Managing Information Access in Data-Rich Enterprises with Escalation and Incentives

Managing information access in highly dynamic e-business environments is increasingly challenging. In large firms with thousands of employees accessing thousands of applications and data sources, managers must protect information against misuse while ensuring that employees can access the information needed for value creation. This paper proposes an escalation scheme with audits to increase flexibility while maintaining security. By coupling incentives with controls, escalation aligns employees' self-interest with the firm's profit objective. A game-theoretic model shows that an incentives-based policy with escalation and audit can control both overentitlement and underentitlement while maintaining flexibility.
