
[1] Pan Chongxia, Zhong Weijun, Mei Shu’e. Investment strategy analysis of information system security in consideration of attackers [J]. Journal of Southeast University (English Edition), 2017, 33 (3): 377-381. [doi:10.3969/j.issn.1003-7985.2017.03.019]

Investment strategy analysis of information system security in consideration of attackers

Journal of Southeast University (English Edition)[ISSN:1003-7985/CN:32-1325/N]

Volume:
33
Issue:
2017 3
Page:
377-381
Research Field:
Computer Science and Engineering
Publishing date:
2017-09-30

Info

Title:
Investment strategy analysis of information system security in consideration of attackers
Author(s):
Pan Chongxia, Zhong Weijun, Mei Shu’e
School of Economics and Management, Southeast University, Nanjing 211189, China
Keywords:
information security economics; information security investment; investment strategy; game theory
PACS:
TP309
DOI:
10.3969/j.issn.1003-7985.2017.03.019
Abstract:
To determine how a firm should choose among three modes of developing its information systems, namely development by its own efforts, outsourcing to a managed security service provider (MSSP), and cooperating with the MSSP, the firm’s optimal investment strategies are discussed by modeling and analyzing the maximum expected utility in each of these cases under the condition that the firm plays a game with an attacker. The results show that the best choice for a firm is determined by the reasonable range of the cooperative development coefficient and applicable conditions. When the cooperative development coefficient is large, it is more rational for the firm to cooperate with the MSSP to develop the information system. When the cooperative development coefficient is small, it is more rational for the firm to develop the information system by its own efforts. The results also show that the attacker’s maximum expected utility increases with the increase in the attacker’s breach probability and cost coefficient when the cooperative development coefficient is small. On the contrary, it decreases when the cooperative development coefficient is large.

Memo

Memo:
Biographies: Pan Chongxia (1977-), female, graduate; Zhong Weijun (corresponding author), male, doctor, professor, zhongweijun@seu.edu.cn.
Foundation item: The National Natural Science Foundation of China (No. 71371050).
Citation: Pan Chongxia, Zhong Weijun, Mei Shu’e. Investment strategy analysis of information system security in consideration of attackers[J]. Journal of Southeast University (English Edition), 2017, 33(3): 377-381. DOI:10.3969/j.issn.1003-7985.2017.03.019.
Last Update: 2017-09-20