Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Ioannidis, Christos; Pym, David J.; Williams, Julian

doi:10.1007/978-1-4614-1981-5_8

Cited by 13 publications

(15 citation statements)

References 27 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The parameters of interest are, therefore, represented by the estimates of λ ∞ that are indicative of the existence of jumps. Contagion is captured by the elements of the contagion matrix (13). All of the statistical results that are presented in the tables below are statistically significant at 5%.…”

Section: Results and Analysismentioning

confidence: 83%

“…The critical tipping point for additional investment occurs when L K (t, T ) = L CS (t, T ). Similar models and conditions have been given in [11,12,13].…”

Section: The Basic Modelmentioning

confidence: 96%

“…Following [13], building on [12,11], the system of equations can be uniquely characterized by the stochastic process driving threats:…”

Section: The Basic Modelmentioning

confidence: 99%

See 2 more Smart Citations

Contagion in cyber security attacks

Baldwin¹,

Gheyas

Ioannidis

et al. 2017

Journal of the Operational Research Society

Self Cite

View full text Add to dashboard Cite

ABSTRACT. We develop and estimate a vector equation system of threats to ten important IP services, using SANS-reported data over the period January 2003 to February 2011. Our results reveal strong evidence of contagion between such attacks, with attacks on ssh and Secure Web Server indicating increased attack activity on other ports. Security managers who ignore such contagious inter-relationships may underestimate the underlying risk to their systems' defence of security attributes, such as sensitivity and criticality, and thus delay appropriate information security investments.

show abstract

Section: Results and Analysismentioning

confidence: 83%

“…The critical tipping point for additional investment occurs when L K (t, T ) = L CS (t, T ). Similar models and conditions have been given in [11,12,13].…”

Section: The Basic Modelmentioning

confidence: 96%

See 1 more Smart Citation

Contagion in cyber security attacks

Baldwin¹,

Gheyas

Ioannidis

et al. 2017

Journal of the Operational Research Society

Self Cite

View full text Add to dashboard Cite

show abstract

“…This use of multi-attribute utility theory (see [16] for a detailed account) has been employed as a tool for reasoning in a range of security settings; for example, [12,14].…”

Section: Productivity and Utilitymentioning

confidence: 99%

“…Our hypothesis, supported by a body of exploratory (e.g., [1,2]) and theoretical (e.g., [13,14]) work, is that a specific combination of mathematical systems modelling of the structure and dynamics of organizations and their behaviour and economic modelling of their security policy design and decision-making can deliver a framework within which the consequences of security policy and technology co-design decisions can be predicted and explored experimentally. The security systems of interest are often complex assemblies of agents, be they software or human, policies, and technology.…”

Section: Introductionmentioning

confidence: 98%

Compositional Security Modelling

Caulfield

Pym

Williams

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The nal publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-07620-121Additional information: Use policyThe full-text may be used and/or reproduced, and given to third parties in any format or medium, without prior permission or charge, for personal research or study, educational, or not-for-pro t purposes provided that:• a full bibliographic reference is made to the original source • a link is made to the metadata record in DRO • the full-text is not changed in any way The full-text must not be sold in any format or medium without the formal permission of the copyright holders.Please consult the full DRO policy for further details. Abstract. Security managers face the challenge of formulating and implementing policies that deliver their desired system security postures -for example, their preferred balance of confidentiality, integrity, and availability -within budget (monetary and otherwise). In this paper, we describe a security modelling methodology, grounded in rigorous mathematical systems modelling and economics, that captures the managers' policies and the behavioural choices of agents operating within the system. Models are executable, so allowing systematic experimental exploration of the system-policy co-design space, and compositional, so managing the complexity of large-scale systems.

show abstract

Enterprise security economics: A self‐defense versus cyber‐insurance dilemma

Miaoui

Boudriga

2019

Appl Stoch Models Bus & Ind

View full text Add to dashboard Cite

We propose a model that optimizes enterprise investments in cybersecurity using expected utility theory. The model allows computing (a) investment in self-defense to reduce the risk of security breaches, (b) investment in cyber insurance to transfer the residual risk to insurance companies, and (c) investment in forensic readiness to make the insured firms capable of generating provable insurance claims about security breaches. A three-phase-based model of vulnerability rate evolution over time is proposed and used to estimate the different planned security expenditures throughout the investment horizon.At the starting time of investment, a decision maker invests to cover the existing risk of breach and periodically spends to cover the additional risk observed due to the release of new vulnerabilities. In this work, the intermediate tranches are determined while considering three different attitudes of decision makers, namely, optimistic, pessimistic, and realistic. An analysis is conducted to assess the performance of the proposed models. KEYWORDSforensic readiness, information security, optimal investment, risk minimization 448

show abstract

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Cited by 13 publications

References 27 publications

Contagion in cyber security attacks

Contagion in cyber security attacks

Compositional Security Modelling

Enterprise security economics: A self‐defense versus cyber‐insurance dilemma

Contact Info

Product

Resources

About