The economics of information security investment. ACM Transactions on Information and System Security (TISSEC)
Economic aspects of information security: An emerging field of research. Information Systems Frontiers
Secure or insure?: a game-theoretic analysis of information security games. Proceedings of the 17th international conference on World Wide Web
Security and insurance management in networks with heterogeneous agents. Proceedings of the 9th ACM conference on Electronic commerce
Information security investment decisions: evaluating the Balanced Scorecard method. International Journal of Business Information Systems
Can competitive insurers improve network security? TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
Security metrics and security investment models. IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Risk-neutral evaluation of information security investment on data centers. Journal of Intelligent Information Systems
A learning-based approach to reactive security. FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
The economic impact of cyber terrorism. The Journal of Strategic Information Systems
Four kinds of marginal returns to security investment to protect an information set are: decreasing; first increasing and then decreasing (logistic function); increasing; and constant. Gordon, L. A. and Loeb, M. (ACM Trans. Inf. Syst. Secur., 5:438-457, 2002) find for decreasing marginal returns that a firm invests at most 37% (1/e) of the expected loss from a security breach, and that protecting moderately rather than extremely vulnerable information sets may be optimal. This article presents classes of all four kinds where the optimal investment is no longer capped at 1/e. First, investment in information security activities for the logistic function is zero for low vulnerabilities, jumps in a limited "bang-bang" manner to a positive level for intermediate vulnerabilities, and thereafter increases concavely in absolute terms. Second, we present an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets. For the third and fourth kinds the optimal investment is of an all-out "bang-bang" nature, that is, zero for low vulnerabilities, and jumping to maximum investment for intermediate vulnerabilities.