Productivity Space of Information Security in an Extension of the Gordon-Loeb’s InvestmentModel

Abstract

Information security engineers provide some countermeasures so that attacks will fail. This is vulnerabilityreduction. In addition, they provide other countermeasures so that attacks will not occur. This is threat reduction. In order to study how the optimal investment for information security is influenced by these reductions, this chapter introduces a productivity space of information security. In the same manner as in the Gordon-Loeb model, where vulnerability reduction is only considered, I suppose a productivity of information security characterizes economic effects of information security investment. In particular, I consider a productivity regarding threat reduction as well as a productivity regarding vulnerability reduction, and investigate a two-dimensional space formed by the two productivities. The investigation shows that the productivity space is divided into three areas: the no-investment area where both the productivities are low, the mid-vulnerability intensive area where the vulnerability reduction productivity is high but the threat reduction productivity is low, and the high-vulnerability intensive area where the threat reduction productivity is high.

Appendices

Appendix

A. Proof of Claim 1

The proof of Claim 1 goes as follows. From Eq. (7), we have

$$ \frac{{\partial z^* }}{{\partial v}} = \frac{{ - \left( {\frac{1}{v} - \frac{{\alpha / v}}{{\alpha \ln v + \beta \ln t}}} \right)(\alpha \ln v + \beta \ln t) + \left\{ {\ln (vL) + \ln ( - \alpha \ln v - \beta \ln t)} \right\}\frac{\alpha }{v}}}{{(\alpha \ln v + \beta \ln t)^2 }} $$

((13))

.

For

$$ v \in (0,1) $$

, due to the fact that α/v>0 and

$$ (\alpha \ln v + \beta \ln t)^2 > 0 $$

, the sign of Eq. (13) is given by the sign of

$$ G(v) \equiv \frac{{ - (\alpha \ln v + \beta \ln t)}}{2} + 1 + \ln (vL) + \ln ( - \alpha \ln v - \beta \ln t) $$

((14))

$$ = \frac{{ - \beta \ln t}}{\alpha } + 1 + \ln L + \ln ( - \alpha \ln v - \beta \ln t) $$

((15))

.

G(v) is monotonically decreasing for

$$ v \in (0,1) $$

. And we can see

$$ G(v) \to \infty $$

when

$$ v \to + 0 $$

. Therefore, with the help of the equivalence (12), we can see that

$$ (g(V_5 ) = 0) \wedge \left( { - V_5 \ln V_5 > \frac{{\beta \ln t}}{\alpha } \cdot V_5 + \frac{e}{{\alpha L}}} \right) $$

((16))

is a necessary condition for z ^* to take a maximum at v=V ₅ such that V ₃<V ₅<V ₄ and the point (α, β) is in the mid-vulnerabilityintensive area. However, if we assume the condition (16) is satisfied, then it brings a contradiction. In fact, from the first part of the condition (16) (i.e., G(V ₅)=0), we have

$$ - \alpha \ln V_5 - \beta \ln t = \frac{{t^{\beta / \alpha } }}{{eL}} $$

((17))

.

Regarding the second part of the condition (16), since α/V ₅>0, we have

$$ - V_5 \ln V_5 > \frac{{\beta \ln t}}{\alpha } \cdot V_5 + \frac{e}{{\alpha L}} \Leftrightarrow - \alpha \ln V_5 - \beta \ln t > \frac{e}{{LV_5 }} $$

((18))

.

Using Eq. (17) and Eq. (18), we have

$$ \frac{{t^{\beta / \alpha } }}{{eL}} > \frac{e}{{LV_5 }} $$

. That is,

$$ t^{\beta / \alpha } > \frac{{e^5 }}{{V_5 }} $$

((19))

.

Since

$$ 0 \leq t \leq 1 $$

tells

$$ t^{\beta / \alpha } \leq 1 $$

and 0<V ₅<1 tells

$$ \frac{{e^2 }}{{V_5 }} > 1 $$

, the inequality (19) is a contradiction. Thus Claim 1 is proved.

B. List of Abbreviations

For the readers’ convenience, this appendix shows the following list of abbreviations used in this article:

• DoS: Denial-of-Service.

• ENBIS: Expected net benefits from an investment in information security.

• GL model: Gordon-Loeb model.

• ISP: Internet service provider.

• POW: Proof-of-Work.

• SBP function: Security breach probability function.

STP function: Security threat probability function.