ACCESS FLEXIBILITY WITH ESCALATION AND AUDIT 1

Transcription

1 ACCESS FLEXIBILITY WITH ESCALATION AND AUDIT Xia Zao and M. Eric Jonson Center for Digita Strategies Tuck Scoo of Business Dartmout Coege, Hanover NH Fu paper: 557 Words Abstract Managing information access in igy dynamic business environments is increasingy caenging. Wit tousands of empoyees accessing tousands of appications and data sources, managers strive to ensure te empoyees can access te information tey need to create vaue wie protecting information from misuse. We propose an access governance structure wit escaation options, ensuring bot fexibiity and security of information systems. Using a gameteoretic approac, we sow tat propery couping information access, audit, vioation penaties and rewards can enabe sef-interested empoyees to access information in a timey manner, seizing business opportunities for te firm wie managing security risks. Tis researc was supported troug te Institute for Security Tecnoogy Studies at Dartmout Coege, under award Number 26- CS-- from te U.S. Department of Homeand Security (NCSD). Te statements, findings, concusions, and recommendations are tose of te autors and do not necessariy refect te views of te Department of Homeand Security.

2 Keywords: Information security, access contro, fexibiity, audit, escaation. Introduction Pervasive and timey access to information is a source of competitive advantage for many firms suc as investment banks, researc aboratories, and ospitas. Tecnoogy as made information more avaiabe trougout and between organizations, enabing coaboration and fueing innovation. Te iterature on innovation as ong discussed te benefits of free-fowing information, inking it to innovation productivity (e.g., Baker and Freeand 972; Tsai, 2; von Hippe 994). Likewise, te services and suppy cain iterature ave aso extoed te benefits of increased information avaiabiity (e.g., Lee et a. 2; Ratnam et a. 995). Wit web-based toos inked to vast enterprise data sources, firms today ave made muc data and appications readiy avaiabe to tousands of empoyees, business partners, and customers at very ow cost. Tus, in environments were information can resut in significant profits or is critica to outcome quaity, firms are driven to invest in tecnoogies tat increase information avaiabiity. Unfettered information access, owever, can create significant security concerns, driving managers to constrict te avaiabiity of information. Suc efforts become indispensibe wit te recent enforcement of many government reguations, suc as Sarbanes-Oxey (SOX), Payment Card Industry Data Security Standard (PCI DSS), Heat Insurance Portabiity and Accountabiity Act (HIPAA), Gramm-Leac-Biey Act (GLBA), Persona Information Protection and Eectronic Documents Act (PIPEDA), and te European Union Directive on Data Privacy (EU Directive), wic a incude anguage requiring firms to maintain some eve of 2

3 access contro. Driven by fears of data breaces, inteectua property osses, and compiance vioations, firms are working to reduce information accesses troug better contros and governance. Terefore, te roe of access governance as become increasingy important in baancing security and avaiabiity. Current practice of access governance focuses on te tecnica impementation of privieges and entitement 2. For exampe, access contros dictate user privieges to view a fie, execute an appication, sare data wit oter agents, and so on. Users can ony use data wen tey ave te corresponding entitements. By far, te firm s most important guideine of impementing access governance is to prevent misuse of data - eiter intentionay (suc as using te data to make iega stock trades) or unintentiona (suc as storing te data on device tat is vunerabe to a security breac). One important criterion of access governance is known as te rue of east priviege, i.e., eac user is provided wit te minimum entitements needed to perform er/is task (Aveksa 27). To ensure te rue of east priviege, an access contro system must be customized and dynamicay managed incuding five components request, approve, administer, enforce and monitor. Specificay a user requests an entitement; te owner (typicay te business owner of te data) examines te request and ten approves or rejects it; te administrator modifies te user s entitements; te user accesses te resource and te system ogs 2 An entitement is a resource tat a person is autorized to access in a certain way; for exampe, opening case fies migt be an entitement for appication X. In practice, entitement, priviege and permission are used intercangeaby. 3

4 te user s activities; and te auditor examines te ogs and evauates users activities. Figure sows te access governance system wit te rue of east priviege. Figure. Access Governance System wit te Rue of Least Priviege To enforce te rue of east priviege, empoyees accesses must be continuay updated and audited to remain in syncronization wit te canging organization. In arge organizations wit tousands of users interacting wit tousands of different appications and data sources, eac aving many eves of priviege, te assignment and maintenance of access are daunting. Te rue of east access is aso imiting in many situations were it is difficut to foresee a information needs in advance. For exampe, in a ospita setting, emergencies arise were attending pysicians may find temseves caring for anoter doctor s patient. In te increasingy dynamic environment, organizations frequenty face unanticipated situations and ave to adjust teir organizationa structures and personne to adapt te consumers needs. Rigid access contro deays an organization s response to te canging markets, resuting in missed opportunities or degraded service quaity. In current practice, fexibiity of access governance is sometimes acieved by overentitement. In a fied study of an investment bank, we found tat 5-9% of empoyees are overentited. Tis 4

5 outcome is rationaized by te argument tat ong-term empoyees are vauabe and need quick access to information to create vaue for te firm. But, as te empoyees are permanenty overentited, tey become arger security risks to te organization because teir accesses coud be used maiciousy or accidentay. Wie te maicious insiders make te eadines (Joy 28), in many cases, benign overentited empoyees pose a muc arger risk to temseves and te organization because of secondary vunerabiities ike te oss of a aptop wit sensitive data or because a maicious acker coud gain access to substantia firm information troug a singe overentited account. In an increasingy dynamic word, information governance must be fexibe, yet secure. In tis paper, we define access governance as an integrated system incuding poicies, contros, incentives, and processes tat manage user access to information resources. Te goa of suc access governance is to ensure te information systems to deiver te rigt information to te rigt peope at te rigt time, but aso protect te information from misuse, incuding security and privacy vioations. To acieve fexibiity, we consider a different approac were empoyees are aowed to escaate into controed data and appications wen needed. Tis aows one-time access witout any time-deaying approva process. In fact, we ave witnessed cases were escaation is used to sove a faiure of traditiona access contro system. For exampe, te investment banking sector refers to suc an approac as override (Rissanen et a. 24), and te eat care sector refers to it as break gass (Ferreira et a. 26). Escaation potentiay breeds significant security risks since empoyees may abuse teir abiity to access information. For exampe, accessing 5

6 information not for business reasons but rater for persona benefit. To mitigate te associated security risks, te escaation activities are ater audited, and empoyees found to be abusing teir accesses are penaized. Auditing (or monitoring) wit vioation penaties ave been impemented by firms seeking to drive desired beavior from empoyees or partners wit respect to financia reporting, contract and reguation compiance. For exampe, Inte issues speeding tickets to empoyees tat vioate information security poicies. In addition to penaties, we aso consider te possibiity tat te firm uses rewards to motivate empoyees. In tis paper, we design an access governance poicy wit escaation options wic coupes escaation accesses wit rewards, audit and vioation penaties. We use a game-teoretic mode to anayze te empoyees incentives and te firm s poicy design probem. Te resuts sow tat a propery designed governance poicy coud provide te desired access fexibiity wit a significant eve of contro. Figure 2 sows te information governance system wit escaation. 6

7 Figure 2. Access Governance System wit Escaation Of course, escaation must be confined to cases were te risk of faiure or te cost of recovery is reativey ow compared to te cost of not granting access (e.g., te potentia vaue created troug escaation). It may not be suited to some financia or trading systems were tere is significant risk of massive fraud. Rater it is usefu in cases were tere are sma risks or were te potentia vaue of business opportunities is very ig. For exampe, escaation is very effective in situations were emergency access may save someone s ife, or in a time-critica system were te person wit te necessary privieges may be unavaiabe (Povey 2). Te paper is organized as foows. In Section 2, we review te reated iterature. In Section 3 and Section 4, we outine te mode and anayze te game. We capture te important caracteristics of te optima access governance poicy wit escaation options. Finay we concude wit impementation guidance in Section Reated Literature Te tecnoogica aspect of impementing escaation in access contro as been studied in computer science iterature. Povey (2) broady discussed an optimistic access contro sceme wit escaation and deveoped a forma mode to ensure te integrity of computer systems incuding accountabiity, auditabiity and recoverabiity. Rissanen et a. (24) empasized te importance of audit and manua recovery in providing overriding of access contro. Ferreira et a. (26) described te design and initia impementation of a Break-Te-Gass poicy in a virtua Eectronic Medica Record system. Our paper focuses on te economic aspect of te access 7

8 governance wit escaation and uses a principa and agent setting to study te poicy design probem. Principe and agent modes ave been examined in a variety of contexts (e.g. Ante and Eppen 985; Arrow 985; Baiman 99; Harris and Raviv 979; Harris et a. 982; Homstrom 979; Save 979, etc.). Our paper cosey reates to a arge stream of iterature wic studies te audit poicy in te principa and agent framework (Baron and Besanko 984; Dye 986; Harris and Raviv 996; Kim and Su 992; Townsend 979). Townsend (979) was one of te first modes to examine te costy verification. Dye (986) sowed tat optima monitoring poicies are deterministic and ower-taied. Kim and Su (992) aso focused on te deterministic monitoring poicy in wic te optima investment in audit tecnoogy is endogenousy determined. Tey found te ower-taied poicy is one of te specia cases. Baron (984) investigated te random audit poicy in a reguatory pricing probem. Firms are privatey informed about teir cost functions and required to report tem to te reguator. Baron (984) found tat te optima audit poicy incudes terms tat firms may be penaized even toug tey report teir best knowedge because of ex post uncertainty. And Harris and Raviv (996) expored te random audit poicy in te capita budgeting process and identified cases of overinvestment as we as underinvestment. In our paper, we caracterize te optima audit sceme wic eps te firm acieve a significant eve of fexibiity at some expense of security risks. 8

9 3. Mode We consider te case were users gain access to data and appications troug a system empoying access contro. We focus on te firm s optima strategy in cases were tere are ony a few, discrete situations were empoyees may need more access for exampe, wen teir boss is on vacation. In tose situations, firms may aow empoyees to escaate access but ten audit teir actions (at a cost) afterward and penaize empoyees for misuse or reward for vaue generation. We mode te coection of appications and data as measured on a continuous scae of information, wit eac priviege weigted to refect te amount and sensitivity of te data. Based on vaue generated by an empoyee and te associated information risk, te firm assigns te empoyee a reguar access eve to perform routine tasks. Periodicay empoyees may face an opportunity to create more vaue by accessing information beyond er/is reguar access. We assume tat wit probabiity π ( or π ), an empoyee wi observe suc an opportunity wit ig (or ow) revenue potentia; wit probabiity π = π π, s/e does not observe any opportunity. We refer to tese situations as te ig state, denoted as θ, ow state θ and reguar state θ. We assumeθ > θ > θ =. We use a to denote te access eve. Te firm aows empoyees to escaate teir access eves temporariy to seize te business opportunities. Te net revenue from a business opportunity is determined by θ ( i,, i = ) and te empoyee s escaated access eve a, i.e., U( θ, a) i. Access contro, wie 9

10 providing a measure of security, restricts empoyees fexibiity to monetize te business opportunities. Terefore te more access rigts an empoyee as, te more ikey tat s/e creates vaue for te firm. We assume tat U(, a) θ is an increasing and concave function of a. U > i and U a. Tis is a reasonabe assumption as increased avaiabiity of information can increase revenue generating potentia, but is eventuay imited by te ski and knowedge of te empoyee. Te impact of fexibiity on firm revenue is more significant wen te firm observes a iger revenue potentia tan wen it observes a ower revenue potentia. Terefore, we assume tat te margina revenue of te information access in a iger state is arger tan tat in a ower state, U θ a >. Figure 3 sows an exampe of te firm s revenue functions from emergent opportunities in tree states. a Figure 3. Firm s Revenue Functions in Tree States Te firm bears costs associated wit te escaation access eve of C( a ) incuding additiona security risks and routine tecnica support required to prudenty maintain tat access. C( a ) is

11 an increasing and convex function. C a > and C a >. Tis we-modes te case were providing far too muc access can eventuay resut in severe consequences (risks and cost to mitigate risk). To mitigate risk of unnecessary escaation, te firm contros te escaation fexibiity and audits eac instance of escaation. In particuar, te firm offers tree escaation options, { a a a }, corresponding to te states { },, te escaation access eve a i wen te state θ i arises. θ,, θ θ and motivates empoyees to coose Empoyees derive some private benefit by accessing information and data and prefer iger access eves to ower ones. Suc "snooping" vaue is not uncommon - we ave witnessed cases in eat care, providers may examine te records of a patient for er/is own benefit. Te empoyee's private benefit from escaation is u( a ). u( a ) is an increasing and concave function. u > and u. Since some empoyees may take advantage of te fexibiity and not coose a a te rigt escaation options (coosing a i in te state θ j, j i ), te firm audits te instances of escaation at a cost and penaizes te escaation misuse. It is assumed tat te firm can detect misuse wit probabiity p by investing D( p ) in te audit capabiity. Te audit spending incudes iring auditors, tracking escaation instances, and verifying te business opportunities by communicating wit te manager or coworkers of te empoyees. We refer to p as te audit precision. D p is an increasing and convex function. D > and D >. Te empoyee wi be penaized at te eve of F if s/e is detected to misrepresent te state tat s/e observes. We assume tat te maxima vioation penaty is F. Witout oss of generaity, we assume tat if an empoyee coice is consistent wit te state (coosing a i in te state θ i ), tere is no audit error, p p

12 i.e., p =. In addition to audit and penaties, te firm may reward empoyees for coosing te rigt escaation options. w i is used to denote te reward based on te escaation options te empoyee cooses. Te audit precision, penaty and reward can be contingent on empoyees coices. Te firm maximizes its expected profit by designing an access governance poicy wit escaation options {( ai, wi, pi, Fi) i,, } =. Te sequence of events is sowed in Figure 4. We use one empoyee as an exampe. At stage, te firm announces its access governance poicy wit escaation options; At stage 2, an empoyee observes te state and ten cooses an escaation option; Finay, te firm audits te escaation instance, rewarding or penaizing te empoyee according to te announced access governance poicy. Figure 4. Te Sequence of Events Te empoyee's expected payoff, denoted by Π empoyee, can be represented by 2

13 wi + u ai if s/e cooses ai wen θ= θi Π empoyee = i, j =,, pf i i + pi wi + u ai if s/e cooses ai wen θ= θ j, j i Te firm s expected profit is (, ) E U θ a C a D p w i i i i i. Let firm expected profit obtained by te foowing optimization probem. ( θ ) Π = max E U, a C a D p w firm ai, wi, Fi, p i i i i i i st.. w + u( a) p F + p w + u( a ), j i, if θ = θ (IC) i i j j j j j i w + u( a ) (IR) w i i i, a, p, F F, i =,, i i i Π be te maximum were (IC) are te empoyee s incentive constraints and (IR) are te empoyee s individua rationaity constraints. 4. Anaysis and Resuts To gain manageria insigt, we anayze te foowing (tractabe) functiona forms. We assume tat te firm s revenue function is inear, ( θ ) U i, a = θia, ( i =,, ) were θi represents te firm s margina revenue of information access. Te empoyee s private benefit function is aso inear, u( a) = ba were b is te empoyee s margina private benefit of information access. Te assumption of inear revenue and private benefit functions does not resut in any oss of generaity because te firm can aways redefine te map between te coection of appications and data and te continuous scae of information, and transform te reationsip between te benefit and information access to a inear one. We assume te cost functions are quadratic, 2 C a = 2 sa, s >. Besides te frequent use of convex cost functions in te iterature (e.g., 3

14 Kannan and Teang 25; Krisnan and Zu 26; Motta 993), quadratic cost functions nicey capture te iger security risks associated wit iger access as we as te cost of additiona IT 2 resources for maintaining access. Simiary, te audit cost function is refects te increasing difficuty of improving te audit precision. D p = 2 tp, t >, wic 4. Bencmark Case We first consider a bencmark case were tere is no information asymmetry between te firm and empoyees. Te firm can directy observe te states (i.e. an opportunity wit ig revenue potentia, an opportunity wit ow revenue potentia, or no business opportunity) and assign te access eves to empoyees. In tis case te firm does not need to impement any incentive sceme (neiter reward nor penaty). Te firm s optimization probem can be represented by Π = max E θ a sa 2 optima 2 ai, i=,, i i i Te optima access eve is given by a = θ ( i =,, ). Wen te firm observes a business i s i opportunity wit ig revenue potentia, it wi assign θ to te empoyee; wen it observes an opportunity wit ow revenue potentia, it wi assign θ to te empoyee; oterwise, it wi not assign any additiona access to te empoyee. Te firm s optima profit is s s 2 2 Π optima = 2s π θ + πθ. 4

15 4.2 Asymmetric Information Wen tere is information asymmetry between te firm and empoyees, te firm wi design te escaation options in a way tat te empoyee wi coose te rigt option in eac state, i.e. te empoyee wi coose a i if te state is θ i. Terefore, te empoyee's incentive constraints are as foows. Hig state: ( ) w + ba pf + p w + ba IC HL w + ba pf + p w + ba IC H Low state: ( ) w + ba pf + p w + ba IC LH w + ba pf + p w + ba IC L Reguar state: w + ba pf + p w + ba IC H w + ba pf + p w + ba IC L Te first (or second) group of incentive constraints is for empoyees wo observe business opportunities wit ig (or ow) revenue potentia. Te tird group of incentive constraints is for empoyees wo do not observe any business opportunity. Presumaby, if empoyees do not observe any business opportunity, te firm soud not aow tem to escaate, i.e. a =. We do not impose tis constraint in order to identify a better soution wic gives te firm a iger profit. Propery designed escaation options wi induce empoyees to coose te rigt escaation eves and ence discose teir observations. We focus on te case were p =. Tat is, if an empoyee cooses te option a and s/e caims tat s/e does not observe any business 5

16 opportunity, te firm does not audit suc instances. Given tat escaation is used to ande unusua situations, it is reasonabe tat te firm does not investigate te reguar states 3. We can substitute p = into (IC-H) and (IC-L) and obtain te foowing inequaities. * w + ba w + ba IC H * w + ba w + ba IC L It is easy to find tat (IC-HL), (IC-LH) and (IR) are not binding. For exampe (IC-HL) is impied by (IC-H*) and (IC-L).Te firm s optimization probem can be simpified as ( a ) ( ) ( 2sa 2tp w a 2sa 2tp w 2sa w) Π = max π θ + π θ + π firm a, w, p, F a, w, p, F a, w st w ba w ba *.. + (IC-H ) w + ba w ba + ba * (IC-L ) w + ba + p F p w ba (IC-H) w + pf p w ba (IC-L) w, w, w, a, a, a, p, p, F, F F () Proposition : If te firm detects tat an empoyee misrepresents er/is observation, te firm wi penaize er/im to te maxima eve. i.e., F = F = F. (See Appendix for a proofs.) 3 In practice, periodica entitement reviews may be conducted to examine empoyees reguar access rigts and en sure tat empoyees ave te adequate access rigts to accompis teir tasks. 6

17 Te audit and associated vioation penaties deter empoyees from mirepresenting te business opportunities tey observe. Since te firm does not incur any cost by penaizing empoyees after it detects misuse, it aways penaizes tem to te maxima eve to reduce te audit spending. Proposition 2 caracterizes te escaation options wen te penaty can be extremey ars, i.e. F. Proposition 2: If F approaces infinity, te firm ony offers two options, {( ai, wi, pi, F) i, } =. In particuar, a = θ, a = θ, w = w =, p = p = ε. And te 2 2 firm can acieve te optima profit, 2s ( π θ πθ ) s +. s If te firm can render extreme penaties, for detected misuse, empoyees ave no incentive to misrepresent teir observations even toug tere is ony a sigt cance of being detected. Te firm does not need to offer any additiona information access to empoyees wo do not observe any business opportunity. Te firm can design te escaation options wit a very ow audit precision and no reward. However, an infinite penaty is impossibe to impement, e.g., te firm cannot take an empoyee s ife. Next we consider te situation tat tere is an upper bound for te penaty. To avoid trivia cases, we assume tat te difference between θ and θ is greater tan b π, i.e. b < π θ θ, and tat te audit is so costy tat it is aways not optima for te firm to invest to acieve audit precision of p =. Proposition 3 caracterizes te escaation options. 7

18 Proposition 3: Te optima soutions of te optimization probem () are {( ai, wi, pi, Fi) i,, } =, w =, π = were a s ( θ π b) p = F, F π tπ = F, a = ( θ + b), s p =, 2 b π ( 2 2 w = sb + s θ θ stπ sf + tb ), a s b =, 2 b π w ( 2 2 sb sθ stπ sf tb ) = + +, p =, F F,, F 4. () Information access: te access eve for te business opportunity wit ig revenue potentia is ower tan te optima eve in te bencmark case (underentitement); and te access eves for te ow revenue potentia and no business opportunity are iger tan te optima ones (overentitement). (2) Audit: te firm audits te escaation instances wit iger precision if te empoyees coose a iger escaation eve tan it does if te empoyees coose a ower escaation eve. (3) Reward: Te firm does not reward empoyees wo coose te igest escaation eve but rewards empoyees wo coose te oter two escaation eves. Te game as separating equiibria in wic te firm offers te escaation options as proposition 3 presents and empoyees coose different escaation eves for different states. Te access eves, rewards, audit and vioation penaties togeter motivate empoyees to escaate information access wen necessary witout te ong-term security risks of overentitement. Te 4 Since F and F can be any vaue in te range of, F, te probem as infinite optima soutions. However, F and F do not matter because of p = p =. We can regard tis probem as a unique optima soution. 8

19 access eves in te escaation options in te asymmetric information case deviate from te optima ones in te bencmark case. Te firm designs te escaation options in tis way to save spending in audit capabiity and empoyee rewards. Consequenty, it forgoes some revenue troug underentitement and vountariy bears extra costs troug overentitement. It is counterintuitive tat te firm maximizes its profit by aowing empoyees wo do not observe any business opportunity to access extra information. It is wort remarking tat designing escaation options wit no escaation in te reguar state is feasibe (by soving te optimization probem () wit an additiona constraint tat a = ). However, suc a poicy resuts in a ower profit. It must be recognized tat zero audit precision does not mean tat te firm never audits escaation instances at a. Te audit precision captures te eve of additiona time and effort by te firm in investigating te escaation instances compared to reguar information access services. Te firm soud pay additiona attention to te instances of ig escaation eve and ande oter escaation instances as te reguar services suc as granting reguar information access. From te empoyees perspective, te empoyees wo observe ig revenue potentia obtain a ig information access and generate ig private benefit witout te risk of being penaized. Tey wi not coose oter escaation options even toug tey wi not be rewarded by te firm. Te empoyees wo observe ower revenue potentia or no business opportunity are deterred 9

20 from over-caiming teir observations by te audit possibiity and potentia penaties. Tey are aso compensated by te firm troug rewards for discosing teir observations. Te firm makes a positive profit by offering te escaation options in te asymmetric information ( π ) ( ) πθ πθ π b bπθ π bθ tπ sf tb Π firm = 2s >, wic case, justifies te provision of te escaation options. However, te firm s profit in te asymmetric information case is ower tan te optima profit in te bencmark case for tree reasons. First, te access eves in te escaation options deviate from te optima access eves in te bencmark case (overentitement or underentitement); second, te firm as to invest in audit capabiity; finay te firm sares its profit wit te empoyees troug rewards. Te profit difference between te bencmark case and asymmetric information case is te vaue of information, i.e. ow muc te firm is wiing to pay to observe te business opportunities ex ante. 2 ( π ) ( ) π b π bθ π bθ tπ sf tb ΔΠ = Πoptima Π firm = 2s >. Proposition 4 summarizes some comparative statics. Proposition 4: Te vaue of information is increasing in θ, b and t and decreasing in θ and s. Te vaue of information is iger wen it is more costy for te firm to motivate empoyees to discose teir observations. Wen te margina revenue of information access in te ig state is iger, te difference between te escaation access for te ig state and tat for te oter two states is arger. Empoyees observing ow business opportunities or no business opportunity are 2

21 more ikey to ceat. Te firm needs to reward more and/or audit wit iger precision to prevent suc beavior. Wen te margina revenue of information access in te ow state is iger, te escaation access for te ow state is coser to tat for te ig state. Empoyees ave ess incentives to pretend to ave observed a ig business opportunity. Consequenty, te vaue of information is ower. Te iger margina private benefit of information access is, te more te empoyees ave incentives to ceat. Te firm as to distort te escaation access more and offer iger reward to drive empoyees to report trut, resuting in iger costs. Terefore, te vaue of information increases. On te cost side, iger audit cost reduces te firm s capabiity to detect ceating beavior, wic makes te information more vauabe. Te cost of security risks, on te oter and, reduces te vaue of information. Te increase of security risks associated wit additiona information access owers te firm s wiingness to offer iger escaation accesses. Terefore, te differences between te information accesses for different states are owers, wic reduces empoyees incentives to ceat and makes it easy for te firm to motivate empoyees. 5. Concusion Using game-teoretic anaysis, we ave sown ow te firm can encourage vaue creation troug fexibe access governance, wie controing information misuse. By propery designing te access governance wit escaation options, te firm seizes every business opportunity 2

22 witout bearing significant security risks. Escaation eves, rewards, audit and vioation penaties togeter provide empoyees wit incentives to escaate teir information accesses to te appropriate eves. Our anaysis provides many interesting insigts into te impementation caenges of access governance wit escaation.. Te firm soud consider providing empoyees wit more information access in escaation options tan stricty needed because of information asymmetry. Suc a strategy is optima in tat te firm can take advantage of te empoyees private benefit to save audit expenditure and rewards. Te proposed sceme does not impy tat te firm soud offer tree escaation options, wit empoyees escaating no matter weter tere is a business opportunity or not. Te firm can set two options instead of tree, assigning te escaation eve wit additiona access in pace of te reguar eve (and tus freeing tem from escaating from time to time wen tere is no business opportunity). 2. Contros are critica for te successfu impementation of te escaation sceme. Escaation must be done witin te aowabe zone dictated by reguatory requirements. Some data or appications cannot be made avaiabe troug an escaation sceme. By providing options wit predefined access eves, te firm contros te imit for escaation. 3. Audit quaity is an important eement of our governance sceme. Witout te abiity to catc ceaters (i.e. te audit cost is extremey ig), firms are better-off moving towards a more traditiona rigid roe-based access approac. Escaation must be done in a way tat provides an audit trai, incuding records of wo requested it, wen, wat data was accessed, and wat vaue was created (e.g., te type of transaction being performed) (Rissanen et a., 24). Neverteess, perfect monitoring is tecnoogicay caenging or financiay undesirabe in 22

23 most cases. Tis study provides managers guidance on baancing te audit expenditure and te security risks. 4. Penaty instruments need not be monetary or be directy evied against te empoyees. For exampe, operationa penaties coud be very effective, suc as mandatory attendance at compiance training for vioators or requiring empoyees to fie reports for te iegitimate escaation. We ave aso observed cases were te security fines were evied against te empoyees manager, igigting te manager s responsibiity for training. 5. Te firm needs to know empoyees private benefit to propery design te escaation options. It is important for te firm to earn empoyees caracteristics over time or troug oter approaces, and ony grant escaation fexibiity to known empoyees. 6. Te vaue of te access governance system wit escaation options aso incudes te possibiity tat te firm earns te dynamics of te business environment from empoyees. Sometime te firm is unaware of potentia business opportunities simpy because empoyees forwent tem. Te escaation sceme creates an impicit communicate canne between te firm and empoyees. It is aso possibe for te firm to spot trends tat coud identify a potentiay maicious insider. Finay, it can be very epfu in estabising reguar access eves and understanding ow empoyees roes cange over time (sometimes referred to as roe drift). By observing empoyees needs over time, te firm can adjust teir reguar accesses accordingy. 23

24 Appendix Proof of Proposition Proof: Since arger F and F make (IC-H) and (IC-L) easier to od and F and F do not appear in te firm s expected profit function, te firm maximizes its profit by imposing te maxima eve of penaty. Proof of Proposition 2 Proof: If F, (IC-H) and (IC-L) are not binding if p = p >. Te optimization probem can be simpified as ( a ) ( ) ( 2sa 2tp w a 2sa 2tp w 2sa w) Π = max π θ + π θ + π firm a, w, p a, w, p a, w st w ba w ba *.. + (IC-H ) w + ba w ba w, w, w, a, a, a, < p, p * (IC-L ) Smaer a and w make te (IC-H * ) and (IC-L * ) easy to od and increase te firm s expected profit, te firm wi set a = w =. (IC-H * ) and (IC-L * ) are not binding. Te firm s optimization probem can be furter simpified as ( a ) ( 2sa 2tp w a 2sa 2tp w ) Π = max π θ + π θ firm a, w, p a, w, p st.. w, w, a, a, < p, p 24

25 We can obtain a = θ, a = θ, w = w =. Since te penaty is effective ony if misuse can s s be detected, te firm as to audit escaation instances. p = p = ε. Te firm s profit approaces 2s ( π θ πθ ) Proof of Proposition 3 Proof: Te Lagrangian of te firm s optimization probem can be represented as ( 2 2 ) ( ) ( ) L = π θ a sa tp w + π θ a sa tp w + π sa w ( w ba w ba ) λ ( w ba w ba ) λ + λ ( w ba pf p w ba) ( w ba pf ( p) w ba) + λ FOC w.r.t. FOC w.r.t. a : π ( θ sa ) λb λ3b = p : π( tp) + λ3 ( F + w) = FOC w.r.t. w : π λ λ ( p ) + = 3 FOC w.r.t. FOC w.r.t. a : π ( θ sa ) + λ2b λ4b = p : π( tp) + λ4 ( F + w) = FOC w.r.t. w : π λ λ ( p ) + = 2 4 FOC w.r.t. FOC w.r.t. a : π λ λ λ λ sa b 2b + 3b + 4b = w : π λ λ + λ + λ = λ w + ba w ba =, λ, w + ba w ba 25

26 λ w + ba w ba =, λ, w + ba w ba 2 2 ( ) λ λ w + ba + p F p w ba =,, w + ba + p F p w ba 3 3 ( ) λ λ w + ba + p F p w ba =,, w + ba + p F p w ba 4 4 w, w, w, a, a, a, p, p = < θ, w =, π We obtain a s( θ π b) s p = F, F π tπ = F, a = ( b+ θ ) > θ, p =, s s π ( θ θ ) π w = b + sf + tb, a b 2 b 2 2 s s st do not matter. =, 2 b π w ( 2 2 sb sθ stπ sf tb ) s = + +. F and F Proof of Proposition 4 Proof: ( π ) ΔΠ = b >. θ s ( π ) 2 2 ΔΠ t = F >. 2 2t π 2 ( π ) (( ) ( ) b π b) ( ) s π b ΔΠ = π θ π πθ = π θ πθ. b s π = + >, b π ( θ π θ) Since π π π π Terefore, ΔΠ b >. < given te assumption b π ( θ θ ) <. ΔΠ = π b <. θ s 2 2 ( π ) 2 ( ( π ) bθ ( π ) b bπθ ) π b ΔΠ = 2 2 < s 2 2s 26

27 References Ante, R. and Eppen, G. D. Capita Rationing and Organizationa Sack in Capita Budgeting, Management Science (3:2), 985, pp Arrow, K. J. Te Economics of Agency, in Principas and Agents: Te Structure of Business, Pratt, J.E., Zeckauser, R.J and Arrow, K.J. (eds.) Harvard Business Scoo Press, Boston, MA. 985, pp Aveksa. Enterprise Roes-based Access Governance, Tecnica Report, Wite Paper, 27. Baiman, S. Agency Researc in Manageria Accounting: A Second Look, Accounting Organizations and Society (5:4), 99, pp Baker, N. R. and Freeand, J. R. Structuring Information Fow to Enance Innovation, Management Science (9:) Teory Series, 972, pp Baron, D. P. and Besanko, D. Reguation, Asymmetric Information, and Auditing, Te RAND Journa of Economics (5:4), 984, pp Dye, R. A. Optima Monitoring Poicies in Agencies, Te RAND Journa of Economics (7:3), 986, pp Ferreira, A., Cruz-Correia, R., Antunes, L., Farina, P., Oiveira-Paares, E., Cadwick, D., and Costa-Pereira, A. How to Break Access Contro in a Controed Manner, in Proceedings of te 9t IEEE Symposium on Computer-Based Medica Systems (CBMS'6), 26, pp Harris, M., Kriebe, C., and Raviv, A. Asymmetric Information, Incentives and Intrafirm Resource Aocation, Management Science (28:6), 986, pp

28 Harris, M. and Raviv, A. Optima Incentive Contracts wit Imperfect Information, Journa of Economic Teory (2), 979, pp Harris, M. and Raviv, A. Te Capita Budgeting Process: Incentives and Information, Journa of Finance (5:4), 996, pp Homstrom, B. Mora Hazard and Observabiity, Be Journa of Economics (:), 979, pp Joy, D. Fraud Costs Frenc Bank $7. Biion, New York Times, 28. Kannan, K. and Teang, R. Market for Software Vunerabiities? Tink Again, Management Science (5:5), 25, pp Kim, S. K. and Su, Y. S. Conditiona Monitoring Poicy Under Mora Hazard, Management Science (38:8), 992, pp Krisnan, V. and Zu, W. Designing a Famiy of Deveopment Intensive Products, Management Science (52:6), 26, pp Lee, H. L., So, K. C., and Tang, C. S. Te Vaue of Information Saring in a Two-eve Suppy Cain, Management Science (46:5), 2, pp Motta, M. Endogenous Quaity Coice: Price vs. Quantity Competition, Journa of Industry Economics (4:2), 993, pp Povey, D. Optimistic Security: a New Access Contro Paradigm, In Proceedings of te 999 Worksop on New Security Paradigms, ACM Press, 2, pp Ratnam, S., Maajan, V., and Winston, A. B. Faciitating Coordination in Customer Support Teams: A Framework and Its Impications for te Design of Information Tecnoogy, Management Science (4:2), 995, pp

29 Rissanen, E., Firozabadi, S. B., and Sergot, M. Towards a Mecanism for Discretionary Overriding of Access Contro, In Proceedings of te 2t Internationa Worksop on Security Protocos, Cambridge, 24. Save, S. Risk Saring and Incentives in te Principa and Agent Reationsip, Be Journa of Economics (:), pp Townsend, R. M. Optima Contracts and Competitive Markets wit Costy State Verification, Journa of Economy Teory (2:2), 979, pp Tsai, W. Knowedge Transfer in Intraorganizationa Networks: Effects of Network Position and Absorptive Capacity on Business Unit Innovation and Performance, Te Academy of Management Journa (44:5), 2, pp von Hippe, E. Sticky Information and te Locus of Probem Soving: Impications for Innovation, Management Science (4:4), pp