Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints

Bibliographic Details
Published in International journal of production economics Vol. 141; no. 1; pp. 255 - 268
Main Authors Huang, C. Derrick; Behara, Ravi S.
Format Journal Article
Language English
Published Amsterdam Elsevier B.V 01.01.2013
Elsevier
Elsevier Sequoia S.A
ISSN 0925-5273
1873-7579
DOI 10.1016/j.ijpe.2012.06.022

Abstract In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and derives the breach probability functions based on the theory of scale-free networks. The relationships among the major variables, such as network exposure, potential loss due to a security breach, investment effectiveness, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited information security budget to defend against two classes of security attacks (targeted and opportunistic) concurrently. Among the results of these analyses, we find that a firm with a limited security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, we find that managers should focus the security investment on preventing targeted attacks when the information systems are highly connected and relatively open and when the potential loss is large relative to the security budget.
Copyright 2012 Elsevier B.V.
Copyright Elsevier Sequoia S.A. Jan 2013
Keywords Investment analysis
Budget allocation
Cost benefit analysis
Information security
Scale-free network
License https://www.elsevier.com/tdm/userlicense/1.0
  publication-title: Physical Reviews E
  doi: 10.1103/PhysRevE.74.056109
– volume: 349–366
  year: 2007
  ident: 10.1016/j.ijpe.2012.06.022_bib8
  article-title: Process-Centric Risk Management Framework for Information Security
– volume: 4
  start-page: 8
  year: 2003
  ident: 10.1016/j.ijpe.2012.06.022_bib11
  article-title: Determining Intent—Opportunistic vs. Targeted Attacks
  publication-title: Computer Fraud & Security
  doi: 10.1016/S1361-3723(03)04010-7
– volume: 36
  start-page: 198
  issue: 1
  year: 2006
  ident: 10.1016/j.ijpe.2012.06.022_bib23
  article-title: A note on the spread of worms in scale-free networks
  publication-title: IEEE Transactions on Systems, Man, Cybernetics B
  doi: 10.1109/TSMCB.2005.854498
– volume: 393
  start-page: 440
  year: 1998
  ident: 10.1016/j.ijpe.2012.06.022_bib50
  article-title: Collective dynamics of “small-world” networks
  publication-title: Nature
  doi: 10.1038/30918
– ident: 10.1016/j.ijpe.2012.06.022_bib17
– ident: 10.1016/j.ijpe.2012.06.022_bib41
– volume: 10
  start-page: 14
  issue: 4
  year: 2008
  ident: 10.1016/j.ijpe.2012.06.022_bib28
  article-title: Managing risk propagation in extended enterprise networks
  publication-title: IEEE IT Professional
  doi: 10.1109/MITP.2008.90
– ident: 10.1016/j.ijpe.2012.06.022_bib38
– volume: 46
  start-page: 15
  issue: 6
  year: 2003
  ident: 10.1016/j.ijpe.2012.06.022_bib35
  article-title: Analyzing security costs
  publication-title: Communications of ACM
  doi: 10.1145/777313.777327
– volume: 3
  start-page: 40
  issue: 1
  year: 2005
  ident: 10.1016/j.ijpe.2012.06.022_bib43
  article-title: Towards econometric models of the security risk from remote attacks
  publication-title: IEEE Security & Privacy
  doi: 10.1109/MSP.2005.30
SourceID proquest
econis
crossref
elsevier
SourceType Aggregation Database
Index Database
Enrichment Source
Publisher
StartPage 255
SubjectTerms Budget allocation
Budgeting
Computer information security
Cost benefit analysis
Data integrity
Economics
Financing
Information security
Investment
Investment analysis
Investments
Mathematical analysis
Mathematical models
Network security
Networks
Numerical analysis
Operations research
Resource allocation
Scale-free network
Studies
Title Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints
URI https://dx.doi.org/10.1016/j.ijpe.2012.06.022
http://www.econis.eu/PPNSET?PPN=734426631
https://www.proquest.com/docview/1197624052
https://www.proquest.com/docview/1671270666
Volume 141