[1] Pan Chongxia, Zhong Weijun, Mei Shue,. Investment strategy analysis of information system securityin consideration of attackers [J]. Journal of Southeast University (English Edition), 2017, 33 (3): 377-381. [doi:10.3969/j.issn.1003-7985.2017.03.019]

Copy

Investment strategy analysis of information system securityin consideration of attackers()

考虑黑客攻击下的信息系统安全投资策略分析

Share：

Journal of Southeast University (English Edition)[ISSN:1003-7985/CN:32-1325/N]

Volumn:

33

Issue:

2017 3

Page:

377-381

Research Field:

Computer Science and Engineering

Publishing date:

2017-09-30

Info

Title:

Investment strategy analysis of information system securityin consideration of attackers

考虑黑客攻击下的信息系统安全投资策略分析

Author(s):

Pan Chongxia;  Zhong Weijun;  Mei Shu’e

School of Economics and Management, Southeast University, Nanjing 211189, China

潘崇霞;  仲伟俊;  梅姝娥

东南大学经济管理学院, 南京 211189

Keywords:

information security economics;  information security investment;  investment strategy;  game theory

信息安全经济学;  信息安全投资;  投资策略;  博弈论

PACS:

TP309

DOI:

10.3969/j.issn.1003-7985.2017.03.019

Abstract:

In order to solve the problem of how a firm makes an optimal choice in developing information systems when faced with the following three modes: development by its own efforts, outsourcing them to a managed security service provider(MSSP)and cooperating with the MSSP, the firm’s optimal investment strategies are discussed by modeling and analyzing the maximum expected utility in the above cases under the condition that the firm plays games with an attacker. The results show that the best choice for a firm is determined by the reasonable range of the cooperative development coefficient and applicable conditions. When the cooperative development coefficient is large, it is more rational for the firm to cooperate with the MSSP to develop the information system. When the cooperative development coefficient is small, it is more rational for the firm to develop the information system by its own efforts. It also shows that the attacker’s maximum expected utility increases with the increase in the attacker’s breach probability and cost coefficient when the cooperative development coefficient is small. On the contrary, it decreases when the cooperative development coefficient is large.

为解决企业面对自主研发、把信息安全完全外包给安全服务外包提供商MSSP和企业与MSSP合作共同开发3种模式下如何作出最优选择问题, 在考虑企业与黑客博弈的情况下, 通过对企业期望效用的建模与分析对企业在3种情况下的最优安全投资策略进行了讨论.结论表明, 企业的最优选择取决于合作开发系数的取值范围及其适用条件.当合作开发系数较高时, 企业与MSSP合作开发更为理性;当合作开发系数较低时, 企业选择自主研发更为理性.当企业与MSSP的合作开发系数较小时, 黑客的最大期望效用随着入侵概率与成本系数的增大而增大, 而在当企业与MSSP的合作开发系数较大时则相反.

References:

[1] Gordon L A, Loeb M P. The economics of information security investment[J]. ACM Transactions on Information and System Security, 2002, 5(4):438-457. DOI:10.1145/581271.581274.
[2] Cavusoglu H, Raghunathan S, Yue W T. Decision-theoretic and game-theoretic approaches to it security investment[J]. Journal of Management Information Systems, 2008, 25(2):281-304. DOI:10.2753/MIS0742-1222250211.
[3] Gao X, Zhong W J, Mei S E. Information security investment when hackers disseminate knowledge[J]. Decision Analysis, 2013, 10(4): 352-368. DOI:10.1287/deca.2013.0278.
[4] Gao X, Zhong W J, Mei S E. A differential game approach to information security investment under hackers’ knowledge dissemination[J]. Operations Research Letters, 2013, 41(5): 421-425. DOI:10.1016/j.orl.2013.05.002.
[5] Gao X, Zhong W J, Mei S E. A game-theoretic analysis of information sharing and security investment for complementary firms[J]. Journal of the Operational Research Society, 2014, 65(11): 1682-1691. DOI:10.1057/jors.2013.133.
[6] Gao X, Zhong W J. Information security investment for competitive firms with hacker behavior and security requirements[J]. Annals of Operations Research, 2015, 235(1): 277-300. DOI:10.1007/s10479-015-1925-2.
[7] Huang C D, Hu Q, Behara R S. An economic analysis of the optimal information security investment in the case of a risk-averse firms[J]. International Journal of Production Economics, 2008, 114(2):793-804. DOI:10.1016/j.ijpe.2008.04.002.
[8] Elitzur R, Gavious A, Wensley A K P. Information systems outsourcing projects as a double moral hazard problem[J]. Omega, 2012, 40(3): 379-389. DOI:10.1016/j.omega.2011.06.005.
[9] Lee C H, Geng X, Raghunathan S. Contracting information security in the presence of double moral hazard[J]. Information Systems Research, 2013, 24(2): 295-311. DOI:10.1287/isre.1120.0447.
[10] Hui K L, Hui W, Yue W T. Information security outsourcing with system interdependency and mandatory security requirement[J]. Journal of Management Information Systems, 2012, 29(3): 117-156. DOI:10.1287/isre.1120.0447.

Memo

Memo:

Biographies: Pan Chongxia(1977—), female, graduate; Zhong Weijun(corresponding author), male, doctor, professor, zhongweijun@seu.edu.cn.
Foundation item: The National Natural Science Foundation of China(No.71371050).
Citation: Pan Chongxia, Zhong Weijun, Mei Shu’e. Investment strategy analysis of information system security in consideration of attackers[J].Journal of Southeast University(English Edition), 2017, 33(3):377-381.DOI:10.3969/j.issn.1003-7985.2017.03.019.

Common functions