Published in: Information Systems Frontiers 2/2019

17.03.2017

Enterprise security investment through time when facing different types of vulnerabilities

Written by: Yosra Miaoui, Noureddine Boudriga


Abstract

We propose in this work to use utility theory to compute the optimal security investment over an investment horizon, considering the typologies and dynamic aspects of vulnerabilities related to the assets of a firm. A regression over 17 years of statistics available in the National Vulnerability Database is performed to predict and forecast the evolution of vulnerabilities' rates over the investment horizon. Techniques and methodologies are proposed to compute and plan investment tranches over the whole time horizon, while coping with budget constraints. An analysis is conducted to assess the variation of the optimal investments and the residual risk, taking into account the attitude of decision-makers towards risk. The obtained results show that: a) the optimal amount of investment in information security necessary to counter located attacks increases with the investment horizon for all types of vulnerabilities, but such an increase highly depends on the type of vulnerabilities affecting the firm; b) unlike for located attacks, the optimal amount of investment in information security necessary to counter distributed attacks does not always increase with the investment horizon; and c) the optimal amount to invest in security and the optimum value of the residual risk depend on the decision-maker's attitude towards security risk.

Footnotes
1. National Vulnerability Database Version 2.2, http://nvd.nist.gov/home.cfm
2. Common Vulnerability Scoring System v3.0: Specification Document, https://www.first.org/cvss/specification-document

Metadata
Title
Enterprise security investment through time when facing different types of vulnerabilities
Written by
Yosra Miaoui
Noureddine Boudriga
Publication date
17.03.2017
Publisher
Springer US
Published in
Information Systems Frontiers / Issue 2/2019
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-017-9745-3
