Firms have been increasing their information technology (IT) security budgets significantly to deal with increased security threats. An examination of current practices reveals that managers view security investment as any other investment and use traditional decision-theoretic risk management techniques to determine security investments. We argue in this paper that this method is incomplete because of the problem's strategic nature: hackers alter their hacking strategies in response to a firm's investment strategies. We propose game theory for determining IT security investment levels and compare the game theory and decision theory approaches on several dimensions, such as the investment levels, vulnerability, and payoff from investments. We show that the sequential game results in the maximum payoff to the firm, but requires that the firm move first, before the hacker. Even if a simultaneous game is played, the firm enjoys a higher payoff than that in the decision theory approach, except when the firm's estimate of the hacker effort in the decision theory approach is sufficiently close to the actual hacker effort. We also show that if the firm learns from prior observations of hacker effort and uses these to estimate future hacker effort in the decision theory approach, then the gap between the results of the decision theory and game theory approaches diminishes over time. The rate of convergence and the extent of loss the firm suffers before convergence depend on the learning model employed by the firm to estimate hacker effort.