nach oben

Information Systems Frontiers

Erschienen in:

25.04.2018

Interdependency Analysis in Security Investment against Strategic Attacks

verfasst von: Mansooreh Ezhei, Behrouz Tork Ladani

Erschienen in: Information Systems Frontiers | Ausgabe 1/2020

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Information security investment is of high importance in management of IT infrastructure. There are many researches focused on game theoretical modeling and analysis of security investment of interdependent firms against potential security attacks. However, these studies usually are not concerned with dynamic and strategic nature of attacks which are increasingly important features of today’s cyber systems. Strategic attackers are those who are able to substitute their investments among targets over time by shifting investments towards poorly protected targets in order to obtain more potential financial gains. In this paper we try to analyze the effects of interdependency in security investment of firms against strategic attackers. Note that although there are a limited number of works that consider the strategic nature of attack, they model the defenders as a set of isolated nodes. Hence the positive externality caused by interconnection of the firms is not considered in these models. We consider both the attackers’ actual strategic behaviors (that causes negative externality via the possibility of substituting the target) as well as structural effects of the networked firms (that leads to positive externality via attack propagation). We propose a differential game among the networked firms in which attackers act strategically. In the proposed game, by employing a linear substitution model for characterizing the process of target selection by the attacker, the open-loop Nash solutions are highlighted in an analytical form. The analytical results show how interconnectivity between firms and the strategic behavior of the attacker determines the firms’ incentives for security investment. It is shown that overinvestment or underinvestment could occur depending on the degree of interdependency among the given firms. Accordingly we designed mechanisms to encourage the firms to invest at a socially optimal level. The achieved results in this paper helps security designers to better formulate their policies in tackling strategic attackers.

Vorheriger Artikel Breaking the Privacy Kill Chain: Protecting Individual and Group Privacy Online

Nächster Artikel Determinants of Intention to Participate in Corporate BYOD-Programs: The Case of Digital Natives

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

Amin, S., Schwartz, G. A., & Sastry, S. S. (2013). Security of interdependent and identical networked control systems. Automatica, 49, 186–192.CrossRef

Bagchi, K., & Udo, G. (2003). An analysis of the growth of computer and internet security breaches. Communications of the Association for Information Systems, 12, 46.CrossRef

Bhatt, S. C., & Pant, D. (2011). Cyber crime in India. International Journal of Advanced Research in Computer Science, 2.

Böhme, R. (2012). Security audits revisited. In Financial cryptography and data security (pp. 129–147). Springer.

Camp, L. J., & Wolfram, C. (2000). Pricing security. In Proceedings of the CERT information survivability workshop (pp. 31–39).

Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25, 281–304.CrossRef

Ezhei, M., & Tork Ladani, B. (2017). Information sharing vs. privacy: A game theoretic analysis. Expert Systems with Applications, 88, 327–337.CrossRef

Fang, F., Parameswaran, M., Zhao, X., & Whinston, A. B. (2014). An economic mechanism to manage operational security risks for inter-organizational information systems. Information Systems Frontiers, 16, 399–416.CrossRef

Gao, X., Zhong, W., & Mei, S. (2013). Information security investment when hackers disseminate knowledge. Decision Analysis, 10, 352–368.CrossRef

Geer, D., Bace, R., Gutmann, P., Metzger, P., Pfleeger, C., Querterman, J., et al. (2003). Cyberinsecurity: The cost of monopoly how the dominance of microsoft’s products poses a risk to security. In Computer & Communications Industry Association Report.

Gordon, L. A., & Loeb, M. P. (2004). The economics of information security investment. In Economics of information security (pp. 105–125). Springer.

Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22, 461–485.CrossRef

Guan, P., He, M., Zhuang, J., & Hora, S. C. (2017). Modeling a Multitarget attacker–defender game with budget constraints. Decision Analysis, 14, 87–107.CrossRef

Hasheminasab, S.A., & Tork Ladani,B. (2018). Security Investment in Contagious Networks. Risk Analysis.

Hausken, K. (2006). Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 8, 338–349.CrossRef

Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80, 973–993.CrossRef

Jiang, L., Anantharam, V., & Walrand, J. (2011). "How bad are selfish investments in network security?," Networking. IEEE/ACM Transactions on, 19, 549–560.CrossRef

Krebs, B. (2014). Email attack on vendor set up breach at target. Krebs on Security, February, vol., 12.

Kumar, V. A., Rajaraman, R., Sun, Z., & Sundaram, R. (2010). Existence theorems and approximation algorithms for generalized network security games. In Distributed computing systems (ICDCS), 2010 I.E. 30th international conference on (pp. 348–357).CrossRef

Laszka, A., Felegyhazi, M., & Buttyan, L. (2014). A survey of interdependent information security games. ACM Computing Surveys (CSUR), 47, 23.CrossRef

Lelarge, M. (2012). Coordination in network security games: A monotone comparative statics approach. Selected Areas in Communications, IEEE Journal on, 30, 2210–2219.CrossRef

W. Saad, T. Alpcan, T. Basar, and A. Hjorungnes, "Coalitional game theory for security risk management," in Internet monitoring and protection (ICIMP), 2010 fifth international conference on, 2010, pp. 35–40.

Schaefer, I., Rabiser, R., Clarke, D., Bettini, L., Benavides, D., Botterweck, G., Pathak, A., Trujillo, S., & Villela, K. (2012). Software diversity: State of the art and perspectives. International Journal on Software Tools for Technology Transfer, 14, 477–495.CrossRef

Theodorakopoulos, G., Le Boudec, J.-Y., & Baras, J. S. (2013). "Selfish response to epidemic propagation," Automatic Control. IEEE Transactions on, 58, 363–376.

Wu, Y., Feng, G., & Fung, R. Y. (2017). Comparison of information security decisions under different security and business environments. Journal of the Operational Research Society, 1–15.

Zhao, X., Xue, L., & Whinston, A. B. (2013). Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30, 123–152.CrossRef

Titel: Interdependency Analysis in Security Investment against Strategic Attacks
verfasst von: Mansooreh Ezhei
Behrouz Tork Ladani
Publikationsdatum: 25.04.2018
Verlag: Springer US
Erschienen in: Information Systems Frontiers / Ausgabe 1/2020
Print ISSN: 1387-3326
Elektronische ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-018-9845-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2020

Making Open Data more Personal Through a Social Value Perspective: a Methodological Approach

Dissatisfaction, Disconfirmation, and Distrust: an Empirical Examination of Value Co-Destruction through Negative Electronic Word-of-Mouth (eWOM)

Examining the Role of Tie Strength in Users’ Continuance Intention of Second-Generation Mobile Instant Messaging Services

U.S. Healthcare Provider Capabilities and Performance: the Mediating Roles of Service Innovation and Quality

Analyzing Cryptocurrencies

Ubiquitous Computing Capabilities and User-System Interaction Readiness: An Activity Perspective

Premium Partner