Intrusion prevention in information systems : Reactive and proactive responses

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalpeer-review

48 Scopus Citations
View graph of relations



Original languageEnglish
Pages (from-to)329-353
Journal / PublicationJournal of Management Information Systems
Issue number1
Publication statusPublished - Jun 2007
Externally publishedYes


Intrusion prevention requires effective identification of and response to malicious events. In this paper, we model two important managerial decisions involved in the intrusion prevention process: the configuration of the detection component, and the response by the reaction component. The configuration decision affects the number of alarms the firm has to investigate. It is well known that the traditional intrusion detection system generates too many false alarms. The response decision determines whether alarms are going to be investigated or rejected outright. By jointly optimizing these two decision variables, a firm may apply different strategies in protecting its informational assets: slow but accurate, rapid but inaccurate, or a mixture of the two strategies. We use the optimal control approach to study the problem. Unlike previous literature, which studied the problem with a static model, in our model, the decision on balancing the desire to detect all malicious events with the opportunity costs required to do so is time dependent. Furthermore, we show how the choice of an optimal mixture of reactive and proactive responses depends on the values of cost parameters and investigation rate parameters. We find that in our model, a high damage cost does not immediately translate to a preference of proactive response, or a high false rejection cost does not translate to a preference of reactive response. The dynamics of the problem, such as how fast alarms accumulate and how fast they can be cleared, also affect the decisions. © 2007 M.E. Sharpe, Inc.

Research Area(s)

  • Information security, Intrusion detection, Intrusion prevention, Intrusion response