
Decision Support Systems 57 (2014) 54–63

Contents lists available at ScienceDirect

Decision Support Systems

journal homepage: www.elsevier.com/locate/dss

IT security auditing: A performance evaluation decision model

Hemantha S.B. Herath a, Tejaswini C. Herath b,⁎

a Department of Accounting, Goodman School of Business, 240 Taro Hall, 500 Glenridge Avenue, St. Catharines, Ontario L2S 3A1, Canada
b Department of Finance, Operations, and Information Systems, Goodman School of Business, 240 Taro Hall, 500 Glenridge Avenue, St. Catharines, Ontario L2S 3A1, Canada

ARTICLE INFO

Article history:
Received 6 September 2011
Received in revised form 18 June 2013
Accepted 29 July 2013
Available online 8 August 2013

Keywords:
Information technology management
Information technology audit
Information systems audit
Information security audit
Audit decision
Agency model

ABSTRACT

Compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations. Information security and systems audits for assessing the effectiveness of IT controls are important for proving compliance. Information security and systems audits, however, are not mandatory for all organizations. Given the various costs, including opportunity costs, the problem of deciding when to undertake a security audit and the design of managerial incentives becomes an important part of an organization's control process. In view of these considerations, this paper develops an IT security performance evaluation decision model for whether or not to conduct an IT security audit. A Bayesian extension investigates the impact of new information regarding the security environment on the decision. Since security managers may act in an opportunistic manner, the model also incorporates agency costs to determine the incentive payments for managers to conduct an audit. Cases in which the agency model suggests that it is optimal not to conduct an IT security audit are also discussed.

© 2013 Elsevier B.V. All rights reserved.

1. Introduction

The 2011 ISACA survey notes that compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations [30]. Accounting regulations have had a visible impact on information security practices in organizations. The Sarbanes–Oxley Act (SOX), emerging international accounting regulations such as the International Financial Reporting Standards (IFRS), and other accounting regulations affect computing practices in public organizations in the United States and worldwide [25]. Although the specific requirements of SOX and IFRS do not explicitly discuss information technology, the profound shift in business records from pen and paper to electronic media has significant implications for IT practices for the purposes of financial reporting. In addition to the external threats, an extensive dependence on technology may inadvertently provide sophisticated means and opportunities for employees to perpetrate fraud in rather simple and straightforward ways [12,29]. As IT controls have a pervasive effect on the achievement of many control objectives [26], regulations have implications for IT governance and controls [7,13,18]. In most organizations, since the data that is used in financial reporting is captured, stored, or processed using computer-based systems, achieving a sufficient level of internal controls means that controls have to be put in place for technology use in organizations [22].

From the accounting regulation perspective, public corporations, at least in theory, must go through information systems audits in order to obtain an auditor's report confirming that there are sufficient internal controls. However, this regulation-driven audit is not mandatory for public companies earning annual revenue of less than 2 million dollars or for many organizations that are not public companies. Security surveys show that security audits are the predominant approach in testing the effectiveness of security technologies. Almost 50–65% of companies surveyed report that they carry out security audits [34], but not all companies undertake these investigations. The question thus arises: if system audits are not mandatory, when should firms undertake security audits? IT systems are complex, which makes evaluating their performance and security a complex problem [25]. Audits are often very laborious and expensive [37]. Implementing an IT audit strategy that justifies its cost and which promotes the effective use of information systems is a challenging task [33]. Given the costs involved in carrying out these audits and the opportunity costs of not conducting such audits, the question becomes an important one.

Although literature in the area of the economics of IT security is burgeoning with papers dealing with the issue of whether or not to invest in IT security or how to establish the optimal level of investment in IT security [17,19,23], there is hardly any research that deals with the control aspects. Given budgetary constraints, firms often have to decide whether or not to spend resources on non-mandatory security initiatives such as IT security audits. Thus, it is important for a firm's management to have an objective basis and a sound decision model for deciding whether or not to undertake an IT security audit. The decision model we develop attempts to fill a gap in the literature and in practice in this area. More specifically, we consider the question of whether or not to carry out an IT security audit by developing a performance evaluation decision model. The model considers security investments and their relationship to IT audits.

⁎ Corresponding author.
E-mail addresses: hemantha.herath@brocku.ca (H.S.B. Herath), teju.herath@brocku.ca (T.C. Herath).

0167-9236/$ – see front matter © 2013 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.dss.2013.07.010

Our approach is similar to the probabilistic variance analysis model in Bierman et al. [5]. The probabilistic variance analysis model [5] demonstrates the conditions under which a cost variance investigation is warranted in a single period setting. Applying this model to the IT security context, we extend Bierman et al.'s [5] model in several ways. First, from an application point, in order to demonstrate the IT audit decision model, we use an IT security investment setting. Second, we incorporate Bayesian decision theory to investigate the impact of new information regarding a security environment on the decision of whether or not to conduct an IT security audit. Lastly, in consideration that security managers may act in an opportunistic manner, we incorporate agency theory into the IT security audit decision problem to determine the incentive payments for audit managers that would motivate them to carry out an audit. We also discuss the efficiency loss of the agency model where an optimal decision may differ from the baseline model (i.e., without agency issues). Our approach is general and is applicable in a wide range of settings, including cyber security auditing and IT manager performance evaluation.

The paper is organized as follows. In the subsequent section, we review the background literature and discuss the security audit research problem. We then develop a decision model that explicitly considers the cost and benefit tradeoffs associated with a system audit with a view to deciding whether or not an IT audit should be performed. Further, we investigate the impact of new information on the IT audit decision. Recently, the cyber security literature has highlighted agency problems that may arise in the information security context. To address this issue, we apply agency theory to determine the incentive costs pertaining to an IT audit decision and extend the analysis to investigate the efficiency loss of the agency model. Finally, we conclude with a discussion of the model's limitations and avenues for future research.

2. Background literature

2.1. Information system trends and accounting information: internal controls and information security audits

The ability to capture and report financial and accounting information through computerized systems has evolved during the last few decades to the point that the key business processes that capture this information in many companies are entirely automated. Despite the significance of IS and technology to the accounting and financial reporting processes, relatively little is known about their impact on the frequency and types of financial misstatements [12]. Messier et al. [31] found that control problems are more prevalent in computerized environments. Problems arise even from relatively simple technologies such as spreadsheet applications, which are often used by small- and medium-sized businesses for accounting and finance purposes. This extensive dependence on technology may also inadvertently provide sophisticated means and opportunities for employees to perpetrate fraud [29] by rather simple and straightforward means [12].

Altered, incomplete, or inaccurate data, as well as a complete loss of data, have adverse implications for businesses and financial reporting. Internal and external information security threats represent a fundamental risk to a firm's operations as well as to the quality of its financial and non-financial information. IT systems managers are charged with protecting privacy and personally identifying financial information; they are responsible for building access controls capable of protecting the integrity of financial statements and safeguarding intellectual property in a strong and growing regulatory environment against an ever increasing worldwide threat. Automated systems such as general IT and application controls can test input accuracies to ensure the validity of transactions, thereby reducing the likelihood of misstatements [31]. Proper information systems controls can also mitigate the risk of certain frauds [12].

Regulations such as Sarbanes–Oxley require a sophisticated set of internal controls that guide the creation of financial documents and disclosure of financial information in a timely and accurate manner. In March 2004, the US Public Company Accounting Oversight Board (PCAOB) approved PCAOB Auditing Standard No. 2, entitled "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements", contending that IT controls have a pervasive effect on the achievement of many control objectives [26]. In addition to controls such as the segregation of duties, SOX has implications for other IT controls. To achieve these controls, the Securities and Exchange Commission (SEC) has mandated the use of a recognized internal control framework, specifically recommending the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework with regard to compliance with SOX.

General IT and application controls prevent input inaccuracies, which reduces the likelihood of misstatements [31] and mitigates the risk of certain frauds [12]. The COSO framework identifies IT control activities broadly in two categories: (1) application controls designed within the application to prevent/detect unauthorized transactions, and (2) general controls designed for all information systems supporting secure and continuous operation. The framework recommends monitoring activities to evaluate and improve the design, execution, and effectiveness of internal controls. It also recommends periodic separate evaluations such as self-assessments and internal audits that usually result in a formal report on internal controls. An organization may have different types of evaluations, including: internal audits, external audits, regulatory examinations, attack and penetration studies, performance and capacity analyses, IT effectiveness reviews, control assessments, independent security reviews, and project implementation reviews. IT audits can provide assurance that systems are adequately controlled, secure, and functioning as intended [33], and can play an integral role in enterprise risk management [2].

Under Sarbanes–Oxley Section 404, the annual external auditing of company financial records requires the inclusion of an assessment of the adequacy of the internal controls that impact public financial reporting. Management is required to report on the effectiveness of the internal controls and auditors are required to comment on the report. Thus, it is important to emphasize that it requires senior management and business process owners not only to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis. Organizations must ensure that appropriate controls (including IT controls) are in place, in addition to providing their independent auditors with documentation, evidence of functioning controls, and the documented results of the testing procedures. The Auditing Standards Board's (ASB) Statements on Auditing Standards (SAS) No. 109 (effective in 2006) further increases the need for auditors to consider the effectiveness of their clients' internal controls, which in turn increases the need to evaluate automated as well as manual controls. Curtis et al.'s [12] research on the initial SOX Section 404, however, indicates that this goal may not have been achieved in a substantial number of public companies.

The attention to the issue of internal controls and their implications for systems security came about with the emergence of SOX-like mandates (e.g., HIPAA and the Gramm–Leach–Bliley Act, among others) since the regulations make these activities mandatory. To reach auditable compliance with the regulatory requirements, every documented node-to-node interface point where it can be demonstrated that adequate access and security controls are applied increases the probability of a positive audit report. The control issues surrounding compliance with these regulations, however, do not apply only to public companies. Governments at all levels, the nonprofit sector, and closely held companies all face the need to satisfactorily protect the integrity of their confidential information and provide adequate controls on access to data stores [2]. For some nonprofit organizations, the financial risk of litigation resulting from inadequate controls may be far greater than any harm from adverse audit findings.

2.2. Security and audit costs

To put the general and application level IT controls in place requires substantial investments. Security evaluations such as internal audits, external audits, attack and penetration studies, or any other types of assessments also have cost implications for businesses. Gordon and Loeb [17] have argued that the allocation of funds to information security should be similar to or at least based on cost and benefit terms due to the irreversibility of investment costs and the uncertain nature of the outcomes. Security investments are difficult to justify due to difficulties in defining and measuring the full array of benefits. Research is scant, but some of the security investment literature has tried to address this issue [10,17,19,23,24]. Security investments that allow putting various IT controls in place are likely to have an impact on the achievement of positive audit reports. However, due to the evolving nature of information security threats, the effectiveness of these controls needs to be audited regularly. Related questions then arise, such as: When should businesses carry out security evaluations? And what is the relationship between these security investments and evaluation?

In this regard, the cost variance investigation literature in accounting and the emerging literature in cyber security management control design can provide us some insights. After the investments in security technologies are made, the effectiveness of these investments can be studied through the lens of variance investigation. Prior cost variance analysis literature in accounting that has examined whether a cost variance investigation should be undertaken or not is analogous to research into the decision of whether or not to carry out an IT audit. Investigation of cost variances involves the expenditure of effort and funds. The underlying criterion for investigating cost variances invariably is that an investigation should be undertaken if and only if the expected benefits exceed the cost of investigating and correcting the source of the cost variance. Numerous articles have appeared that deal with this management control problem (e.g. [5,14,27]).

Research into the variance investigation problem can be broadly categorized into single versus multi-period models. Kaplan [27] developed a probabilistic model using discrete dynamic programming techniques to determine optimal policies governing when to investigate variances. Demski [14] has classified the sources of cost deviations and developed an algorithm to determine the minimal expected time to discover the source of a variance. Bierman et al. [5] were the first to incorporate the costs and benefits of an investigation into the cost variance investigation decision. They developed the criteria for when to carry out a cost variance investigation. Kaplan [27] provided an excellent survey which summarizes techniques that are potentially useful for assessing the significance of cost variances under these two categories.

More recently, the cyber security literature has also highlighted the agency problems that may arise in the information security context [20]. Gordon et al. [20] discuss that information security managers may have an incentive to request more funding than is justified on an economic basis as it is more risky for them from a career point of view when security breaches occur. An auditing process which allows the measuring of the cost effectiveness of security activities can play an important role in reducing agency problems. In this context, Gordon et al. [20] have developed an analytical model that shows that firms can use an information security audit as part of a management control system designed along with incentive contracts and investment decision rules to discourage a Chief Information Security Officer (agent) from using resources for empire building. To address the above two concerns, we develop an IT security performance evaluation model that can be used to decide when to undertake an IT security audit and what incentive payments are needed to ensure that the manager will perform the audit.

3. System audit decision model

The model developed in this article addresses the basic decision problem of whether or not a firm should conduct an IT system audit. As in Bierman et al. [5], the model considers two measures to decide whether or not to conduct an IT system audit: (1) the amount of the unfavorable loss deviation and (2) the probability of the unfavorable loss deviation resulting from uncontrollable factors.

3.1. The two period security investment problem

Consider a firm planning to make IT security investments in two periods. The firm will initially invest in Period 1 and then, based on the ex-post outcome of the first period decision, it will decide whether or not to invest in Period 2. The investment cost associated with securing information may include the software costs, hardware costs, and a one-time IT labor cost for configuration and system set up. The model assumes that the IT manager can partially control computer equipment and software failures through investment in IT security and the implementation of IT security policies. If the investment is ineffective, it will result in controllable costs or losses.¹ Thus, when undertaking the first investment in IT security, the manager will estimate the expected loss (mean loss) due to IT security breaches from uncontrollable factors, assuming the investment is effective. The expected loss because of uncontrollable factors is set assuming that favorable and unfavorable deviations from the mean are equally likely under practical levels of effectiveness and efficiency. As such, a normal distribution for the losses from uncontrollable factors can be assumed for the upcoming period (Period 2). This normal distribution assumption makes it possible to determine the probability of a loss deviation of any magnitude resulting from uncontrollable factors, which can be used along with the amount of the unfavorable deviation to determine whether or not to conduct an IT security audit. The two-period setup is shown in Fig. 1.

The rationale is that an IT system audit should be conducted if the unfavorable loss deviation due to an IT security breach is significant and the deviation is due primarily to controllable causes. The model compares the cost of conducting an IT security audit, such as a penetration test, against the benefits of cost avoidance in the case of an erroneous decision: for example, making a further investment in IT security when the unfavorable loss deviations due to controllable factors are large (i.e., the original investment was ineffective) and an IT manager is paid an incentive based on planned loss reduction.

The model uses the following notation for the model variables:

t: time subscript (t ∈ {0, 1, 2})
I0: base level of information security investment cost
It: information security investment cost at time t
st: level of information security (expressed as an index, i.e., st = It / I0)
estimated loss with no IT security investment
state i: state of nature (i ∈ {1, 2})
ai: possible acts or decisions (i ∈ {1, 2})
p: probability associated with state 2 (thus the probability associated with state 1 is (1 − p))
C: cost of an IT security audit
opportunity cost associated with not conducting an IT security audit
deviation in losses due to a breach in period t
LPt: planned loss in $ in period t
LAt: actual losses in $ in period t
variance of the loss distribution in period t
CIDS: cost of configuring an IDS (excluding investment costs)
vt: probability of a security breach
benefit (or income) to the firm regardless of the state of nature

¹ The notion of controllable events/costs and uncontrollable events/costs for evaluating a manager's performance is standard in the management control literature in accounting. Uncontrollable costs tell nothing about a manager's decisions and actions because, by definition, nothing a manager does affects such costs.

[Fig. 1 is a decision tree with columns Cost, Benefit and Net Benefit. At t = 1 the firm either conducts an IT audit (cost C) or does nothing; each branch splits into unfavorable deviations from controllable causes (state 1, probability 1 − p) and unfavorable deviations from uncontrollable causes (state 2, probability p). Timeline: t = 0, t = 1, t = 2.]

Period 0: Firm makes an investment I1 to reduce the probability of a security breach from v0 to v1.
Period 1: Can either choose to conduct an IT security audit or not before the IT security investment decision I2.

Fig. 1. Two period setup.

The decision regarding whether to conduct an IT security audit is modeled in the following scenario. At the beginning of the period (i.e., t = 0), the IT security manager is asked to identify what amount of loss would be expected, in the event of a breach, due to uncontrollable factors. For example, the IT security manager believes that making an IT security investment I1 is likely to reduce the breach probability and result in a planned loss LPt due to the reduction in breach probability. Thus, the expected losses in Period 1 would be given by E(loss) = LP1. In order to identify the amount of the unfavorable deviation (Actual Losses − Planned Losses) from the planned loss of LP1 due to uncontrollable factors, we need an estimate of the Period 1 standard deviation to specify the loss distribution at the time of undertaking the IT security investment I1.

The standard deviation of the loss distribution can be estimated by the following subjective procedure for a normal distribution [5]. We could ask the IT security manager to come up with a 50:50 odds bet on what range the Period 1 loss would likely fall into due to uncontrollable (random) causes, say $10,000. Assuming a normal distribution for the $ losses, since one half of the area under a normal curve lies within 0.67 standard deviations of the mean, the standard deviation can be computed as (3/2) × $10,000, and thus the Period 1 standard deviation is $15,000. Now, the firm can decide whether or not to do a cyber audit based on the audit performance evaluation model shown in Fig. 2. The critical region of whether or not to conduct a cyber audit can be derived as the optimal act of minimizing the expected costs. Thus, we define the following two acts as a1: Do an IT security audit and a2: Do nothing. We define the two states of nature as state 1: Unfavourable deviation resulted from controllable causes, and state 2: Unfavourable deviation resulted from uncontrollable causes.

Suppose there is an unfavorable deviation in Period 1 (actual losses are greater than the planned losses); then the decision whether or not to do a cyber audit to investigate the causes will depend on the probabilities of the above two states of nature. If the true state is state 1, then the unfavorable deviation was caused by factors within the control of the IT security manager, such as not configuring the system properly despite making an investment to do so and not implementing the security policies of the firm to minimize the computer equipment and software failures. Then conducting an IT security audit is worthwhile because the firm can benefit from future cost savings. More specifically, the firm will not invest in Period 2 and will not incur Period 2 IDS configuration costs. Thus, the firm will incur an opportunity cost due to not conducting an IT security audit given by I2 + CIDS, which can reasonably be assumed to be greater than the cost of an IT security audit C (i.e., the opportunity cost exceeds C). The cost of an

Fig. 2. State-Act-Conditional costs.

States                                                   Acts                                              Probability
                                                         a1: Do an IT security audit   a2: Do nothing
State 1: Unfavorable deviations resulting from           C                             opportunity cost     1 − p
         controllable causes                                                           of not auditing
State 2: Unfavorable deviations resulting from           C                             0                    p
         uncontrollable causes



IT security audit will be incurred if an audit is performed but not otherwise. If the true state is state 2, where the unfavorable deviation is due to factors beyond the control of the IT security manager, then conducting a security audit is not worthwhile and the cost incurred is zero. The State-Act-Conditional Payoff table for the decision problem is shown in Fig. 2.

Given an unfavorable deviation, the probability that the deviation resulted from uncontrollable factors (state 2) is p and the probability associated with state 1 is (1 − p). Note that p and (1 − p) are the conditional probabilities of the two states given that an unfavorable variance has occurred. We can now compute the expected cost of an investigation as

$$E[\text{Cost of Audit}] = Cp + C(1 - p) = C \qquad (1)$$

The expected cost of not conducting an IT security audit is

$$E[\text{Do nothing}] = (1 - p)\,(\text{opportunity cost of not auditing}) \qquad (2)$$

If C < (1 − p) × opportunity cost, the firm should conduct the IT security audit, and if C > (1 − p) × opportunity cost, the firm should not conduct an IT security audit. Notice that (1 − p) × opportunity cost is analogous to the expected future cost savings. By equating the expected cost of the two acts (i.e., C = (1 − p) × opportunity cost) and solving for the probability, one can find the critical probability pc which separates the decision space into when it is worthwhile to conduct an IT security audit, given as

$$p_c = \frac{\text{opportunity cost} - C}{\text{opportunity cost}} \qquad (3)$$

By substituting opportunity cost = I2 + CIDS in Eq. (3), we obtain the following expression for the critical probability in terms of IT security variables

$$p_c = \frac{I_2 + C_{IDS} - C}{I_2 + C_{IDS}} \qquad (4)$$

If the probability is p < pc (critical probability), then C < (1 − p) × opportunity cost and an IT security audit is warranted; however, if the probability is p > pc (critical probability), then C > (1 − p) × opportunity cost and a security audit is not warranted. In the model given in Eq. (4), the firm's management must estimate the various cost parameters that make up the opportunity cost. For simplicity, we assume that the cost of conducting the IT security audit is a fixed amount.

The configuration costs CIDS of an intrusion detection system will vary with different levels of investment It. The approach for determining the configuration cost CIDS follows the receiver operating characteristic (ROC) approach outlined by Cavusoglu and Raghunathan [11], Ulvila and Gaffney [36], and Herath and Herath [23]. The expected cost of an intrusion detection system configuration as a function of the quality parameters of a detection system, vis-à-vis the probability of detection and the probability of false positive, is elegantly explained in Cavusoglu and Raghunathan [11].

3.2. Determining the separation curve

The firm can now determine the separation curve that indicates the region of whether or not to conduct an IT security audit. It has to estimate the cost of conducting the IT security audit C and, assuming C remains constant, it can further estimate the cost that can be avoided if an IT security audit is conducted by using the expression opportunity cost = I2 + CIDS. For a fixed C and assuming the opportunity cost I2 + CIDS is a linear function of the unfavorable deviations, the following separation curve can be plotted (see Fig. 3) by equating the unfavorable deviation to I2 + CIDS and computing pc = (I2 + CIDS − C) / (I2 + CIDS) for different levels of security investments and configurations. Notice that the equivalence of the opportunity cost and the unfavorable deviation is used only for the purpose of plotting the separation curve. The conditional probability shown in Fig. 3 is conditional on an unfavorable loss deviation having occurred. Also, both the probability and the size of an unfavorable loss deviation are used in deciding whether or not to audit.

Suppose we model the breach risk as a decay function; then, at a given security spending level st, the probability of a breach occurring is vt = Pr(breach | st) = exp(−(adjustment parameter) × st), where the adjustment parameter represents an expert's subjective assessment of the effectiveness of the system. More specifically, after making the investment I1 (i.e., s1 = I1 / I0), the firm can compute the probability of a breach as v1 = Pr(breach | s1) = exp(−(adjustment parameter) × s1). If the loss without any investment (s0 = 0, and thus v0 = Pr(breach | s0) = exp(0) = 1) is estimated as the loss with no IT security investment, then the mean of the expected loss distribution is given by LP1 = v1 × (estimated loss with no IT security investment). Accordingly, it is assumed that the investment reduces the probability of a breach and in turn the magnitude of the loss.

If the manager's subjectively assessed standard deviation is used under the normal distribution assumption, then the loss distribution is given by N(LP1, variance). If the actual loss is LA1, we can compute the unfavorable loss deviation as LA1 − LP1. Define the event in which the loss deviation is of this amount or more. Using the normal distribution, the unfavorable loss deviation lies (LA1 − LP1) / standard deviation standard deviations from the mean. The probability of an unfavorable loss deviation of this scale or larger can be determined from the normal distribution tables, as p̂.

In Fig. 3, the scale of the y-axis is from 0 to 1, which is the conditional probability of an unfavorable deviation resulting from uncontrollable factors. Define the event B as the event in which an unfavorable loss deviation has already occurred. From the normal distribution N(LP1, variance), we know that P(B) = 0.5, since this is the total area under the normal curve where the actual loss deviation is greater than the expected loss deviation (mean); otherwise the deviation is favorable. Therefore, the required conditional probability that the unfavorable loss deviation of this amount or more results from uncontrollable factors can be computed as P(deviation of this amount or more | B) = p̂ / 0.5. When the un-scaled probability p̂ is from 0 to 0.5, the computed conditional probability, which is scaled from 0 to 1, is the applicable probability and can be used with the separation curve in Fig. 3.

Once the combination of the conditional probability of an unfavorable deviation resulting from uncontrollable factors and the amount of the unfavorable deviation is available, we can see in which region of Fig. 3 the point with the combination (unfavorable deviation, conditional probability) falls. If it is in the Perform IT Security Audit region, only then is it worth conducting the audit. Notice that both the unfavorable loss deviation as well as the probability are due to uncontrollable factors.

[Fig. 3: "IT Security Audit Decision Chart". x-axis: Amount of Unfavorable Deviation from Planned Loss, 0 to 120,000. y-axis: Conditional Probability of Unfavorable Deviation Resulting from Uncontrollable Factors, 0 to 1. The separation curve divides the region "No IT Security Audit" (above the curve) from "Perform IT Security Audit" (below the curve).]

Fig. 3. Plot of critical probabilities and unfavorable deviations.
H.S.B. Herath, T.C. Herath / Decision Support Systems 57 (2014) 5463 59

4. The impact of new information

Suppose more information is gained about the states from an external information source (an expert). The expert predicts that when the state is $\theta_1$ (deviations resulted from controllable causes), there is the possibility of a favorable security environment (G) with a probability $p_1$ and an unfavorable security environment (B) with a probability $1 - p_1$. Similarly, for the state $\theta_2$ (deviations resulting from uncontrollable causes), there is the possibility of a favorable security environment (G) with a probability $p_2$ and an unfavorable security environment (B) with a probability $1 - p_2$. The additional information, which may affect the decision whether or not to conduct a security audit, should be combined with the prior information about the states. This can be done using the Bayesian formula to obtain the posterior probabilities as given in Table 1.

In order to determine the critical region after incorporating the new information, one needs to determine the Bayesian strategies. The idea is to solve the decision problem twice, once for the favorable security environment condition (G) and then for the unfavorable security condition (B). We illustrate the Bayesian strategies and the derivation of the resulting critical probability $p_c^G$ for the favorable security environment (G) below in Fig. 4.

As before with the no new information case, we can compute the expected cost of an investigation conditional on the security environment being favorable (G) using the posterior probabilities as

$$EV(a_1 \mid G) = C. \quad (5)$$

The expected cost of not conducting an IT security audit conditional on the security environment being favorable (G) is

$$EV(a_2 \mid G) = \frac{p_2 (1 - p)\,\Delta}{p_1 p + p_2 (1 - p)}. \quad (6)$$

If $C < \frac{p_2 (1 - p)\Delta}{p_1 p + p_2 (1 - p)}$, the firm should conduct the IT security audit, and if $C > \frac{p_2 (1 - p)\Delta}{p_1 p + p_2 (1 - p)}$, the firm should not conduct an IT security audit. By equating the expected cost of the two acts (i.e., $C = \frac{p_2 (1 - p)\Delta}{p_1 p + p_2 (1 - p)}$) and solving for the probability, one can find the critical probability $p_c^G$ for the favorable security environment (G) as

$$p_c^G = \frac{p_2 (\Delta - C)}{C (p_1 - p_2) + p_2 \Delta}. \quad (7)$$

Similarly, we can find the critical probability $p_c^B$ for the unfavorable security environment (B) as

$$p_c^B = \frac{(1 - p_2)(\Delta - C)}{(1 - p_2)\Delta - C (p_1 - p_2)}. \quad (8)$$

In Fig. 5, we show the plot of the security audit/no security audit region without (base case) and with additional information (favorable/unfavorable security environment, assuming $p_1 = 0.8$ and $p_2 = 0.4$). As expected, additional information about the prior states has an influence on the security audit/no security audit region. If the security environment is favorable, then the "Perform IT security audit" region is smaller. Alternatively, if the security environment is unfavorable, then the "No IT security audit" region reduces, which increases the "Perform IT security audit" region.

Table 1
Posterior probabilities.

| State | G | B |
|---|---|---|
| $\theta_1$ | $\dfrac{p_2 (1 - p)}{p_1 p + p_2 (1 - p)}$ | $\dfrac{(1 - p_2)(1 - p)}{(1 - p_1) p + (1 - p_2)(1 - p)}$ |
| $\theta_2$ | $\dfrac{p_1 p}{p_1 p + p_2 (1 - p)}$ | $\dfrac{(1 - p_1) p}{(1 - p_1) p + (1 - p_2)(1 - p)}$ |

5. Incorporating incentive costs

Agency problems in a cyber-security context arise between principals (the owner or a Chief Executive Officer (CEO) who empowers cyber-security managers to make decisions) and agents (IT security managers who are in charge of the information security of firms) [20]. These agents operate as internal auditors who may have incentives and opportunity that influence their evaluations. Previous research shows that opportunities to receive incentive compensation result in less reliance by external auditors on internal auditors' work where tasks are subjective [15]. Their study finds that if the tasks are objective, such as a test of internal controls, incentive compensation is effective in mitigating excess consumption of leisure and perquisites.

In line with the agency theory literature, we assume that the principal (owner or CEO) is risk-neutral (seeks to maximize expected cash flows) and the agent (IT manager) is risk averse (has a disutility for acts or effort). The agent's utility function for a net benefit (or cash flow) $w$ and effort $a$ is given by $U(w, a) = F(w) - G(a)$. A reservation utility denoted by $\bar U$ is required to make the offer attractive to the agent. Both the agent and the principal assess identical state probabilities $\pi(\theta)$. The total net benefit under the state $\theta$ and the act $a \in A$ is denoted by $x = f(\theta, a)$. The agent and the principal are assumed to jointly observe only the net benefit (or cash flow). The payment to the agent if $x = f(\theta, a)$ is observed is given by $w = w(x)$. Therefore, if a net benefit (or cash flow) $x$ is observed, the agent receives $w(x)$ and the principal receives $x - w(x)$. The principal's problem is given by:

$$\max_{a \in A,\; w(\cdot) \ge \underline{w}} \;\sum_{\theta} \pi(\theta)\,\bigl[f(\theta, a) - w(f(\theta, a))\bigr] \quad (9)$$

$$\text{Subject to:}\quad \sum_{\theta} \pi(\theta)\, F\bigl(w(f(\theta, a))\bigr) - G(a) \ge \bar U \quad (10)$$

$$a \in \arg\max_{a' \in A} \;\sum_{\theta} \pi(\theta)\, F\bigl(w(f(\theta, a'))\bigr) - G(a') \quad (11)$$

where $\underline{w}$ is the minimum feasible payment. The above model ensures a self-enforcing effort supply and a payment schedule that maximizes the principal's expected utility. We next develop the principal-agent model specific to the IT security audit setting.

In the model, $\Pi$ is defined as the benefit (or income) to the firm regardless of whether state $\theta_1$ or $\theta_2$ occurs. Notice that the uncertainty pertains to the unfavorable deviations (planned vs. actual losses from a security breach) resulting from controllable and uncontrollable causes and not from uncertainty that affects the benefit (or income) $\Pi$.² Suppose the agent's effort levels pertaining to the two acts $a_1$ and $a_2$ are respectively $e_1$ and $e_2$. The outcomes (net benefit or cash flow) conditional on the act and the state, $x = f(\theta, a)$, and the effort levels are given in Fig. 6.

Suppose we define the following decision variables: let $w_1$ be the agent's payment if outcome $\Pi - C$ is observed; let $w_2$ be the agent's payment if outcome $\Pi - \Delta$ is observed; and let $w_3$ be the agent's payment if outcome $\Pi$ is observed. To keep the model simple, we assume a square root utility function for the agent. Therefore, the agent's utility for the net benefit (or cash flow) $w$ and effort $a = e$ is $U(w, e) = F(w) - G(e) = \sqrt{w} - e^2$. Since both parties only observe the outcome, if effort $a_1 = e_1$ is supplied, we have the following model:

$$\max_{w_1, w_2, w_3 \ge 0} \;\bigl\{(1 - p)(\Pi - C - w_1) + p(\Pi - C - w_1)\bigr\} \quad (12)$$

$$\text{Subject to:}\quad (1 - p)\sqrt{w_1} + p\sqrt{w_1} - e_1^2 \ge \bar U \quad (13)$$

² The uncertainty pertaining to $\Pi$ (for example, uncertainty due to product demand increased $u$ and decreased $d$) can be incorporated. In this case, the state space will consist of all the possible combinations of uncertain states due to both the demand and deviations (i.e., there will be four states $u\theta_1$, $d\theta_1$, $u\theta_2$ and $d\theta_2$).
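The decision rule of Section 3.2 (conditional probability of an uncontrollable cause versus the separation curve) and its Bayesian extension in Section 4 (critical probabilities (7) and (8) after an expert signal) can be run end to end on a computer. The following Python block is an added example, not code from the paper; it uses the paper's own inputs from the Section 5.1 example and Fig. 5 ($p_1 = 0.8$, $p_2 = 0.4$). Assumptions not stated on the page: $s_1 = I_1 / I_0$ (which reproduces the paper's $s_1 = 2.5$), $v_1$ is rounded to two decimals as the paper does, and the normal tail is computed with `math.erfc` instead of tables, so the probabilities differ from the paper's rounded values in the third decimal.

```python
# Added example (not part of the paper): the IT security audit decision of
# Sections 3.2 and 4, evaluated on the paper's numbers from Section 5.1.
# Assumptions: s1 = I1/I0, v1 rounded to two decimals, p denotes P(theta2 | B).
import math


def normal_upper_tail(z: float) -> float:
    """P(Z >= z) for a standard normal Z; replaces the normal distribution tables."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def planned_loss(loss_no_investment: float, i0: float, i1: float,
                 alpha: float, v1_decimals: int = 2) -> float:
    """LP1 = v1 * (expected loss without investment), with v1 = exp(-alpha * s1)."""
    s1 = i1 / i0                                     # assumption: s1 is I1 relative to I0
    v1 = round(math.exp(-alpha * s1), v1_decimals)   # the paper rounds v1 to 0.10
    return v1 * loss_no_investment


def prob_uncontrollable(actual_loss: float, planned: float, sigma: float):
    """Return (delta1, P(theta2 | B)): the unfavorable deviation and the conditional
    probability that it is due to uncontrollable (random) factors. Dividing by
    P(B) = 0.5 rescales the one-sided tail onto the 0..1 axis of Fig. 3."""
    delta1 = actual_loss - planned
    if delta1 <= 0:
        raise ValueError("deviation is favorable; the audit question does not arise")
    p_hat = normal_upper_tail(delta1 / sigma)        # tail beyond delta1/sigma std devs
    return delta1, p_hat / 0.5


def critical_probability(avoidable: float, audit_cost: float) -> float:
    """Base case: p_c = (I2 + C_IDS - C) / (I2 + C_IDS), with avoidable = I2 + C_IDS."""
    return (avoidable - audit_cost) / avoidable


def critical_probability_G(avoidable: float, audit_cost: float, p1: float, p2: float) -> float:
    """Eq. (7): critical probability after the expert signals a favorable environment."""
    return p2 * (avoidable - audit_cost) / (audit_cost * (p1 - p2) + p2 * avoidable)


def critical_probability_B(avoidable: float, audit_cost: float, p1: float, p2: float) -> float:
    """Eq. (8): critical probability after the expert signals an unfavorable environment."""
    return (1 - p2) * (avoidable - audit_cost) / ((1 - p2) * avoidable - audit_cost * (p1 - p2))


def perform_audit(p: float, p_c: float) -> bool:
    """Audit only when the point (delta1, p) lies below the separation curve."""
    return p < p_c


def decide(loss_no_investment, i0, i1, alpha, sigma, actual_loss,
           avoidable, audit_cost, p1=None, p2=None) -> dict:
    """Base-case decision, plus the G and B decisions when expert likelihoods are given."""
    lp1 = planned_loss(loss_no_investment, i0, i1, alpha)
    delta1, p = prob_uncontrollable(actual_loss, lp1, sigma)
    out = {"planned_loss": lp1, "delta1": delta1, "p": p,
           "p_c": critical_probability(avoidable, audit_cost)}
    out["audit"] = perform_audit(p, out["p_c"])
    if p1 is not None and p2 is not None:
        out["p_c_G"] = critical_probability_G(avoidable, audit_cost, p1, p2)
        out["p_c_B"] = critical_probability_B(avoidable, audit_cost, p1, p2)
        out["audit_if_G"] = perform_audit(p, out["p_c_G"])
        out["audit_if_B"] = perform_audit(p, out["p_c_B"])
    return out


# Constructed inputs, taken from the paper's Section 5.1 example and Fig. 5.
PAPER_CASE = dict(loss_no_investment=75_000, i0=10_000, i1=25_000, alpha=0.925,
                  sigma=200_000, actual_loss=72_500, avoidable=65_000,
                  audit_cost=10_000, p1=0.8, p2=0.4)

if __name__ == "__main__":
    for key, value in decide(**PAPER_CASE).items():
        print(f"{key:>12}: {value:.4f}" if isinstance(value, float) else f"{key:>12}: {value}")
```

With the paper's inputs the base case gives $p \approx 0.745$ against $p_c \approx 0.846$, so the audit is performed. A favorable expert signal lowers the critical probability to $p_c^G \approx 0.733$ and reverses that decision, while an unfavorable signal raises it to $p_c^B \approx 0.943$; this is the shift of the audit region described for Fig. 5.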
Fig. 4. State-Act-Conditional cost for security environment condition (G).

| States | $a_1$: Do an IT security audit | $a_2$: Do nothing | Probability |
|---|---|---|---|
| $\theta_1$: Unfavorable deviations resulting from controllable causes | $C$ | $\Delta$ | $P(\theta_1 \mid G)$ (Table 1) |
| $\theta_2$: Unfavorable deviations resulting from uncontrollable causes | $C$ | 0 | $P(\theta_2 \mid G)$ (Table 1) |

$$(1 - p)\sqrt{w_1} + p\sqrt{w_1} - e_1^2 \ge (1 - p)\sqrt{w_2} + p\sqrt{w_3} - e_2^2. \quad (14)$$

If effort level $a_2 = e_2$ is supplied, then we solve the following model:

$$\max_{w_1, w_2, w_3 \ge 0} \;\bigl\{(1 - p)(\Pi - \Delta - w_2) + p(\Pi - w_3)\bigr\} \quad (15)$$

$$\text{Subject to:}\quad (1 - p)\sqrt{w_2} + p\sqrt{w_3} - e_2^2 \ge \bar U \quad (16)$$

$$(1 - p)\sqrt{w_2} + p\sqrt{w_3} - e_2^2 \ge (1 - p)\sqrt{w_1} + p\sqrt{w_1} - e_1^2. \quad (17)$$

In the above two models, the first constraint is the individual rationality constraint, which ensures that the incentive arrangement is attractive to the agent. The second constraint is the incentive compatibility constraint, which ensures the self-enforcing property. In a situation where there is new information about the uncertain states, the above agency models can be directly applied if the combination $(\delta_1, P(\theta_2 \mid B))$ falls in the shifted "Perform IT security audit" region as a result of the resolution of uncertainty. If an audit is required, then the incentive payment which ensures that the agent will perform the audit can be determined using the agency model.

Fig. 5. Plot of critical probabilities and unfavorable deviations with additional information. [Chart "IT Security Audit Decision Chart with Additional Information": x-axis "Amount of Unfavorable Deviation from Planned Loss" (0 to 120,000); y-axis "Conditional Probability of Unfavorable Deviation Resulting from Uncontrollable Factors" (0 to 1); "No IT Security Audit" region above the curves and "Perform IT Security Audit" region below; series: Base Case (No Information), Favourable Security Environment (G), Unfavourable Security Environment (B).]

5.1. Numerical example

In order to illustrate the model, we use the following example. Suppose the firm estimates the expected loss without any investment to be $75,000, the base level investment $I_0$ = $10,000, the period 1 investment $I_1$ = $25,000, an adjustment parameter of 0.925, and the cost to conduct an IT security audit to be $10,000. The probability of a breach, and hence the expected loss, can be computed as $v_1 = e^{-0.925\, s_1} = e^{-0.925 \times 2.5} = 0.10$ and $LP_1 = v_1 \times \$75{,}000$ = $7,500. Suppose the managers' subjectively assessed standard deviation is $\sigma$ = $200,000; then the loss distribution due to uncontrollable factors is given by $N(7500, 200000^2)$. If the actual loss at the beginning of period 2 is found to be $LA_1$ = $72,500, then the unfavorable loss deviation is $\delta_1 = LA_1 - LP_1$ = $65,000. The probability of an unfavorable loss deviation of $65,000 or more is calculated as $65{,}000 / 200{,}000 = 0.325$ standard deviations from the mean. From the normal probability tables, the probability of 0.325 standard deviations or more is found to be 0.375. Thus, the required conditional probability is $P(\theta_2 \mid B) = 0.75$. In the baseline model without any agency issues, the point $(\delta_1, P(\theta_2 \mid B))$ falls in the "Perform IT Security Audit" region as $p_c$ (0.85) > $p$ (0.75).

Suppose that the jointly observed benefit (or cash flow) to the firm is $\Pi$ = $80,000, and the agent's reservation utility is $\bar U = 100$. The agent has two options: either conduct an IT security audit (act $a_1$ at cost of productive effort $e_1 = 5$) or do nothing (act $a_2$ at cost of productive effort $e_2 = 0$). Without the ability to observe the agent's choice of $a \in A$ and without a completely trustworthy agent, the principal must offer an acceptable contract that ensures the agent will supply the desired effort (i.e., $a_1$).

Next we define the following: let $w_1$ be the agent's payment if outcome $\Pi - C$ = $70,000 is observed; let $w_2$ be the agent's payment if outcome $\Pi - \Delta$ = $15,000 is observed; and let $w_3$ be the agent's payment if outcome $\Pi$ = $80,000 is observed. We use the Microsoft Excel Solver tool to solve the agency models. If we consider the scheme to supply effort $e_1 = 5$, the optimal solution is found as $w_1$ = $15,625, $w_2 = 0$, and $w_3 = 0$, and the principal's expected benefit (or cash flow) is $54,375. Similarly, for the scheme to supply effort $e_2 = 0$, the optimal solution is found as $w_1 = 0$, $w_2$ = $10,000, and $w_3$ = $10,000, and the principal's expected benefit (or cash flow) is $53,750. The agent's expected utility in both situations is $E(U) = 100$. In the above example, it turns out that the agent is indifferent regarding supplying either effort $e_1$ or $e_2$. When faced with multiple optima, we assume that the agent will settle for the act most desirable to the principal. That is, act $a_1$ at cost of productive effort $e_1 = 5$, since the expected value to the principal is $54,375 > $53,750. The agent would receive $15,625 to conduct an IT security audit if the net benefit (or cash flow) is $70,000. Through conducting the IT security audit at an incentive cost of $15,625, the firm avoids an opportunity cost of $65,000 that pertains to the second period investment and configuration cost.
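The two contract models (12)-(14) and (15)-(17) are solved in the paper with Excel Solver. The Python block below is an added example, not the paper's own code, that solves them in closed form and then repeats the sensitivity analysis of Section 5.2 (varying the audit effort $e_1$ and the reservation utility $\bar U$). It relies on the paper's square-root utility $F(w) = \sqrt{w}$, $G(e) = e^2$ and on the outcome structure of Fig. 6: with a concave $F$ and zero payments on the outcomes of the non-induced act, the individual rationality constraint binds and the incentive compatibility constraint is slack, so each paid outcome receives $(\bar U + e^2)^2$; the block verifies both constraints numerically rather than assuming them. The tie rule (the principal's preferred act wins when the agent is indifferent) follows the paper; the names `AuditSetting`, `contract`, `optimal_act` and the sweep helpers are mine.

```python
# Added example (not part of the paper): incentive contract of Section 5.1 and the
# effort / reservation-utility sensitivity of Section 5.2, in closed form.
# Assumptions: F(w) = sqrt(w), G(e) = e^2, p = P(theta2 | B), outcomes Pi - C (audit),
# Pi - Delta (no audit, controllable cause) and Pi (no audit, uncontrollable cause).
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AuditSetting:
    benefit: float      # Pi, benefit (or income) to the firm
    audit_cost: float   # C
    avoidable: float    # Delta = I2 + C_IDS, lost when there is no audit and the cause is controllable
    p: float            # P(theta2 | B): probability that the cause is uncontrollable
    reservation: float  # agent's reservation utility (U-bar)
    e_audit: float      # e1, effort of act a1
    e_none: float       # e2, effort of act a2


def agent_utility(payments, probs, effort) -> float:
    """Expected agent utility sum_i probs_i * sqrt(w_i) - e^2 over outcomes (Pi-C, Pi-Delta, Pi)."""
    return sum(q * w ** 0.5 for q, w in zip(probs, payments)) - effort ** 2


def contract(s: AuditSetting, induce_audit: bool):
    """Optimal payments (w1, w2, w3) and the principal's expected payoff for the scheme
    that induces the audit (model 12-14) or no audit (model 15-17)."""
    probs_a1 = (1.0, 0.0, 0.0)              # act a1 always yields outcome Pi - C
    probs_a2 = (0.0, 1 - s.p, s.p)          # act a2 yields Pi - Delta or Pi
    if induce_audit:
        w = ((s.reservation + s.e_audit ** 2) ** 2, 0.0, 0.0)
        payoff = s.benefit - s.audit_cost - w[0]
        ir, ic_other = agent_utility(w, probs_a1, s.e_audit), agent_utility(w, probs_a2, s.e_none)
    else:
        w23 = (s.reservation + s.e_none ** 2) ** 2
        w = (0.0, w23, w23)
        payoff = (1 - s.p) * (s.benefit - s.avoidable - w23) + s.p * (s.benefit - w23)
        ir, ic_other = agent_utility(w, probs_a2, s.e_none), agent_utility(w, probs_a1, s.e_audit)
    # Check individual rationality (13)/(16) and incentive compatibility (14)/(17).
    if ir < s.reservation - 1e-9 or ir < ic_other - 1e-9:
        raise ValueError("closed-form contract violates the agent's constraints")
    return w, payoff


def optimal_act(s: AuditSetting) -> str:
    """Principal's choice between the two schemes; ties go to the audit (assumption)."""
    _, pay_audit = contract(s, True)
    _, pay_none = contract(s, False)
    return "audit" if pay_audit >= pay_none else "no audit"


def sweep_effort(s: AuditSetting, efforts):
    """Fig. 7: optimal act as the audit effort e1 varies."""
    return [(e, optimal_act(replace(s, e_audit=e))) for e in efforts]


def sweep_reservation(s: AuditSetting, levels):
    """Fig. 8: optimal act as the reservation utility varies, with e1 held fixed."""
    return [(u, optimal_act(replace(s, reservation=u))) for u in levels]


# Constructed from the paper's Section 5.1 example.
PAPER = AuditSetting(benefit=80_000, audit_cost=10_000, avoidable=65_000, p=0.75,
                     reservation=100, e_audit=5, e_none=0)

if __name__ == "__main__":
    print("audit scheme   :", contract(PAPER, True))
    print("no-audit scheme:", contract(PAPER, False))
    print("optimal act    :", optimal_act(PAPER))
    print("effort sweep   :", sweep_effort(PAPER, [3, 5, 7, 9, 11]))
    print("U-bar sweep    :", sweep_reservation(PAPER, [70, 90, 110, 130, 150]))
```

The block reproduces the paper's solver results ($w_1$ = $15,625 with payoff $54,375 for the audit scheme; $w_2 = w_3$ = $10,000 with payoff $53,750 for the no-audit scheme). The sweeps show the hysteresis of Section 5.2: the audit stops being optimal once $e_1$ exceeds 5 (at $e_1 = 7$ the audit payoff falls to $47,799) and, at $e_1 = 5$, once $\bar U$ rises past about 112, since the audit payoff $70{,}000 - (\bar U + 25)^2$ then drops below the no-audit payoff $63{,}750 - \bar U^2$.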
Fig. 6. Net benefits (or cash flow) and effort levels.

5.2. Efficiency loss of the moral hazard

In this subsection, we further compare the baseline case with no moral hazard with that of the agency model. Interestingly, in the above example, both the baseline model and the incentive contract which maximized the principal's payoff resulted in a recommendation that an IT security audit be conducted (act $a_1$). In order to investigate whether the baseline case and the incentive model solution result in different outcomes, we performed sensitivity analyses of the effort level and the reservation utility. The efficiency loss of the moral hazard when the effort level is varied and when the reservation utility is varied (with the effort level held constant at $e_1 = 5$) is shown below in Figs. 7 and 8, respectively. In Fig. 7, when the effort level is increased above 5 units, the optimal act under the incentive contract is act $a_2$, do not perform an IT security audit. Similarly, in Fig. 8, for a constant effort level $e_1 = 5$, when the reservation utility is above 110, the optimal act under the incentive contract is act $a_2$, do not perform an IT security audit, contrary to what the baseline model suggests. This example provides an interesting case of hysteresis in the agency model as applied to an IT security audit situation.

Although the agency model provides a useful framework for mitigating motivational problems pertaining to cyber-security, the above example highlights its limitations. The principal-agent model's emphasis is on internal consistency and optimality. As such, it takes a restricted view of the environment in which an organization operates [3]. In practice, however, knowing these limitations is important since, contrary to the "no audit" optimal decision, conducting an IT security audit may have benefits that are not considered in the model setup. For example, conducting an IT security audit has the potential to reduce cyber insurance premiums [35], demonstrate due care and due diligence for the organization, and minimize the likelihood of litigation, as well as highlight any IT control weaknesses, thereby enhancing IT governance.

Fig. 7. Efficiency loss of moral hazard as a function of effort. [Chart: y-axis "Principal's Expected Payoff ($)" from 0 to 70,000; x-axis "Effort Level (e1)-Audit" from 3 to 11; series: Audit, No Audit.]

6. Conclusion, limitations, and future research avenues

Although the current regulatory environment tries to advocate a controlled environment, it is not imperative for all businesses. Given the budgetary constraints organizations face, non-mandatory security initiatives such as security audits are often overlooked. Motivated by the above, in this paper we develop a performance evaluation decision model that allows firms to decide whether it is worthwhile conducting an IT security audit.

The model developed in this paper makes contributions both to theory and practice. We draw upon the literature in investments in security technologies and cost variance investigation, as well as agency theory. Our model extends Bierman et al.'s [5] cost variance analysis by incorporating a two period IT security investment setting. The model is applicable in a wide range of situations but is especially useful for small firms where SOX requirements do not apply, since firms can compare the amount of the unfavorable loss deviation and the probability that the unfavorable loss deviation resulted from uncontrollable factors as a basis for conducting the audit. If the deviations are small and the probability that they are from uncontrollable factors is large, then it is not worth conducting the IT security audit to assess the performance of the IT security manager. We also discuss a case in which an expert opinion is sought regarding the need for more information about the uncertain states. Thus, our model also incorporates the impact of having additional information. More specifically, using Bayesian decision theory, the model allows us to investigate the impact of new information on the IT audit decision. We show that the security audit/no security audit region area shifts depending on the addition of new information.

Regarding agency issues, the model also permits the determination of incentive payments for managers that can motivate them to carry out an audit. Our approach is general and is applicable in a wide range of settings including cyber security auditing and IT manager performance evaluation. The agency model pertaining to the audit decision model allows the determination of the optimal incentive costs that guarantee goal congruence. We also discuss the efficiency loss of the moral hazard, where the optimal decision of the agency model results in a different outcome from what the baseline model suggests. These
Fig. 8. Efficiency loss of moral hazard as a function of reservation utility. [Chart: y-axis "Principal's Expected Payoff ($)" from 35,000 to 65,000; x-axis "Reservation Utility (e1=5)" from 70 to 150; series: Audit, No Audit.]

findings provide useful information for designing managerial incentives in an IT security context.

There are several limitations of the model which provide avenues for further research. First, the loss deviations or the unfavorable variance that is investigated in this paper pertains to a single observation. If the losses occur in several sub-periods and a sequence of observations is available, then a multi-period approach may be more appropriate, which may be determined through future research. The second limitation pertains to the estimation of the parameters of the model, which includes the state probabilities, the opportunity costs associated with future savings, and the cost of manager effort pertaining to conducting an IT security audit. Although these limitations are common in many analytical models, the advantage of the IT security audit model with the agency extension is that it provides a clear criterion based on two parameters, the magnitude of the loss deviation and the probability of losses due to random factors. The model addresses an important management control issue in IT security.

The model considers agency issues commonly observed in in-house audit situations. However, the outsourcing of IT security audits is a common practice today [34], which may result in other issues. While outsourcing an internal audit can provide many advantages such as greater cost savings and improved quality, it can also result in disadvantages such as the lack of loyalty and business knowledge and the loss of a valuable training ground [4,6]. Firms offering outsourced audit services benefit from economies of scale, while audits done internally can provide benefits due to familiarity with the firm's operations and procedures [8]. In settings where the activities to be controlled are technically specific and complex [1] or in industries that face substantial regulatory scrutiny [9], the employment of in-house internal auditors with industry knowledge may be more cost-efficient. An interesting set of questions for future research includes: what factors (for example, the size of the company, the industry in which it operates, and the regulatory effect) would impact the decision of whether to perform in-house or outsourced IT audits? Given the known risks in IT outsourcing [6], which control strategies would be most suited if IT audits are outsourced [32]? What would be an optimal contractual mechanism if the IT audits are outsourced? Finally, what would be the impact on the evaluation of IT security risks if the security audits are outsourced versus performed in-house?

The IT security audit setting in this article pertains to classic IT infrastructures. Security becomes challenging in the new cloud computing environments due to factors such as the various models of cloud computing, shared resources, scalability, and third-party hosting [16,21,28]. In this regard, new questions arise as to how the audit decision model would change in cloud environments, what additional factors have to be considered, and could cyber-insurance be an alternative to IT security auditing? These questions create a fertile platform for future research in IT security auditing.

Acknowledgements

The authors would like to thank two anonymous referees for their valuable suggestions. The authors acknowledge the research funding support from IIIA (Grant 336-332-033). Dr. Hemantha Herath acknowledges research funding from the Social Sciences and Humanities Research Council (SSHRC) of Canada (Grant no: 410-2009-1398) and Dr. Teju Herath acknowledges research funding from the Social Sciences and Humanities Research Council (SSHRC) of Canada (Grant no: 410-2010-1848). The authors thank the participants at the AAA-MAS Annual Conference 2011 and WISP 2010 for their valuable input on an earlier version of this article. The usual disclaimers apply.

References

[1] M.B. Adams, Agency theory and the internal audit, Managerial Accounting Journal 9 (8) (1994) 8–12.
[2] U.L. Anderson, M.H. Christ, K.M. Johnstone, L.E. Rittenberg, A post-SOX examination of factors associated with the size of internal audit functions, Accounting Horizons 26 (2) (2012) 167–191.
[3] S. Baiman, Agency research in managerial accounting: a second look, Accounting, Organizations and Society 15 (4) (1990) 341–371.
[4] R.H. Barr Jr., S.Y. Chang, Outsourcing internal audits: a boon or bane? Managerial Auditing Journal 8 (1) (1993) 14–17.
[5] H. Bierman Jr., L.E. Fouraker, R.K. Jaedicke, The use of probability and statistics in performance evaluation, The Accounting Review 36 (3) (1961) 409–417.
[6] J. Blaskovich, N. Mintchik, Information technology outsourcing: a taxonomy of prior studies and directions for future research, Journal of Information Systems 25 (1) (2011) 1–36.
[7] D.C. Brewer, Security Controls for Sarbanes–Oxley Section 404 IT Compliance: Authorization, Authentication, and Access, Wiley Publishing, Inc., Indianapolis, USA, 2006.
[8] D.H. Caplan, M. Kirschenheiter, Outsourcing and audit risk for internal audit services, Contemporary Accounting Research 17 (3) (2000) 387–427.
[9] J.V. Carcello, D.R. Hermanson, K. Raghunandan, Factors associated with U.S. public companies' investment in internal auditing, Accounting Horizons 19 (2) (2005) 69–84.
[10] H. Cavusoglu, B. Mishra, S. Raghunathan, The value of intrusion detection systems in information technology security architecture, Information Systems Research 16 (1) (2005) 28–46.
[11] H. Cavusoglu, S. Raghunathan, Configuration of detection software: a comparison of decision and game theory approaches, Decision Analysis 1 (3) (2004) 131–148.
[12] M.B. Curtis, J.G. Jenkins, J.C. Bedard, D.R. Deis, Auditors' training and proficiency in information systems: a research synthesis, Journal of Information Systems 23 (1) (2009) 79–96.
[13] M. Damianides, Sarbanes–Oxley and IT governance: new guidance on IT control and compliance, Information Systems Management 22 (1) (2005) 77–85.
[14] J.S. Demski, An accounting system structured on a linear programming model, The Accounting Review 42 (4) (1967) 701–712.
[15] F.T. Dezoort, R.W. Houston, M.F. Peters, The impact of internal auditor compensation and role on external auditor's planning judgements and decisions, Contemporary Accounting Research 18 (2) (2001) 257–281.
[16] F. Doelitzscher, C. Reich, M. Knahl, N. Clarke, Understanding cloud audits, in: Privacy and Security for Cloud Computing, Springer, 2013, pp. 125–163.
[17] L.A. Gordon, M.P. Loeb, The economics of information security investment, ACM Transactions on Information and System Security 5 (4) (2002) 438–457.
[18] L.A. Gordon, M.P. Loeb, W. Lucyshyn, T. Sohail, The impact of the Sarbanes–Oxley act on the corporate disclosures of information security activities, Journal of Accounting and Public Policy 25 (5) (2006) 503–530.
[19] L.A. Gordon, M.P. Loeb, W. Lucyshyn, Information security expenditures and real options: a wait and see approach, Computer Security Journal 19 (2) (2003) 1–7.
[20] L.A. Gordon, M.P. Loeb, T. Sohail, C.-Y. Tseng, L. Zhou, Cybersecurity, capital allocations and management control systems, The European Accounting Review 17 (2) (2008) 215–241.
[21] B. Grobauer, T. Walloschek, E. Stocker, Understanding cloud computing vulnerabilities, IEEE Security and Privacy 9 (2) (2011) 50–57.
[22] D.A. Haworth, L.R. Pietron, Sarbanes–Oxley: achieving compliance by starting with ISO 17799, Information Systems Management 23 (1) (2006) 73–78.
[23] H.S.B. Herath, T.C. Herath, Investments in information security: a real options perspective with Bayesian post-audit, Journal of Management Information Systems 25 (3) (2009) 337–375.
[24] K.J.S. Hoo, How Much is Enough? A Risk Management Approach to Computer Security, (Ph.D. Dissertation) Stanford University, 2000.
[25] S.M. Huang, W.H. Hung, D.C. Yen, I. Chang, D. Jiang, Building the evaluation model of the IT general control for CPAs under enterprise risk management, Decision Support Systems 50 (4) (2011) 692–701.
[26] IT Governance Institute, IT Control Objectives for Sarbanes–Oxley: the Importance of IT in the Design, Implementation and Sustainability of Internal Control Over Disclosure and Financial Reporting, IT Governance Institute, 2004.
[27] R. Kaplan, The significance and investigation of cost variances: survey and extensions, Journal of Accounting Research 13 (2) (1975) 311–337.
[28] J.M. Kizza, Cloud computing and related security issues, in: Guide to Computer Network Security, Springer, 2013, pp. 465–489.
[29] A. Lynch, M. Gomaa, Understanding the potential impact of information technology on the susceptibility of organizations to fraudulent employee behavior, International Journal of Accounting Information Systems 4 (4) (2003) 295–308.
[30] T. McCollum, Regulations' top IT audit concerns, Internal Auditor 68 (3) (2011) 14–15.
[31] W.F. Messier, A. Eilifsen, L.A. Austen, Auditor detected misstatements and the effect of information technology, International Journal of Auditing 8 (3) (2004) 223–235.
[32] P. Nagpal, K.J. Lyytinen, R.J. Boland, Which control strategies and configurations affect performance? Evidence from large scale outsourcing arrangements, AAA (2012) Management Accounting Section (MAS) Meeting Paper, 2011.
[33] M. Petterson, The keys to effective IT auditing, The Journal of Corporate Accounting & Finance (2005) 41–46.
[34] R. Richardson, CSI computer crime and security survey, Computer Security Institute 1 (2008) 1–30.
[35] S. Romanosky, Are Firms (and Consumers) Investing Enough in IT Security?, Comments to the Department of Commerce on Incentives to Adopt Improved Cybersecurity Practices: Docket Number 130206115-3115-01, 2013.
[36] J.W. Ulvila, J.E. Gaffney, A decision analysis method for evaluating computer intrusion detection systems, Decision Analysis 1 (1) (2004) 35–50.
[37] W. van der Aalst, K. van Hee, J.M. van der Werf, A. Kumar, M. Verdonk, Conceptual model for online auditing, Decision Support Systems 50 (2011) 636–647.

Hemantha S. B. Herath is a professor of Managerial Accounting in the Goodman School of Business at Brock University. Previously, he was an assistant professor at the University of Northern British Columbia and a consultant in the Oil and Gas Division of The World Bank, Washington D.C. His research interests include real option analysis, management accounting and economics of information security. He has published articles in a variety of journals including Journal of Economics and Finance, Journal of Management Information Systems, Journal of Accounting and Public Policy, Advances in Management Accounting, and The Engineering Economist. He was twice a recipient of the Eugene L. Grant Best Paper Award (2001, 2008) from the American Society of Engineering Education (ASEE). He currently serves as an area editor of The Engineering Economist. He is also a member of the Sigma Xi research honor society. His research has been funded by SSHRC Canada and other grants.

Tejaswini C. Herath is an assistant professor of Information Systems in the Goodman School of Business at Brock University, Canada. She received her Ph.D. in Management Science and Systems from the State University of New York at Buffalo. She holds an MMIS and MSCE from Auburn University, and a B.Eng. from Pune University, India. She also holds Advanced Certification in Information Assurance from the University at Buffalo (USA) and is a Certified General Accountant (CGA–Canada). Her work has been published in the Journal of Management Information Systems, Decision Support Systems, European Journal of Information Systems, Information Systems Journal, Information Systems Management, among others. Her research interests are in Information Assurance and include topics such as information security and privacy, diffusion of information assurance practices, economics of information security and risk management. Her research has been funded by SSHRC Canada and other grants.