Abstract
In this work we propose using utility theory to compute the optimal security investment over an investment horizon, taking into account the typologies and the dynamic behaviour of the vulnerabilities affecting a firm's assets. A regression over 17 years of statistics available in the National Vulnerability Database is performed to predict and forecast the evolution of vulnerability rates over the investment horizon. Techniques and methodologies are proposed to compute and plan investment tranches over the whole time horizon while coping with budget constraints. An analysis is conducted to assess how the optimal investments and the residual risk vary with the decision-maker's attitude towards risk. The obtained results show that: a) the optimal amount of investment in information security needed to counter located attacks increases with the investment horizon for all types of vulnerabilities, but the size of that increase depends strongly on the type of vulnerabilities affecting the firm; b) unlike the case of located attacks, the optimal amount of investment in information security needed to counter distributed attacks does not always increase with the investment horizon; and c) both the optimal amount to invest in security and the optimum value of the residual risk depend on the decision-maker's attitude towards security risk.
Notes
National Vulnerability Database Version 2.2 http://nvd.nist.gov/home.cfm
Common Vulnerability Scoring System v3.0: Specification Document https://www.first.org/cvss/specification-document
Miaoui, Y., Boudriga, N. Enterprise security investment through time when facing different types of vulnerabilities. Inf Syst Front 21, 261–300 (2019). https://doi.org/10.1007/s10796-017-9745-3