Journal Article. DOI: 10.1016/J.ESWA.2015.03.033
Game of information security investment
TL;DR: The paper demonstrates that the optimal security investment level of an interconnected firm against targeted attacks differs from that against opportunistic attacks, and shows that not all information security risks are worth fighting against.
Highlights:
We model an interconnected firm's security investment against two attack types.
A high network vulnerability spurs firms to invest less in information security.
Liability and security information sharing can motivate firms to invest in security.
Both incentives can improve firms' security level and decrease firms' total costs.
Both incentives can be extended to the case of three or more firms.

Abstract: The level of firms' information security investment has recently become a critical issue in the management of IT infrastructure. Prior studies have not considered attack types and the interconnection of firms simultaneously when investigating the optimisation of such investment. Using game theory, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks differs from that against opportunistic attacks. Our model shows that not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. Firms should increase investment with intrinsic vulnerability when facing targeted attacks, but focus on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. In the absence of economic incentives, firms are unwilling to invest in security and often offload reliability problems onto others as the trusted interdependence relationship becomes tighter. We therefore discuss two economic incentives to motivate firms: liability and security information sharing. We find that if the rules are set properly, both incentives are effective not only in internalising the negative externality and improving a firm's security level, but also in reducing the total expected cost. We show that firms' optimal investments under liability always increase with the number of firms, whereas the optimal investments under security information sharing increase only when the number of firms is large enough.
These insights draw attention to the many trade-offs firms often face and to the importance of accurately assessing a firm's security environment. Future research directions are discussed based on the limitations and possible extensions of this study.
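Two of the abstract's claims (investment should not scale proportionately with the potential loss, and the optimal spend can be concentrated on systems of midrange vulnerability) are visible already in the single-firm Gordon-Loeb model that the paper builds on (first entry under References). The script below is an added illustration and is not the paper's model or code: it takes the two breach-probability families from Gordon and Loeb, solves the first-order condition for the optimal investment z*, and cross-checks the closed forms with a grid search. The parameters alpha, beta and L are constructed, and pairing the class I family with "targeted" and the class II family with "opportunistic" attacks is an assumption made here for illustration; which function the paper itself assigns to each attack type is not stated on this page.

```python
"""
Optimal security investment in the Gordon-Loeb model (Gordon & Loeb,
first entry in the references). Constructed illustration of the
abstract's claims; not the paper's own model or code.

Notation:
  v  intrinsic vulnerability: breach probability with zero investment, 0 < v < 1
  L  potential loss if a breach occurs
  z  security investment (same monetary unit as L)
  S(z, v)  breach probability after investing z
The firm picks z >= 0 to maximise ENBIS(z) = (v - S(z, v)) * L - z,
equivalently to minimise the expected cost S(z, v) * L + z.
Default alpha/beta values below are constructed for the example.
"""
import math


def breach_prob_class1(z, v, alpha=4e-6, beta=1.0):
    """Gordon-Loeb class I family: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def breach_prob_class2(z, v, alpha=4e-6):
    """Gordon-Loeb class II family: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def optimal_z_class1(v, L, alpha=4e-6, beta=1.0):
    """Closed-form maximiser of ENBIS for class I (ENBIS is concave in z).
    First-order condition: alpha*beta*v*L / (alpha*z + 1)**(beta + 1) = 1."""
    root = (alpha * beta * v * L) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def optimal_z_class2(v, L, alpha=4e-6):
    """Closed-form maximiser of ENBIS for class II (ENBIS is concave in z).
    First-order condition: alpha*L*v**(alpha*z + 1)*ln(1/v) = 1, hence
    alpha*z + 1 = ln(alpha*L*ln(1/v)) / ln(1/v); a negative z means 'do not invest'."""
    if not 0.0 < v < 1.0:
        return 0.0
    w = math.log(1.0 / v)
    inner = alpha * L * w
    if inner <= 1.0:            # ln(inner) <= 0: no positive z satisfies the FOC
        return 0.0
    return max(0.0, (math.log(inner) / w - 1.0) / alpha)


def optimal_z_numeric(breach_prob, v, L, z_max, steps=200_000):
    """Grid search over z in [0, z_max]; independent check of the closed forms."""
    best_z, best_val = 0.0, (v - breach_prob(0.0, v)) * L
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = (v - breach_prob(z, v)) * L - z
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def gordon_loeb_bound(v, L):
    """Gordon-Loeb's upper bound: for both families the optimal z never exceeds v*L/e."""
    return v * L / math.e


def investment_share(L, v=0.5):
    """z*/L for class II: the optimal spend as a fraction of the potential loss."""
    return optimal_z_class2(v, L) / L


def investment_table(L=1_000_000.0, vs=(0.1, 0.3, 0.5, 0.6, 0.7, 0.9)):
    """Rows of (v, z* for class I, z* for class II) at a fixed potential loss L."""
    return [(v, optimal_z_class1(v, L), optimal_z_class2(v, L)) for v in vs]


if __name__ == "__main__":
    print("   v   z*(class I)  z*(class II)      vL/e")
    for v, z1, z2 in investment_table():
        print(f"{v:4.1f}  {z1:11,.0f}  {z2:12,.0f}  {gordon_loeb_bound(v, 1e6):9,.0f}")
    # Share of the loss spent on security: zero below a threshold, then a
    # falling fraction of L, i.e. never simply proportional to L.
    for L in (5e5, 1e6, 1e7, 1e8):
        print(f"L={L:>12,.0f}  class II z*/L = {investment_share(L):.3f}")
```

With the constructed parameters, class I investment rises monotonically with v (spend more on the more vulnerable system), while class II investment is zero for v below about 0.1 and above about 0.7 and peaks in between: the very robust systems are not worth hardening, and the very weak ones are cheaper to leave exposed than to fix, which is the midrange pattern the abstract describes. The last loop shows the class II spend as a share of L moving from 0 at L = 500,000 to about 12% at one million and under 2% at one hundred million; increasing investment in proportion to the loss would overspend at the high end. Every z* also stays under the Gordon-Loeb v*L/e ceiling.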
Citations
Cybersecurity investments in a two-echelon supply chain with third-party risk propagation
Yanhui Li, Lu Xu and one other author
TL;DR: A game-theoretic model is proposed to investigate cybersecurity investments with third-party risk propagation in a two-echelon supply chain consisting of one retailer and n suppliers. The results indicate that joint decision-making and security risk compensation perform better than security information sharing at stimulating firms' investments and reducing expected costs, both individually and collectively.
Information sharing vs. privacy
TL;DR: A differential game model is proposed in which a linear fusion model characterises the growth of knowledge via the ISAC. The Nash equilibrium of the game is derived, including the optimised values of security investment and the thresholds of data sharing given the price of privacy.
Online masquerade detection resistant to mimicry
TL;DR: A novel detection method robust against mimicry-based evasion strategies is presented. It shows high precision against conventional masqueraders and a success rate of 80.2% when identifying mimicry attacks, outperforming the best contributions in the literature.
Decision making in information security outsourcing: Impact of complementary and substitutable firms
TL;DR: A contract-theory model is constructed to investigate how a Managed Security Service Provider's (MSSP's) operating characteristics of cost efficiency, multiple clients and security externality, together with the nature of the firms' information, affect the MSSP's strategic decisions, including the contract structure and the optimal investment level for firms.
A new game of information sharing and security investment between two allied firms
TL;DR: The theoretical analysis shows that firms’ strategies can achieve global optimality in the totally centralised decision model and proposes two compensation mechanisms to help firms coordinate their strategies when making decisions individually.
References
The Economics of Information Security Investment
Lawrence A. Gordon, Martin P. Loeb and one other author
01 Jan 2004
TL;DR: An economic model is presented that determines the optimal amount to invest to protect a given set of information, taking into account the vulnerability of the information to a security breach and the potential loss should such a breach occur.
The Economics of Information Security
Ross Anderson, Tyler Moore and one other author
TL;DR: The economics of information security has recently become a thriving and fast-moving discipline and provides valuable insights into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.
Effective IS Security: An Empirical Study
TL;DR: Investigation of whether a management decision to invest in IS security results in more effective control of computer abuse indicates that security countermeasures that include deterrent administrative procedures and preventive security software will result in significantly lower computer abuse.
System Reliability and Free Riding
Hal R. Varian
01 Jan 2004
TL;DR: In the context of system reliability, three prototype cases are distinguished (total effort, weakest link and best shot); with purely voluntary provision of the public good, individuals tend to shirk, which yields an inefficient level of the public good.