Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints

Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints

0.00 Avg rating0 Votes
Article ID: iaor20127965
Volume: 141
Issue: 1
Start Page Number: 255
End Page Number: 268
Publication Date: Jan 2013
Journal: International Journal of Production Economics
Authors: ,
Keywords: information, security, combinatorial optimization
Abstract:

In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and derives the breach probability functions based on the theory of scale‐free networks. The relationships among the major variables, such as network exposure, potential loss due to a security breach, investment effectiveness, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited information security budget to defend against two classes of security attacks (targeted and opportunistic) concurrently. Among the results of these analyses, we find that a firm with a limited security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, we find that managers should focus the security investment on preventing targeted attacks when the information systems are highly connected and relatively open and when the potential loss is large relative to the security budget.

Reviews

Required fields are marked *. Your email address will not be published.