The Value of Security Audits, Asymmetric Information and Market Impact of Security Breaches

Abstract

This dissertation includes two essays on the economic aspects of information security. The first essay presents a principal-agent model for assessing the value of information security audits. The issue of information security investments is confounded by control problems arising from asymmetric information and conflicting managerial interests within the firm. By analyzing the impacts of asymmetric information and security audits, this study extends the literature in three ways. First, the degree of information asymmetry is formally measured, which allows one to study how different levels of information asymmetry affect information security investment decisions. Second, the intensity of an information security audit is explicitly modeled, and the interactions between information asymmetry and security audits are examined. This analysis provides conditions under which the benefit from security audits increases with the degree of information asymmetry. Third, the current research provides an analytic model that helps to explain existing empirical findings (e.g., Gordon and Smith, 1992) concerning the relation between information asymmetry and the value of audits. The second essay examines the economic costs of publicly announced information security breaches. Similar to Campbell et al. (2003), the current study applies the event study approach, but uses a larger sample and a more sophisticated market model (Fama and French, 1993). The results confirm those of Campbell et al. (2003) that security breaches involving confidential information cause significant market reactions and security breaches not involving confidential information only cause insignificant market reactions. Further investigations also suggest that the insignificance of market reactions to non-confidential events does not seem to vary with the nature of those events.