Correlated failures, diversification, and information security risk management

Pei Yu Chen, Gaurav Kataria, Ramayya Krishnan

Research output: Contribution to journalArticlepeer-review

85 Scopus citations


The increasing dependence on information networks for business operations has focused managerial attention on managing risks posed by failure of these networks. In this paper, we develop models to assess the risk of failure on the availability of an information network due to attacks that exploit software vulnerabilities. Software vulnerabilities arise from software installed on the nodes of the network. When the same software stack is installed on multiple nodes on the network, software vulnerabilities are shared among them. These shared vulnerabilities can result in correlated failure of multiple nodes resulting in longer repair times and greater loss of availability of the network. Considering positive network effects (e.g., compatibility) alone without taking the risks of correlated failure and the resulting downtime into account would lead to overinvestment in homogeneous software deployment. Exploiting characteristics unique to information networks, we present a queuing model that allows us to quantify downtime loss faced by arm as a function of (1) investment in security technologies to avert attacks, (2) software diversification to limit the risk of correlated failure under attacks, and (3) investment in IT resources to repair failures due to attacks. The novelty of this method is that we endogenize the failure distribution and the node correlation distribution, and show how the diversification strategy and other security measures/investments may impact these two distributions, which in turn determine the security loss faced by the firm. We analyze and discuss the effectiveness of diversification strategy under different operating conditions and in the presence of changing vulnerabilities. We also take into account the benefits and costs of a diversification strategy. Our analysis provides conditions under which diversification strategy is advantageous.

Original languageEnglish (US)
Pages (from-to)397-422
Number of pages26
JournalMIS Quarterly: Management Information Systems
Issue number2
StatePublished - Jun 2011
Externally publishedYes


  • Correlated failures
  • Diversification
  • Downtime loss
  • Network effects
  • Risk management
  • Security
  • Software allocation

ASJC Scopus subject areas

  • Management Information Systems
  • Information Systems
  • Computer Science Applications
  • Information Systems and Management


Dive into the research topics of 'Correlated failures, diversification, and information security risk management'. Together they form a unique fingerprint.

Cite this