Security Standardization for Social Welfare in the Presence of Unverifiable Control

Chul Ho Lee


Standard makers in both private and public sectors have been increasingly mandating security standards upon organizations to protect organizational digital assets. A major issue in security standardization is that standards often cannot regulate all possible security efforts by the standard maker because some efforts are unverifiable by nature. This paper studies from an analytical perspective how a standard maker should design the standard using a verifiable security control in the presence of another related unverifiable one. We compare it with two benchmark standards; naïve-standard which refers to the standard maker who ignores the existence of the unverifiable control, and complete-information standard which refers to the maker sets standards on both controls. Optimal standard and benchmark standard depend critically on how the two controls are configured. Under parallel configuration, the existence of the unverifiable control induces the policy maker to set a higher standard (the complete-information standard is optimal); under serial configuration, a lower standard is applied (neither benchmark works). Under best-shot configuration and if the verifiable control is more cost-efficient, the existence of the unverifiable control has no impact on the optimal standard (the naïve standard is optimal).

Full Text:



Adams, A. and Sasse, M. A., “Users are Not the Enemy,” Communications of the ACM, Vol. 42, No. 12, pp. 41-46, 1999.

Battigalli, P. and Maggi, G., “Rigidity, Discretion, and the Costs of Writing Contracts,” The American Economic Review, Vol. 92, No. 4, pp. 798-817, 2002.

Bernheim B. D. and Whinston, M. D., “Incomplete Contracts and Strategic Ambiguity,” The American Economic Review, Vol. 88, No. 4, pp. 902-932, 1998.

Cavusoglu, H., Mishra, B., and Raghunathan, S., “The Value of Intrusion Detection Systems in Information Technology Security Architecture,” Information Systems Research, Vol. 16, No. 1, pp. 28-46, 2005.

Cavusoglu, H., Raghunathan, S., and Cavusoglu, H., “Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems,” Information Systems Research, Vol. 20, No. 2, pp. 198-217, 2009.

Crawford, V., “Lying for Strategic Advantage: Rational and Boundedly Rational Misrepresentation of Intentions,” The American Economic Review, Vol. 93, No. 1, pp. 133-149, 2003.

Culnan, M. J. and Williams, C. C., “How ethics can enhance organizational privacy: Lessons from the choicepoint and TJX data breaches,” MIS Quarterly, Vol. 33, No. 4, pp. 673-687, 2009.

Dey, D., Fan, M., and Zhang, C., “Design and Analysis of Contracts for Software Outsourcing,” Information Systems Research, Vol. 21, No. 1, pp. 93-114, 2010.

Dye, R. A., “Auditing Standards, Legal Liability, and Auditor Wealth,” The Journal of Political Economy, Vol. 101, No. 5, pp. 887-914, 1993.

Ewert, R. and Wagenhofer, A., “Economic Effects of Tightening Accounting Standards to Restrict Earnings Management,” The Accounting Review, Vol. 80, pp. 1101-1024, 2005.

Geng, X., Huang, Y., and Whinston, A. B., “Defending Wireless Infrastructure Against the Challenge of DDoS Attacks,” ACM Journal on Mobile Networking and Applications, Vol. 7, No. 3, pp. 213-223, 2002.

Gordon, L. A., Loeb, M., and Lucyshyn, W., “Sharing Information on Computer Systems Security: An Economic Analysis,” Journal of Accounting Public Policy, Vol. 22, No. 6, pp. 461-485, 2003.

Grossklags, J., Christin, N., and Chuang, J., “Secure or Insure? A Game-Theoretic Analysis of Information Security Games,” Proceedings of the 17th International World Wide Web Conference, 2008.

Hausken, K., “Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability,” Information Systems Frontiers, Vol. 8, No. 5, pp. 338-349, 2006.

Hausken, K., “Information sharing among firms and cyber attacks,” Journal Accounting Public Policy, Vol. 26, No. 6, pp. 639-688, 2007.

Hendricks, K. and McAfee, R. P., “Feints,” Journal of Economics & Management Strategy, Vol. 15, No. 2, pp. 431-456, 2006.

Hui, K. L., Hui, W., and Yue, W. T., “Information Security Outsourcing with System Interdependency and Mandatory Security Requirement,” Journal of Management Information Systems, Vol. 29, No. 3, pp. 117-155, 2012.

Keblawi, F. and Sullivan, D., “The Case for Flexible NIST Security Standards,” IEEE Computer Society, June, pp. 19-26, 2007.

Krebs, R., Hackers Test Limits of Credit Card Security Standards, Washington Post, April 16, 2009, available at voices.

Lee, C. Geng, X., and Raghunathan, S., “Mandatory Standards and Organizational Information Security,” Information Systems Research, Vol. 27, No. 1, pp. 70-86, 2016.

Lee, C., Geng, X., and Raghunathan, S., “Contracting Information Security in the Presence of Double Moral Hazard,” Information Systems Research, Vol. 24, No. 2, pp. 295-311, 2013.

Loch, K., Carr, H., and Warkentin, M., “Threats to Information Systems: Today’s Reality, Yesterday’s Understanding,” MIS Quarterly, Vol. 16, No. 2, pp. 173-186, 1992.

Miller, A. R. and Tucker, C. E., “Encryption and Data Loss, The Ninth Workshop on the Economics of Information Security,” Harvard University, USA, p. 29, 2010.

Morse, E. A. and Raval, V., “PCI DSS: Payment card industry data security standards in context,” Computer Law& Security Report, Vol. 24, pp. 540-554, 2008.

Narasimhan, H., Varadarajan, V., and Rangan, C. P., “Towards a Cooperative Defense Model Against Network Security Attacks,” Tenth Workshop on the Economics of Information Security, 2010.

Romanosk, S., Telang, R., and Acquisti, A., “Do Data Breach Disclosure Laws Reduce Identity Theft?,” Seventh Workshop on the Economics of Information Security, June 25-28, 2008.

Ross, R., “Managing Enterprise Security Risk with NIST Standards,” IEEE Computer Society, August, pp. 88-91, 2007.

Rothke, B. and Mundhenk, D., Sue the Auditor and Shut Down the Firm (July 9), 2009, Available at

Schechter, S. E. and Smith, M. D., “How Much Security is Enough to Stop a Thief?,” Lecture Notes in Computer Science, Vol. 2742, pp. 122-137, 2003.

Schwartz, R., “Legal Regimes, Audit Quality and Investment,” The Accounting Review, Vol. 72, No. 3, pp. 385-406, 1997.

Shim, W., “An Ex Ante Evaluation Method for Assessing a Government Enforced Security Measure,” The Journal of Society for e-Business Studies, Vol. 20, No. 4, pp. 241-256, 2015.

Tirole, J., “Cognition and Incomplete Contracts,” The American Economic Review, Vol. 99, No. 1, pp. 265-294, 2009.

Varian, H., “System Reliability and Free Riding,” Economics of Information Security, Kluwer, pp 1-15, 2004.

Willekens, M., Steele, A., and Miltz, D., “Audit Standards and Auditor Liability: A Theoretical Model,” Accounting and Business Research, Vol. 26, No. 3, pp. 249-264, 1996.

Zetter, K., In Legal First, Data-Breach Suit Targets Auditor, Wired (June 2), 2009, Available at

Zhao, X, Xue, L., and Whinston, A. B., “Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling,” International Conference on Information Systems, Phoenix, AZ, 2009.


  • There are currently no refbacks.