Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints

Bibliographic Details
Published in: International journal of production economics Vol. 141; no. 1; pp. 255-268
Main Authors: Huang, C. Derrick; Behara, Ravi S.
Format: Journal Article
Language: English
Published: Amsterdam Elsevier B.V 01.01.2013
Elsevier
Elsevier Sequoia S.A
ISSN: 0925-5273, 1873-7579
DOI: 10.1016/j.ijpe.2012.06.022

Summary: In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and derives the breach probability functions based on the theory of scale-free networks. The relationships among the major variables, such as network exposure, potential loss due to a security breach, investment effectiveness, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited information security budget to defend against two classes of security attacks (targeted and opportunistic) concurrently. Among the results of these analyses, we find that a firm with a limited security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, we find that managers should focus the security investment on preventing targeted attacks when the information systems are highly connected and relatively open and when the potential loss is large relative to the security budget.