Managing Information System Security Under Continuous and Abrupt Deterioration

In this study, we focus on the maintenance of an intrusion detection system (IDS) that attempts to discriminate between benign and malicious traffic arriving at a firm. An attack is more likely to successfully harm the firm if the ability of its IDS to discriminate between malicious and benign traffic is low, implying loopholes or vulnerabilities in the firm's security. A novel aspect of this study is the modeling of both continuous degradation in system discrimination ability (drift) and the arrival of abrupt shocks that can suddenly lower discrimination ability. We model shocks to arrive randomly and cause a random decrease in discrimination ability. Furthermore, we prove the existence of a steady-state level of discrimination ability that firms should strive to reach and maintain. When discrimination ability is below this steady-state level, full effort must be exerted to reach it. We also compare our model with alternative settings, examine the impact of parameter estimation error, and study scenarios in which the arrival rate of malicious traffic is a function of the steady-state discrimination ability chosen by the firm.
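The maintenance policy sketched above (full effort below the steady-state level, just enough effort to hold it otherwise), as an added simulation that is not the paper's model: the linear drift and effort dynamics, the per-step Bernoulli approximation of random shock arrivals, the uniform shock size, and the target level `d_star` are all assumptions chosen for illustration.

```python
"""Simulate a threshold maintenance policy for IDS discrimination ability.
Assumed dynamics (illustrative, not the paper's model): ability d in [0, 1]
loses a fraction `drift` per step, effort u in [0, u_max] adds `gain * u`,
and a shock arrives each step with probability `shock_rate` (Bernoulli
approximation of Poisson arrivals), cutting d by a random fraction."""
import random
from dataclasses import dataclass


@dataclass
class Params:
    drift: float = 0.02       # continuous degradation per step
    gain: float = 0.1         # ability gained per unit of effort
    u_max: float = 1.0        # maximum maintenance effort
    shock_rate: float = 0.05  # probability of an abrupt shock per step
    shock_max: float = 0.3    # largest fraction of ability a shock removes
    d_star: float = 0.8       # assumed steady-state target chosen by the firm


def effort(d: float, p: Params) -> float:
    """Policy: full effort below d_star; otherwise only what holds d_star."""
    if d < p.d_star:
        return p.u_max
    needed = (p.d_star - (1 - p.drift) * d) / p.gain
    return min(p.u_max, max(0.0, needed))


def step(d: float, p: Params, rng: random.Random) -> tuple[float, float]:
    """Apply one period of drift, effort and a possible shock; return (d, u)."""
    u = effort(d, p)
    d = (1 - p.drift) * d + p.gain * u
    if rng.random() < p.shock_rate:
        d *= 1 - rng.uniform(0.0, p.shock_max)   # random-size abrupt drop
    return min(1.0, max(0.0, d)), u


def simulate(d0: float, p: Params, steps: int, seed: int = 0) -> dict:
    """Run the policy and report how often ability sat below the target."""
    rng = random.Random(seed)
    d, below, total_u = d0, 0, 0.0
    for _ in range(steps):
        d, u = step(d, p, rng)
        below += d < p.d_star
        total_u += u
    return {"final": d, "frac_below": below / steps, "mean_effort": total_u / steps}


if __name__ == "__main__":
    print(simulate(0.2, Params(), 1000))
```

With `shock_rate=0` the trajectory climbs to `d_star` and stays there exactly; with shocks on, `frac_below` shows how much of the horizon is spent recovering at full effort.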
