A multistate modeling approach for organizational cybersecurity exploration and exploitation
Introduction
Cybersecurity has become an increasingly important area for information technology (IT) and information systems (IS) research and practice, as several highly visible and impactful attacks on large and well-known organizations around the world have resulted in significant security breaches in recent years. To mention just a few: Home Depot experienced data loss on 56 million cards; Equifax Corporation suffered a massive data breach affecting 145 million customers; Yahoo Inc., the giant Internet information company, experienced a huge database breach with more than half a billion user accounts compromised; MasterCard Corporation announced one of the largest security breaches, affecting 40 million credit card users; and Marriott International declared a data loss on 500 million customers. These incidents have been publicized and have become the center of attention [78–82]. Consequently, cybersecurity responses have become matters of significant concern to researchers and practitioners over time [1].
Prior research on cybersecurity is multi-faceted and has addressed both organizational and operational concerns, such as the identification of threats or vulnerabilities to cybersecurity; mechanisms of cybersecurity breaches and attacks; social, economic, and financial impacts of data breaches; and routines, structures, and capabilities for cybersecurity responses for organizations. Jenab and Moslehpour [2] reviewed the cybersecurity literature on various areas such as network security, information security, and cloud security. Gordon et al. [3] described the roles of leadership processes, organizational structures, and capital allocations through the installation of the Chief Information Security Officer positions within organizations for cybersecurity oversight and management. Cybersecurity breaches are known to negatively influence the market value, stock price, and market return of organizations [4–8].
Organizational cybersecurity relies on the simultaneous pursuit of two activities: exploration and exploitation [9]. It can be conceptualized as an organization's ability to simultaneously explore new cybersecurity responses, resources, and practices and exploit its current cybersecurity responses, resources, and practices [10]. However, a balance between exploration and exploitation is hard to achieve due to the contradictory nature of the two activities. If the organization has limited IT resources to support high levels of exploration and exploitation, exploitation is preferred over exploration. However, if the organization has ample IT resources to enable high levels of exploration and exploitation, exploration is prioritized over exploitation [11]. To date, little research has explored the dynamics by which organizations pursue cybersecurity exploration and exploitation. To address this research gap, we aim to answer the research question: How do organizations explore or exploit cybersecurity responses over time? We propose a modeling approach that can explain how organizations transition between exploration and exploitation states in handling cybersecurity responses.
Specifically, this research examines different types of transitions between exploration and exploitation in organizational cybersecurity responses using a novel analytical multistate modeling approach. Using textual data on cybersecurity responses extracted from annual 10-K reports released by S&P 100 organizations, text analytics and Markov chain analysis are used to empirically examine exploration and exploitation behaviors in the organizational learning process for cybersecurity. In particular, this study combines text analytics with a Markov chain modeling approach to understand how organizational cybersecurity responses evolve through periods of stability (exploitation) and change (exploration) with different phases of surviving, investigating, reinforcing, and balancing. Mathematically, such organizational shifts to achieve ambidexterity over time can be interpreted as a continuous-time Markov chain model. Our proposed Markov chain model uses text-mined data and formulates the behavior of an organization as a sequence of possible states (e.g., surviving, investigating, reinforcing, and balancing) where the organization begins in one of the states and moves consecutively to another state in the face of changed market conditions. While the stochastic nature of the Markov model allows us to accommodate variety-seeking behaviors in organizational cybersecurity responses, it can also capture the central tendency of the observations, which can be used to test for the stability of the pattern of responses over time.
This study, therefore, has three main contributions. First, we contribute to the organizational literature by proposing a novel analytical modeling approach for studying exploration and exploitation in the organizational learning process. Specifically, we develop continuous-time Markov models to demonstrate that organizations alternate between periods of exploration and exploitation to achieve ambidexterity over time. Second, we contribute to the organizational cybersecurity literature by identifying stages through which organizations transition to achieve a balance between exploration and exploitation in their cybersecurity response portfolios. Third, we contribute to the business analytics literature by demonstrating how textual features extracted from organizational reports via text mining techniques can be used in a different analytical approach (i.e., Markov chain). We illustrate how a combination of advanced analytics techniques can result in a better understanding of such a complex organizational phenomenon as exploration-exploitation.
The remainder of the paper is organized as follows. The next section introduces the related literature and theoretical background informing this study. The research model and research methods are described in the subsequent two sections. These are followed by the results and discussion sections, and the conclusion section wraps up the paper.
Section snippets
Cybersecurity response
Cybersecurity response represents the actions undertaken by organizations to prevent, monitor, detect, mitigate, and manage cybersecurity threats [12,13]. Such responses are aimed at protecting organizational computing resources including data, hardware, software, and networks from unauthorized access, disruption, damage, theft, loss, or malicious attack [14,15]. Organizations may implement IT and non-IT countermeasures to secure their physical facilities, personnel, and computing resources [16
Research methods
Our research methodology includes data collection, preparation, modeling, and analysis, which are described in the subsections below. The overall research methodology is shown in Fig. 2.
Main analysis
Based on the criteria described in Fig. 3, we identified 236 exploration states (54.2%), and 199 exploitation states (45.8%) over the time period 2016–2020 for Model I. For Model II, the exploration and exploitation states are further categorized into 102 surviving states (23.4%), 111 investigating states (25.5%), 125 reinforcing states (28.7%) and 97 balancing states (22.2%). A total of 421 transitions were recorded in Model II (60.4%).
According to Model I, there are different types of
Findings
The objective of this study was to develop a modeling approach that can help describe how organizations transition between exploration and exploitation states in their cybersecurity response portfolio. We formulated a multistate Markov chain model for analysis of organizations' exploration and exploitation behaviors as found in the annual 10-K reports they publish. We described the transition processes by which organizations mobilize and coordinate exploration and exploitation
Conclusion
This study proposed a multistate continuous-time Markov chain model to analyze the behavior of organizations as they explore and exploit responses to cybersecurity. This study text-mined data gathered from the annual reports of organizations to generate longitudinal models to quantify exploration and exploitation efforts by organizations in their cybersecurity responses. The multistate Markov model was used to generate insights into how organizations go through different stages to balance
References (77)
- et al. Estimating the market impact of security breach announcements on firm values. Inf. Manag. (2009)
- et al. DDoS attacks in cloud computing: issues, taxonomy, and future directions. Comput. Commun. (2017)
- et al. Threats and countermeasures for information system security: a cross-industry study. Inf. Manag. (2007)
- et al. Decision support for cybersecurity risk planning. Decis. Support. Syst. (2011)
- et al. A survey of emerging threats in cybersecurity. J. Comput. Syst. Sci. (2014)
- et al. Exploratory behavior in active learning: a between-and within-person examination. Organ. Behav. Hum. Decis. Process. (2014)
- et al. Exploration-exploitation tradeoffs and information-knowledge gaps in self-regulated learning: implications for learner-controlled training and development. Hum. Resour. Manag. Rev. (2019)
- et al. Too small to do it all? A meta-analysis on the relative relationships of exploration, exploitation, and ambidexterity with SME performance. J. Bus. Res. (2021)
- et al. Exploitation vs. exploration: choosing a supplier in an environment of incomplete information. Decis. Support. Syst. (2004)
- et al. Customer lifetime value prediction by a Markov chain based data mining model: application to an auto repair and maintenance company in Taiwan. Scientia Iranica (2012)
- A customer based supplier selection process that combines quality function deployment, the analytic network process and a Markov chain. Eur. J. Oper. Res.
- An MCDM method for cloud service selection using a Markov chain and the best-worst method. Knowl.-Based Syst.
- Parameter estimation for a discretely observed population process under Markov-modulation. Comput. Stat. Data Anal.
- A text-mining based cyber-risk assessment and mitigation framework for critical analysis of online hacker forums. Decis. Support. Syst.
- Challenges and best practices in information security management. MIS Q. Exec.
- Cyber security management: a review. Bus. Manag. Dynam.
- Cybersecurity, capital allocations and management control systems. Eur. Account. Rev.
- The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur.
- The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. Int. J. Electron. Commer.
- Quantifying the financial impact of IT security breaches. Inf. Manag. Comput. Secur.
- An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans. Softw. Eng.
- Ambidextrous cybersecurity: the seven pillars (7Ps) of cyber resilience. IEEE Trans. Eng. Manag.
- Exploration and exploitation in organizational cybersecurity. J. Comput. Inf. Syst.
- Juggling information technology (IT) exploration and exploitation: a proportional balance view of IT ambidexterity. Inf. Syst. Res.
- Understanding and managing cyber security threats and countermeasures in the process industries. Loss Prevent. Bull.
- Towards a more representative definition of cyber security. J. Digit. Forensic Secur. Law
- The privacy implications of cyber security systems: a technological survey. ACM Comput. Surveys (CSUR)
- Integration of information systems and cybersecurity countermeasures: an exposure to risk perspective. ACM SIGMIS Database: the DATABASE for Advances in Information Systems
- Correlated failures, diversification, and information security risk management. MIS Q.
- Understanding the value of countermeasure portfolios in information systems security. J. Manag. Inf. Syst.
- Information system security threats classifications. J. Informa. Organ. Sci.
- Understanding cloud computing vulnerabilities. IEEE Security Privacy
- A statistical and theoretical analysis of cyberthreats and its impact on industries. Int. J. Sci. Res. Comput. Sci. Appl. Manag. Stud.
- HIPAA security compliance challenges: the case for small healthcare providers. Int. J. Healthcare Manag.
- A general comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS standards. Informa. Sec. J. Global Perspect.
- Maintaining a cybersecurity curriculum: professional certifications as valuable guidance. J. Inf. Syst. Educ.
- Information security and Sarbanes-Oxley compliance: an exploratory study. J. Inf. Syst.
- Exploration and exploitation in organizational learning. Organ. Sci.
Cited by (2)
A cybersecurity risk quantification and classification framework for informed risk mitigation decisions
2023, Decision Analytics Journal
The Impact of Industrial Internet and the Digital Economy on the Management and Development of Manufacturing Information Systems Triggering Digitization as IoT and Artificial Intelligence
2023, Journal of Information Systems Engineering and Management
Amir Zadeh is an Associate Professor of Information Systems at Wright State University. He holds a Ph.D. in Management Science and Information Systems from Oklahoma State University. His research interests are in data-driven decision-making and machine learning with applications in health, sports, cybersecurity, operations management, and social networks. His research has been published in journals such as Decision Support Systems, Information & Management, Information Systems Frontiers, Journal of Quantitative Analysis in Sports, and Journal of Business Analytics. He was awarded the Operations Research Society's Ranyard Medal for the Best Paper published in the Journal of Business Analytics in 2020.
Anand Jeyaraj is Professor of Information Systems in the Raj Soin College of Business at Wright State University and holds a PhD in Business Administration with emphasis in Information Systems. His research interests include the diffusion and adoption of information systems; success and payoff of information systems; and methodologies. His research has been published in journals such as MIS Quarterly, Management Science, Communications of the ACM, Information & Organization, and Journal of Information Technology.