Abstract
Managing information access within large enterprises is increasingly challenging. With thousands of employees accessing thousands of applications and data sources, managers strive to ensure that employees can access the information they need to create value while protecting that information from misuse. We examine an information governance approach based on controls and incentives, in which employees' self-interested behavior can result in firm-optimal use of information. Using insights from a game-theoretic model, we illustrate how an incentives-based policy with escalation can control both over- and under-entitlement while maintaining flexibility.
Notes
1. The Center for Digital Strategies at the Tuck School of Business examines the role of digital strategies in corporations and the use of technology-enabled processes to harness an organization's unique competencies, support its business strategy, and drive competitive advantage. This research was supported through the Institute for Security Technology Studies at Dartmouth College, under award number 2006-CS-001-000001 from the U.S. Department of Homeland Security (NCSD). The statements, findings, conclusions, and recommendations are those of the authors and do not necessarily reflect the views of the Department of Homeland Security.
2. The reading right is granted if the security level of the subject dominates that of the object.
3. The writing right is granted if the security level of the subject is dominated by that of the object.
4. "Overentitlement" refers to the situation in which an employee has more privileges than s/he needs. "Underentitlement" refers to the situation in which an employee has fewer privileges than s/he needs.
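As an added example (not code from the chapter or its authors), the two footnoted dominance rules written out as a small access-check module, together with a comparison of held versus needed privileges in the sense of note 4. The notes speak only of security levels; the category component of the label, the level names, and the sample subjects and objects are assumptions constructed for the example.

```python
# Added illustration of notes 2-4; not part of the original chapter.
from dataclasses import dataclass

# Hierarchical sensitivity levels with an assumed ordering (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus a set of categories.

    The category set is an assumption beyond the chapter's notes; it turns
    the total order of levels into a lattice, so two labels may be
    incomparable (neither dominates the other).
    """
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self dominates other iff its level is at least as high AND its
        # categories include all of other's categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Note 2: read is granted iff the subject dominates the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Note 3: write is granted iff the subject is dominated by the object."""
    return obj.dominates(subject)


def classify_entitlement(granted: frozenset, needed: frozenset) -> dict:
    """Note 4: over-entitlement is what is held but not needed,
    under-entitlement is what is needed but not held."""
    return {"over": granted - needed, "under": needed - granted}


def demo() -> dict:
    # Constructed sample subject and objects.
    analyst = Label("SECRET", frozenset({"FINANCE"}))
    ledger = Label("CONFIDENTIAL", frozenset({"FINANCE"}))
    board_minutes = Label("TOP SECRET", frozenset({"FINANCE", "LEGAL"}))
    legal_memo = Label("CONFIDENTIAL", frozenset({"LEGAL"}))

    checks = {
        # subject dominates object: read allowed, write (down) refused
        "read_ledger": can_read(analyst, ledger),
        "write_ledger": can_write(analyst, ledger),
        # object dominates subject: read (up) refused, write allowed
        "read_minutes": can_read(analyst, board_minutes),
        "write_minutes": can_write(analyst, board_minutes),
        # incomparable labels (category mismatch): neither right is granted
        "read_legal_memo": can_read(analyst, legal_memo),
        "write_legal_memo": can_write(analyst, legal_memo),
    }

    # Constructed entitlement data: privileges held vs. privileges the job needs.
    granted = frozenset({"ledger:read", "payroll:read", "hr:write"})
    needed = frozenset({"ledger:read", "payroll:read", "payroll:write"})
    checks["entitlement"] = classify_entitlement(granted, needed)
    return checks


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the incomparable case is the one a plain "level number" implementation gets wrong: with categories ignored, the SECRET analyst would be allowed to read the CONFIDENTIAL legal memo.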
© 2009 Springer Science+Business Media, LLC
About this chapter
Cite this chapter
Zhao, X., Johnson, M.E. (2009). The Value of Escalation and Incentives in Managing Information Access. In: Johnson, M.E. (eds) Managing Information Risk and the Economics of Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09762-6_8
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09761-9
Online ISBN: 978-0-387-09762-6