well as through unintentional organizational and customer behaviors; and (3) the frequency of such incidents typically is low, although they can be very costly when they occur. As a result, predictive models and explanatory statistical analysis using historical data have not been effective. We present a profit optimization model for customer information security investments. Our approach is based on value-at-risk methods and operational risk modeling from financial economics. The main results of this work are that we: (1) provide guidance on the trade-offs between risk and return in customer information security investments; (2) define the range of efficient investments in technology-supported risk indemnification for sellers; (3) model how to handle government-dictated levels of investment versus self-regulation of investments in technology; and (4) characterize customer information security investment levels when the firm is able to pass some of its costs on to consumers. We illustrate our theoretical findings with empirical data from the Open Security Foundation, as a means of grounding our analysis and offering the reader intuition for the managerial interpretation of our theory and main results. The results show that we can narrow the decision set for solution providers and policy-makers based on the estimable risks and losses associated with customer information security. We also discuss the application of our approach in practice.

Introduction

The ubiquity of the Internet, the expansion of data storage space, and revolutionary increases in computing power have enabled firms to collect and analyze massive amounts of wide-ranging customer information at very low costs. Extensive personal information can be gathered either with or without the customer's knowledge when the person interacts with a firm. Such information is gathered to profile users and provide targeted services, such as tailored advertisements, discount offers and so on. Significant risks are associated with handling such private information about customers, and firms are responsible for treating customers properly when they use their information. When the firm misuses customer information, or it falls into the hands of intruders who misuse it, this may have a significant impact on the firm's reputation and also may result in large financial losses. Various sources [31], [38] confirm that the number of customer information security breaches has been increasing over time, and more and more individuals are being affected. Firms that collect personal information from consumers should consider the costs and risks of customer information privacy protection, and strive to offer technology solutions and the security policies associated with them to create effective support.

Customer information security breaches have unique characteristics. First, it is hard to quantify the monetary damages that may be involved, even though the severity of the information security breach may be perceived to be high. Firms that suffer from information security breaches face the prospect of customer losses, reputational problems, and fines, while the contingent liabilities often lead to the downgrading of the firm's stock value [12], [16]. Some of the losses may occur over the long term, and, thus, recovery also will take time. The long-term effects also may make it difficult to estimate the related monetary damages accurately. Second, unlike other security intrusions, customer information security breaches may arise from intentional attacks, as well as from unintentional organizational and individual behaviors. The Open Security Foundation [31] has reported that about half of past information security breaches are due to intentional attacks such as hacking, while accidents under normal operations, such as lost or stolen computers and documents, account for the rest. This wide range of causes makes it hard for a firm to establish an effective information security strategy; technical and non-technical protection mechanisms are both necessary, but may not be easy to implement effectively. Last, although the total number of customer information security breaches has increased over time in the economy, the frequency of such incidents is still low for individual firms. Moreover, there is not much historical data that is publicly available (in part because firms often do not wish to make their information security issues public knowledge), so statistical analysis of historical data is not very feasible.

Since such information security breaches may have a significant negative financial impact, many firms now deploy technology and security policy-based safeguards to protect their customers' private information and to avoid becoming victims of such breaches [27]. A firm may implement several information security methods for its customers to reduce the risk of information security breaches. They include software and hardware solutions known as privacy-enhancing technologies and other non-technical information security policies. Examples of software protection methods include intrusion detection add-ons, encryption software, secure socket layer connections, public-key infrastructure, and anti-virus software. Random-number generators, smart cards and fingerprint readers are examples of hardware solutions for privacy protection. Besides such software and hardware solutions, firms also offer other means of information security to their customers. Examples of non-technical means include providing opt-out choices while collecting personal information, conducting transactions through third-party payment systems such as PayPal or Google Checkout, and using one-time auto-generated credit card numbers that are not linked to personal information. A firm can also choose to hire staff to manage the use of customer privacy information, with a chief privacy officer leading the effort.

Firms face the risks of improper access to, errors with, and theft of their customers' personal information [40]. As a firm invests more in information security, such risks will likely be reduced. However, due to the unforeseen nature of such risks, they may not be controlled completely, even if a firm implements all of the possible technological and security policy protections. Moreover, the firm may not choose to use all of these methods due to customer preferences and incompatible environments, and due to concerns about profit maximization [2]. Previous research suggests that some customers are sensitive about information security, but others are less concerned [8]. Different computing environments also prevent customers from adopting all of the possible methods of protection. Some methods require high-powered computing with advanced technology, some are dependent on the operating systems that customers have implemented, and some require nearly expert knowledge of computing.

Therefore, it is important for a firm to understand the factors affecting the value of its decision to invest in information security. Public policy and regulatory studies have identified several external factors that affect information security strategy [12], [26], [39]. Government regulations and self-regulations are key components that affect an organization's information security strategy [11]. Privacy concerns now have become a major obstacle to attracting customers to e-commerce [19]. However, Hui et al. [21] suggest that the consumers are not fully cautious about sharing their personal information with online merchants even though they are concerned about privacy. Studies by Ashrafi and Kuilboer [2] and Schwaig et al. [39] have revealed that firms selectively adopt the available information security mechanisms based on their own competitive circumstances. Prior research has overlooked the need to understand customer privacy protection more fully in economic terms though. Generally, although firms should respect their customers' rights for information privacy, economic theory predicts that it may not be optimal for a firm to protect them fully — which may be truly unfortunate in some cases.

Providing protection methods for customers may reduce the risk of misuse or the loss of private information, but at the same time, it will impose some costs on the firm, as well as on its customers. Some protection methods involve direct costs to customers. One is the use of hardware solutions that may require users to purchase technology to access services securely. An example is PayPal, which sells a small keychain device – a security fob – that provides a frequently-updated login code that enables the validation of a user's login, and blocks password phishing [36]. Other solutions may not involve direct monetary costs to customers, but some indirect costs may occur. The required time and installation effort, the learning costs for use, and the costs of dealing with malfunctions of software solutions are examples of such indirect costs. Customers' perceptions about the value of information security may vary too. So customers may choose to use protection services to different degrees, depending on how much they value privacy and how much the services cost.

Firms, on the other hand, incur implementation costs to provide customer information security. Although the result of mishandling private information can be costly, most firms will choose to implement only some of the available customer information security protections. In most cases, implementing all of the available protections will be prohibitively expensive. So firms must balance the costs and risks associated with customer information security breaches against the investment required to find a profit-maximizing level of privacy protection.

We will answer the following questions: What are the value-maximizing investment options for firms to protect customer information security? What are the factors that drive firms to invest in information security protection? How can we identify which investment level choices are optimal? We develop a profit optimization model for information security technology investments that considers the risks associated with implementation. We use a profit-at-risk approach based on value-at-risk methods, and operational risk modeling from financial economics. We show that the optimal investment choice is based on the control and expected mitigation of risks due to implementing information security technology solutions, and is affected by other concerns as well. We also provide model-based evidence as to why firms may not choose to implement full protection for their customers, and related empirical evidence of the model findings.

Section snippets

Literature review

Various studies on consumer information privacy have identified several factors that are likely to affect the privacy strategy of an organization. We classify such studies according to three different stakeholders with information privacy interests. Individuals provide their personal information to a number of organizations (businesses, non-profits, and government agencies) that not only use such information themselves but often share it with other organizations. Standard-setters and regulatory

Theory

We next discuss operational risk and a profit-at-risk approach based on value-at-risk theory from financial economics.

Model development

We next introduce a model that can be used to value information security technology solution investment decisions. Our model utilizes a risk management modeling technique suggested by Jorion [23]. Through its use, we are able to evaluate the risk associated with customer information security breaches, based on the idea of profit-at-risk.
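As an added illustration of the profit-at-risk idea this section sketches (and of the breach-frequency and loss-severity inputs the conclusion says the approach needs), the following Python script is not the authors' model and is not taken from the paper. It uses a textbook operational-risk construction: a Poisson breach count whose rate falls with protection spending, lognormal per-breach losses, and a linear protection cost. It simulates annual profit at each investment level, reads off expected profit and a value-at-risk style profit-at-risk figure, and then picks the investment level that maximizes expected profit subject to a risk tolerance. The functional form lambda(x) = lambda0·exp(-k·x), the cost c_max·x, the 95% confidence level and every parameter value are constructed assumptions chosen for illustration only.

```python
"""Profit-at-risk illustration for a customer information security investment decision.

Added, constructed example (not the paper's model). All assumptions are illustrative:
  * breaches per year  N ~ Poisson(lambda(x)), lambda(x) = lambda0 * exp(-k * x),
    where x in [0, 1] is the fraction of a maximum protection budget actually spent;
  * loss per breach    L ~ Lognormal(mu, sigma), unaffected by x;
  * protection cost    c_max * x per year;
  * annual profit      margin - c_max * x - (sum of that year's breach losses).
Profit-at-risk at confidence alpha = E[profit] - Q_{1-alpha}(profit): the shortfall below
expected profit that is exceeded with probability only (1 - alpha).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    margin: float    # gross annual margin before security costs and breach losses
    lambda0: float   # breach frequency per year with no protection
    k: float         # how strongly spending reduces breach frequency
    mu: float        # log-mean of the per-breach loss
    sigma: float     # log-std of the per-breach loss
    c_max: float     # annual cost of the full protection bundle (x = 1)


# Constructed parameters; not drawn from the paper or its Open Security Foundation data.
PARAMS = Params(margin=10_000_000, lambda0=2.0, k=3.0,
                mu=math.log(500_000), sigma=1.0, c_max=1_500_000)


def breach_rate(x: float, p: Params) -> float:
    return p.lambda0 * math.exp(-p.k * x)


def mean_loss_per_breach(p: Params) -> float:
    return math.exp(p.mu + p.sigma ** 2 / 2)  # lognormal mean


def expected_loss(x: float, p: Params) -> float:
    return breach_rate(x, p) * mean_loss_per_breach(p)  # compound-Poisson mean E[N]*E[L]


def expected_profit_analytic(x: float, p: Params) -> float:
    return p.margin - p.c_max * x - expected_loss(x, p)


def optimal_investment_risk_neutral(p: Params) -> float:
    """Maximiser of expected profit when risk is ignored. Setting the derivative of
    -c_max*x - lambda(x)*E[L] to zero gives lambda(x)*E[L] = c_max/k, hence
    x* = ln(k*lambda0*E[L]/c_max)/k, clipped to the feasible range [0, 1]."""
    x_star = math.log(p.k * p.lambda0 * mean_loss_per_breach(p) / p.c_max) / p.k
    return min(1.0, max(0.0, x_star))


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's multiplication method; adequate for the small rates used here.
    limit, k, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return k
        k += 1


def simulate_profits(x: float, p: Params, n_years: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo sample of annual profit at investment level x (seeded, reproducible)."""
    rng = random.Random(seed)
    lam = breach_rate(x, p)
    profits = []
    for _ in range(n_years):
        losses = sum(rng.lognormvariate(p.mu, p.sigma) for _ in range(_poisson(rng, lam)))
        profits.append(p.margin - p.c_max * x - losses)
    return profits


def quantile(values: list, q: float) -> float:
    s = sorted(values)
    return s[min(len(s) - 1, max(0, int(q * len(s))))]


def profit_at_risk(profits: list, alpha: float = 0.95) -> float:
    mean = sum(profits) / len(profits)
    return mean - quantile(profits, 1.0 - alpha)


def choose_investment(p: Params, max_par: float, levels=None, alpha: float = 0.95,
                      n_years: int = 20_000, seed: int = 7) -> dict:
    """Highest simulated expected profit among grid levels whose profit-at-risk stays within
    the firm's tolerance max_par; if no level qualifies, the least risky level, flagged."""
    levels = levels if levels is not None else [i / 10 for i in range(11)]
    rows = []
    for x in levels:
        profits = simulate_profits(x, p, n_years, seed)
        rows.append({"level": x, "expected": sum(profits) / len(profits),
                     "par": profit_at_risk(profits, alpha)})
    feasible = [r for r in rows if r["par"] <= max_par]
    if feasible:
        return {**max(feasible, key=lambda r: r["expected"]), "feasible": True}
    return {**min(rows, key=lambda r: r["par"]), "feasible": False}


if __name__ == "__main__":
    print(f"risk-neutral optimum x* = {optimal_investment_risk_neutral(PARAMS):.3f}")
    for tol in (float("inf"), 1_000_000):
        r = choose_investment(PARAMS, tol)
        print(f"tolerance {tol:>12}: level={r['level']:.1f} E[profit]={r['expected']:,.0f} "
              f"PaR95={r['par']:,.0f} feasible={r['feasible']}")
```

With these constructed numbers the risk-neutral optimum is interior (roughly 40% of the full bundle), which is the point at which the marginal reduction in expected loss equals the marginal protection cost; imposing a profit-at-risk tolerance pushes the chosen level higher, because the tail of the loss distribution shrinks faster than expected profit falls. That is the risk-versus-return trade-off the abstract lists as its first result, shown here only in the generic loss-distribution form, not with the paper's own functional forms.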

Analysis

We next analyze information security investments under alternative circumstances: (1) when there is selective adoption and underestimation of risk; (2) when regulations or standards are implemented; and (3) when a firm is able to pass on implementation costs to its customers. A firm's information security investment level reflects its managers' boundedly-rational understanding about the known sources of threats.

Discussion

We next will offer some clarifications about the boundary conditions of the model we have proposed. We also seek to highlight some of the applications that will be most beneficial to firms and consumers. We will discuss where these risk management techniques should not be used, and the potential dangers that may accompany misuse. We first discuss some issues with the technical assumptions of the model, as a basis for providing full disclosure on what we know about the approach we have developed.

Conclusion

We developed a model based on current theoretical perspectives in financial risk management to analyze how information security investments result in tradeoffs between expected financial losses and the firm's risk mitigation efforts on behalf of its customers. Our model has the potential for real-world application in a variety of scenarios where information security breach frequency and financial loss severity distributions can be estimated qualitatively or quantitatively. In addition to our

Acknowledgments

An earlier version of this paper appeared at the 2009 Hawaii International Conference on Systems Science, Waikoloa, HI, January 2009 under a different title. We thank Yabing Jiang, Avi Seidmann and the anonymous DSS reviewers for their input, and Jennifer Zhang for her creative guidance with the refinement of our modeling approach. We appreciated earlier input from Michel Benaroch, Qizhi Dai, Haluk Demirkan, Michael Goul, Gezinus Hidding, Paul Maglio, Paul Steinbart, Marilyn Prosch, three


References (45)

  • M.J. Culnan, How did they get my name? An exploratory investigation of consumer attitudes toward secondary information use, MIS Quarterly (1993)
  • M.J. Culnan, Protecting privacy online: is self-regulation working?, Journal of Public Policy and Marketing (2000)
  • M.J. Culnan et al., Information privacy concerns, procedural fairness, and impersonal trust: an empirical investigation, Organization Science (1999)
  • M.J. Culnan et al., Consumer privacy: balancing economic and justice considerations, Journal of Social Issues (2003)
  • M.J. Culnan et al., How ethics can enhance organizational privacy: lessons from the ChoicePoint and TJX data breaches, MIS Quarterly (2009)
  • T. Dinev et al., An extended privacy calculus model for e-commerce transactions, Information Systems Research (2006)
  • Self-regulation and privacy online
  • On-going targeted attacks against U.S. military contractors, blog post, San Jose, CA, January 18, 2010
  • K.M. Gatzlaff et al., The effect of data breaches on shareholder wealth, Risk Management and Insurance Review (2010)
  • L.A. Gordon et al., The economics of information security investment, ACM Transactions on Information and System Security (2002)
  • V. Gurbaxani et al., The impact of information systems on organizations and markets, Communications of the ACM (1991)
  • I. Hann et al., Overcoming online information privacy concerns: an information processing theory approach, Journal of Management Information Systems (2007)
Cited by (39)

  • Shall we follow? Impact of reputation concern on information security managers' investment decisions, Computers and Security (2020). Citation excerpt: "Furthermore, the cost of infosec breaches is also often ambiguous. Lee et al. (2011) argue that it is difficult to quantify monetary damages related to customers. When an organization's system is hacked, it is difficult to know with absolute certainty who the hacker is and what information was accessed."

  • Decision support approaches for cyber security investment, Decision Support Systems (2016). Citation excerpt: "The main message of this work is that to maximise the expected benefit from information security investment, an organisation should spend only a small fraction of the expected loss due to a security breach. Inspired by [14], Lee et al. apply the profit-at-risk and operational risk modelling approaches to propose a model that facilitates optimal customer information security investments by providing undertaking trade-off analysis between risk and return [15]. The authors define a minimum information security protection level that must be achieved in order for investments in a customer privacy protection to be effective."

Yong J. Lee is in the Information Systems Ph.D. program at the W. P. Carey School of Business at Arizona State University. He earned a B.A. in Computer Science and Engineering from Hongik University in Seoul, South Korea, and an MBA in Information Systems from the University of Washington. His research interest is information privacy and security issues in business and e-commerce. He has been working with financial economics, and a risk valuation approach known as value-at-risk. He has explored economic and financial perspectives on organizational strategy and decision-making for investments in IT and business processes that are used to protect consumer information security.

Robert J. Kauffman is a Visiting Professor of IS and Strategy at the School of Information and the Lee Kong Chian School of Business at Singapore University. He is also a Distinguished Visiting Fellow at the Glassmeyer-McNamee Center for Digital Strategies, Tuck School of Business, Dartmouth College. Previously, he served on the faculty at New York University, the University of Minnesota and Arizona State University. He also visited the University of Rochester and the Federal Reserve Bank of Philadelphia, and worked in international banking and finance in New York City prior to beginning his academic career. His graduate degrees are from Cornell University and Carnegie Mellon University, and his undergraduate degree is from the University of Colorado, Boulder. His research interests span the economics of IS, pricing and mechanism design on the Internet, competitive strategy, and theory development, modeling and empirical methods for IS and e-commerce research, all in contexts that emphasize senior management issues. His publications have appeared in Management Science, Information Systems Research, MIS Quarterly, the Journal of Management Information Systems, Organization Science, the Review of Economics and Statistics, Decision Sciences, and other journals.

Ryan Sougstad is an Assistant Professor of Business Administration at Augustana College in Sioux Falls, South Dakota, which he joined in 2009. He spent seven years with IBM in client sales and marketing, and at IBM Research's Business Informatics group. His research on the valuation and risk management of IT-enabled services has appeared in the Journal of Management Information Systems and International Journal of Services Science. He holds a B.A. degree from the University of Kansas, an MBA from UT Dallas, and a Ph.D. in Information and Decision Sciences from the University of Minnesota.