IDEAS home Printed from https://ideas.repec.org/a/bla/popmgt/v32y2023i9p2902-2920.html

Managing the security of information systems with partially observable vulnerability

Authors
  • Radha Mookerjee
  • Jayarajan Samuel

Abstract

We consider the security maintenance of information systems where the extent of vulnerability is only partially observable. The exact extent of the vulnerability can, however, be observed by paying an inspection fee. In each period, the decision-maker must take one of three decisions: (i) do nothing, (ii) inspect and then implement (fix the vulnerability) if needed, or (iii) implement directly, without inspection. We prove that the optimal policy has a threshold structure. For each value of k (the known vulnerability), there are two thresholds on the partial information: the lower of the two determines whether, for this value of k, it is optimal to inspect before a possible implementation or to implement directly (i.e., without inspection). If an inspection is done, the other threshold determines whether an implementation follows. If neither threshold is reached, it is optimal to do nothing. We develop a numerical procedure to find the decision variables of the maintenance policy. We extend the main model to include variable implementation and inspection costs, and show that the optimality of the threshold policy continues to hold in these more general settings. We apply the model to a real-world problem and demonstrate its applicability and value in managing security systems. Specifically, we study the security maintenance policies of three real-world telecommunications operators and find that these operators can significantly reduce the cost of managing their security by adopting our proposed policy. A further finding is that inspection is more beneficial for medium-sized to large-sized operators.

Suggested Citation

  • Radha Mookerjee & Jayarajan Samuel, 2023. "Managing the security of information systems with partially observable vulnerability," Production and Operations Management, Production and Operations Management Society, vol. 32(9), pages 2902-2920, September.
  • Handle: RePEc:bla:popmgt:v:32:y:2023:i:9:p:2902-2920
    DOI: 10.1111/poms.14015

    Download full text from publisher

    File URL: https://doi.org/10.1111/poms.14015
    Download Restriction: no

    File URL: https://libkey.io/10.1111/poms.14015?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item


