Cyber Security Investment in the Context of Disruptive Technologies: Extension of the Gordon-Loeb Model and Application to Critical Infrastructure Protection

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10242)

Abstract

We propose an extension of the Gordon-Loeb model by considering multiple periods and relaxing the assumption of a continuous security breach probability function. Such adaptations allow capturing dynamic aspects of information security investment such as the advent of a disruptive technology and its consequences. In this paper, the case of big data analytics (BDA) and its disruptive effects on information security investment is theoretically investigated. Our analysis suggests a substantive decrease in such investment due to a technological shift. While we believe this case should be generalizable across the information security milieu, we illustrate our approach in the context of critical infrastructure protection (CIP), in which security cost reduction is of primary importance since potential losses reach unaffordable dimensions. Moreover, although BDA has been considered a promising method for CIP, its concrete effects have been little discussed.

Dimitri Percia David—Short paper submitted to the 2016 CRITIS conference under topic 1: Technologies: Innovative responses for the protection of cyber-physical systems.

Notes

  1. The terms cyber security and information security are considered as synonyms and therefore substitutable in this paper.

  2. E.g. externalities arising when decisions of one party affect those of others [2].

  3. In economic terms, the notion of disruptive technology [7] refers to a radically innovative technology that significantly disrupts existing economic structures, markets and value networks, displacing established leading products and services.

  4. In this paper, the term big data refers to data whose complexity prevents it from being processed (mined, managed, queried and analyzed) through conventional data processing technologies [10, 11]. The complexity of big data is defined by three aspects: \(1^\circ \), the volume (terabytes, petabytes, or even exabytes (\(1000^{6}\) bytes)); \(2^\circ \), the velocity (referring to the fast-paced data generation); and \(3^\circ \), the variety (referring to the combination of structured and unstructured data) [10, 11]. The field of BDA is related to the extraction of value from big data – i.e., insights that are non-trivial, previously unknown, implicit and potentially useful [11]. BDA extracts patterns of actions, occurrences, and behaviors from big data by fitting statistical models on those patterns through different data mining techniques (predictive analytics, cluster analysis, association rule mining, and prescriptive analytics) [5, 12].

  5. The model description and its assumptions have been previously explained in detail by [8, 9].

  6. [8] explicitly acknowledge that they «abstract from reality and assume that postulated functions are sufficiently smooth and well behaved», thereby creating favorable conditions for applying basic differential calculus and simplifying the optimization problem of the security investment phenomenon. Although the smooth approximation of the security investment phenomenon made by [8] is a reasonable first approach for delivering insights into the problem of determining an optimal level of cyber security investment, such an approach lacks realism. As explicitly mentioned by [8] themselves: “[...] in reality, discrete investment in new security technologies is often necessary to get incremental result. Such discrete investment results in discontinuities”.

  7. The following cases illustrate this claim. In BDA, an extremely large, fast-paced and complex amount of information can be processed within significantly shortened timeframes and – once the fixed cost of the systems and algorithms for investigating threat patterns is invested – at almost zero marginal cost per additional unit of information [13]. Furthermore, the real-time analytics provided by big data algorithms are likely to neutralize any attacker’s information advantage, such that the probability of a cyber breach should be reduced. For example, an attacker can exploit zero-day vulnerabilities by knowing where to attack, while the defender does not know and hence has to protect all potential entry spots. As real-time analytics reveals both the time and the position of the attack as it happens, the defender can react precisely in the attacked spot only and thus saves any unnecessary investment in the protection of spots that are ultimately never attacked.

References

  1. Alcaraz, C., Zeadally, S.: Critical infrastructure protection: Requirements and challenges for the 21st century. Int. J. Crit. Infrastruct. Prot. 8, 53–66 (2015)

  2. Anderson, R.: Why information security is hard - an economic perspective, pp. 358–365. IEEE Comput. Soc (2001)

  3. Anderson, R., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)

  4. Anderson, R., Fuloria, S.: Security economics and critical national infrastructure. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 55–66. Springer, US (2010). https://doi.org/10.1007/978-1-4419-6967-5_4

  5. Cardenas, A.A., Manadhata, P.K., Rajan, S.P.: Big data analytics for security. IEEE Secur. Priv. 11(6), 74–76 (2013)

  6. Chen, H., Chiang, R.H., Storey, V.C.: Business intelligence and analytics: from big data to big impact. MIS Q. 36(4), 1165–1188 (2012)

  7. Christensen, C., Raynor, M.E., McDonald, R.: What Is Disruptive Innovation? Harvard Business Review, Boston (2015)

  8. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(4), 438–457 (2002)

  9. Gordon, L.A., Loeb, M.P., Lucyshyn, W., Zhou, L., et al.: Externalities and the magnitude of cyber security underinvestment by private sector firms: a modification of the Gordon-Loeb model. J. Inf. Secur. 6(01), 24 (2014)

  10. Laney, D.: 3D data management: Controlling data volume, velocity and variety. META Group Research Note 6, 70 (2001)

  11. Mahmood, T., Afzal, U.: Security analytics: big data analytics for cybersecurity: a review of trends, techniques and tools. In: 2013 2nd National Conference on Information Assurance (NCIA), pp. 129–134 (2013)

  12. Sathi, A.: Big Data Analytics: Disruptive Technologies for Changing the Game. Mc Press, Los Angeles (2012)

  13. Sowa, J.F.: Conceptual Structures: Information Processing in Mind and Machine. Addison-Wesley Pub., Reading (1983)

Corresponding author

Correspondence to Dimitri Percia David.

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Percia David, D., Keupp, M.M., Ghernaouti, S., Mermoud, A. (2017). Cyber Security Investment in the Context of Disruptive Technologies: Extension of the Gordon-Loeb Model and Application to Critical Infrastructure Protection. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2016. Lecture Notes in Computer Science, vol 10242. Springer, Cham. https://doi.org/10.1007/978-3-319-71368-7_25

  • DOI: https://doi.org/10.1007/978-3-319-71368-7_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71367-0

  • Online ISBN: 978-3-319-71368-7

  • eBook Packages: Computer Science, Computer Science (R0)
