Decision-Theoretic and game-theoretic approaches to IT security investment

Research output: Journal Publications and ReviewsRGC 21 - Publication in refereed journalpeer-review

183 Scopus Citations
View graph of relations

Author(s)

Detail(s)

Original languageEnglish
Pages (from-to)281-304
Journal / PublicationJournal of Management Information Systems
Volume25
Issue number2
Publication statusPublished - 2008
Externally publishedYes

Abstract

Firms have been increasing their information technology (IT) security budgets significantly to deal with increased security threats. An examination of current practices reveals that managers view security investment as any other and use traditional decision-theoretic risk management techniques to determine security investments. We argue in this paper that this method is incomplete because of the problem's strategic nature-hackers alter their hacking strategies in response to a firm's investment strategies. We propose game theory for determining IT security investment levels and compare game theory and decision theory approaches on several dimensions such as the investment levels, vulnerability, and payoff from investments. We show that the sequential game results in the maximum payoff to the firm, but requires that the firm move first before the hacker. Even if a simultaneous game is played, the firm enjoys a higher payoff than that in the decision theory approach, except when the firm's estimate of the hacker effort in the decision theory approach is sufficiently close to the actual hacker effort. We also show that if the firm learns from prior observations of hacker effort and uses these to estimate future hacker effort in the decision theory approach, then the gap between the results of decision theory and game theory approaches diminishes over time. The rate of convergence and the extent of loss the firm suffers before convergence depend on the learning model employed by the firm to estimate hacker effort. © 2008 M.E. Sharpe, Inc.

Research Area(s)

  • Decision theory, Game theory, IT security investments

Citation Format(s)

Decision-Theoretic and game-theoretic approaches to IT security investment. / Cavusoglu, Huseyin; Raghunathan, Srinivasan; Yue, Wei T.
In: Journal of Management Information Systems, Vol. 25, No. 2, 2008, p. 281-304.

Research output: Journal Publications and ReviewsRGC 21 - Publication in refereed journalpeer-review