Printed from https://ideas.repec.org/a/eee/proeco/v141y2013i1p255-268.html

Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints

Authors

  • Huang, C. Derrick
  • Behara, Ravi S.

Abstract

In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and derives the breach probability functions based on the theory of scale-free networks. The relationships among the major variables, such as network exposure, potential loss due to a security breach, investment effectiveness, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited information security budget to defend against two classes of security attacks (targeted and opportunistic) concurrently. Among the results of these analyses, we find that a firm with a limited security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, we find that managers should focus the security investment on preventing targeted attacks when the information systems are highly connected and relatively open and when the potential loss is large relative to the security budget.
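The allocation problem the abstract describes can be explored numerically. The Python script below is an added illustration, not code from the paper or its authors. It assumes a Gordon-Loeb style breach-probability function v / (alpha*z + 1)**beta for each attack class (the paper derives its own breach functions from scale-free network theory, which this page does not reproduce), assumes the parameter values shown (money in thousands of currency units, values constructed for the example), and sweeps the split of a fixed budget between defenses against targeted and opportunistic attacks to find the split that minimizes expected loss. Under these assumptions the optimum sits at a corner (the whole budget to the targeted class) when the budget is small relative to the potential loss and moves to an interior split as the budget grows, which is the qualitative pattern the abstract reports; the numbers themselves carry no information about the paper's model.

```python
"""Budget split between two concurrent attack classes (added illustration).

Assumptions (not from the paper): each attack class has a potential loss L,
a baseline breach probability v with zero investment, and a breach
probability that falls with investment z as v / (alpha*z + 1)**beta.
Money is in thousands of currency units. Parameter values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackClass:
    name: str
    loss: float           # L: loss if an attack of this class succeeds
    vulnerability: float  # v: breach probability with zero investment
    alpha: float          # investment effectiveness (assumed functional form)
    beta: float

    def breach_probability(self, z: float) -> float:
        """Assumed breach function: convex and decreasing in investment z."""
        return self.vulnerability / (self.alpha * z + 1.0) ** self.beta


# Constructed parameters: a rare, costly targeted attack and a frequent,
# cheap opportunistic one. Not taken from the paper.
TARGETED = AttackClass("targeted", loss=10_000.0, vulnerability=0.3,
                       alpha=0.002, beta=1.0)
OPPORTUNISTIC = AttackClass("opportunistic", loss=500.0, vulnerability=0.8,
                            alpha=0.005, beta=1.0)


def expected_loss(targeted, opportunistic, budget, z_targeted):
    """Expected loss when z_targeted of the budget goes to targeted defenses
    and the remainder to opportunistic defenses (budget fully spent)."""
    z_opportunistic = budget - z_targeted
    return (targeted.loss * targeted.breach_probability(z_targeted)
            + opportunistic.loss * opportunistic.breach_probability(z_opportunistic))


def optimal_split(targeted, opportunistic, budget, steps=2000):
    """Grid search over the split; returns the minimizing allocation and
    whether it lies at a corner (all budget to one class)."""
    best_z, best_loss = 0.0, float("inf")
    for i in range(steps + 1):
        z = budget * i / steps
        loss = expected_loss(targeted, opportunistic, budget, z)
        if loss < best_loss:
            best_z, best_loss = z, loss
    share = best_z / budget if budget > 0 else 0.0
    corner = min(share, 1.0 - share) < 1e-9
    return {"budget": budget, "z_targeted": best_z, "share_targeted": share,
            "expected_loss": best_loss, "corner": corner}


def allocation_table(targeted, opportunistic, budgets):
    """Optimal split for each budget, showing how the corner solution
    depends on budget size relative to the potential loss."""
    return [optimal_split(targeted, opportunistic, b) for b in budgets]


if __name__ == "__main__":
    budgets = [50.0, 100.0, 500.0, 2000.0, 10000.0]
    for row in allocation_table(TARGETED, OPPORTUNISTIC, budgets):
        print(f"budget {row['budget']:>8.0f}k  targeted share "
              f"{row['share_targeted']:.3f}  expected loss "
              f"{row['expected_loss']:>8.1f}k  corner={row['corner']}")
```

The corner condition for the assumed functional form is simply that the marginal loss reduction of the last unit spent on the targeted class still exceeds the marginal reduction of the first unit spent on the opportunistic class; raising the budget eventually violates it, which is why the share drifts away from 1.0 in the larger-budget rows.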

Suggested Citation

  • Huang, C. Derrick & Behara, Ravi S., 2013. "Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints," International Journal of Production Economics, Elsevier, vol. 141(1), pages 255-268.
  • Handle: RePEc:eee:proeco:v:141:y:2013:i:1:p:255-268
    DOI: 10.1016/j.ijpe.2012.06.022

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0925527312002678
    Download Restriction: Full text for ScienceDirect subscribers only

    File URL: https://libkey.io/10.1016/j.ijpe.2012.06.022?utm_source=ideas

    References listed on IDEAS

    1. M.M. Telo da Gama & A. Nunes, 2006. "Epidemics in small world networks," The European Physical Journal B: Condensed Matter and Complex Systems, Springer;EDP Sciences, vol. 50(1), pages 205-208, March.
    2. Huseyin Cavusoglu & Birendra Mishra & Srinivasan Raghunathan, 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, INFORMS, vol. 16(1), pages 28-46, March.
    3. Goel, Sanjay & Chen, Vicki, 2008. "Can business process reengineering lead to security vulnerabilities: Analyzing the reengineered process," International Journal of Production Economics, Elsevier, vol. 115(1), pages 104-112, September.
    4. Huang, C. Derrick & Hu, Qing & Behara, Ravi S., 2008. "An economic analysis of the optimal information security investment in the case of a risk-averse firm," International Journal of Production Economics, Elsevier, vol. 114(2), pages 793-804, August.
    5. Kjell Hausken, 2006. "Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability," Information Systems Frontiers, Springer, vol. 8(5), pages 338-349, December.
    6. Réka Albert & Hawoong Jeong & Albert-László Barabási, 1999. "Diameter of the World-Wide Web," Nature, Nature, vol. 401(6749), pages 130-131, September.
    7. Réka Albert & Hawoong Jeong & Albert-László Barabási, 2000. "Error and attack tolerance of complex networks," Nature, Nature, vol. 406(6794), pages 378-382, July.

    Citations



    Cited by:

    1. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    2. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    3. Lu Xu & Yanhui Li & Jing Fu, 2019. "Cybersecurity Investment Allocation for a Multi-Branch Firm: Modeling and Optimization," Mathematics, MDPI, vol. 7(7), pages 1-20, July.
    4. Xinbao Liu & Xiaofei Qian & Jun Pei & Panos M. Pardalos, 2018. "Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size," Journal of Global Optimization, Springer, vol. 70(2), pages 413-436, February.
    5. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    6. Maurizio Naldi & Marta Flamini & Giuseppe D’Acquisto, 2018. "Negligence and sanctions in information security investments in a cloud environment," Electronic Markets, Springer;IIM University of St. Gallen, vol. 28(1), pages 39-52, February.
    7. Xiaofei Qian & Xinbao Liu & Jun Pei & Panos M. Pardalos & Lin Liu, 2017. "A game-theoretic analysis of information security investment for multiple firms in a network," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 68(10), pages 1290-1305, October.
    8. Lu Xu & Yanhui Li & Qi Yao, 2022. "Information security investment and purchase decision for personalized products," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(6), pages 2619-2635, September.
    9. Xiaotong Li & Qianyao Xue, 2021. "An economic analysis of information security investment decision making for substitutable enterprises," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 42(5), pages 1306-1316, July.
    10. Alessandro Mazzoccoli & Maurizio Naldi, 2020. "Robustness of Optimal Investment Decisions in Mixed Insurance/Investment Cyber Risk Management," Risk Analysis, John Wiley & Sons, vol. 40(3), pages 550-564, March.
    11. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    12. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    13. Xiaofei Qian & Jun Pei & Xinbao Liu & Mi Zhou & Panos M. Pardalos, 2019. "Information security decisions for two firms in a market with different types of customers," Journal of Combinatorial Optimization, Springer, vol. 38(4), pages 1263-1285, November.
    14. Alessandro Mazzoccoli & Maurizio Naldi, 2022. "An Overview of Security Breach Probability Models," Risks, MDPI, vol. 10(11), pages 1-29, November.
    15. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    16. Mayadunne, Sanjaya & Park, Sungjune, 2016. "An economic model to evaluate information security investment of risk-taking small and medium enterprises," International Journal of Production Economics, Elsevier, vol. 182(C), pages 519-530.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    2. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    3. Pi, Xiaochen & Tang, Longkun & Chen, Xiangzhong, 2021. "A directed weighted scale-free network model with an adaptive evolution mechanism," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 572(C).
    4. Blagus, Neli & Šubelj, Lovro & Bajec, Marko, 2012. "Self-similar scaling of density in complex real-world networks," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 391(8), pages 2794-2802.
    5. Biggiero, Lucio & Angelini, Pier Paolo, 2015. "Hunting scale-free properties in R&D collaboration networks: Self-organization, power-law and policy issues in the European aerospace research area," Technological Forecasting and Social Change, Elsevier, vol. 94(C), pages 21-43.
    6. Jing Yang & Yingwu Chen, 2011. "Fast Computing Betweenness Centrality with Virtual Nodes on Large Sparse Networks," PLOS ONE, Public Library of Science, vol. 6(7), pages 1-5, July.
    7. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    8. He, Xuan & Zhao, Hai & Cai, Wei & Li, Guang-Guang & Pei, Fan-Dong, 2015. "Analyzing the structure of earthquake network by k-core decomposition," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 421(C), pages 34-43.
    9. Bin Srinidhi & Jia Yan & Giri Kumar Tayi, 2008. "Firm-level Resource Allocation to Information Security in the Presence of Financial Distress," Working Papers 2008-17, School of Economic Sciences, Washington State University.
    10. Laurienti, Paul J. & Joyce, Karen E. & Telesford, Qawi K. & Burdette, Jonathan H. & Hayasaka, Satoru, 2011. "Universal fractal scaling of self-organized networks," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 390(20), pages 3608-3613.
    11. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    12. Sodam Baek & Kibae Kim & Jorn Altmann, 2014. "Role of Platform Providers in Service Networks: The Case of Salesforce.com AppExchange," TEMEP Discussion Papers 2014112, Seoul National University; Technology Management, Economics, and Policy Program (TEMEP), revised May 2014.
    13. Liao, Chun-Hsiung & Chen, Chun-Wei, 2014. "Network externality and incentive to invest in network security," Economic Modelling, Elsevier, vol. 36(C), pages 398-404.
    14. Sun, Chenshuo & Pei, Xin & Hao, Junheng & Wang, Yewen & Zhang, Zuo & Wong, S.C., 2018. "Role of road network features in the evaluation of incident impacts on urban traffic mobility," Transportation Research Part B: Methodological, Elsevier, vol. 117(PA), pages 101-116.
    15. Filiposka, Sonja & Juiz, Carlos, 2015. "Community-based complex cloud data center," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 419(C), pages 356-372.
    16. Gong, Pulin & van Leeuwen, Cees, 2003. "Emergence of scale-free network with chaotic units," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 321(3), pages 679-688.
    17. P.B., Divya & Lekha, Divya Sindhu & Johnson, T.P. & Balakrishnan, Kannan, 2022. "Vulnerability of link-weighted complex networks in central attacks and fallback strategy," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 590(C).
    18. Kashin Sugishita & Yasuo Asakura, 2021. "Vulnerability studies in the fields of transportation and complex networks: a citation network analysis," Public Transport, Springer, vol. 13(1), pages 1-34, March.
    19. David Iliaev & Sigal Oren & Ella Segev, 2023. "A Tullock-contest-based approach for cyber security investments," Annals of Operations Research, Springer, vol. 320(1), pages 61-84, January.
    20. Guillaume, Jean-Loup & Latapy, Matthieu, 2006. "Bipartite graphs as models of complex networks," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 371(2), pages 795-813.


    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.