孙薇,孔祥维,何德全,尤新刚

DOI: https://doi.org/10.3969/j.issn.1007-3221.2008.05.015

2008-01-01

Abstract:Based on Game theory,this paper analyzes the equilibrium of information security investment,and provides a new method to solve the investment quantity of information security.It sets up the information security investment game model of the organizations according to the strategy interdependence,and the relation parameter in the model reflects the game relationship of two organizations,so the equilibrium analysis is made based on reaction function method according to the deferent value of relation parameter.In particular,for the attacker-defender game relationship,it brings forward a proposition of information security investment and makes simulation analysis.The research result not only explains the information security investment in the world,but also provides a good direction of the information security investment quantity for organizations.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ICICIC.2008.319

2008-01-01

Abstract:The purpose of this paper is to analyze the strategy to promote the information security investment based on game theory. We use game theory to make the analysis and put forward the fruitful strategy suggestions for the defender organization to invest in information security. We set up the information security game model, and make the Nash Equilibrium analysis. The Nash Equilibrium analysis results of pure strategy and mixed strategy are consistent. By Nash Equilibrium analysis, we get the cost demand for information security investment. If this demand condition is not satisfied, we introduce the penalty parameter to the investment game. By regulating the value of the penalty parameter, we solve the hard problem of information security investment when it is difficult to reduce the investment cost. It is the first time to analyze information security investment by game theory. Our results provide fruitful strategy suggestions to promote information security investment.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.147

2008-01-01

Abstract:The purpose of this paper is to resolve information security problem in the mobile electronic commerce industry chain. We analyze information security based on evolutionary game theory. In this paper, we set up the information security game model with penalty parameter, calculate replicator dynamics, and analyze the evolutionary stable strategy of the game model. The result reveals that reducing the investment cost is the key factor to promote information security investment. If this condition can not be satisfied, the regulation of penalty parameter will help to promote the investment. The research method in this paper provides a new thought for the solution of information security in the mobile electronic commerce chain.

Qin Wang,Jianming Zhu

DOI: https://doi.org/10.1109/INFOMAN.2016.7477542

2016-01-01

Abstract:With the development of information security and the occurrence of endless security incidents, information security economics has become a new discipline and gained great attentions in academia. This paper analyzes the issue of optimal information security facing two classic types of attacks. With the consideration of business benefits bought by security investment, we identify the different characteristics compared to the previous studies, which can give meaningful inspirations to firms in reality. In addition, we innovatively use evolutionary game theory to study how firms choose the investment strategy in the long run. At last we give a conclusion and point out some fields for future researches.

Yong Wu,Gengzhong Feng,Nengmin Wang,Huigang Liang

DOI: https://doi.org/10.1016/j.eswa.2015.03.033

IF: 8.5

2015-01-01

Expert Systems with Applications

Abstract:The level of firms' information security investment has recently become a critical issue in the management of IT infrastructure. Prior studies have not considered attack types and firms interconnection simultaneously when investigating the optimisation of such investment. Using game theory, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks is different from that against opportunistic attacks. Our model shows that not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. Firms should increase investments with intrinsic vulnerability when facing target attacks, but focus on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. Firms are unwilling to invest in security and often offload reliability problems onto others when the trusted interdependence relationship becomes tighter in the absence of economic incentives. Thus we also discuss two economic incentives to motivate firms: liability and security information sharing. We find-that if the rules are set properly, both economic incentives are effective to not only internalise the negative externality and improve a firm's security level, but also reduce the total expected cost. We show that firms' optimal investments of liability always increase with the increasing number of firms, but the optimal investments on security information sharing increase only when the number of firms is large enough. These insights draw attention to many trade-offs firms often face and the importance of accurate assessment of firms' security environment. Future research directions are discussed based on the limitations and possible extensions of this study. (C) 2015 Elsevier Ltd. All rights reserved.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.149

2008-01-01

Abstract:This paper analyzes information security in the E-commerce based on game theory, and this game analysis method is applied to information security for the first time. We set up the information security game model of the defender and the attacker, make the equilibrium analysis of this game model, and get the ideal strategy combination. Then we introduce the penalty parameter of the defender and the penalty parameter of the attacker to solve the problem that the restriction condition is not satisfied. The introduction of the penalty parameter of the defender promotes the defender to invest in information security, and the introduction of the penalty parameter of the attacker promotes the attacker to take no attack strategy. This paper provides good reference for information security in the E-commerce.

Xiaotong Li

DOI: https://doi.org/10.1080/09537325.2020.1841158

2020-11-18

Technology Analysis and Strategic Management

Abstract:<span>With the development of information technology and the deepening of enterprise informatization, there are new challenges of enterprise information security investment decisions because of cooperative relationships among multi-enterprises. In this paper, the Gordon-Loeb model is extended to the multi-enterprise game environment, and combined with the probability of hacker invasion, which can stimulate enterprises to increase investment in information security and reduce costs, the game model of information security investment among complementary enterprises is constructed. Through this model, the impact of factors on optimal investment can be analyzed. It is found that the information security level of enterprises in cooperation situation is higher than that in the non-cooperation situation. Our research shows that the optimal investment will increase with the increase of the probability of one spread in cooperative situations, which is contrary to the changing trend of enterprises in non-cooperation situations, and there is a minimum expected cost threshold. According to the results, enterprise compensation mechanism and information sharing mechanism are designed to ensure the optimal level of social information security, it provides a new solution to deal with the information security investment decision of complementary enterprises under the characteristics of multi-enterprise and non-cooperative.</span>

management

Jun-jie L(U),Wan-hua QIU,Yuan-zhuo WANG

DOI: https://doi.org/10.3321/j.issn:1003-207X.2006.03.002

2006-01-01

Abstract:Based on the interdependence,which is an important characteristic of information security and the diversity of invasions,an investment game model is presented in this paper.The paper investigates the investment risk exerted by the contagion between firms in the network.With externality representing the risk,the relationship between investment risks and the interdependent extension and the amount of firms in the network is illustrated.By use of the model,the investment risk and decision are analyzed quantitatively and then several Nash equilibrium solutions are provided further.

Zheng Zuo,Yong Fang,Liang Liu,Fang,Xingrong Hu

DOI: https://doi.org/10.1109/iciea.2013.6566592

2013-01-01

Abstract:This paper analyzed the interdependence of information security issues, based on the expected benefit of cost and security loss of the interdependence of information security agents in a network, a model which simulates the information security cost analysis has been built. An information security cost game model is set up based on payoff matrix, the main strategy are divided into "investment security costs" and "do not input the security cost", which using Nash equilibrium and thus support the decision of the agents' security cost.

Xiaofei Qian,Xinbao Liu,Jun Pei,Panos M. Pardalos,Lin Liu

DOI: https://doi.org/10.1057/s41274-016-0134-y

IF: 3.6

2017-10-01

Journal of the Operational Research Society

Abstract:The application of Internet of Things promotes the cooperation among firms, and it also introduces some information security issues. Due to the vulnerability of the communication network, firms need to invest in information security technologies to protect their confidential information. In this paper, considering the multiple-step propagation of a security breach in a fully connected network, an information security investment game among n firms is investigated. We make meticulous theoretic and experimental analyses on both the Nash equilibrium solution and the optimal solution. The results show that a larger network size (n) or a larger one-step propagation probability (q) has a negative effect on the Nash equilibrium investment. The optimal investment does not necessarily increase in n or q, and its variation trend depends on the concrete conditions. A compensation mechanism is proposed to encourage firms to coordinate their strategies and invest a higher amount equal to the optimal investment when they make decisions individually. At last, our model is extended by considering another direct breach probability function and another network structure, respectively. We find that a higher connection density of the network will result in a greater expected cost for each firm.

management,operations research & management science

Guang Zhu,Hu Liu,Mining Feng

DOI: https://doi.org/10.3390/math6100177

IF: 2.4

2018-01-01

Mathematics

Abstract:With the rapid development of information technologies, security violations in online social networks (OSN) have emerged as a critical issue. Traditional technical and organizational approaches do not consider economic factors, which are increasingly important to sustain information security investment. In this paper, we develop an evolutionary game model to study the sustainability of information security investment in OSN, and propose a quantitative approach to analyze and optimize security investment. Additionally, we examine a contract with an incentive mechanism to eliminate free riding, which helps sustain the security investment. Numerical examples are provided for illustration and simulation purposes, leading to several countermeasures and suggestions. Our analytical results show that the optimal strategy of information security investment not only is correlated with profit growth coefficients and investment costs, but is also influenced significantly by the profits from free riding. If the profit growth coefficients are prohibitively small, both OSN service providers and online platforms will not choose to sustain investment based on small profits. As profit growth coefficients increase, there is a higher probability that game players will invest. Another major finding is that the (Invest, Invest) profile is much less sensitive to the change of profit growth coefficients and the convergent speed of this scenario is faster than the other profiles. The government agency can use the proposed model to determine a proper incentive or penalty to help both parties reach the optimal strategies and thus improve OSN security.

Xing Gao,Manting Qiu,Ying Wang,Xifan Wang

DOI: https://doi.org/10.1080/01605682.2022.2096506

IF: 3.6

2022-08-04

Journal of the Operational Research Society

Abstract:Nowadays, business connection between firms becomes rather common so that one firm stores not only its information asset but also some of other firms' information asset. The management of information security is vital for these resource-sharing firms. This paper constructs a game-theoretic model between two resource-sharing firms and one hacker to examine their strategic interaction when the firms face budget constraint on security investment. We consider security information sharing between the firms, which can improve their overall security effort but meantime facilitate the hacker's learning to reduce attack costs. We find that although a tight budget constraint can help save investment cost, the firms always suffer from a poorly secure environment. It shows that although security information sharing is usually encouraged, the firms may be hurt when security information sharing is excessive so that fierce cyber-attacks are induced. We finally design an optimal compensation mechanism, in which the compensation fund is shown to increase with the degree of resource sharing.

management,operations research & management science

董红,邱菀华,吕俊杰,张雯

DOI: https://doi.org/10.3321/j.issn:1001-0920.2008.05.012

2008-01-01

Abstract:Focusing on the asymmetric information between attacker and defender,by applying the methodologies of game theory with incomplete information and network security,a game model of information security technique selections based on cost-benefit is constructed.The study shows the optimal strategies for the players in the deployment of two kinds of security techniques(only deploy firewall or both deploy firewall and intrusion detection systems(IDSs)).Then,by analyzing and comparing with hacking probability,investigation rate,the damage and response cost,the value of security techniques in an organization's IT security architecture is assessed,and thus an adaptive intrusion response strategy is made.Finally,the relative conclusion is illustrated further by an example.

Rong Pan,Changxin Xu

DOI: https://doi.org/10.1109/MINES.2010.110

2010-01-01

Abstract:During the cyber security construction process, how to set proper security standard and investment quota in accordance with the important degree of its information is a universal problem of enterprises. We propose a dynamic Invest-Attack Model based on Information Asymmetry between the protectors and attackers of cyber security and make RD analysis to the proposed model with Evolutionary Game Theory. Finally, we analyze motivation of decision making of players of both sides from microcosmic perspective and put forward conclusion as well as policy suggestions.

Dimitri Percia David,Alain Mermoud,Sébastien Gillard

DOI: https://doi.org/10.48550/arXiv.2112.04310

2021-12-08

Cryptography and Security

Abstract:Cyber-security breaches inflict significant costs on organizations. Hence, the development of an information-systems defense capability through cyber-security investment is a prerequisite. The question of how to determine the optimal amount to invest in cyber-security has been widely investigated in the literature. In this respect, the Gordon-Loeb model and its extensions received wide-scale acceptance. However, such models predominantly rely on restrictive assumptions that are not adapted for analyzing dynamic aspects of cyber-security investment. Yet, understanding such dynamic aspects is a key feature for studying cyber-security investment in the context of a fast-paced and continuously evolving technological landscape. We propose an extension of the Gordon-Loeb model by considering multi-period and relaxing the assumption of a continuous security-breach probability function. Such theoretical adaptations enable to capture dynamic aspects of cyber-security investment such as the advent of a disruptive technology and its investment consequences. Such a proposed extension of the Gordon-Loeb model gives room for a hypothetical decrease of the optimal level of cyber-security investment, due to a potential technological shift. While we believe our framework should be generalizable across the cyber-security milieu, we illustrate our approach in the context of critical-infrastructure protection, where security-cost reductions related to risk events are of paramount importance as potential losses reach unaffordable proportions. Moreover, despite the fact that some technologies are considered as disruptive and thus promising for critical-infrastructure protection, their effects on cyber-security investment have been discussed little.

Ru Yi Ye,Zhou Jiang,Qi Wang

DOI: https://doi.org/10.4028/www.scientific.net/amm.631-632.928

2014-01-01

Applied Mechanics and Materials

Abstract:ROSI (Return On Security Investment) has attracted a great deal of attention in recent years. By inheriting Gordon and Loeb 2002 security breach probability function, we present an adaptive economics model of investment in information security integrating dynamic characteristics of outside threat probability and detective mechanism, and deduce some guidelines for optimal investment amount.

Zhen Wang,Chaofan Li,Xing Jin,Hong Ding,Guanghai Cui,Lanping Yu

DOI: https://doi.org/10.1016/j.amc.2021.126051

IF: 4.397

2021-01-01

Applied Mathematics and Computation

Abstract:With the development of information technology, the infrastructure between enterprises and the connections between businesses show complex network characteristics. The security investment made by an enterprise in a network has an impact on its neighbors, but also bears the impact of its neighbors' security investments. Such individual interaction problems are often modeled as interdependent security games (IDS). In this paper, we study IDS models under three different attack scenarios: the total effort, the weakest link and the best shot. We use evolutionary game theory to explore the dynamics of social payoffs and the average social investments of these three models under different network topologies. The results show that under the total effort model, individuals are more inclined to increase their investments, while under the weakest link and best shot models, individuals choose to minimize their investments due to selfishness. Finally, we study the cluster effect under different network structures and find the threshold at which it exists. (C) 2021 Elsevier Inc. All rights reserved.

Dengpan Liu,Yonghua Ji,Vijay Mookerjee

DOI: https://doi.org/10.1016/j.dss.2011.05.007

IF: 6.969

2011-01-01

Decision Support Systems

Abstract:We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an ''arms race'' where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.

Yong Wu,Gengzhong Feng,Richard Y. K. Fung

DOI: https://doi.org/10.1057/s41274-017-0263-y

IF: 3.6

2018-01-01

Journal of the Operational Research Society

Abstract:Serious information security breaches have caused firms to suffer from customer churns directly or indirectly. To prevent customer churns, firms usually enhance their security protection through two measures, i.e. security investment and security information sharing. Prior studies seldom consider security environment and business environment simultaneously when making a firm’s optimal security decisions. Using game theory, this paper purports to demonstrate that a firm’s security decisions under a competitive environment differ significantly from those under an integrated environment. Moreover, distortions may surface if firms do not cooperate on security practices. Thus, this paper further analyses the measures that a social planner such as the government or industry association controls firms’ security decisions, and results show that these measures may not always be effective. Instead, social planners are recommended to enhance or attenuate the controlling level of the two security decisions based on realistic security and business environments.

Libin Jiang,Venkat Anantharam,Jean Walrand

DOI: https://doi.org/10.1109/TNET.2010.2071397

2011-04-01

IEEE/ACM Transactions on Networking

Abstract:We study a network security game where strategic players choose their investments in security. Since a player's investment can reduce the propagation of computer viruses, a key feature of the game is the positive externality exerted by the investment. With selfish players, unfortunately, the overall network security can be far from optimum. The contributions of this paper are as follows. 1) We first characterize the price of anarchy (POA) in the strategic-form game under an "Effective-investment" model and a "Bad-traffic" model, and give insight on how the POA depends on individual players' cost functions and their mutual influence. We also introduce the concept of "weighted POA" to bound the region of payoff vectors. 2) In a repeated game, players have more incentive to cooperate for their long term interests. We consider the socially best outcome that can be supported by the repeated game, as compared to the social optimum. 3) Next, we compare the benefits of improving security technology and improving incentives, and show that improving technology alone may not offset the price of anarchy. 4) Finally, we characterize the performance of correlated equilibrium (CE). Although the paper focuses on network security, many results are generally applicable to games with positive externalities.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture