Game of information security investment: Impact of attack types and network vulnerability

被引:48
作者
Wu, Yong [1 ,2 ]
Feng, Gengzhong [1 ,3 ]
Wang, Nengmin [1 ,3 ]
Liang, Huigang [4 ]
机构
[1] Xi An Jiao Tong Univ, Sch Management, Xian 710049, Shaanxi, Peoples R China
[2] City Univ Hong Kong, Dept Syst Engn & Engn Management, Hong Kong, Hong Kong, Peoples R China
[3] Minist Educ Proc Control & Efficiency Engn, Key Lab, Xian 710049, Shaanxi, Peoples R China
[4] E Carolina Univ, Coll Business, Dept Management Informat Syst, Greenville, NC 27858 USA
关键词
Information security investment; Attack types; Network vulnerability; Game theory; Economic incentives; ECONOMICS; RISKS;
D O I
10.1016/j.eswa.2015.03.033
中图分类号
TP18 [人工智能理论];
学科分类号
081104 ; 0812 ; 0835 ; 1405 ;
摘要
The level of firms' information security investment has recently become a critical issue in the management of IT infrastructure. Prior studies have not considered attack types and firms interconnection simultaneously when investigating the optimisation of such investment. Using game theory, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks is different from that against opportunistic attacks. Our model shows that not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. Firms should increase investments with intrinsic vulnerability when facing target attacks, but focus on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. Firms are unwilling to invest in security and often offload reliability problems onto others when the trusted interdependence relationship becomes tighter in the absence of economic incentives. Thus we also discuss two economic incentives to motivate firms: liability and security information sharing. We find-that if the rules are set properly, both economic incentives are effective to not only internalise the negative externality and improve a firm's security level, but also reduce the total expected cost. We show that firms' optimal investments of liability always increase with the increasing number of firms, but the optimal investments on security information sharing increase only when the number of firms is large enough. These insights draw attention to many trade-offs firms often face and the importance of accurate assessment of firms' security environment. Future research directions are discussed based on the limitations and possible extensions of this study. (C) 2015 Elsevier Ltd. All rights reserved.
引用
收藏
页码:6132 / 6146
页数:15
相关论文
共 33 条
  • [1] The economics of information security
    Anderson, Ross
    Moore, Tyler
    [J]. SCIENCE, 2006, 314 (5799) : 610 - 613
  • [2] Exploring the characteristics of Internet security breaches that impact the market value of breached firms
    Andoh-Baidoo, Francis K.
    Osei-Bryson, Kweku-Muata
    [J]. EXPERT SYSTEMS WITH APPLICATIONS, 2007, 32 (03) : 703 - 725
  • [3] [Anonymous], KEY FIND GLOB STAT I
  • [4] Casey E, 2003, COMPUT FRAUD SECUR, P8, DOI 10.1016/S1361-3723(03)04010-7
  • [5] The value of intrusion detection systems in information technology security architecture
    Cavusoglu, H
    Mishra, B
    Raghunathan, S
    [J]. INFORMATION SYSTEMS RESEARCH, 2005, 16 (01) : 28 - 46
  • [6] Decision-theoretic and game-theoretic approaches to IT security investment
    Cavusoglu, Huseyin
    Raghunathan, Srinivasan
    Yue, Wei T.
    [J]. JOURNAL OF MANAGEMENT INFORMATION SYSTEMS, 2008, 25 (02) : 281 - 304
  • [7] Outsourcing Information Security: Contracting Issues and Security Implications
    Cezar, Asunur
    Cavusoglu, Huseyin
    Raghunathan, Srinivasan
    [J]. MANAGEMENT SCIENCE, 2014, 60 (03) : 638 - 657
  • [8] An economic mechanism to manage operational security risks for inter-organizational information systems
    Fang, Fang
    Parameswaran, Manoj
    Zhao, Xia
    Whinston, Andrew B.
    [J]. INFORMATION SYSTEMS FRONTIERS, 2014, 16 (03) : 399 - 416
  • [9] The economic incentives for sharing security information
    Gal-Or, E
    Ghose, A
    [J]. INFORMATION SYSTEMS RESEARCH, 2005, 16 (02) : 186 - 208
  • [10] Gates C., 2006, 5 WORKSH EC INF SEC