Abstract
This paper analyzes the interaction between a firm that dynamically chooses the level of risk it accepts in a security system and hackers who seek to compromise that system. We formulate the problem as an analytical model in which the system's vulnerability at any point in time affects several risk factors, which are balanced to give a multi-dimensional approach to information security management. The approach considers not only conventional factors such as detection rate and false positive rate, but also factors that capture hacker attack behavior and the learning that occurs in response to the actions the firm takes to manage system risk. System vulnerability can be lowered by increasing the system's discrimination ability, i.e., its ability to distinguish attacks from normal usage. Discrimination ability deteriorates over time because the domain changes and because information about the system's vulnerabilities spreads among hackers. Solving the problem reveals a steady-state solution in which the firm holds the system's discrimination ability constant. We provide insights into managing the various dimensions of risk within a consolidated risk management framework.
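The abstract does not give the model's equations, so the following is an added toy illustration, not the paper's model: it uses the standard equal-variance Gaussian signal-detection model to turn a discrimination index d' and an alarm threshold into a detection rate and a false positive rate, and an assumed discrete-time update in which d' erodes through a constant domain-drift term and a hacker-learning term proportional to current ability. The functional forms, parameter names (`drift`, `learning`, `investment`) and sample values are assumptions chosen to show the one qualitative point the abstract states: a constant per-period investment that exactly offsets erosion holds discrimination ability at a steady state, while no investment lets it decay.

```python
from math import erf, sqrt


def phi(x: float) -> float:
    """Standard normal CDF."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def rates(dprime: float, threshold: float) -> tuple[float, float]:
    """Detection rate and false positive rate under the equal-variance Gaussian
    signal-detection model (an assumption, not the paper's model): normal usage
    scores ~ N(0, 1), attack scores ~ N(dprime, 1), alarm when score > threshold.
    Raising dprime improves detection at a fixed false positive rate.
    """
    detection_rate = phi(dprime - threshold)
    false_positive_rate = phi(-threshold)
    return detection_rate, false_positive_rate


def step(dprime: float, investment: float, drift: float, learning: float) -> float:
    """One period of the assumed dynamics.

    The firm adds `investment` to discrimination ability; ability erodes by a
    constant `drift` (changes in the domain) plus `learning * dprime`
    (dissemination of knowledge among hackers, assumed proportional to how much
    there is to learn). Ability cannot go below zero.
    """
    return max(0.0, dprime + investment - drift - learning * dprime)


def steady_state_investment(dprime: float, drift: float, learning: float) -> float:
    """Per-period investment that exactly offsets erosion at ability `dprime`,
    so that step() returns `dprime` unchanged: the steady state the abstract
    describes, where discrimination ability is held constant.
    """
    return drift + learning * dprime


def simulate(d0: float, investment: float, drift: float, learning: float, periods: int) -> list[float]:
    """Trajectory of discrimination ability under a constant investment policy."""
    path = [d0]
    d = d0
    for _ in range(periods):
        d = step(d, investment, drift, learning)
        path.append(d)
    return path


if __name__ == "__main__":
    # Constructed sample parameters, not values from the paper.
    d0, drift, learning, threshold = 2.0, 0.1, 0.05, 1.0
    u_star = steady_state_investment(d0, drift, learning)
    held = simulate(d0, u_star, drift, learning, 10)
    neglected = simulate(d0, 0.0, drift, learning, 10)
    print(f"steady-state investment: {u_star:.3f}")
    print("ability, steady-state policy:", [round(x, 3) for x in held])
    print("ability, no investment:     ", [round(x, 3) for x in neglected])
    for label, d in (("held", held[-1]), ("neglected", neglected[-1])):
        tpr, fpr = rates(d, threshold)
        print(f"{label}: d'={d:.2f}  detection={tpr:.3f}  false positive={fpr:.3f}")
```

The false positive rate depends only on the threshold, so in this toy the firm's investment shows up purely as detection rate at a fixed false positive rate; moving the threshold trades one against the other on the ROC curve for the current d'.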
| Original language | English |
|---|---|
| Title of host publication | 2008 Workshop on Information Technologies and Systems, WITS 2008 |
| Publisher | Social Science Research Network |
| Pages | 169-175 |
| Publication status | Published - 2008 |
| Externally published | Yes |
| Event | 2008 Workshop on Information Technologies and Systems, WITS 2008 - Paris, France |
| Duration | 13 Dec 2008 → 14 Dec 2008 |
Conference
| Conference | 2008 Workshop on Information Technologies and Systems, WITS 2008 |
|---|---|
| Place | France |
| City | Paris |
| Period | 13/12/08 → 14/12/08 |