Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Abstract

This paper addresses the question of determining the optimal timing of interventions in information security management. Using utility theory, we derive the limiting condition under which, given a potential or realized risk, a decision to invest, delay, or abandon can be justified. Our primary focus is on the decision to defer costly deterministic investments, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with irreversible fixed costs that introduces a rigidity into the investment decision-making profile. This rigidity introduces delay in the implementation of security measures, resulting in cyclical investments in information security, as the decision-maker determines the optimal investment horizon. We therefore show that cycles emerge endogenously given the policy-maker’s chosen trade-offs between investment and the deterioration of the system attributes.

Part of this work was carried out whilst Pym was employed at HP Labs, Bristol, England, UK

Appendix

1.1 Proof of Proposition 1: Decision Function Equilibrium

The vector random variable z has n univariate log-normal marginal distributions and correlation structure driven by \(\Sigma = \mathbb{E}\left (\log z - \mu \right ){\left (\log z - \mu \right )}^{{\prime}}\). Where ′ denotes the conjugate transpose, μ = { μ₁, …, μ _n } is a vector of time-homogenous central expectations, and Σ = [σ _ij ] is a time-homogenous covariance variance matrix. Setting n = 2, the observed moments and co-moments of z are defined as

$$\begin{array}{rcl} \mathbb{E}\left ({z}_{1}\right )& =& {e}^{{\mu }_{1}+\frac{{\sigma }_{1}^{2}} {2} }\end{array}$$

(43)

$$\begin{array}{rcl} \mathbb{E}\left ({z}_{2}\right )& =& {e}^{{\mu }_{2}+\frac{{\sigma }_{2}^{2}} {2} }\end{array}$$

(44)

$$\begin{array}{rcl} \mathbb{E}{\left ({z}_{1} - \mathbb{E}\left ({z}_{1}\right )\right )}^{2}& =& var \left ({z}_{ 1}\right ) = {e}^{2{\mu }_{1}+{\sigma }_{1}^{2} }\left (-1 + {e}^{{\sigma }_{1}^{2} }\right )\end{array}$$

(45)

$$\begin{array}{rcl} \mathbb{E}{\left ({z}_{2} - \mathbb{E}\left ({z}_{2}\right )\right )}^{2}& =& var \left ({z}_{ 1}\right ) = {e}^{2{\mu }_{2}+{\sigma }_{2}^{2} }\left (-1 + {e}^{{\sigma }_{2}^{2} }\right )\end{array}$$

(46)

$$\begin{array}{rcl} \mathbb{E}\left ({z}_{1}-\mathbb{E}\left ({z}_{1}\right )\right )\left ({z}_{2}-\mathbb{E}\left ({z}_{2}\right )\right )& =& cov \left ({z}_{1},{z}_{2}\right )={e}^{{\mu }_{1}+{\mu }_{2}+\frac{1} {2} \left ({\sigma }_{1}^{2}+{\sigma }_{ 2}^{2}\right ) }\left (-1+{e}^{{\sigma }_{12} }\right )\end{array}$$

(47)

where μ₁ is the expected value of the generating normal distribution for the system attribute x ₁, μ₂ is the expected value of the generating normal distribution for the system attribute x ₂, σ₁ is the standard deviation of the underlying normal distribution for x ₁, σ₂ is the standard deviation of the underlying normal distribution for x ₂, and σ₁₂ is the covariance of the underlying normal. distribution.

Consider an arrival rate λ. The expected number of events over the interval [t ₀, T] is then λ(T − t ₀). Let t ₀ ≤ t ≤ T and set t ₀ = 0. The combined jump process y(t) ∈ ℝ ², with poisson arrivals with count λ(t), yields the expected moments of the threat environment discount factors for the interval [0, t] as follows:

$$\begin{array}{rcl} \mathbb{E}\left ({y}_{1}\right )& =& {e}^{{\mu }_{1}+\frac{{\sigma }_{1}^{2}} {2} }\lambda \left (t\right )\end{array}$$

(48)

$$\begin{array}{rcl} \mathbb{E}\left ({y}_{2}\right )& =& {e}^{{\mu }_{2}+\frac{{\sigma }_{2}^{2}} {2} }\lambda \left (t\right )\end{array}$$

(49)

$$\begin{array}{rcl} \mathbb{E}{\left ({y}_{1} - \mathbb{E}\left ({y}_{1}\right )\right )}^{2}& =& var \left ({y}_{ 1}\right ) = {e}^{2{\mu }_{1}+{\sigma }_{1}^{2} }\left (-1 + {e}^{{\sigma }_{1}^{2} }\right )\lambda \left (t\right )\end{array}$$

(50)

$$\begin{array}{rcl} \mathbb{E}{\left ({y}_{2} - \mathbb{E}\left ({y}_{2}\right )\right )}^{2}& =& var \left ({y}_{ 1}\right ) = {e}^{2{\mu }_{2}+{\sigma }_{2}^{2} }\left (-1 + {e}^{{\sigma }_{2}^{2} }\right )\lambda \left (t\right )\end{array}$$

(51)

$$\begin{array}{rcl} \mathbb{E}\left ({y}_{1} - \mathbb{E}\left ({y}_{1}\right )\right )\left ({y}_{2} - \mathbb{E}\left ({y}_{2}\right )\right )& =& cov \left ({y}_{1},{y}_{2}\right ) \\ & =& {e}^{{\mu }_{1}+{\mu }_{2}+\frac{1} {2} \left ({\sigma }_{1}^{2}+{\sigma }_{ 2}^{2}\right ) }\left (-1 + {e}^{{\sigma }_{12} }\right )\lambda \left (t\right )\end{array}$$

(52)

Combining the moments of the system process from (38) with the instantaneous expectations from (14–18), yields

$$\begin{array}{rcl}{ \mu }_{{x}_{1}}\left (t\right )& =& {e}^{{e}^{{\mu }_{1}+ \frac{{\sigma }_{1}^{2}} {2} }(t)\lambda }{x}_{ 1}(t)\end{array}$$

(53)

$$\begin{array}{rcl}{ \mu }_{{x}_{2}}\left (t\right )& =& {e}^{{e}^{{\mu }_{2}+ \frac{{\sigma }_{2}^{2}} {2} }(t)\lambda }{x}_{ 2}(t)\end{array}$$

(54)

$$\begin{array}{rcl}{ \sigma }_{{x}_{1}}\left (t\right )& =& {e}^{{e}^{2{\mu }_{1}+{\sigma }_{1}^{2}}\left (-1+{e}^{{\sigma }_{1}^{2}}\right )(t)\lambda }{x}_{1}(t)\end{array}$$

(55)

$$\begin{array}{rcl}{ \sigma }_{{x}_{2}}\left (t\right )& =& {e}^{{e}^{2{\mu }_{2}+{\sigma }_{2}^{2}}\left (-1+{e}^{{\sigma }_{2}^{2}}\right )(t)\lambda }{x}_{2}(t)\end{array}$$

(56)

$$\begin{array}{rcl}{ \sigma }_{{x}_{1},{x}_{2}}\left (t\right )& =& {e}^{{e}^{{\mu }_{1}+{\mu }_{2}+ \frac{1} {2} \left ({\sigma }_{1}^{2}+{\sigma }_{2}^{2}\right )}\left (-1+{e}^{{\sigma }_{12}}\right )(t)\lambda }{x}_{2}(t){x}_{1}(t)\end{array}$$

(57)

Substituting these into (29) gives the explicit instantaneous loss function, for compactness we assume separable additivity, therefore all the covariance terms drop out as follows:

$$\begin{array}{rcl} \mathcal{l}\left (t\vert {w}_{{x}_{1}},{w}_{{x}_{2}},{v}_{{x}_{1}},{v}_{{x}_{2}},{v}_{{x}_{1},{x}_{2}}\right )& =& {e}^{{e}^{2{\mu }_{2}+{\sigma }_{2}^{2}}\big{(}-1+{e}^{{\sigma }_{2}^{2}}\big{)}(t)\lambda }{x}_{2}(t){v}_{{x}_{2}} \\ & & +{e}^{{e}^{2{\mu }_{1}+{\sigma }_{1}^{2}}\big{(}-1+{e}^{{\sigma }_{1}^{2}}\big{)}(t)\lambda }{x}_{1}(t){v}_{{x}_{1}} \\ & & +{e}^{{e}^{{\mu }_{1}+{\mu }_{2}+ \frac{1} {2} \left ({\sigma }_{1}^{2}+{\sigma }_{2}^{2}\right )}\left (-1+{e}^{{\sigma }_{12}}\right )(t)\lambda }{x}_{2}(t){x}_{1}(t){v}_{{x}_{1},{x}_{2}} \\ & & +{e}^{{e}^{{\mu }_{2}+ \frac{{\sigma }_{2}^{2}} {2} }(t)\lambda }{x}_{ 2}(t){w}_{{x}_{2}} \\ & & +{e}^{{e}^{{\mu }_{1}+ \frac{{\sigma }_{1}^{2}} {2} }(t)\lambda }{x}_{ 1}(t){w}_{{x}_{1}} \end{array}$$

(58)

Integrating and discounting over the policy-maker’s time horizon yields the expected loss function at time t ₀

$$\begin{array}{rcl} \mathfrak{U}\left ({t}_{0},T\vert {w}_{{x}_{1}},{w}_{{x}_{2}},{v}_{{x}_{1}},{v}_{{x}_{2}},{v}_{{x}_{1},{x}_{2}}\right )& =& -{e}^{-t\beta }{x}_{ 2}(t)\frac{{e}^{-{e}^{2{\mu }_{2}+{\sigma }_{2}^{2}}\left (-1+{e}^{{\sigma }_{2}^{2}}\right )(t)\lambda }{v}_{{x}_{2}}} {\beta + {e}^{2{\mu }_{2}+{\sigma }_{2}^{2}}\left (-1 + {e}^{{\sigma }_{2}^{2}}\right )\lambda } \\ & & -{e}^{-t\beta }{x}_{ 2}(t)\frac{{e}^{-{e}^{{\mu }_{1}+{\mu }_{2}+ \frac{{\sigma }_{1}^{2}} {2} + \frac{{\sigma }_{2}^{2}} {2} }\left (-1+{e}^{{\sigma }_{12}}\right )(t)\lambda }{x}_{ 1}(t){v}_{{x}_{1},{x}_{2}}} {\beta + {e}^{{\mu }_{1}+{\mu }_{2}+\frac{{\sigma }_{1}^{2}} {2} +\frac{{\sigma }_{2}^{2}} {2} }\left (-1 + {e}^{{\sigma }_{12}}\right )\lambda } \\ & & -{e}^{-t\beta }{x}_{ 2}(t)\frac{{e}^{-{e}^{{\mu }_{2}+ \frac{{\sigma }_{2}^{2}} {2} }(t)\lambda }{w}_{{ x}_{2}}} {\beta + {e}^{{\mu }_{2}+\frac{{\sigma }_{2}^{2}} {2} }\lambda } \\ & & -{e}^{-t\beta }{x}_{ 1}(t)\frac{{e}^{-{e}^{2{\mu }_{1}+{\sigma }_{1}^{2}}\left (-1+{e}^{{\sigma }_{1}^{2}}\right )(t)\lambda }{v}_{{x}_{1}}} {\beta + {e}^{2{\mu }_{1}+{\sigma }_{1}^{2}}\left (-1 + {e}^{{\sigma }_{1}^{2}}\right )\lambda } \\ & &{ \left.-{e}^{-t\beta }{x}_{ 1}(t)\frac{{e}^{-{e}^{{\mu }_{1}+ \frac{{\sigma }_{1}^{2}} {2} }(t)\lambda }{w}_{{ x}_{1}}} {\beta + {e}^{{\mu }_{1}+\frac{{\sigma }_{1}^{2}} {2} }\lambda } \right \vert }_{t={t}_{0}}^{t=T} \end{array}$$

(59)

1.2 Proof of Theorem 1

Let T < ∞. For t ^∗ ∈ (t ₀, T), the cost function at t ₀ is defined as

$$\begin{array}{rcl} \mathfrak{U}\left ({t}_{0},T\vert {w}_{k}\right )& =& {\int }_{{t}_{0}}^{T}{e}^{-\beta t}\left (\hat{K} + {e}^{t\delta }{K}_{ 0}\right ){w}_{k}dt \\ & =&{ \left.{e}^{-t\beta }\left (-\frac{\hat{K}} {\beta } + \frac{{e}^{t\delta }{K}_{0}} {-\beta + \delta }\right ){w}_{k}\right \vert }_{t={t}_{0}}^{t=T}\end{array}$$

(60)

The subsequent trade-off decision-making function relative to the cost function from 34 is now

$$\begin{array}{rcl} \mathfrak{D}\left ({t}_{0},T\vert {w}_{{x}_{1}},{w}_{{x}_{2}},{w}_{K},{v}_{{x}_{1}},{v}_{{x}_{2}},{v}_{{x}_{1},{x}_{2}}\right )& =& -{e}^{-t\beta }{x}_{ 2}(t)\frac{{e}^{-{e}^{2{\mu }_{2}+{\sigma }_{2}^{2}}\left (-1+{e}^{{\sigma }_{2}^{2}}\right )\lambda (t) }{v}_{{x}_{2}}} {\beta + {e}^{2{\mu }_{2}+{\sigma }_{2}^{2}}\left (-1 + {e}^{{\sigma }_{2}^{2}}\right )\lambda } \\ & & -{e}^{-t\beta }{x}_{ 2}(t)\frac{{e}^{-{e}^{{\mu }_{1}+{\mu }_{2}+ \frac{{\sigma }_{1}^{2}} {2} + \frac{{\sigma }_{2}^{2}} {2} }\left (-1+{e}^{{\sigma }_{12}}\right )\lambda (t)}{x}_{ 1}(t){v}_{{x}_{1},{x}_{2}}} {\beta + {e}^{{\mu }_{1}+{\mu }_{2}+\frac{{\sigma }_{1}^{2}} {2} +\frac{{\sigma }_{2}^{2}} {2} }\left (-1 + {e}^{{\sigma }_{12}}\right )\lambda } \\ & & -{e}^{-t\beta }{x}_{ 2}(t)\frac{{e}^{-{e}^{{\mu }_{2}+ \frac{{\sigma }_{2}^{2}} {2} }\lambda (t)}{w}_{{ x}_{2}}} {\beta + {e}^{{\mu }_{2}+\frac{{\sigma }_{2}^{2}} {2} }\lambda } \\ & & +{x}_{1}(t)\left (-\frac{{e}^{-{e}^{2{\mu }_{1}+{\sigma }_{1}^{2}}\left (-1+{e}^{{\sigma }_{1}^{2}}\right )\lambda (t) }{v}_{{x}_{1}}} {\beta + {e}^{2{\mu }_{1}+{\sigma }_{1}^{2}}\left (-1 + {e}^{{\sigma }_{1}^{2}}\right )\lambda } -\frac{{e}^{-{e}^{{\mu }_{1}+ \frac{{\sigma }_{1}^{2}} {2} }\lambda (t)}{w}_{{ x}_{1}}} {\beta + {e}^{{\mu }_{1}+\frac{{\sigma }_{1}^{2}} {2} }\lambda } \right ) \\ & &{ \left.+\left (\frac{\hat{K}} {\beta } + \frac{{e}^{t\delta }{K}_{0}} {\beta - \delta } \right ){w}_{k}\right \vert }_{t={t}_{0}}^{t=T} \end{array}$$

(61)

It is now trivial to see that the inequalities in Theorem 1 are obtained by subtracting last term of (61) from each side and setting either x ₁(t ₀) or x ₂(t ₀) to zero.