Vulnerability and Information Security Investment Under Interdependent Risks: A Theoretical Approach

  • Received : 2011.08.05
  • Accepted : 2011.09.22
  • Published : 2011.12.31

Abstract

This article explores economic models that give the optimal level of information security investment in the presence of interdependent security risks. Using particular functional forms, the analysis shows that the relationship between the level of security vulnerability and the level of optimal security investment is affected by externalities caused by agents' correlated security risks. The article further illustrates that, compared to security investment under independent security risks, in order to maximize the expected net benefit from security investment an agent should invest a larger fraction of the expected loss from a security breach in the case of negative externalities, and a smaller fraction of the expected loss in the case of positive externalities.
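The "fraction of the expected loss" that the abstract compares across risk settings is measured against the independent-risk benchmark of Gordon and Loeb (2002). The following is an added worked example, not code from the paper: it implements that benchmark with the Gordon-Loeb class-I breach function, derives the closed-form optimal investment z*, checks it against a brute-force search, and reports z* as a fraction of the expected loss vL. The productivity parameters alpha and beta and the loss figure L are assumed values chosen for illustration. The paper's interdependent extension relies on functional forms that this page does not give, so it is not reproduced here.

```python
"""Gordon-Loeb (2002) benchmark for optimal security investment under
independent risk, used here to make the abstract's "fraction of the expected
loss" concrete.  Added example; the interdependent extension in the paper
uses functional forms not given on this page and is not reproduced."""
import math


def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Gordon-Loeb class-I breach function S(z, v) = v / (alpha*z + 1)**beta.

    v is the vulnerability (breach probability with no investment), z the
    money spent on security, alpha and beta productivity parameters (assumed
    values here; the page gives none).
    """
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, loss, alpha=1.0, beta=1.0):
    """Expected net benefit of investing z: avoided expected loss minus z."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha=1.0, beta=1.0):
    """Closed-form maximiser of enbis for the class-I form.

    Setting d(enbis)/dz = 0 gives (alpha*z + 1)**(beta+1) = v*alpha*beta*loss,
    so z* = ((v*alpha*beta*loss)**(1/(beta+1)) - 1) / alpha.  When the
    right-hand side is <= 1 the marginal return is below 1 already at z = 0,
    and the optimum is to invest nothing.
    """
    x = v * alpha * beta * loss
    if x <= 1.0:
        return 0.0
    return (x ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def investment_fraction(v, loss, alpha=1.0, beta=1.0):
    """z* expressed as a fraction of the expected loss v*loss."""
    return optimal_investment(v, loss, alpha, beta) / (v * loss)


def numeric_optimum(v, loss, alpha=1.0, beta=1.0, z_max=None, steps=100_000):
    """Brute-force check of the closed form: grid-search z on [0, z_max]."""
    if z_max is None:
        z_max = v * loss  # never worth spending more than the expected loss
    best_z, best_val = 0.0, enbis(0.0, v, loss, alpha, beta)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def max_fraction_over_vulnerability(loss, alpha=1.0, beta=1.0, steps=100):
    """Largest z*/(v*loss) over a grid of v in (0, 1].

    For the class-I form the true maximum is (beta/(beta+1))**(beta+1), which
    rises towards 1/e as beta grows; that 1/e ceiling is the Gordon-Loeb rule
    of thumb for how much of the expected loss is ever worth spending.
    """
    return max(investment_fraction(i / steps, loss, alpha, beta)
               for i in range(1, steps + 1))


if __name__ == "__main__":
    L = 100.0  # constructed: expected loss if a breach occurs
    for v in (0.02, 0.04, 0.1, 0.5, 0.9):
        z = optimal_investment(v, L)
        print(f"v={v:<5} z*={z:7.3f}  fraction of vL={investment_fraction(v, L):.3f}")
    print(f"max fraction over v: {max_fraction_over_vulnerability(L):.3f}"
          f"  (1/e = {1 / math.e:.3f})")
```

Running the script shows the benchmark relationship the abstract contrasts with: z* rises monotonically in v, but z* as a share of vL does not, peaking at 0.25 for beta = 1 and always staying under 1/e. Under interdependent risk the paper argues this share shifts up (negative externalities) or down (positive externalities) relative to this baseline.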
