When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security

We study operational and managerial problems arising in the context of security monitoring where sessions, rather than raw individual events, are monitored to prevent attacks. The objective of the monitoring problem is to maximize the benefit of monitoring minus the monitoring cost. The key trade‐off in our model is that as more sessions are monitored, the attack costs should decrease. However, the monitoring cost would likely increase with the number of sessions being monitored. A key step in solving the problem is to derive the probability density of a system with n sessions being monitored with a session’s age measured as the time elapsed since it last generated a suspicious event. We next optimize the number of sessions monitored by trading off the attack cost saved with the cost of monitoring. A profiling step is added prior to monitoring and a resulting two‐dimensional optimization problem is studied. Through numerical simulation, we find that a simple size‐based policy is quite robust for a very reasonable range of values and, under typical situations, performs almost as well as the two more sophisticated policies do. Also, we find that adopting a simplified policy without using the option of managing sessions using age threshold can greatly increase the ease of finding an optimal solution, and reduce operational overhead with little performance loss compared with a policy using such an option. The insights gained from the mechanics of profiling and monitoring are leveraged to suggest a socially optimal contract for outsourcing these activities in a reward‐based contract. We also study penalty‐based contracts. Such contracts (specifically, when the penalty is levied as a percentage of the monthly service fee) do not achieve the social optimum. We show how an appropriate penalty coefficient can be chosen to implement a socially optimal penalty‐based contract. In addition, we provide a high‐level comparison between reward‐ and penalty‐based contracts. In a penalty‐based contract, the setting of the fixed payment can be challenging because it requires additional knowledge of the total expected malicious event rate, which needs to be observed through a period of no monitoring.