Decision Support Systems

Volume 162, November 2022, 113849
A multistate modeling approach for organizational cybersecurity exploration and exploitation

https://doi.org/10.1016/j.dss.2022.113849

Highlights

  • Organizational cybersecurity relies on the simultaneous pursuit of exploration and exploitation.

  • A framework was proposed for studying exploration and exploitation in the organizational learning process.

  • Four states are identified to describe the dynamics of exploration and exploitation in the organizational cybersecurity space.

  • Text analytics was applied to annual report data to create longitudinal exploration and exploitation variables.

  • A Markov chain was proposed to model transitions between different states of organizational exploration and exploitation.

Abstract

This study examines the dynamic stages of exploration and exploitation efforts by organizations in their cybersecurity responses using multistate modeling. Using textual data from the annual 10-K reports of S&P 100 organizations, this study uses a combination of text analytics and Markov chain approach to quantify exploration and exploitation in organizational cybersecurity responses. The study models two and four states of exploration and exploitation based on their cybersecurity responses over time and uses a continuous-time Markov chain approach to analyze transitions between states as organizations adapt their responses over time to achieve ambidexterity. The two-state Markov model focuses on the firm-level Exploration and Exploitation states whereas the four-state model captures deeper levels of exploration and exploitation by considering Surviving, Investigating, Reinforcing, and Balancing as possible states for exploration and exploitation of cybersecurity responses. We analyze the dynamics of organizational exploration-exploitation behaviors by modeling longitudinal transition probabilities across different states. Implications for research and practice are discussed.

Introduction

Cybersecurity has become an increasingly important area for information technology (IT) and information systems (IS) research and practice, as several highly visible and impactful attacks on large, well-known organizations around the world have resulted in significant security breaches in recent years. To mention just a few: Home Depot experienced data loss on 56 million cards; Equifax Corporation suffered a massive data breach affecting 145 million customers; Yahoo Inc., the giant Internet information company, experienced a huge database breach with more than half a billion user accounts compromised; MasterCard Corporation announced one of the largest security breaches, affecting 40 million credit card users; and Marriott International declared a data loss on 500 million customers. These incidents were widely publicized and became the center of attention [78–82]. Consequently, cybersecurity responses have become matters of significant concern to researchers and practitioners over time [1].

Prior research on cybersecurity is multi-faceted and addresses both organizational and operational concerns, such as the identification of threats or vulnerabilities to cybersecurity; the mechanisms of cybersecurity breaches and attacks; the social, economic, and financial impacts of data breaches; and the routines, structures, and capabilities for cybersecurity responses in organizations. Jenab and Moslehpour [2] reviewed the cybersecurity literature on various areas such as network security, information security, and cloud security. Gordon et al. [3] described the roles of leadership processes, organizational structures, and capital allocations through the installation of Chief Information Security Officer positions within organizations for cybersecurity oversight and management. Cybersecurity breaches are known to negatively influence the market value, stock price, and market return of organizations [4–8].

Organizational cybersecurity relies on the simultaneous pursuit of two activities: exploration and exploitation [9]. It can be conceptualized as an organization's ability to simultaneously explore new cybersecurity responses, resources, and practices and exploit its current cybersecurity responses, resources, and practices [10]. However, a balance between exploration and exploitation is hard to achieve due to the contradictory nature of the two activities. If the organization has limited IT resources to support high levels of exploration and exploitation, exploitation is preferred over exploration. However, if the organization has ample IT resources to enable high levels of exploration and exploitation, exploration is prioritized over exploitation [11]. To date, little research has explored the dynamics by which organizations pursue cybersecurity exploration and exploitation. To address this research gap, we aim to answer the research question: How do organizations explore or exploit cybersecurity responses over time? We propose a modeling approach that can explain how organizations transition between exploration and exploitation states in handling cybersecurity responses.

Specifically, this research examines different types of transitions between exploration and exploitation in organizational cybersecurity responses using a novel analytical multistate modeling approach. Using textual data on cybersecurity responses extracted from annual 10-K reports released by S&P 100 organizations, text analytics and Markov chain analysis are used to empirically examine exploration and exploitation behaviors in the organizational learning process for cybersecurity. Particularly, this study uses a combination of text analytics and Markov chain modeling approach to understand how organizational cybersecurity responses evolve through periods of stability (exploitation) and change (exploration) with different phases of surviving, investigating, reinforcing, and balancing. Mathematically, such organizational shifts to achieve ambidexterity over time can be interpreted as a continuous-time Markov chain model. Our proposed Markov chain model uses text-mined data and formulates the behavior of an organization as a sequence of possible states (e.g., surviving, investigating, reinforcing, and balancing) where the organization begins in one of the states and moves consecutively to another state in the face of changed market conditions. While the stochastic nature of the Markov model allows us to accommodate variety-seeking behaviors in organizational cybersecurity responses, it can also capture the central tendency of the observations which can be used to test for the stability of the pattern of responses over time.
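The multistate idea described above, as an added example that is not the paper's code: yearly exploration and exploitation scores are mapped to the four named states, and a one-year transition matrix, long-run state shares, and mean time in each state are estimated from the resulting sequences. This is a discrete-time approximation rather than the paper's continuous-time estimation; the quadrant rule, the 0.5 cut-off, the firm names, and all scores are assumptions constructed for illustration (the paper's own criteria are in its Fig. 3, which this page does not reproduce).

```python
from collections import Counter

STATES = ["Surviving", "Investigating", "Reinforcing", "Balancing"]

def classify(explore, exploit, cut=0.5):
    """Hypothetical quadrant rule: high/low split of the two text-derived scores."""
    hi_explore, hi_exploit = explore >= cut, exploit >= cut
    if hi_explore and hi_exploit:
        return "Balancing"
    if hi_explore:
        return "Investigating"
    return "Reinforcing" if hi_exploit else "Surviving"

def transition_matrix(panel):
    """Maximum-likelihood one-year transition matrix: row-normalised counts."""
    counts = Counter()
    for seq in panel.values():
        counts.update(zip(seq, seq[1:]))  # consecutive-year state pairs
    P = []
    for a in STATES:
        total = sum(counts[(a, b)] for b in STATES)
        # A state with no observed exits is treated as absorbing.
        P.append([counts[(a, b)] / total if total else float(a == b)
                  for b in STATES])
    return P

def stationary(P, iters=2000):
    """Long-run share of time in each state (power iteration, ergodic chain)."""
    n = len(P)
    pi = [1 / n] * n
    for _ in range(iters):
        pi = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
    return pi

def mean_sojourn_years(P):
    """Expected consecutive years in each state: 1 / (1 - p_ii)."""
    return [float("inf") if row[i] == 1 else 1 / (1 - row[i])
            for i, row in enumerate(P)]

# Constructed (exploration, exploitation) scores per firm, fiscal years 2016-2020.
SCORES = {
    "firm_a": [(0.2, 0.3), (0.7, 0.3), (0.8, 0.6), (0.8, 0.7), (0.6, 0.9)],
    "firm_b": [(0.1, 0.8), (0.2, 0.9), (0.6, 0.8), (0.3, 0.7), (0.7, 0.7)],
    "firm_c": [(0.3, 0.2), (0.4, 0.1), (0.9, 0.2), (0.3, 0.6), (0.2, 0.2)],
}
PANEL = {firm: [classify(x, t) for x, t in years] for firm, years in SCORES.items()}
P = transition_matrix(PANEL)

if __name__ == "__main__":
    for state, row, share in zip(STATES, P, stationary(P)):
        print(f"{state:13s} {[round(p, 2) for p in row]} long-run share {share:.3f}")
```

A diagonal entry close to 1 marks a state that firms rarely leave from one report to the next, which is the stability signal the transition analysis is looking for.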

This study, therefore, has three main contributions. First, we contribute to the organizational literature by proposing a novel analytical modeling approach for studying exploration and exploitation in the organizational learning process. Specifically, we develop continuous-time Markov models to demonstrate that organizations alternate between periods of exploration and exploitation to achieve ambidexterity over time. Second, we contribute to the organizational cybersecurity literature by identifying stages through which organizations transition to achieve a balance between exploration and exploitation in their cybersecurity response portfolios. Third, we contribute to the business analytics literature by demonstrating how textual features extracted from organizational reports via text mining techniques can be used in a different analytical approach (i.e., Markov chain). We illustrate how a combination of advanced analytics techniques can result in a better understanding of such a complex organizational phenomenon as exploration-exploitation.

The remainder of the paper is organized as follows. The next section introduces the related literature and theoretical background informing this study. The research model and research methods are described in the subsequent two sections. These are followed by the results and discussion sections, and the conclusion section wraps up the paper.

Section snippets

Cybersecurity response

Cybersecurity response represents the actions undertaken by organizations to prevent, monitor, detect, mitigate, and manage cybersecurity threats [12,13]. Such responses are aimed at protecting organizational computing resources including data, hardware, software, and networks from unauthorized access, disruption, damage, theft, loss, or malicious attack [14,15]. Organizations may implement IT and non-IT countermeasures to secure their physical facilities, personnel, and computing resources [16

Research methods

Our research methodology includes data collection, preparation, modeling, and analysis which are described in the subsections below. The overall research methodology is shown in Fig. 2.

Main analysis

Based on the criteria described in Fig. 3, we identified 236 exploration states (54.2%), and 199 exploitation states (45.8%) over the time period 2016–2020 for Model I. For Model II, the exploration and exploitation states are further categorized into 102 surviving states (23.4%), 111 investigating states (25.5%), 125 reinforcing states (28.7%) and 97 balancing states (22.2%). A total of 421 transitions were recorded in Model II (60.4%).

According to Model I, there are different types of

Findings

The objective of this study was to develop a modeling approach that can help describe how organizations transition between exploration and exploitation states in their cybersecurity response portfolio. We formulated a multistate Markov chain model for analysis of organizations' exploration and exploitation behaviors as found in their published annual 10-K reports. We described the transition processes by which organizations mobilize and coordinate exploration and exploitation

Conclusion

This study proposed a multistate continuous-time Markov chain model to analyze the behavior of organizations as they explore and exploit responses to cybersecurity. This study text-mined data gathered from the annual reports of organizations to generate longitudinal models to quantify exploration and exploitation efforts by organizations in their cybersecurity responses. The multistate Markov model was used to generate insights into how organizations go through different stages to balance

References (77)

  • M.R. Asadabadi. A customer based supplier selection process that combines quality function deployment, the analytic network process and a Markov chain. Eur. J. Oper. Res. (2017)
  • F. Nawaz et al. An MCDM method for cloud service selection using a Markov chain and the best-worst method. Knowl.-Based Syst. (2018)
  • M. de Gunst et al. Parameter estimation for a discretely observed population process under Markov-modulation. Comput. Stat. Data Anal. (2019)
  • B. Biswas et al. A text-mining based cyber-risk assessment and mitigation framework for critical analysis of online hacker forums. Decis. Support. Syst. (2022)
  • M.-D. McLaughlin et al. Challenges and best practices in information security management. MIS Q. Exec. (2018)
  • K. Jenab et al. Cyber security management: a review. Bus. Manag. Dynam. (2016)
  • L.A. Gordon et al. Cybersecurity, capital allocations and management control systems. Eur. Account. Rev. (2008)
  • K. Campbell et al. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur. (2003)
  • H. Cavusoglu et al. The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. Int. J. Electron. Commer. (2004)
  • A. Garg et al. Quantifying the financial impact of IT security breaches. Inf. Manag. Comput. Secur. (2003)
  • R. Telang et al. An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans. Softw. Eng. (2007)
  • E.G. Carayannis et al. Ambidextrous cybersecurity: the seven pillars (7Ps) of cyber resilience. IEEE Trans. Eng. Manag. (2019)
  • A. Jeyaraj et al. Exploration and exploitation in organizational cybersecurity. J. Comput. Inf. Syst. (2021)
  • H. Liang et al. Juggling information technology (IT) exploration and exploitation: a proportional balance view of IT ambidexterity. Inf. Syst. Res. (2022)
  • A. Longley. Understanding and managing cyber security threats and countermeasures in the process industries. Loss Prevent. Bull. (2019)
  • D. Schatz et al. Towards a more representative definition of cyber security. J. Digit. Forensic Secur. Law (2017)
  • E. Toch et al. The privacy implications of cyber security systems: a technological survey. ACM Comput. Surveys (CSUR) (2018)
  • R. Baskerville et al. Integration of information systems and cybersecurity countermeasures: an exposure to risk perspective. ACM SIGMIS Database: the DATABASE for Advances in Information Systems (2018)
  • P.-Y. Chen et al. Correlated failures, diversification, and information security risk management. MIS Q. (2011)
  • R.L. Kumar et al. Understanding the value of countermeasure portfolios in information systems security. J. Manag. Inf. Syst. (2008)
  • S. Gerić et al. Information system security threats classifications. J. Informa. Organ. Sci. (2007)
  • B. Grobauer et al. Understanding cloud computing vulnerabilities. IEEE Security Privacy (2010)
  • M. Imran et al. A statistical and theoretical analysis of cyberthreats and its impact on industries. Int. J. Sci. Res. Comput. Sci. Appl. Manag. Stud. (2018)
  • J.Q. Chen et al. HIPAA security compliance challenges: the case for small healthcare providers. Int. J. Healthcare Manag. (2017)
  • C. Gikas. A general comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS standards. Informa. Sec. J. Global Perspect. (2010)
  • K.J. Knapp et al. Maintaining a cybersecurity curriculum: professional certifications as valuable guidance. J. Inf. Syst. Educ. (2017)
  • L. Wallace et al. Information security and Sarbanes-Oxley compliance: an exploratory study. J. Inf. Syst. (2011)
  • J.G. March. Exploration and exploitation in organizational learning. Organ. Sci. (1991)

Amir Zadeh is an Associate Professor of Information Systems at Wright State University. He holds a Ph.D. in Management Science and Information Systems from Oklahoma State University. His research interests are in data-driven decision-making and machine learning with applications in health, sports, cybersecurity, operations management, and social networks. His research has been published in journals such as Decision Support Systems, Information & Management, Information Systems Frontiers, Journal of Quantitative Analysis in Sports, and Journal of Business Analytics. He was awarded the Operations Research Society's Ranyard Medal for the Best Paper published in the Journal of Business Analytics in 2020.

Anand Jeyaraj is Professor of Information Systems in the Raj Soin College of Business at Wright State University and holds a PhD in Business Administration with emphasis in Information Systems. His research interests include the diffusion and adoption of information systems; success and payoff of information systems; and methodologies. His research has been published in journals such as MIS Quarterly, Management Science, Communications of the ACM, Information & Organization, and Journal of Information Technology.