Regulatory Influence and the Imperative of Innovation in Identity and Access Management

Lara Khansa (Virginia Polytechnic Institute and State University, USA) and Divakaran Liginlal (Carnegie Mellon University, USA)
Copyright: © 2012 | Pages: 20
DOI: 10.4018/irmj.2012070104


In an effort to protect end users from identity theft, policy makers have enacted numerous regulations that require organizations to acquire identity and access management (IAM) technologies. In this paper, the authors develop and validate a conceptual framework that captures the unique characteristics of information security regulations and their impact on demand for IAM technologies, and the innovation and market value of IAM firms. Using paired two-sample for means t-tests and the Chow test, the authors demonstrate that the annual changes in sales of IAM firms from 1998 to 2008 are higher than those of other information technology (IT) firms around the time that information security regulations were enacted. The vector autoregression analyses show that IAM innovation is demand-driven, consistent with Schmookler’s “demand-pull” hypothesis, and has been positively valued by stock market investors. As such, our results demonstrate how policy makers can stimulate innovation and increase shareholder wealth by regulating IT consumers.
Article Preview


Aimed at addressing the increasing threat of cyber crime, information security legislation and the corresponding regulatory framework have imposed stringent requirements that organizations protect their customers’ identities and privacy. Unlike regulations in other industries, such as in the chemical and biotech industries, which are intended to regulate producers of the product, information security regulations are targeted at organizations where IT products are used, i.e., consumers of IT products and services. For example, hospitals are regulated by the Health Insurance Portability and Accountability Act (HIPAA) that is aimed at protecting patients’ records and securely transferring electronic healthcare information. Similarly, banks are regulated by the Gramm-Leach-Bliley Act (GLBA) that requires each financial institution to protect its customers’ nonpublic personal information. The Sarbanes-Oxley Act (SOX) also requires organizations to implement the necessary safeguards to ensure the confidentiality, integrity, and availability of their customers’ private information.

In this paper, we postulate that by targeting consumers of IT products, such as hospitals, banks, and a multitude of other organizations where IT products are used, information security regulations have driven the demand for information security products and services, and have, in turn, indirectly stimulated innovation by information security firms. We focus our study on a thriving industry segment of information security, namely identity and access management (IAM). IAM has gained prominence because of the role that IAM technologies play in facilitating the seamless access of customers, employees, and third parties to the numerous IT resources of an enterprise. The Federal Financial Institutions Examination Council (FFIEC) guidance of November 2005 specifically addresses the need for IAM by recommending that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers by using multifactor authentication, biometrics, layered security, and other reasonable controls that mitigate security risks. Although commerce using physical markets has traditionally allowed the anonymous purchase of goods and services, transactions in virtual marketplaces mandate the use of a real identity that is traceable to its owner. IAM services allow the provisioning of individualized security and access rights, based on a person's identity, and, as such, refer to the technologies, processes, policies, and supporting infrastructures necessary for the deployment, control, and maintenance of digital identities and their access to resources. A digital identity contains data that uniquely describe a person or a thing, referred to as a subject or an entity, and encompasses information about the subject’s relationships with other entities.

We propose that the recent surge in demand for IAM, while driven by information security regulations, has constituted an economic incentive for IAM firms to innovate and has, in turn, boosted the stock price of IAM firms. In an attempt to study how information security regulations are driving IAM innovation and the market value of IAM firms, we first study the change in demand for IAM products and services around the enactment of information security regulations. We then examine the relationship between demand, innovation, and market value by addressing the following research questions:

  1. How significant has the change in sales growth of IAM products been compared to other IT products around the time that information security regulations were enacted?

  2. Has this growth in sales, in turn, driven innovation on the part of IAM firms?

  3. How significantly have investors valued innovation by IAM firms?
