A game-theoretic analysis of information security investment for multiple firms in a network

Qian, Xiaofei; Liu, Xinbao; Pei, Jun; Pardalos, Pãnos M.; Liu, Lin

doi:10.1057/s41274-016-0134-y

Cited by 32 publications

(28 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Nadalje, unutar modela izostaje pretpostavka kako napad, bez obzira je li riječ o ciljanom ili oportunističkom napadu, može nastupiti simultano. Qian et al (2017), vodeći se pretpostavkom kako ulaganje poslovne organizacije u sigurnost ne doprinosi isključivo sigurnosti vlastitog sustava, nego i sigurnosti sustava drugih poslovnih organizacija, razmatraju Nash-ovu ravnotežu. Potonja otkriva kako povećanje broja poslovnih organizacija u okružju, usprkos činjenici što isto povećava kibernetičku ranjivost, potiče poslovne organizacije na smanjeno ulaganje u sigurnost iz razloga što se u okružju pojavljuju "slobodni jahači".…”

Section: Teorija Igara Kao Koncept Optimizacije Ulaganja U Kibernetičku Sigurnostunclassified

Ulaganje u kibernetičku sigurnost

Kovač

2021

Elektron. zb. rad. Veleuč. Šibeniku

View full text Add to dashboard Cite

Ubrzani razvoj tehnologija i njihova sve učestalija primjena unutar poslovnih organizacija stvaraju brojne prednosti u smislu brzine izvršavanja i automatizacije poslovnih procesa, lakšeg pristupa i razmjene informacija, obavljanja poslovnih aktivnosti na daljinu, lakšeg pristupa tržištima, smanjivanja troškova poslovanja i dr. Istodobno, poslovne organizacije izložene su kibernetičkim rizicima odnosno prijetnjama koje postaju sve različitije, složenije te bilježe kontinuiran rast. Različiti oblici kibernetičkih rizika manifestiraju se kroz kompromitaciju informacijskih sustava poslovnih organizacija što može izazvati značajne izravne i neizravne fi nancijske gubitke. Premda je uočena sve veća ranjivosti na kibernetičke rizike, posebno u smislu njihovog intenziteta utjecaja na poslovanje organizacija, i dalje je prisutan manjak aktivnosti upravljanja kibernetičkom sigurnošću. Velik broj poslovnih organizacija ignorira odnosno podcjenjuje kibernetičke rizike ili se oslanja na generičke proizvode. Unatoč činjenici kako kibernetički rizici postaju sve važniji čimbenik utjecaja na poslovanje organizacija i rezultata njihovog djelovanja, istraživanja kibernetičkih rizika u ekonomskoj literaturi te u njezinom užem području upravljanja rizicima, nisu adekvatno zastupljena. Cilj ovog rada je pružiti pregled istraživanja u području ulaganja u kibernetičku sigurnost kao metode fizičke kontrole šteta koja je neizostavna pretpostavka povjerljivost, dostupnost i cjelovitost informacija te informacijskih sustava. Nadalje cilj rada je ulaganje u kibernetičku sigurnost usporediti s metodom financijske kontrole te istaknuti važnost kombiniranja ovih dviju metoda u cilju postizanja kibernetičke sigurnosti.

show abstract

Section: Teorija Igara Kao Koncept Optimizacije Ulaganja U Kibernetičku Sigurnostunclassified

Ulaganje u kibernetičku sigurnost

Kovač

2021

Elektron. zb. rad. Veleuč. Šibeniku

View full text Add to dashboard Cite

show abstract

“…The cybersecurity problem among interconnected firms could be seen as the typical interdependent security (IDS) problem, proposed firstly by Kunreuther and Heal [29], who conducted a case study of security investment behaviors among firms in airline security and found that there is a "free-riding problem" of firms' security investment, also denoted as negative externality. Later, some research committed to solving such a negative external issue [10,17,30,31]. For example, Zhao, Xue, and Whinston [9] explored the effects of three risk management methods including cyberinsurance, managed security services (MSSs), and risk pooling arrangements (RPAs) in addressing the investment inefficiency, and the results showed that MSSs has the best effect on security risk management, followed by RPAs and cyberinsurance.…”

Section: Interdependent Cybersecurity Investmentmentioning

confidence: 99%

“…Sharing computer security vulnerabilities, breaches, intrusions, and technological solutions is an effective way to help organizations prevent, detect and correct security breaches proactively. Studies have also pointed out that security information sharing could reduce the uncertainty of network security investment to a certain extent, and thus depress the value of deferred options related to the investment [24,25,30]. President Obama signed the Cybersecurity Information Sharing Act (CISA) in 2015 to improve the level of cybersecurity in the United States.…”

Section: Extension To Effects Of Security Information Sharingmentioning

confidence: 99%

Cybersecurity Investment Allocation for a Multi-Branch Firm: Modeling and Optimization

2019

Mathematics

View full text Add to dashboard Cite

Network interconnection and information sharing among firms and their departments expose them to cybersecurity breaches. Traditional cybersecurity studies have paid little attention to the reallocation of security investment within firms. This paper proposes a mathematical model for optimal allocation of cybersecurity investment among headquarters and branches with budget constraints. The differences in size of information sets and system interconnection have been taken into account. The responses of optimal allocation to internal and external factors, such as the portion of branch information set, the propagation probability, the budget constraints, and the intrinsic vulnerability, have been studied in deep both theoretically and numerically. Analysis results indicate that the group will give priority to protecting headquarters when the total budget is small and intrinsic vulnerability is high. The security investment allocated to each branch increases with budget, propagation probability and portion of information set, but never exceeds 1 / ( n + 1 ) of total budget. Numerical simulations also verify that security information sharing among headquarters and branches can help improve the efficiency of security investment in the whole system. Furthermore, the findings of this paper will draw attention to the reallocation of cybersecurity investment within a business group and help cybersecurity managers to develop investment allocation strategies and policies.

show abstract

“…Proposition 2 notes that standardized decision processes are not applied. The academic literature has proposed various analyses to address information security investment decision-making (Bojanc & Jerman-Blažic 2012;Bojanc & Jerman-Blažic 2008;Huang & Behara 2013;Huang et al 2014;Qian et al 2017). While these approaches provide crucial input to determine the optimal amount, time and allocation of investments, the embedding within an organization's decision process is not carried out.…”

Section: Propositionmentioning

confidence: 99%

Information security investments: An exploratory multiple case study on decision-making, evaluation and learning

Weishäupl

Yasasin

Schryen

2018

Computers & Security

View full text Add to dashboard Cite

The need to protect resources against attackers is reflected by huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms' investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur at an ad-hoc basis.

show abstract

A game-theoretic analysis of information security investment for multiple firms in a network

Cited by 32 publications

References 24 publications

Ulaganje u kibernetičku sigurnost

Ulaganje u kibernetičku sigurnost

Cybersecurity Investment Allocation for a Multi-Branch Firm: Modeling and Optimization

Information security investments: An exploratory multiple case study on decision-making, evaluation and learning

Contact Info

Product

Resources

About