Examining the structure of security networks, that is their constituent elements, facilitates uncovering components that play key roles in how prevention is attained and therefore allows a better understanding of security networks’ prevention efforts. The current literature pays significant attention to individuals in security networks (e.g. a vendor, a competitor, an infomediary), whereby examining their actions it tries to explain collective security efforts. For example, in vulnerability disclosure networks preventing threats is achieved through referencing to vendors’ patch release time decision (Arora et al., 2010; Arora et al., 2008) or infomediaries’ profit maximization actions (Kannan & Telang, 2005; Li & Rao, 2007; Ransbotham et al.,
2012). Similarly, although information sharing and analysis center’s goal is not maximizing its own profits but increasing the network’s reliability and decreasing losses from security breaches, it still achieves this by leveraging its role in setting the optimal membership fee structure (Liu et al., 2014). Explanation is therefore achieved through focusing on individual’s actions. This study shows that how security networks achieve prevention cannot be seen resulting from individual’s actions alone. Each actor indeed had his own agenda on how prevention should be pursued but in such an interactive process it would be difficult to attribute the efforts of the network to that of one actor alone. Consensus on a prevention measure was rarely made individually. Rather it resulted collectively through negotiating solutions proposed by the network’s heterogeneous actors which by themselves (proposed solutions) were modified during the process resulting in the emergence of new solutions that did not exist before. Possible alternatives therefore do not exist in outer space and already known by actors (Arora et al., 2008) but can rather emerge throughout actors’ efforts in finding the future security path. Therefore, to explain collective security efforts it is more useful to look at social actors in security networks through their relations with each other and the external environment rather than focusing on individuals’ actions alone.
Moreover, although social actors are a key element in the structure of security networks, they offer a limited view on how these networks prevent security threats. This research identified technology and operating system (in terms of laws and regulations that govern actors’ interactions) as other critical components that can change how prevention is achieved and thus their role should not be neglected.
Of importance here is to go more in depth and beyond identification of structural components to identify their properties that influence collective security efforts. My research shows that social actors occupy different roles in the network. Similarly the novelty and newness of the technology and the complexity of the legal system makes technology and operating system (respectively) causally relevant to the network’s prevention efforts.
stabilizers, and enablers. The case further demonstrated that actors’ role is not static and that the same actor can shift between these roles in response to changing context. While Visa’s efforts in developing security standards represent its enabler role, the company acted as a stabilizer when there was confusion in the market in the 1980s over whether smart card would replace magstripe or not. Actors thus do not only shift their security position such as levels of security investments and information sharing or preference towards a certain patch disclosure policy to fit contextual conditions (Cavusoglu et al., 2007; Hausken, 2007), but also their network position. The latter reflects the dynamic nature of security networks where actors move, enter, exit, or even threaten the network. It is crucial not to neglect such changes as they can impact security path as evident in the case of credit card fraud. This can be further inferred from Cavusoglu et al. (2007) study that observed a change in optimal disclosure policies once their single-vendor model was extended to incorporate the presence of multiple vendors in the network. Hausken (2007) also notes that social planner’s interference in information sharing alliances should be carefully examined in order for it to result in collectively beneficial sharing conditions. This is because a social planner’s actions (e.g. controlling for security investment) can sometimes have a perverse effect and result in an increase in free-riding behaviour. Moreover, it is vital to recognize the heterogeneity of actors in security networks and the impact that has on security decisions. Actors in the network differ in their capabilities to accommodate solutions that lead to better security (Gal-Or & Ghose, 2005; Liu et al., 2014). Because small-size vendors need to be able to accept credit cards payment, security solutions adopted were not always the optimal ones. The fact that the network included small actors actually benefited larger ones in their negotiations and helped them in their mobilizing efforts. This runs contrary to what is frequently assumed that small actors tend to exploit larger ones (Gupta & Zhdanov, 2012).
Inherited complexity is the second property identified to be relevant to prevention efforts. It depicts how the multi-level and interrelated nature of the legal system interferes to constrain actors’ security efforts. The study illustrated how such structure created inconsistencies concerning prevention efforts between the different legal branches prolonging the prevention process as well as creating security gaps that could be exploited to conduct illegal activities. The study extends prior research that conceptualizes the impact of the regulatory environment through the actions of
regulators (e.g., Arora et al., 2010; Gal-Or & Ghose, 2005) to show the impact of the legal system as a whole in security networks prevention efforts.
Technological novelty is the final property identified that shape collective security efforts. The research findings show that the effect of new technologies can be seen in three ways. First, actors have to experiment with new technologies to gain knowledge about their feasibility and consequences to be able to draw future security path. Second, new technologies are open to multiple interpretations that create confusion over how security is best achieved. Actors thus engage in negotiations to develop shared understanding of the meaning of the technology. Third, new technologies are not always seen ambiguous but can offer business opportunities that incite competition to deliver best security solutions.