Game of information security investment : Impact of attack types and network vulnerability

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalNot applicablepeer-review

18 Scopus Citations
View graph of relations

Author(s)

  • Yong Wu
  • Gengzhong Feng
  • Nengmin Wang
  • Huigang Liang

Detail(s)

Original languageEnglish
Pages (from-to)6132-6146
Journal / PublicationExpert Systems with Applications
Volume42
Issue number15-16
Early online date8 Apr 2015
Publication statusPublished - Sep 2015

Abstract

The level of firms' information security investment has recently become a critical issue in the management of IT infrastructure. Prior studies have not considered attack types and firms interconnection simultaneously when investigating the optimisation of such investment. Using game theory, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks is different from that against opportunistic attacks. Our model shows that not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. Firms should increase investments with intrinsic vulnerability when facing target attacks, but focus on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. Firms are unwilling to invest in security and often offload reliability problems onto others when the trusted interdependence relationship becomes tighter in the absence of economic incentives. Thus we also discuss two economic incentives to motivate firms: liability and security information sharing. We find that if the rules are set properly, both economic incentives are effective to not only internalise the negative externality and improve a firm's security level, but also reduce the total expected cost. We show that firms' optimal investments of liability always increase with the increasing number of firms, but the optimal investments on security information sharing increase only when the number of firms is large enough. These insights draw attention to many trade-offs firms often face and the importance of accurate assessment of firms' security environment. Future research directions are discussed based on the limitations and possible extensions of this study.

Research Area(s)

  • Attack types, Economic incentives, Game theory, Information security investment, Network vulnerability

Citation Format(s)

Game of information security investment : Impact of attack types and network vulnerability. / Wu, Yong; Feng, Gengzhong; Wang, Nengmin; Liang, Huigang.

In: Expert Systems with Applications, Vol. 42, No. 15-16, 09.2015, p. 6132-6146.

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalNot applicablepeer-review