Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

This paper addresses the question of determining the optimal timing of interventions in information security management. Using utility theory, we derive the limiting condition under which, given a potential or realized risk, a decision to invest, delay, or abandon can be justified. Our primary focus is on the decision to defer costly deterministic investments, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with irreversible fixed costs that introduces a rigidity into the investment decision-making profile. This rigidity introduces delay in the implementation of security measures, resulting in cyclical investments in information security, as the decision-maker determines the optimal investment horizon. We therefore show that cycles emerge endogenously given the policy-maker’s chosen trade-offs between investment and the deterioration of the system attributes.
