
Wade Baker
Assistant Professor of Business Information Technology · Virginia Tech · Business Information Technology
Active 1951–2022
About
Professor Wade Baker is a faculty member at Virginia Tech's Business Information Technology department within the Pamplin College of Business. His research actively engages in the study of security and privacy issues facing businesses and society. His work includes examining how GDPR consent requirements influence business performance, how the presentation of consent choices affects privacy decisions, and the effectiveness of security fear appeals when they interrupt tasks. Additionally, he researches multilevel privacy decision-making and predicts users' susceptibility to phishing attacks. Beyond security and privacy, Professor Baker's research extends to health information technology and service operations for social good. This includes exploring how information technology can improve health outcomes by understanding responses to fitness technologies like Fitbit, enhancing women’s health in developing countries through IT, optimizing asset positioning in disaster situations, and partnering resource-limited populations with medical legal assistance. He also conducts research on artificial intelligence, machine learning, and deep learning applications to solve business and societal problems, such as analyzing customer agility through text analytics, mining user-generated content for product defects, and predicting financial performance by analyzing news articles.
Research topics
- Computer Science
- Risk analysis (engineering)
- Computer Security
- Business
- Psychology
- Knowledge management
- Marketing
- Finance
Selected publications
Cybersecurity in Supply Chains: Quantifying Risk
Journal of Computer Information Systems · 2022 · 10 citations
- Computer Science
- Business
- Risk analysis (engineering)
Sharing information in a supply chain can bring benefits to many, if not all, members of the chain; however, the impact of information sharing and information technology (IT) implementation on supply chain risk is not well understood. Reports from corporate board meetings indicate that while concern is expressed over such risk, there are no accepted principles or best practices for quantification of supply chain risk. To increase understanding of cybersecurity risk in supply chains from a more grounded quantitative perspective, we identify four different ways an organization in a chain can be attacked as well as the principal factors putting that firm at risk to each of the four types of attack. Using data from detailed forensic analyses of approximately 2000 companies and/or organizations that experienced attacks, we answer fundamental, data-driven questions both external and internal to a firm belonging to a supply chain.
Improving vulnerability remediation through better exploit prediction
Journal of Cybersecurity · 2020 · 97 citations
Senior author · Corresponding
- Computer Science
- Computer Security
- Computer Science
Despite significant innovations in IT security products and research over the past 20 years, the information security field is still immature and struggling. Practitioners lack the ability to properly assess cyber risk, and decision-makers continue to be paralyzed by vulnerability scanners that overload their staff with mountains of scan results. In order to cope, firms prioritize vulnerability remediation using crude heuristics and limited data, though they are still too often breached by known vulnerabilities for which patches have existed for months or years. And so, the key challenge firms face is trying to identify a remediation strategy that best balances two competing forces. On one hand, it could attempt to patch all vulnerabilities on its network. While this would provide the greatest ‘coverage’ of vulnerabilities patched, it would inefficiently consume resources by fixing low-risk vulnerabilities. On the other hand, patching a few high-risk vulnerabilities would be highly ‘efficient’, but may leave the firm exposed to many other high-risk vulnerabilities. Using a large collection of multiple datasets together with machine learning techniques, we construct a series of vulnerability remediation strategies and compare how each performs in regard to trading off coverage and efficiency. We expand and improve upon the small body of literature that uses predictions of ‘published exploits’, by instead using ‘exploits in the wild’ as our outcome variable. We implement the machine learning models by classifying vulnerabilities according to high- and low-risk, where we consider high-risk vulnerabilities to be those that have been exploited in actual firm networks.
Toward a Decision Support System for Measuring and Managing Cybersecurity Risk in Supply Chains
VTechWorks (Virginia Tech) · 2017-04-03 · 1 citation
dissertation · Open access · 1st author · Corresponding
Much of the confusion about the effectiveness of information security programs concerns not only how to measure, but also what to measure — an issue of equivocality. Thus, to lower uncertainty for improved decision-making, it is first essential to reduce equivocality by defining, expanding, and clarifying risk factors so that metrics, the "necessary measures," can be unambiguously applied. We formulate a system that (1) allows threats to be accurately measured and tracked, (2) enables the impacts and costs of successful threats to be determined, and (3) aids in evaluating the effectiveness and return on investment of countermeasures. We then examine the quality of controls implemented to mitigate cyber risk and study how effectively they reduce the likelihood of security incidents. Improved control quality was shown to reduce the likelihood of security incidents, yet the results indicate that investing in maximum quality is not necessarily the most efficient use of resources. The next manuscript expands the discussion of cyber risk management beyond single organizations by surveying perceptions and experiences of risk factors related to 3rd parties. To validate and these findings, we undertake an in-depth investigation of nearly 1000 real-world data breaches occurring over a ten-year period. It provides a robust data model and rich database required by a decision support system for cyber risk in the extended enterprise. To our knowledge, it is the most comprehensive field study ever conducted on the subject. Finally, we incorporate these insights, data, and factors into a simulation model that enables us to study the transfer of cyber risk across different supply chain configurations and draw important managerial implications.
The Impact of Strategic IT Partnerships on IT Security
2013-03-01
article · Senior author
Partnering is a common business practice which takes advantage of outside expertise and allows companies to focus efforts on their core competencies. A key component of partner coordination is information sharing. Whether a partner is a traditional partner such as a supply vendor, where the firms use information technology (IT) as a facilitator for information sharing, or an IT partner to which an organization outsources certain IT functions, IT allows partners to open information borders to each other. While beneficial in many ways, this sharing also creates security vulnerabilities which should not be ignored. In this study, we examine forensic accounts of numerous past security incidents in an effort to learn more about the impact of partner relationships on security risk, and to suggest factors which may be indicators of increased risk.
A NOTE ON QUESTIONNAIRE DEVELOPMENT PROCEDURES
2012-01-01
article
Although principal investigators (PI) have a variety of design techniques for strengthening the validity of questionnaires, they often lack the tools for interactive judgmental processing needed to verify the logical design relationships between questions that they used in designing the questionnaire. To facilitate this verification process, we use the PI's judgment of what constitutes a logical response mismatch between questions as the catalyst for investigation that often leads to questionnaire redesign. Such logical response mismatches often occur when questions are mistakenly placed within opposing linguistic contextual spaces or simply do not clearly express the intended meaning—i.e., a lack of clarity. We present two simple techniques useful in identifying such mismatches and offer heuristics that may be used to rationalize taking corrective questionnaire redesign actions. We also provide a decision support system (DSS) based on a VBA-Excel macro that facilitates identifying such mismatches. The DSS is available upon request.
Decision support for Cybersecurity risk planning
Decision Support Systems · 2011-02-24 · 124 citations
article · Senior author
Assessing the information technology security risk in medical supply chains
International Journal of Electronic Marketing and Retailing · 2010-01-01 · 8 citations
article · Senior author
Many medical organisations around the world have connected themselves in supply chains, and are exploring the strategic utilisation of information technology (IT) throughout their chains to improve their overall efficiency and effectiveness. Although these efforts may reduce health costs, both the current status of IT security risk and the potential consequences of interconnectedness are largely unknown. This research examines medical supply chain risk exposure. In particular, data from six pharmaceutical companies and eight healthcare organisations is combined with input from security experts to determine the current degree of IT security risk. In addition, we examine an optimal strategy to reduce overall risk and the amount of supply chain risk due to partnering. We find, for the surveyed organisations, a dramatic under-deployment of controls, resulting in huge risk exposure.
PERCEPTION AND REALITY: AN INTROSPECTIVE STUDY ON SUPPLY CHAIN INFORMATION SECURITY RISK
Issues in Information Systems · 2008-01-01 · 3 citations
article · Open access
The collaborative nature of supply chains has exposed firms to a variety of security risks. With information technology (IT) as the cornerstone to integration, this exposure can be passed throughout all levels of business. Unfortunately, the role one plays in the supply chain may affect an internalized view of their firm's current security position, both in terms of what is being done and what should be done to limit risk exposure.
Information Security Risk in the E-Supply Chain
IGI Global eBooks · 2007-01-01 · 8 citations
book-chapter · 1st author · Corresponding
Collaboration between supply chain partners, facilitated by integration of information flows, has created more efficient and effective networks. However, the benefits of interconnectivity are not gained without risk. Though essential to support collaboration, increased use of information technology has removed internal and external protective barriers around an organization’s assets and processes. Thus, supply chains are better able to satisfy the needs of customers while more vulnerable to an array of IT-specific risks. This chapter identifies the sources of IT threats in the supply chain, categorizes those threats, and validates them by means of a survey of 188 companies representing a range of supply chain functions. Analysis suggests that supply chain risk is affected by IT threats, and therefore the benefits of collaboration facilitated by IT integration must exceed the increase in risk due to IT security threats.
Is Information Security Under Control?: Investigating Quality in Information Security Management
IEEE Security & Privacy · 2007-01-01 · 121 citations
article · 1st author · Corresponding
Over the past decade, organizations have sought to become more efficient and productive by adopting information and communication technologies. Organizations are consequently more aware of information security risks and the need to take appropriate action. Previous studies of organizations' use of information security controls have focused on the presence or absence of controls, rather than their quality. We designed and conducted a survey as an initial step toward meeting this challenge. To do this, we benchmarked how organizations manage information security by implementing various controls. Although security surveys are nothing new, our method aims to uncover specific details of control implementation and focus on implementation quality. With a more precise understanding of current practices, information security management can begin to properly pursue effective strategies to improve quality and lower risk.
Frequent coauthors
- 6 shared
Gregory E. Smith
Roman L. Hruska U.S. Meat Animal Research Center
- 6 shared
Kevin Watson
Louisiana Tech University
- 4 shared
Jason K. Deane
Virginia Tech
- 3 shared
Loren Paul Rees
Virginia Tech
- 2 shared
John C. Tedesco
Virginia Tech
- 2 shared
Terry R. Rakes
Virginia Tech
- 2 shared
Emiley M. Baker
- 1 shared
J. A. Pokorski
Virginia Tech
Awards & honors
- Cyentia Institute (co-founded 2016)
- Advisory Boards for the RSA Conference and the FAIR Institut…