Toward optimal multi-objective models of network security: Survey

Information security is an important aspect of a successful business today. However, financial difficulties and budget cuts create a problem of selecting appropriate security measures and keeping networked systems up and running. Economic models proposed in the literature do not address the challenging problem of security countermeasure selection. We have made a classification of security models, which can be used to harden a system in a cost effective manner based on the methodologies used. In addition, we have specified the challenges of the simplified risk assessment approaches used in the economic models and have made recommendations how the challenges can be addressed in order to support decision makers

Towards optimal multi-objective models of network security: survey

Information security is an important aspect of a successful business today. However, financial difficulties and budget cuts create a problem of selecting appropriate security measures and keeping networked systems up and running. Economic models proposed in the literature do not address the challenging problem of security countermeasure selection. We have made a classification of security models, which can be used to harden a system in a cost effective manner based on the methodologies used. In addition, we have specified the challenges of the simplified risk assessment approaches used in the economic models and have made recommendations how the challenges can be addressed in order to support decision makers

An Analytical Evaluation of Network Security Modelling Techniques Applied to Manage Threats

The current ubiquity of information coupled with the reliance on such data by businesses has led to a great deal of resources being deployed to ensure the security of this information. Threats can come from a number of sources and the dangers from those insiders closest to the source have increased significantly recently. This paper focuses on techniques used to identify and manage threats as well as the measures that every organisation should consider to put into action. A novel game-based onion skin model has been proposed, combining techniques used in theory-based and hardware-based hardening strategies

An Overview of Economic Approaches to Information Security Management

The increasing concerns of clients, particularly in online commerce, plus the impact of legislations on information security have compelled companies to put more resources in information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with an structured overview of the economic approaches to information security and ii) to identify potential research directions

Risk mitigation decisions for it security

Enterprises must manage their information risk as part of their larger operational risk management program. Managers must choose how to control for such information risk. This article defines the flow risk reduction problem and presents a formal model using a workflow framework. Three different control placement methods are introduced to solve the problem, and a comparative analysis is presented using a robust test set of 162 simulations. One year of simulated attacks is used to validate the quality of the solutions. We find that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment when compared to heuristics that would typically be used by managers to solve the problem. The contribution of this research is to provide managers with methods to substantially reduce information and security risks, while obtaining significantly better returns on their security investments. By using a workflow approach to control placement, which guides the manager to examine the entire infrastructure in a holistic manner, this research is unique in that it enables information risk to be examined strategically. © 2014 ACM

Investing in Prevention or Paying for Recovery - Attitudes to Cyber Risk

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Broadly speaking an individual can invest time and effort to avoid becoming victim to a cyber attack and/or they can invest resource in recovering from any attack. We introduce a new game called the pre-vention and recovery game to study this trade-off. We report results from the experimental lab that allow us to categorize different approaches to risk taking. We show that many individuals appear relatively risk loving in that they invest in recovery rather than prevention. We find little difference in behavior between a gain and loss framing

Animal Disease Related Pre-event Investment and Post-event Compensation: A Multi-agent Problem

We employ a game-theoretic principal agent framework to analyze the individual farmer and governmental behavior pre- and post-animal disease outbreak. We examine the gap between the privately optimal and socially optimal levels of ex ante biosecurity investment and then investigate how a well-designed differentiated compensation scheme can close this gap. Our results also show that the privately optimal investment is generally lower than the first best socially optimal level, and a well-designed differentiated compensation scheme conditional on ex ante biosecurity investment can induce private preventive investment at least greater than the second best socially optimal level when the government face constraints, or even increase approaching the first best socially optimal level. Furthermore, our results suggest that compensation schemes be expanded to encompass features that provide incentives for ex ante biosecurity investment and ex post truthful disclosure. Specifically inclusion of the following two mechanisms is warranted: (a) a penalty for farms who are found to have disease incidence but have not disclosed that information.Risk and Uncertainty,