The Value of Escalation and Incentives in Managing Information Access

  • Xia Zhao
  • M. Eric Johnson


Managing information access within large enterprises is increasingly challenging. With thousands of employees accessing thousands of applications and data sources, managers strive to ensure that employees can access the information they need to create value while protecting that information from misuse. We examine an information governance approach based on controls and incentives, in which employees' self-interested behavior can result in firm-optimal use of information. Using insights gained from a game-theoretic model, we illustrate how an incentives-based policy with escalation can control both over- and under-entitlement while maintaining flexibility.



Copyright information

© Springer Science+Business Media, LLC 2009
