
[1] Gu Jianqiang, Mei Shu’e, Zhong Weijun. Optimization and coordination model of information system security investment for interdependent risk [J]. Journal of Southeast University (English Edition), 2015, 31 (2): 288-293. [doi:10.3969/j.issn.1003-7985.2015.02.023]

Optimization and coordination model of information system security investment for interdependent risk
Coordination and optimization model of information system security investment under interdependent risk

Journal of Southeast University (English Edition) [ISSN: 1003-7985 / CN: 32-1325/N]

Volume:
31
Issue:
2015 2
Page:
288-293
Research Field:
Computer Science and Engineering
Publishing date:
2015-06-20

Info

Title:
Optimization and coordination model of information system security investment for interdependent risk
Coordination and optimization model of information system security investment under interdependent risk
Author(s):
Gu Jianqiang Mei Shu’e Zhong Weijun
School of Economics and Management, Southeast University, Nanjing 211189, China
顾建强 梅姝娥 仲伟俊
School of Economics and Management, Southeast University, Nanjing 211189
Keywords:
interdependent risk; cyber security insurance; self-protection; coordination
interdependent risk; cyber security insurance; self-protection; cooperative coordination
PACS:
TP309
DOI:
10.3969/j.issn.1003-7985.2015.02.023
Abstract:
The impact of risk correlation on firms’ investments in information system security is studied using quantitative models that combine ideas from risk management theory and game theory. The equilibrium levels of self-protection and insurance coverage under the non-cooperative condition are compared with the socially optimal solutions, and the associated coordination mechanisms are proposed. The results show that self-protection investment increases in response to an increase in potential loss when the interdependent risk is small; the interdependent risk of security investments often induces firms to underinvest in security relative to the socially efficient level, because they ignore the marginal external costs or benefits conferred on others. A subsidy on self-protection investment from the government can help coordinate a firm’s risk management decision and thereby improve the individual security level and overall social welfare.
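Combining risk management theory and game theory, quantitative models are used to study the impact of risk correlation on firms’ information system security investment. By comparing the levels of self-protection investment and cyber security insurance under the non-cooperative game with those under the social optimum, corresponding coordination mechanisms are proposed. The results show that when the interdependent risk is very small, the level of self-protection investment rises as the potential security loss increases; when investing in information system security, firms tend to ignore the marginal external costs or benefits they impose on other firms, and this negative externality causes both self-protection investment and cyber security insurance to fall below the socially optimal level. By subsidizing firms’ self-protection investment, the government can to some extent coordinate firms’ risk management decisions, thereby improving firms’ security levels and effectively raising social welfare.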


Memo

Memo:
Biographies: Gu Jianqiang(1979—), male, graduate; Mei Shu’e(corresponding author), female, doctor, professor, meishue@seu.edu.cn.
Foundation item: The National Natural Science Foundation of China(No.71071033).
Citation: Gu Jianqiang, Mei Shu’e, Zhong Weijun. Optimization and coordination model of information system security investment for interdependent risk[J].Journal of Southeast University(English Edition), 2015, 31(2):288-293.[doi:10.3969/j.issn.1003-7985.2015.02.023]
Last Update: 2015-06-20