RESEARCH ARTICLE

CORRELATED FAILURES, DIVERSIFICATION, AND INFORMATION SECURITY RISK MANAGEMENT

Pei-yu Chen
Department of Management Information Systems, Fox School of Business and Management, Temple University, 1801 N. Broad Street, Philadelphia, PA 19122 U.S.A. {pychen@temple.edu}

Gaurav Kataria
Booz & Co., 127 Public Square, Suite 5300, Cleveland, OH 44114 U.S.A. {[email protected]om}

Ramayya Krishnan
School of Information Systems and Management, The Heinz College, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213 U.S.A. {[email protected]}

Abstract

The increasing dependence on information networks for business operations has focused managerial attention on managing the risks posed by failure of these networks. In this paper, we develop models to assess the risk that attacks exploiting software vulnerabilities pose to the availability of an information network. Software vulnerabilities arise from the software installed on the nodes of the network. When the same software stack is installed on multiple nodes, those nodes share its vulnerabilities. A single exploit can therefore cause the correlated failure of multiple nodes, which results in longer repair times and a greater loss of network availability. Considering positive network effects (e.g., compatibility) alone, without taking the risk of correlated failure and the resulting downtime into account, would lead to overinvestment in homogeneous software deployment. Exploiting characteristics unique to information networks, we present a queuing model that allows us to quantify the downtime loss faced by a firm as a function of (1) investment in security technologies to avert attacks, (2) software diversification to limit the risk of correlated failure under attack, and (3) investment in IT resources to repair failures due to attacks.
The novelty of this method is that we endogenize the failure distribution and the node correlation distribution, and show how the diversification strategy and other security measures and investments may impact these two distributions, which in turn determine the security loss faced by the firm. We analyze and discuss the effectiveness of a diversification strategy under different operating conditions and in the presence of changing vulnerabilities. We also take into account the benefits and costs of a diversification strategy. Our analysis provides the conditions under which a diversification strategy is advantageous.

Keywords: Security, diversification, downtime loss, software allocation, network effects, risk management, correlated failures

1 H. Raghav Rao was the accepting senior editor for this paper. Ram Gopal served as the associate editor. The appendix for this paper is located in the "Online Supplements" section of the MIS Quarterly's website (http://www.misq.org).

MIS Quarterly Vol. 35 No. 2 pp. 397-422/June 2011
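The mechanism the abstract describes, in which one exploited vulnerability takes down every node sharing a software stack and a finite repair capacity then stretches the outage, can be made concrete with a small toy model. The code below is an added illustration written for this page; it is not the authors' queuing model and does not reproduce their endogenized failure and correlation distributions. Everything in it is an assumption chosen for illustration: repairs are first-in-first-out across a fixed number of parallel crews with a fixed repair time per node, each distinct stack is exploited independently at the same constant rate (so adding stacks adds attack surface), and the cost of forgoing network effects is a flat charge per additional stack. The function and parameter names are hypothetical.

```python
"""Toy model (added illustration, not the paper's queuing model) of correlated
failure under a shared software stack versus a diversified deployment, with a
finite repair capacity. All parameters are assumptions chosen for illustration."""

from typing import List


def repair_downtime(failed: int, crews: int, repair_time: float) -> float:
    """Total node-hours lost when `failed` nodes go down at the same instant and
    are restored FIFO by `crews` parallel repair crews, each needing `repair_time`
    hours per node. Node i waits for i // crews earlier batches before its own
    repair starts, so downtime grows faster than linearly in `failed` once a
    queue forms (failed > crews). That superlinearity is the correlated-failure
    penalty of a homogeneous deployment."""
    return sum(repair_time * (i // crews + 1) for i in range(failed))


def split_nodes(n: int, stacks: int) -> List[int]:
    """Allocate n nodes across `stacks` distinct software stacks as evenly as
    possible; each entry is the number of nodes sharing one stack."""
    base, extra = divmod(n, stacks)
    return [base + (1 if i < extra else 0) for i in range(stacks)]


def expected_downtime(allocation: List[int], crews: int, repair_time: float,
                      attack_rate: float) -> float:
    """Expected node-hours of downtime per hour. Assumption: each stack is
    exploited independently at `attack_rate` successful attacks per hour, and one
    success takes down every node that shares the vulnerable stack."""
    return sum(attack_rate * repair_downtime(m, crews, repair_time)
               for m in allocation if m > 0)


def total_loss(n: int, stacks: int, crews: int, repair_time: float,
               attack_rate: float, stack_cost: float) -> float:
    """Downtime loss plus an assumed linear cost of forgoing network effects:
    each stack beyond the first costs `stack_cost` per hour (lost compatibility,
    extra licensing and training, and so on)."""
    downtime = expected_downtime(split_nodes(n, stacks), crews, repair_time, attack_rate)
    return downtime + (stacks - 1) * stack_cost


def best_diversification(n: int, crews: int, repair_time: float,
                         attack_rate: float, stack_cost: float) -> int:
    """Number of distinct stacks (1..n) that minimises total_loss; ties go to
    the smaller (more homogeneous) deployment."""
    return min(range(1, n + 1),
               key=lambda k: total_loss(n, k, crews, repair_time, attack_rate, stack_cost))


if __name__ == "__main__":
    # Constructed scenario: 12 nodes, 2 repair crews, 1 hour per repair,
    # 0.1 successful attacks per stack per hour, 0.5/hour per extra stack.
    N, CREWS, R, RATE, COST = 12, 2, 1.0, 0.1, 0.5
    for k in (1, 2, 3, 4, 6, 12):
        alloc = split_nodes(N, k)
        print(f"{k:2d} stacks {alloc}: downtime/h = "
              f"{expected_downtime(alloc, CREWS, R, RATE):.2f}, "
              f"total loss/h = {total_loss(N, k, CREWS, R, RATE, COST):.2f}")
    print("best number of stacks with 2 crews:", best_diversification(N, CREWS, R, RATE, COST))
    # With enough crews to repair every node at once the queue never forms, so
    # diversification no longer reduces downtime and each extra stack is pure cost:
    # investment in repair capacity (the abstract's lever 3) substitutes for it.
    print("best number of stacks with 12 crews:", best_diversification(N, 12, R, RATE, COST))
```

With the constructed parameters, one exploit against a single shared stack costs 42 node-hours (the last pair of nodes waits six repair rounds), whereas two stacks of six nodes cost 12 node-hours each, so even though the two-stack deployment is attacked twice as often its expected downtime is lower. The optimum is interior (three stacks here) because each extra stack adds attack surface and network-effect cost while the queuing penalty it removes shrinks; and once repair capacity is ample the benefit disappears entirely, matching the abstract's point that diversification pays only under some operating conditions.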