The Impact of Information Security Ratings on Vendor Competition

Security breaches often stem from business partner failures within the value chain. There have been several recent efforts to develop a common reference for rating the information risk posed by partners. We develop a simple analytical model to examine the impact of such information security ratings on service providers, customers, and social welfare. While some might believe that ratings would benefit high-security providers and hurt those with lower security, we show that this is not always the case. We find that information security ratings can hurt both types of providers or benefit both, depending on the market conditions. Surprisingly, we also find that security ratings do not always benefit the most demanding customers who desire highly secure business partners. Yet, in all cases, we find that social welfare is improved when information security ratings are adopted. This result suggests that information security ratings should be encouraged through public policy initiatives.
