
When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination

Authors

  • Vijay Mookerjee (School of Management, The University of Texas at Dallas, Richardson, Texas 75083)
  • Radha Mookerjee (School of Management, The University of Texas at Dallas, Richardson, Texas 75083)
  • Alain Bensoussan (School of Management, The University of Texas at Dallas, Richardson, Texas 75083)
  • Wei T. Yue (City University of Hong Kong, Kowloon Tong, Hong Kong, People's Republic of China)

Abstract

This paper analyzes interactions between a firm that seeks to discriminate between normal users and hackers that try to penetrate and compromise the firm's information assets. We develop an analytical model in which a variety of factors are balanced to best manage the detection component within information security management. The approach not only considers conventional factors such as detection rate and false-positive rate, but also factors associated with hacker behavior that occur in response to improvements in the detection system made by the firm. Detection can be improved by increasing the system's discrimination ability (i.e., the ability to distinguish between attacks and normal usage) through the application of maintenance effort. The discrimination ability deteriorates over time due to changes in the environment. Also, there is the possibility of sudden shocks that can sharply degrade the discrimination ability. The firm's cost increases as hackers become more knowledgeable by disseminating security knowledge within the hacker population. The problem is solved to reveal the presence of a steady-state solution in which the level of system discrimination ability and maintenance effort are held constant. We find an interesting result where, under certain conditions, hackers do not benefit from disseminating security knowledge among one another. In other situations, we find that hackers benefit because the firm must lower its detection rate in the presence of knowledge dissemination. Other insights into managing detection systems are provided. For example, the presence of security shocks can increase or decrease the optimal discrimination level as compared to the optimal level without shocks.

Suggested Citation

  • Vijay Mookerjee & Radha Mookerjee & Alain Bensoussan & Wei T. Yue, 2011. "When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination," Information Systems Research, INFORMS, vol. 22(3), pages 606-623, September.
  • Handle: RePEc:inm:orisre:v:22:y:2011:i:3:p:606-623
    DOI: 10.1287/isre.1100.0341


    Cited by:

    1. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    2. Guang Zhu & Hu Liu & Mining Feng, 2018. "An Evolutionary Game-Theoretic Approach for Assessing Privacy Protection in mHealth Systems," IJERPH, MDPI, vol. 15(10), pages 1-27, October.
    3. Xing Gao, 2020. "Open Source or Closed Source? A Competitive Analysis with Software Security," Decision Analysis, INFORMS, vol. 17(1), pages 56-73, March.
    4. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    5. Yong Wu & Junlin Duan & Tao Dai & Dong Cheng, 2020. "Managing Security Outsourcing in the Presence of Strategic Hackers," Decision Analysis, INFORMS, vol. 17(3), pages 235-259, September.
    6. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    7. Jingguo Wang & Nan Xiao & H. Raghav Rao, 2015. "Research Note—An Exploration of Risk Characteristics of Information Security Threats and Related Public Information Search Behavior," Information Systems Research, INFORMS, vol. 26(3), pages 619-633, September.
    8. Guang Zhu & Hu Liu & Mining Feng, 2018. "Sustainability of Information Security Investment in Online Social Networks: An Evolutionary Game-Theoretic Approach," Mathematics, MDPI, vol. 6(10), pages 1-19, September.
    9. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    10. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    11. Emre M. Demirezen & Subodha Kumar & Bala Shetty, 2016. "Managing Co-Creation in Information Technology Projects: A Differential Games Approach," Information Systems Research, INFORMS, vol. 27(3), pages 517-537.
    12. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    13. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    14. Kang, Martin & Miller, Andrew & Jang, Kyungmyung & Kim, Horim, 2022. "Firm performance and information security technology intellectual property," Technological Forecasting and Social Change, Elsevier, vol. 181(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    2. Asunur Cezar & Srinivasan Raghunathan & Sumit Sarkar, 2020. "Adversarial Classification: Impact of Agents’ Faking Cost on Firms and Agents," Production and Operations Management, Production and Operations Management Society, vol. 29(12), pages 2789-2807, December.
    3. Yuanfeng Cai & Zhengrui Jiang & Vijay Mookerjee, 2017. "How to Deal with Liars? Designing Intelligent Rule-Based Expert Systems to Increase Accuracy or Reduce Cost," INFORMS Journal on Computing, INFORMS, vol. 29(2), pages 268-286, May.
    4. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    5. Zhang, Juheng & Aytug, Haldun, 2016. "Comparison of imputation methods for discriminant analysis with strategically hidden data," European Journal of Operational Research, Elsevier, vol. 255(2), pages 522-530.
    6. Juheng Zhang & Haldun Aytug & Gary J. Koehler, 2014. "Research Note—Discriminant Analysis with Strategically Manipulated Data," Information Systems Research, INFORMS, vol. 25(3), pages 654-662, September.
    7. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    8. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    9. Xiaotong Li, 2022. "An evolutionary game‐theoretic analysis of enterprise information security investment based on information sharing platform," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(3), pages 595-606, April.
    10. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    11. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    12. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2016. "Mandatory Standards and Organizational Information Security," Information Systems Research, INFORMS, vol. 27(1), pages 70-86, March.
    13. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    14. Mehmet Eren Ahsen & Mehmet Ulvi Saygi Ayvaci & Srinivasan Raghunathan, 2019. "When Algorithmic Predictions Use Human-Generated Data: A Bias-Aware Classification Algorithm for Breast Cancer Diagnosis," Service Science, INFORMS, vol. 30(1), pages 97-116, March.
    15. Huseyin Cavusoglu & Byungwan Koh & Srinivasan Raghunathan, 2010. "An Analysis of the Impact of Passenger Profiling for Transportation Security," Operations Research, INFORMS, vol. 58(5), pages 1287-1302, October.
    16. Huseyin Cavusoglu & Young Kwark & Bin Mai & Srinivasan Raghunathan, 2013. "Passenger Profiling and Screening for Aviation Security in the Presence of Strategic Attackers," Decision Analysis, INFORMS, vol. 10(1), pages 63-81, March.
    17. Huseyin Cavusoglu & Hasan Cavusoglu, 2007. "Assessing the Value of Network Security Technologies: The Impact of Configuration and Interaction on Value," Working Papers 07-19, NET Institute, revised Aug 2007.
    18. Kalpit Sharma & Arunabha Mukhopadhyay, 2023. "Cyber-risk Management Framework for Online Gaming Firms: an Artificial Neural Network Approach," Information Systems Frontiers, Springer, vol. 25(5), pages 1757-1778, October.
    19. Çakanyıldırım, Metin & Yue, Wei T. & Ryu, Young U., 2009. "The management of intrusion detection: Configuration, inspection, and investment," European Journal of Operational Research, Elsevier, vol. 195(1), pages 186-204, May.
    20. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
