Introduction
Aimed at addressing the increasing threat of cyber crime, information security legislation and the corresponding regulatory framework have imposed stringent requirements that organizations protect their customers’ identities and privacy. Unlike regulations in other industries, such as the chemical and biotech industries, which are intended to regulate producers of the product, information security regulations are targeted at organizations where IT products are used, i.e., consumers of IT products and services. For example, hospitals are regulated by the Health Insurance Portability and Accountability Act (HIPAA) that is aimed at protecting patients’ records and securely transferring electronic healthcare information. Similarly, banks are regulated by the Gramm-Leach-Bliley Act (GLBA) that requires each financial institution to protect its customers’ nonpublic personal information. The Sarbanes-Oxley Act (SOX) also requires organizations to implement the necessary safeguards to ensure the confidentiality, integrity, and availability of their customers’ private information.
In this paper, we postulate that by targeting consumers of IT products, such as hospitals, banks, and a multitude of other organizations where IT products are used, information security regulations have driven the demand for information security products and services, and have, in turn, indirectly stimulated innovation by information security firms. We focus our study on a thriving industry segment of information security, namely identity and access management (IAM). IAM has gained prominence because of the role that IAM technologies play in facilitating the seamless access of customers, employees, and third parties to the numerous IT resources of an enterprise. The Federal Financial Institutions Examination Council (FFIEC) guidance of November 2005 specifically addresses the need for IAM by recommending that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers by using multifactor authentication, biometrics, layered security, and other reasonable controls that mitigate security risks. Although commerce using physical markets has traditionally allowed the anonymous purchase of goods and services, transactions in virtual marketplaces mandate the use of a real identity that is traceable to its owner. IAM services allow the provisioning of individualized security and access rights, based on a person's identity, and, as such, refer to the technologies, processes, policies, and supporting infrastructures necessary for the deployment, control, and maintenance of digital identities and their access to resources. A digital identity contains data that uniquely describe a person or a thing, referred to as a subject or an entity, and encompasses information about the subject’s relationships with other entities.
We propose that the recent surge in demand for IAM, while driven by information security regulations, has constituted an economic incentive for IAM firms to innovate and has, in turn, boosted the stock price of IAM firms. In an attempt to study how information security regulations are driving IAM innovation and the market value of IAM firms, we first study the change in demand for IAM products and services around the enactment of information security regulations. We then examine the relationship between demand, innovation, and market value by addressing the following research questions:
1. How significant has the change in sales growth of IAM products been compared to other IT products around the time that information security regulations were enacted?
2. Has this growth in sales, in turn, driven innovation on the part of IAM firms?
3. How significantly have investors valued innovation by IAM firms?