Printed from https://ideas.repec.org/a/eee/jomega/v40y2012i1p79-88.html

IT security planning under uncertainty for high-impact events

Authors
  • Rakes, Terry R.
  • Deane, Jason K.
  • Paul Rees, Loren

Abstract

While many IT security incidents result in relatively minor operational disruptions or minimal recovery costs, occasionally high-impact security breaches can have catastrophic effects on the firm. Unfortunately, measuring security risk and planning for countermeasures or mitigation is a difficult task. Past research has suggested risk metrics which may be beneficial in understanding and planning for security incidents, but most of these metrics are aimed at identifying expected overall loss and do not directly address the identification of, or planning for, sparse events which might result in high-impact loss. The use of an upper percentile value or some other worst-case measure has been widely discussed in the literature as a means of stochastic optimization, but has not been applied to this decision domain. A key requirement in security planning for any threat scenario, expected or otherwise, is the ability to choose countermeasures optimally with regard to tradeoffs between countermeasure cost and remaining risk. Most of the planning models in the literature are qualitative, and none that we are aware of allow for the optimal determination of these tradeoffs. Therefore, we develop a model for optimally choosing countermeasures to block or mitigate security attacks in the presence of a given threat level profile. We utilize this model to examine scenarios under both expected threat levels and worst-case levels, and develop budget-dependent risk curves. These curves demonstrate the tradeoffs which occur if decision makers divert budgets away from planning for ordinary risk in an effort to mitigate the effects of potential high-impact outcomes.

Suggested Citation

  • Rakes, Terry R. & Deane, Jason K. & Paul Rees, Loren, 2012. "IT security planning under uncertainty for high-impact events," Omega, Elsevier, vol. 40(1), pages 79-88, January.
  • Handle: RePEc:eee:jomega:v:40:y:2012:i:1:p:79-88

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0305048311000582
    Download Restriction: Full text for ScienceDirect subscribers only

    References listed on IDEAS

    1. Cha, Young-Ho & Kim, Yeong-Dae, 2010. "Fire scheduling for planned artillery attack operations under time-dependent destruction probabilities," Omega, Elsevier, vol. 38(5), pages 383-392, October.
    2. Sawik, Tadeusz, 2010. "An integer programming approach to scheduling in a contaminated area," Omega, Elsevier, vol. 38(3-4), pages 179-191, June.
    3. Liu, Zugang & Nagurney, Anna, 2011. "Supply chain outsourcing under exchange rate risk and competition," Omega, Elsevier, vol. 39(5), pages 539-549, October.
    4. Sawik, Tadeusz, 2011. "Selection of supply portfolio under disruption risks," Omega, Elsevier, vol. 39(2), pages 194-208, April.
    5. Rockafellar, R. Tyrrell & Uryasev, Stanislav, 2002. "Conditional value-at-risk for general loss distributions," Journal of Banking & Finance, Elsevier, vol. 26(7), pages 1443-1471, July.

    Citations

    Cited by:

    1. Schilling, Andreas & Werners, Brigitte, 2016. "Optimal selection of IT security safeguards from an existing knowledge base," European Journal of Operational Research, Elsevier, vol. 248(1), pages 318-327.
    2. Malavasi, Matteo & Peters, Gareth W. & Shevchenko, Pavel V. & Trück, Stefan & Jang, Jiwook & Sofronov, Georgy, 2022. "Cyber risk frequency, severity and insurance viability," Insurance: Mathematics and Economics, Elsevier, vol. 106(C), pages 90-114.
    3. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    4. Qian, Fubin & Gribkovskaia, Irina & Laporte, Gilbert & Halskau sr., Øyvind, 2012. "Passenger and pilot risk minimization in offshore helicopter transportation," Omega, Elsevier, vol. 40(5), pages 584-593.
    5. Michel Benaroch, 2018. "Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision Making," Information Systems Research, INFORMS, vol. 29(2), pages 315-340, June.
    6. Durbach, Ian N. & Stewart, Theodor J., 2012. "A comparison of simplified value function approaches for treating uncertainty in multi-criteria decision analysis," Omega, Elsevier, vol. 40(4), pages 456-464.
    7. Khouzani, MHR. & Liu, Zhengliang & Malacaria, Pasquale, 2019. "Scalable min-max multi-objective cyber-security optimisation over probabilistic attack graphs," European Journal of Operational Research, Elsevier, vol. 278(3), pages 894-903.
    8. Wang, Lei & Liu, Qing & Dong, Shiyu & Guedes Soares, C., 2022. "Selection of countermeasure portfolio for shipping safety with consideration of investment risk aversion," Reliability Engineering and System Safety, Elsevier, vol. 219(C).
    9. Lee, Sangjae & Costello, Francis Joseph & Lee, Kun Chang, 2021. "Hierarchical balanced scorecard-based organizational goals and the efficiency of controls processes," Journal of Business Research, Elsevier, vol. 132(C), pages 270-288.
    10. Daniel Zängerle & Dirk Schiereck, 2023. "Modelling and predicting enterprise-level cyber risks in the context of sparse data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 434-462, April.
    11. Paul, Jomon A. & Zhang, Minjiao, 2021. "Decision support model for cybersecurity risk planning: A two-stage stochastic programming framework featuring firms, government, and attacker," European Journal of Operational Research, Elsevier, vol. 291(1), pages 349-364.
    12. Martzoukos, Spiros H. & Zacharias, Eleftherios, 2013. "Real option games with R&D and learning spillovers," Omega, Elsevier, vol. 41(2), pages 236-249.
    13. Zängerle, Daniel & Schiereck, Dirk, 2022. "Modelling and predicting enterprise‑level cyber risks in the context of sparse data availability," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 136276, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Heckmann, Iris & Comes, Tina & Nickel, Stefan, 2015. "A critical review on supply chain risk – Definition, measure and modeling," Omega, Elsevier, vol. 52(C), pages 119-132.
    2. Chao Fang & Xiangxiang Liao & Min Xie, 2016. "A hybrid risks-informed approach for the selection of supplier portfolio," International Journal of Production Research, Taylor & Francis Journals, vol. 54(7), pages 2019-2034, April.
    3. Sawik, Tadeusz, 2013. "Selection of resilient supply portfolio under disruption risks," Omega, Elsevier, vol. 41(2), pages 259-269.
    4. Wang, Lei & Liu, Qing & Dong, Shiyu & Guedes Soares, C., 2022. "Selection of countermeasure portfolio for shipping safety with consideration of investment risk aversion," Reliability Engineering and System Safety, Elsevier, vol. 219(C).
    5. Li, Deng-Feng, 2011. "Linear programming approach to solve interval-valued matrix games," Omega, Elsevier, vol. 39(6), pages 655-666, December.
    6. He, Juan & Ma, Chao & Pan, Kai, 2017. "Capacity investment in supply chain with risk averse supplier under risk diversification contract," Transportation Research Part E: Logistics and Transportation Review, Elsevier, vol. 106(C), pages 255-275.
    7. Cui, Xueting & Zhu, Shushang & Sun, Xiaoling & Li, Duan, 2013. "Nonlinear portfolio selection using approximate parametric Value-at-Risk," Journal of Banking & Finance, Elsevier, vol. 37(6), pages 2124-2139.
    8. Dominique Guégan & Wayne Tarrant, 2012. "On the necessity of five risk measures," Annals of Finance, Springer, vol. 8(4), pages 533-552, November.
    9. Rockafellar, R.T. & Royset, J.O., 2010. "On buffered failure probability in design and optimization of structures," Reliability Engineering and System Safety, Elsevier, vol. 95(5), pages 499-510.
    10. Li, Bo & Hou, Peng-Wen & Chen, Ping & Li, Qing-Hua, 2016. "Pricing strategy and coordination in a dual channel supply chain with a risk-averse retailer," International Journal of Production Economics, Elsevier, vol. 178(C), pages 154-168.
    11. Kull, Andreas, 2009. "Sharing Risk – An Economic Perspective," ASTIN Bulletin, Cambridge University Press, vol. 39(2), pages 591-613, November.
    12. Mínguez, R. & Conejo, A.J. & García-Bertrand, R., 2011. "Reliability and decomposition techniques to solve certain class of stochastic programming problems," Reliability Engineering and System Safety, Elsevier, vol. 96(2), pages 314-323.
    13. Jia Liu & Cuixia Li, 2023. "Dynamic Game Analysis on Cooperative Advertising Strategy in a Manufacturer-Led Supply Chain with Risk Aversion," Mathematics, MDPI, vol. 11(3), pages 1-24, January.
    14. Curtis, John & Lynch, Muireann Á. & Zubiate, Laura, 2016. "The impact of the North Atlantic Oscillation on electricity markets: A case study on Ireland," Energy Economics, Elsevier, vol. 58(C), pages 186-198.
    15. Li, Yongjian & Zhen, Xueping & Qi, Xiangtong & Cai, Gangshu (George), 2016. "Penalty and financial assistance in a supply chain with supply disruption," Omega, Elsevier, vol. 61(C), pages 167-181.
    16. Brian Tomlin & Yimin Wang, 2005. "On the Value of Mix Flexibility and Dual Sourcing in Unreliable Newsvendor Networks," Manufacturing & Service Operations Management, INFORMS, vol. 7(1), pages 37-57, June.
    17. Alexander, Gordon J. & Baptista, Alexandre M. & Yan, Shu, 2014. "Bank regulation and international financial stability: A case against the 2006 Basel framework for controlling tail risk in trading books," Journal of International Money and Finance, Elsevier, vol. 43(C), pages 107-130.
    18. D. Kuhn, 2009. "Convergent Bounds for Stochastic Programs with Expected Value Constraints," Journal of Optimization Theory and Applications, Springer, vol. 141(3), pages 597-618, June.
    19. Pengyu Wei & Zuo Quan Xu, 2021. "Dynamic growth-optimum portfolio choice under risk control," Papers 2112.14451, arXiv.org.
    20. Kolos Ágoston, 2012. "CVaR minimization by the SRA algorithm," Central European Journal of Operations Research, Springer;Slovak Society for Operations Research;Hungarian Operational Research Society;Czech Society for Operations Research;Österr. Gesellschaft für Operations Research (ÖGOR);Slovenian Society Informatika - Section for Operational Research;Croatian Operational Research Society, vol. 20(4), pages 623-632, December.


    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.