THESIS
2004
vii, 46 leaves : ill. ; 30 cm
Abstract
Information security is becoming an increasingly serious problem faced by many enterprises and organizations that perform part of their business processes via the Internet. It has been a hot topic among the industry and the academic community for many years. However, most of the research done in this field focuses on security technologies, while only a very small percentage of it focuses on economics of investment in security.
Gordon and Loeb [1] have put forth a simple but useful model to determine the optimal investment in security. They consider the investment made in preventive mechanisms, and derive that the optimal level of investment in information security should not exceed 37% of the expected loss caused by the vulnerability without any protection, for two classes of security breach probability functions: the power function and the exponential function.
Based on Gordon and Loeb's work, this thesis first relaxes the specific assumption on the functional form of the security breach probability function, and provides a more general result on the upper bound of optimal investment in security. Second, it introduces the hacker's response behavior and a detective mechanism, and as a result builds a more general and adaptive economic model of investment in information security. It is concluded that for an arbitrary form of the security breach probability function, the optimal level of total investment made in both preventive and detective mechanisms should not exceed one half of the expected loss without any protection; this upper bound still holds if the hacker's response behavior is integrated into the model. In addition, this thesis derives the circumstances under which investment should be made in a detective mechanism for a better overall performance.
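As an added illustration (not code from the thesis or from Gordon and Loeb), the following computes the optimal preventive investment numerically for the two breach-probability families named above and reports it as a fraction of the unprotected expected loss, so the 37% (1/e) bound can be checked on constructed parameter values; the parameter names alpha and beta are assumptions of this example.

```python
"""Added example: Gordon-Loeb optimal investment for the two breach-probability
families named in the abstract. All parameter values are constructed."""
import math

def class1_breach_prob(z, v, alpha, beta):
    # Power-function family: S(z, v) = v / (alpha*z + 1)**beta
    return v / (alpha * z + 1) ** beta

def class2_breach_prob(z, v, alpha):
    # Exponential family: S(z, v) = v**(alpha*z + 1), with 0 < v < 1
    return v ** (alpha * z + 1)

def enbis(z, v, loss, S):
    # Expected net benefit of investing z: avoided expected loss minus the outlay
    return (v - S(z)) * loss - z

def optimal_investment(v, loss, S, steps=100000):
    """Grid search for the z maximising ENBIS on [0, v*loss]; spending more
    than the unprotected expected loss v*loss can never pay off."""
    z_max = v * loss
    best_z, best_val = 0.0, enbis(0.0, v, loss, S)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, loss, S)
        if val > best_val:
            best_z, best_val = z, val
    return best_z

def investment_ratio(v, loss, S):
    # Fraction of the unprotected expected loss that the optimum spends
    return optimal_investment(v, loss, S) / (v * loss)

def gordon_loeb_bound_ratio():
    # Gordon and Loeb's upper bound, 1/e, of roughly 37% of the expected loss
    return 1.0 / math.e

if __name__ == "__main__":
    # Constructed case: vulnerability 0.6, loss 1000 (in arbitrary money units)
    r1 = investment_ratio(0.6, 1000.0, lambda z: class1_breach_prob(z, 0.6, 0.01, 1.0))
    # Constructed case: vulnerability 0.5, loss 1000
    r2 = investment_ratio(0.5, 1000.0, lambda z: class2_breach_prob(z, 0.5, 0.1))
    print(f"power-function case: {r1:.3f} of expected loss")
    print(f"exponential case:    {r2:.3f} of expected loss")
    print(f"Gordon-Loeb bound:   {gordon_loeb_bound_ratio():.3f}")
```

Both constructed cases land well below the 1/e bound; the closed-form optima for these parameters are about 144.9 and 51.2 money units respectively.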
Key Words: Optimal security investment, Hacker's response behavior, Detective mechanism