Abstract
This paper addresses the question of determining the optimal timing of interventions in information security management. Using utility theory, we derive the limiting condition under which, given a potential or realized risk, a decision to invest, delay, or abandon can be justified. Our primary focus is on the decision to defer costly deterministic investments, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with irreversible fixed costs that introduces a rigidity into the investment decision-making profile. This rigidity introduces delay in the implementation of security measures, resulting in cyclical investments in information security, as the decision-maker determines the optimal investment horizon. We therefore show that cycles emerge endogenously given the policy-maker’s chosen trade-offs between investment and the deterioration of the system attributes.
Notes
1. Part of this work was carried out whilst Pym was employed at HP Labs, Bristol, England, UK.
2. The solution includes the stochastic process that represents the threat environment.
3. Modelling multiple trade-offs can be accommodated within the same methodology.
4. Well specified, in this case, implies that preferences represented by this utility function are consistent with rational choice. For a full exposition of axiomatic utility theory and decision making see [14].
5. National Institute of Science and Technology (NIST), www.nist.gov; Common Vulnerability Scoring System (CVSS).
References
Abel R (1990) Asset prices under habit formation and catching up with the Joneses. Am Econ Rev 80(2):38–42
Anderson R (2001) Why information security is hard: an economic perspective. In: Proceedings of 17th Annual Computer Security Applications Conference, pp 358–265. IEEE
Anderson R, Böhme R, Clayton R, Moore T (2007) Security economics and the internal market. Report to the European Network and Information Security Agency (ENISA)
Anderson R, Moore T (2006) The economics of information security. Science 314:610–613. Extended version available at http://www.cl.cam.ac.uk/~rja14/Papers/toulouse-summary.pdf
Arora A, Telang R, Xu H (2008) Optimal policy for software vulnerability disclosure. Manag Sci 54(4):642–656
Arrow K (1971) The theory of risk aversion. In: Essays in the theory of risk bearing. Markham Publ. Co., pp 90–109 (Reprinted from: Aspects of the Theory of Risk Bearing, by Yrjo Jahnssonin Saatio, Helsinki, 1965)
August T, Tunca T (2006) Network software security and user incentives. Manag Sci 52(11):1703–1720
Beres Y, Griffin J, Shiu S, Heitman M, Markle D, Ventura P (2008) Analysing the performance of security solutions to reduce vulnerability exposure window. In: Proceedings of the 2008 Annual Computer Security Applications Conference. IEEE Computer Society Conference Publishing Services (CPS), pp 33–42
Beres Y, Pym D, Shiu S (2010) Decision support for systems security investment. In: Network Operations and Management Symposium Workshops (NOMS Wksps), 2010. IEEE/IFIP, pp 118–125, Doi: 10.1109/NOMSW.2010.5486590, ISBN: 978-1-4244-6037-3, INSPEC Accession Number: 11502735
Bloom N (2009) The impact of uncertainty shocks. Econometrica 77(3):623–685
Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: share the burden or share the damage. Manag Sci 54(4):657–670
Collinson M, Monahan B, Pym D (2010) Semantics for structured systems modelling and simulation. In: Proceedings of Simutools 2010. ICST: ACM Digital Library and EU Digital Library. ISBN: 78-963-9799-87-5
Epstein LG, Zin SE (1989) Substitution, risk aversion, and the temporal behavior of consumption growth and asset returns I: a theoretical framework. Econometrica 57(4):937–969
Fishburn PC (1970) Utility theory for decision making. Wiley
Fultz N, Grossklags J (2009) Blue versus red: towards a model of distributed security attacks. In: Dingledine R, Golle P (eds) Proceedings of the Thirteenth International Conference Financial Cryptography and Data Security (FC’09), Springer Verlag, pp 167–183, LNCS 5628, ISBN: 978-3-642-03548-7
Gordon L, Loeb M (2002) The economics of information security investment. ACM Trans Inform Syst Secur 5(4):438–457
Gordon L, Loeb M (2006) Managing cybersecurity resources: a cost-benefit analysis. McGraw Hill
Gordon L, Loeb M, Lucyshyn W (2003) Information security expenditures and real options: a wait-and-see approach. Comput Secur J 19(2):1–7
Ioannidis C, Pym D, Williams J (2009) Investments and trade-offs in the economics of information security. In: Dingledine R, Golle P (eds) Proceedings of Financial Cryptography and Data Security ’09, LNCS, Springer, vol 5628, pp 148–166. Preprint available at http://www.abdn.ac.uk/~csc335/IoannidisPymWilliams-FC09.pdf
Ioannidis C, Pym D, Williams J (2011) Information security trade-offs and optimal patching policies. Eur J Oper Res. Forthcoming (TBA), TBA
Kahneman D, Tversky A (1979) Prospect theory: an analysis of decisions under risk. Econometrica 47: 313–327
Keeney R, Raiffa H (1976) Decisions with multiple objectives: preferences and value trade-offs. Wiley
Loistl O (1976) The erroneous approximation of expected utility by means of Taylor's series expansion: analytic and computational results. Am Econ Rev 66(5):904–910
Mont MC, Beres Y, Pym D, Shiu S (2010) Economics of identity and access management: providing decision support for investments. In: Network Operations and Management Symposium Workshops (NOMS Wksps), 2010, IEEE/IFIP, pp 134–141, Doi: 10.1109/NOMSW.2010.5486588, ISBN: 978-1-4244-6037-3, INSPEC Accession Number: 11502733
Pratt J (1964) Risk aversion in the small and in the large. Econometrica 32:122–136
Rogers D, Williams L (2000) Diffusions, Markov processes, and Martingales. Cambridge Mathematics Library
Ross S (1995) Stochastic processes. Wiley
Taksumi K, Goto M (2010) Optimal timing of information security investment: a real options approach. In: Moore T, Pym D, Ioannidis C (eds) Economics of Information Security and Privacy. Proceedings of WEIS 2009, Springer, London
Appendix
1.1 Proof of Proposition 1: Decision Function Equilibrium
The vector random variable z has n univariate log-normal marginal distributions and a correlation structure driven by \(\Sigma = \mathbb{E}\,(\log z - \mu)(\log z - \mu)^{\prime}\), where ′ denotes the conjugate transpose, μ = {μ1, …, μn} is a vector of time-homogeneous central expectations, and Σ = [σij] is a time-homogeneous variance-covariance matrix. Setting n = 2, the observed moments and co-moments of z are defined as
where μ1 is the expected value of the generating normal distribution for the system attribute x1, μ2 is the expected value of the generating normal distribution for the system attribute x2, σ1 is the standard deviation of the underlying normal distribution for x1, σ2 is the standard deviation of the underlying normal distribution for x2, and σ12 is the covariance of the underlying normal distribution.
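As an added illustration that is not part of the paper, the following Python computes the closed-form moments and co-moment of the bivariate log-normal z = exp(w), w ~ N(μ, Σ), for the n = 2 case the appendix refers to, and checks them by simulation; the parameter values (μ, σ1, σ2 and the correlation ρ, so that σ12 = ρσ1σ2) are constructed for the example.

```python
import math
import random


def lognormal_moments(mu, sigma, rho):
    """Closed-form moments of z = exp(w), w ~ N(mu, Sigma), for n = 2.

    mu = (mu1, mu2) and sigma = (sigma1, sigma2) parametrise the generating
    normal distributions; rho is their correlation, so sigma12 = rho*sigma1*sigma2.
    Returns (E[z1], E[z2], Var[z1], Var[z2], Cov[z1, z2]).
    """
    mu1, mu2 = mu
    s1, s2 = sigma
    s12 = rho * s1 * s2                       # covariance of the underlying normal
    m1 = math.exp(mu1 + s1 ** 2 / 2)          # E[z_i] = exp(mu_i + sigma_i^2 / 2)
    m2 = math.exp(mu2 + s2 ** 2 / 2)
    v1 = (math.exp(s1 ** 2) - 1) * m1 ** 2    # Var[z_i] = (exp(sigma_i^2) - 1) E[z_i]^2
    v2 = (math.exp(s2 ** 2) - 1) * m2 ** 2
    c12 = m1 * m2 * (math.exp(s12) - 1)       # Cov[z1,z2] = E[z1] E[z2] (exp(sigma12) - 1)
    return m1, m2, v1, v2, c12


def monte_carlo_moments(mu, sigma, rho, n=200_000, seed=1):
    """Sample moments of z from the same model, used to check the closed forms.

    The bivariate normal w is drawn through its Cholesky factor:
    w1 = mu1 + s1*e1,  w2 = mu2 + s2*(rho*e1 + sqrt(1 - rho^2)*e2),  e1, e2 ~ N(0, 1).
    """
    rng = random.Random(seed)
    mu1, mu2 = mu
    s1, s2 = sigma
    k = math.sqrt(1 - rho ** 2)
    z1, z2 = [], []
    for _ in range(n):
        e1, e2 = rng.gauss(0, 1), rng.gauss(0, 1)
        z1.append(math.exp(mu1 + s1 * e1))
        z2.append(math.exp(mu2 + s2 * (rho * e1 + k * e2)))
    m1, m2 = sum(z1) / n, sum(z2) / n
    v1 = sum((a - m1) ** 2 for a in z1) / n
    v2 = sum((b - m2) ** 2 for b in z2) / n
    c12 = sum((a - m1) * (b - m2) for a, b in zip(z1, z2)) / n
    return m1, m2, v1, v2, c12


# Constructed parameter values (not from the paper): mu, sigma and rho for x1, x2.
PARAMS = ((0.1, 0.2), (0.2, 0.3), 0.5)

if __name__ == "__main__":
    exact, sim = lognormal_moments(*PARAMS), monte_carlo_moments(*PARAMS)
    for name, a, b in zip(("E[z1]", "E[z2]", "Var[z1]", "Var[z2]", "Cov[z1,z2]"), exact, sim):
        print(f"{name:11s} closed-form {a:.5f}   simulated {b:.5f}")
```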
Consider an arrival rate λ. The expected number of events over the interval [t0, T] is then λ(T − t0). Let t0 ≤ t ≤ T and set t0 = 0. The combined jump process y(t) ∈ ℝ², with Poisson arrivals and count λ(t), yields the expected moments of the threat environment discount factors for the interval [0, t] as follows:
Combining the moments of the system process from (38) with the instantaneous expectations from (14–18) yields
Substituting these into (29) gives the explicit instantaneous loss function. For compactness we assume separable additivity, so all the covariance terms drop out, as follows:
Integrating and discounting over the policy-maker's time horizon yields the expected loss function at time t0
1.2 Proof of Theorem 1
Let T < ∞. For t∗ ∈ (t0, T), the cost function at t0 is defined as
The subsequent trade-off decision-making function relative to the cost function from (34) is now
It is now trivial to see that the inequalities in Theorem 1 are obtained by subtracting the last term of (61) from each side and setting either x1(t0) or x2(t0) to zero.
Copyright information
© 2013 Springer Science+Business Media New York
Cite this paper
Ioannidis, C., Pym, D., Williams, J. (2013). Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach. In: Schneier, B. (eds) Economics of Information Security and Privacy III. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1981-5_8
DOI: https://doi.org/10.1007/978-1-4614-1981-5_8
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-1980-8
Online ISBN: 978-1-4614-1981-5