Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach. (26th August 2020)
- Record Type:
- Journal Article
- Title:
- Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach. (26th August 2020)
- Main Title:
- Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach
- Authors:
- Gupta, Rohit
Biswas, Baidyanath
Biswas, Indranil
Sana, Shib Sankar
- Abstract:
- Purpose: This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, optimal investment of firm, optimal efforts of attackers and their economic utilities are determined. Design/methodology/approach: Throughout the analysis, a single firm and two attackers for a "firm as a leader" in a sequential game setting and "firm versus attackers" in a simultaneous game setting are considered. While the firm makes investments to secure its information assets, the attackers spend their efforts to launch breaches. Findings: It is observed that the firm needs to invest more when it announces its security investment decisions ahead of attacks. In contrast, the firm can invest relatively less when all agents are unaware of each other's choices in advance. Further, the study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader. Research limitations/implications: In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon – Loeb breach function, with the help of fuzzy expectation operator. Practical implications: This study reports that the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios. A set of numerical experiments and sensitivity analyses complement the analytical modeling. Originality/value: In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon – Loeb breach function, with the help of fuzzy expectation operator.
- Is Part Of:
- Information and computer security. Volume 29:Number 1(2021)
- Journal:
- Information and computer security
- Issue:
- Volume 29:Number 1(2021)
- Issue Display:
- Volume 29, Issue 1 (2021)
- Year:
- 2021
- Volume:
- 29
- Issue:
- 1
- Issue Sort Value:
- 2021-0029-0001-0000
- Page Start:
- 73
- Page End:
- 104
- Publication Date:
- 2020-08-26
- Subjects:
- Vulnerability -- Information security modeling -- Game theory -- Fuzzy sets -- Gordon – Loeb breach function -- Information security investment
Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47
- Journal URLs:
- http://www.emeraldinsight.com/loi/ics
http://www.emeraldinsight.com/
- DOI:
- 10.1108/ICS-02-2020-0028
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 22453.xml