The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare

The Sarbanes-Oxley legislation is a mandate that is bringing new attention to IT security as a critical part of the risk management framework for the dual purposes of certifying internal controls and attesting to the accuracy of information. Regulatory compliance, security audits and mandatory information disclosure about internal weaknesses can be very costly from a budget standpoint, because internal resources need to be allocated away from critical functions such as innovation and product development into increased investments in technologies that facilitate compliance. We propose a theoretical framework for analyzing the economic impact of government-mandated information disclosure and internal audits on firms' investments in IT security, the optimal levels of industry-wide production and the extent of market competition. Our analysis reveals that mandatory investments in regulatory compliance may have several unintended consequences, such as a reduction in optimal production quantities, a decrease in the extent of market competition and an overall reduction in social welfare due to distortions in IT security and internal control investments. In particular, our results highlight that smaller firms are more severely affected than larger firms, and this process may lead to a severe long-term impact on the operations of both capital and product markets. Our results are in accordance with recent anecdotal and empirical evidence.
