Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment

Firms have been increasing their information technology (IT) security budgets significantly to deal with increased security threats. An examination of current practices reveals that managers treat security investment like any other investment and use traditional decision-theoretic risk management techniques to determine security investment levels. We argue in this paper that this method is incomplete because of the problem's strategic nature—hackers alter their hacking strategies in response to a firm's investment strategies. We propose game theory for determining IT security investment levels and compare the game theory and decision theory approaches on several dimensions, such as the investment levels, vulnerability, and payoff from investments. We show that the sequential game results in the maximum payoff to the firm, but requires that the firm move first, before the hacker. Even if a simultaneous game is played, the firm enjoys a higher payoff than in the decision theory approach, except when the firm's estimate of the hacker effort in the decision theory approach is sufficiently close to the actual hacker effort. We also show that if the firm learns from prior observations of hacker effort and uses these to estimate future hacker effort in the decision theory approach, then the gap between the results of the decision theory and game theory approaches diminishes over time. The rate of convergence and the extent of loss the firm suffers before convergence depend on the learning model employed by the firm to estimate hacker effort.
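An added worked example, not code from the paper: a constructed, stylized firm-versus-hacker model that makes the abstract's comparison concrete. It computes the decision theory outcome (the firm optimises against a fixed estimate of hacker effort, after which the hacker best-responds to the investment actually made), the simultaneous-game (Nash) outcome, the sequential-game (Stackelberg, firm first) outcome, and a fading-memory learning path in which the firm's estimate is an exponentially weighted average of observed hacker effort. The contest-style breach-probability function v(z, e) = e / (e + z), the linear costs and all parameter values are assumptions, so the numbers illustrate the mechanics rather than reproduce the paper's own results.

```python
import math

# Constructed, stylized model (an assumption, not the paper's own functional forms):
# the firm invests z, the hacker exerts effort e, and the probability of a successful
# breach is the contest success function v(z, e) = e / (e + z).
L, C = 100.0, 1.0   # firm: loss if breached, cost per unit of security investment
G, K = 150.0, 1.0   # hacker: gain from a successful breach, cost per unit of effort

def vulnerability(z, e):
    return e / (e + z) if e + z > 0 else 0.0

def firm_payoff(z, e):
    return -L * vulnerability(z, e) - C * z

def hacker_best_response(z):
    # argmax_e G*v - K*e gives (e+z)^2 = G*z/K; zero effort if that would be negative
    return max(0.0, math.sqrt(G * z / K) - z)

def firm_best_response(e_est):
    # argmax_z -L*v - C*z, taking e = e_est as given, gives (e+z)^2 = L*e/C
    return max(0.0, math.sqrt(L * e_est / C) - e_est)

def decision_theory(e_est):
    """Firm optimises against a fixed effort estimate; the hacker then best-responds."""
    z = firm_best_response(e_est)
    e = hacker_best_response(z)
    return z, e, firm_payoff(z, e)

def simultaneous_game(z0=1.0, rounds=200):
    """Nash equilibrium by iterated best response (a contraction for these parameters)."""
    z = z0
    for _ in range(rounds):
        e = hacker_best_response(z)
        z = firm_best_response(e)
    return z, e, firm_payoff(z, e)

def sequential_game(step=0.01):
    """Stackelberg: the firm commits first, anticipating the hacker's best response."""
    grid = (i * step for i in range(1, int(G / K / step) + 1))
    outcomes = ((z, hacker_best_response(z)) for z in grid)
    return max(((z, e, firm_payoff(z, e)) for z, e in outcomes), key=lambda t: t[2])

def learning_path(e_est0, lam, periods):
    """Decision theory with exponentially fading memory: EWMA of observed hacker effort."""
    e_est, path = e_est0, []
    for _ in range(periods):
        z, e, p = decision_theory(e_est)
        path.append((z, e, p))
        e_est = (1 - lam) * e_est + lam * e
    return path
```

Each function returns (investment, hacker effort, firm payoff), so the three approaches can be compared on investment level, vulnerability and payoff as the abstract does; with these parameters the sequential game gives the firm its best payoff, a firm that overestimates hacker effort does worse than in the simultaneous game, and the learning path converges to the simultaneous-game outcome.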
