
Information security in organizations: Drivers, policies and compliance incentives

Posted on: 2008-11-22
Degree: Ph.D
Type: Dissertation
University: University of Minnesota
Candidate: Zhdanov, Dmitry
Full Text: PDF
GTID: 1449390005467437
Subject: Business Administration
Abstract/Summary:
This dissertation consists of three essays and examines a set of questions influencing organizational decisions about the choice of information security solutions and policies. The first two essays present theoretical models studying the decisions of organizations about outsourcing their information security efforts, as well as the configuration of incentives that are provided for internal compliance with information security policies. The third essay uses data about attacks in network traffic, in combination with graphical formalisms known as metagraphs, to derive information security policy rules.

The first essay, entitled "Growth and Sustainability of Managed Security Services Networks", analyses the growth dynamics of such networks under consortium-based and for-profit ownership. The results describe the growth pattern and size of MSSP networks and identify the drivers behind a firm's decision to outsource its information security activities. This essay contributes to the literature on network growth dynamics in the presence of network effects. Interviews with MSSP practitioners indicate that the results are consistent with what actually happens in the MSSP market.

The second essay, entitled "Role of Performance Incentives in Compliance with Information Security Policies", addresses the question of internal compliance with information security policies. Since increased information security hinders individual productivity, there are conflicting incentives that can lead people and organizational units to deviate from established policies. This essay uses a game theory framework to analyze incentive mechanisms that lead to voluntary compliance with security policies. The results describe configurations of bonuses and fines which are contingent on the frequency and perceived severity of the attacks. This essay uses innovative modeling concepts such as penal code and fairness in games.

The third essay, entitled "Identification of Information Security Policies Using Metagraphs", presents a systematic way to develop measurable security policies based on network attack data. It uses data mining tools to build detection and exposure metagraphs in networks of varying size. Metagraph transformations are applied to identify information security policy rules. This essay formally extends the use of quantitative attributes in metagraphs. It also provides practitioners with a systematic yet intuitive way to analyze information security policies.

Keywords: Information Security, Information Systems Management, Managed Security, Outsourcing, Network Effects, Information Security Policy, Policy Analysis, Game Theory, Penal Code, Fairness.
Keywords/Search Tags:Information, Policies, Essay, Network, Incentives