The Optimal Investment Strategy of Information Security
CHUN-HSIUNG LIAO, National Cheng Kung University
CHUN-WEI CHEN, National Cheng Kung University
JA-WAY HUNG, National Cheng Kung University
This study analyzes an optimal investment strategy for information security (IS) for a profit-maximizing
online monopoly when it is facing attacks from cyber criminals by considering a network security
theoretical model with time-varying characteristics. The intangible profit of security investment is
transformed into a measurable sales benefit by using a successful entry ratio that links the relationships
among IS investment, security improvement, and increases in consumer demand. The dynamic
optimization technique is adopted to analyze optimal network security investments for enterprises. It is
found that there exists a unique optimal IS investment level. This investment strictly increases with
market potential and degree of threat, but the increment strictly decreases with changes in market
potential and the degree of threat. The benefit-cost ratio of investment versus threat is strictly concave in
regard to threat degree. Next, in a finite time frame, an optimal investment in information security
monotonically decreases over time until the end of the time period whenever the discount rate is low.
Finally, it is also found that the optimal upgrade time to invest in information security occurs when a
monopoly’s gross profits in two generations of products are the same.
Categories and Subject Descriptors: K.4.4 [Electronic Commerce]: Security
General Terms: Economics, Security, Theory
Additional Key Words and Phrases: Information security, threat degree, cyber attack, investment strategy,
upgrade time
ACM Reference Format:
Liao, C. H., Chen, C. W., and Hung, J. W. 2010. The Optimal Investment Strategy of Information Security Architecture.
1. INTRODUCTION
Computer technology and the Internet play a ubiquitous role in economic activities
related to consumption and transactions. Home shopping has been
booming in recent decades since public consumption behavior has substantially
changed. Recently, J.P. Morgan (2011) surveyed the e-commerce industry in the U.S.
and found that the number of people who shop online keeps increasing, with 38
percent buying at least once per month, and the percentage of people who don’t shop
online declined to 12 percent in 2010 from 20 percent in 2007. In particular, higher
income consumers shop online the most often, with 34 percent of those making
$100,000 or more shopping online at least three times per month. As of 2009, e-commerce was 3.9 percent of all U.S. retail sales, up from 1.4% in
2002 (J.P. Morgan, 2011). This report also forecasted that e-commerce revenue would
grow to $680 billion in 2011 worldwide, up 18.9 percent from 2010 revenue. Further,
it predicted that online retail commerce in the U.S. alone will grow 13.2 percent to
$187 billion, and global e-commerce revenue will hit a whopping $963 billion by 2013.
Similarly, Cisco Systems Inc. (2011) conducted interviews with 32 e-retailers that sell
internationally to define the priorities, processes and individual market complexities
involved in international e-commerce. The report forecasted that global e-commerce,
including travel and auto purchases as well as online retail sales, will increase 13.5%
annually for the next four years and reach an estimated $1.4 trillion in 2015. The
sophistication of the e-commerce infrastructure, such as Internet connection
capabilities, delivery services and payment systems, plays an important role when
retailers consider entering the online market of their country or region.
Online transactions are always under substantial hacker threats. Symantec (2010)
surveyed more than 2,100 enterprises’ chief information officers and information
technological (IT) managers from 27 countries and released the findings of its global
state of enterprise security study.
Author’s addresses: C.H. Liao, Institute of Telecommunications Management and Department of
Communication and Transportation Management, National Cheng Kung University, Tainan, TAIWAN;
C.W. Chen, Department of Communication and Transportation Management, National Cheng Kung
University, Tainan, TAIWAN; J.W. Hung, Department of Communication and Transportation
Management, National Cheng Kung University, Tainan, TAIWAN.
The study found that 42 percent of organizations rate security their top issue, more
than natural disasters, terrorism, and traditional crime combined. Further, 75
percent of organizations had experienced cyber-attacks in the previous 12 months,
and 29 percent of enterprises reported that attacks had increased in 2009. These
attacks cost businesses an average of $2 million per year. Finally, organizations
reported that enterprise security is becoming more difficult mainly as a result of a
number of factors such as understaffing, new IT initiatives that intensify security
issues and IT compliance issues. High profile attacks in various ways on giant
organizations and government agencies, such as Microsoft, eBay, Yahoo, and
Amazon.com, the Department of Defense and the Federal Bureau of Investigation,
also have made regular headlines (Kesan et al., 2004). Weaver and Paxson (2004)
suggested that a worst-case worm could cost anywhere from $50 billion to $100
billion that excludes difficult-to-estimate but quite possibly large additional indirect
damage to the U.S. economy.
The types of security attacks include denial of service (DoS), Trojan horses that
come with other software, viruses that reproduce themselves by attaching to other
executable files, worms that are self-reproducing programs that create copies of
themselves and spread by using e-mail address books, logic bombs that are dormant
until an event triggers them (e.g., date, user action, random trigger, etc.) (see The
Computer Technology Documentation Project, 2001). They exploit weaknesses in
security in various forms. Many of these attacks may cause loss of service or system
crashes. The consequences may result in damage or destruction of internal data, loss
of sensitive information to hostile parties, use of sensitive information to steal items
of monetary value or negatively affect an organization's customers, and damage to
the reputation of an organization.
Information technology security includes the products and services of firewalls,
intrusion detection systems (IDSs), anti-virus software, etc. Network layout can
also be used to increase network security. IT
security indeed comes with a cost. It was estimated that U.S. companies spent on
average $196 per employee per year on security in 2002 (Carey, 2002). CompTIA
(2007), based on a survey of more than 1,000 U.S. corporations, revealed that
companies spent on average 20 percent of their total technology budget in 2006 on
security measures, up from 12 percent in 2004, and nearly one-half of those surveyed
planned to continue to increase IT security spending. IT security investments are
considered as a compound of system configuration specific costs and operating costs
(Mizzi, 2005). System configuration specific costs are typically one-time costs (i.e.,
sunk costs) for development, testing and implementation of defense solutions that
protect information assets from possible threats. Operating costs are represented by
annual maintenance (upgrades and patching of the defense solution), training users
and network administrators, who monitor the solutions.
Conventional firms, which have been referred to as “brick and mortar” firms, such as
Coca-Cola, use the Internet as a marketing channel to communicate with their
customers if not to sell products. They might be expected to be the least vulnerable to
cyber-attacks as they are the least dependent on the Internet to conduct business.
But e-commerce enterprises like Amazon.com and eBay.com run their businesses on
the platform of IT network systems and rely purely on Internet channels to sell their
products and services. These firms face increasing network vulnerability because of
the risk that the business they conduct via the Internet might be interrupted. The
Internet is like the lifeline for enterprises, where they generate revenues and survive
in the long run. The guarantee of security network systems is related directly to the
success of Internet enterprises (Cavusoglu et al., 2004b).
Investment in information security (IS) architecture is essential for contemporary
enterprises that sell products through both physical store channels and online.
However, these investments generally incur high costs. With insufficient IS
investment, enterprises may experience the negative effects of cyber attacks upon
actual immediate loss like product sales, service quality and even their goodwill
related to indirect losses. On the other hand, over-investment in IS does not bring
justifiable returns for the investment (Gordon and Loeb, 2002; Hoo, 2000). The
indirect losses from security risks usually appear to be more serious, as they have a
much longer negative impact on the customer base, supplier partners, and financial
market, banks and business alliance relationships, and such costs are almost as high,
and sometimes even higher, than the immediate costs caused by the security attacks
(Camp and Wolfram, 2004; Dynes, Andrijcic and Johnson, 2006; Rowe and Gallaher
2006). Hence, the optimal security investment for specific security vulnerability and
the threat environment of organizations has attracted the attention of academia.
The recent literature on this topic has been mostly focused on the return on
investment (ROI) that links the relationship between cost and benefit related to IS
investment. This measurement approach is useful for enterprises in regard to
presenting the cost versus benefit analysis required for IS-related policies. Bayuk
(2001) demonstrated a risk analysis model of ROI-maximizing IS investment and
illustrated how much money must be spent to achieve a “reasonable” degree of
security. The risk is assumed to be quantifiable as dollar amounts, for example, a loss
of revenue streamed from a given order-processing system or manufacturing line.
The optimal IS investment is derived at the condition where the dollar amount at
risk is equated to the price of security improvement. Gordon and Loeb (2002)
constructed a one-period economic model of a risk-neutral firm contemplating the
provision of additional security to protect a given information set, such as a list of
customers, a strategic plan, or a company website. In their model, the vulnerability of
the information set is the probability that without additional security, a threat that
is realized will result in the information set being breached and the subsequent loss.
The loss is assumed to be the product of threat and vulnerability. It was shown that
increases in vulnerability result in an increase in the optimal IS investment and that
the maximum amount a firm should spend is only a fraction of the expected loss due
to security breaches. Tanaka, Matsuura and Sudoh (2005) used actual information
derived from the security investments of e-local governments in Japan to examine
the relationship between the optimal level of investment and vulnerability found in
the economic framework of Gordon and Loeb (2002).
Cavusoglu et al. (2004a) considered a game-theoretical model for evaluating the
investments in an IS architecture of both a firewall and an IDS and assessed the
value of two technologies. A game tree was used to depict the strategies of a firm and
a hacker. The firm minimized its investment cost and loss, but the hacker maximized
its utility from the intrusion and cost if detected. The intrusion action of the hacker
and successful detection using two technologies of the firm were given with
probabilities. The expected payoff of each outcome was derived and thus, the firm’s
optimal strategies could be found. The study provided a guideline for choosing an
alternative security technology in which to invest and concluded that firms should
evaluate the value of an additional security mechanism based on already existing
controls before estimating its return. Huang et al. (2008) proposed an economics
model of simultaneously distributed and targeted security attacks from multiple external
agents with distinct characteristics and derived optimal investments based on the
principle of benefit maximization. It was found that not all information security risks
are worth protecting against for a risk-averse decision maker. Specifically, until the
potential loss from a security breach reaches a certain level, the firm is better off not
investing any money at all in protecting against such a threat. Further, the optimal
investment in information security does not always go up with the effectiveness of
such investments.
Cavusoglu et al. (2004b) adopted event-study analysis, using security breach
announcements from 40 firms trading in the U.S. during 1996-2001, to assess the
impact of security breaches on the market values of breached firms. It was found that
the breached firms lost an average 2.1% of their market value (equivalently, $1.65
billion per breach) within two days of the announcement. Hence, the market
penalizes all firms for security breaches, but smaller firms are penalized more than
larger firms when a security breach occurs since the importance of security is more
crucial to smaller firms’ survival. Finally, Internet firms are penalized more than
conventional firms because of the differential degrees of these firms’ dependence on
the Internet to generate revenues and survive in the long run. Iheagwara et al. (2004)
measured the financial benefit of an intrusion detection system (IDS) deployment by
incorporating a standard risk analysis framework with the cascading threat
multiplier (CTM). The CTM is a security compromise that incurs two types of costs:
the direct cost of lost integrity/confidentiality/availability, and the indirect cost of the
compromised component serving as a potential stepping stone for future attacks. The
paper tried to capture the second type of CTM costs, which are typically ignored in
the classic risk analysis framework. The proposed risk analysis formulas tied the
CTM concept into accurate ROI calculation and illustrated an effective decision
making process in which they indicated what techniques are appropriate for the cost
effective management of IDS in a given environment. Similarly, Iheagwara et al.
(2005) introduced multiple metrics that enable risk and cost-benefit assessments for
calculating the ROI of information assurance technology investments.
Finally, an alternative approach of financial metric indexes and methodological
tools has been used for the evaluation of organizational asset values and to assess
the threat and vulnerability of systems. The quantification of an investment, using a
combination of several economic indexes, such as ROI, net present value (NPV), and
internal rate of return (IRR), resulted in a recommendation for choosing an optimal
security solution (Borka and Bojanc, 2008).
In sum, the above literature on network security investment mainly has dealt
with the benefit and cost effectiveness of the investment, using quantitative metrics.
In particular, the non-financial benefits of security investments such as improved
image, gain of customer trust, prevented security breaches, impact on operations,
mission performance, or customer satisfaction are difficult to evaluate. Tsiakis and
Stephanides (2005) referred to these gray areas as “intangibles” or “soft” returns and
suggested that they are usually the most significant parts in terms of cost, but are
the hardest to prove. However, the probability, frequency and size of true network
security loss and benefits have remained difficult to identify and estimate, and the
investment decisions based on the benefits and costs have seldom been discussed.
This study analyzes the optimal investment strategy of IS architecture for a
monopoly firm that sells its products through sales points on the Internet while
facing cyber criminals with a probability of hacker attacks. In the event that a
successful attack occurs, the website breaks down, and the firm is out of the market.
The firm decides a monetary IS investment to avoid the attacks to reduce security
threat probability which is a function of the investment and threat degree. The cost
of security investment is an endogenous part of the benefit of e-commerce revenues.
A population of consumers has a valuation distribution for the product offered by the
firm. This study analyzes the optimal IS investment for the firm as well as its
increment and benefit-cost ratio related to market potential and threat degree. Next,
when the model is extended to a finite time frame, the firm maximizes its aggregate
profits. The population of consumers across periods varies with an awareness
diffusion process which is a function of the attractiveness of the firm’s website and
word of mouth among consumers. The word of mouth effect increases the size of
consumers due to the security improvement and in turn, increases the firm’s
revenues. The optimal IS investments with a discount rate across time periods are
derived. Finally, in the case of an infinite continuous time horizon, the timing at
which the monopoly firm upgrades its security investment is dealt with.
The paper is structured as follows: Section 2 deals with the benchmark model of
the firm’s IS investment selection in a single period. Section 3 extends the model in a
dynamic setup, and Section 4 addresses the timing decision for the security upgrade.
Finally, a brief conclusion is provided in the last section.
2. THE BENCHMARK MODEL
This study considers a monopoly firm M that sells products through sales points on
the Internet so as to maximize its profit. Suppose cyber criminals exist such that the
probability of hacker attacks is defined as θ, $\theta \in [0, 1]$. In the event that a successful
attack occurs, the website breaks down, and M loses all revenues derived from the
Internet. M decides z, z > 0, as the monetary investment in information security to
avoid the attacks and to retain a good customer reputation.
2.1 Security threat probability function
The security threat probability function $ST(\theta, z)$ that M faces depends on the
security investment z and the threat degree θ. It is assumed that ST is monotonically
decreasing and strictly concave in z, such that $\partial ST/\partial z < 0$ and
$\partial^2 ST/\partial z^2 < 0$. Namely, M reduces the threat probability through investment (i.e., ST is
monotonically strictly decreasing in z), and the decrease in threat probability
increases with each dollar of IS investment. This implies that there are increasing returns to
scale in IS investment for the reduction of the security threat. It is also assumed that
$ST(\theta, z) \to 0$ as $z \to \infty$. Hence, ST(θ, z) can be reduced to zero if M invests sufficiently
in information security, or in the long run. The security threat probability function
is defined by¹
$$ST(\theta, z) = \theta\, e^{-\alpha (1-\theta) z},$$
where α is a positive adjustment variable, α > 0. Note that the probability of the
security threat is equal to the probability of hacker attacks (i.e., ST = θ) when no
investment is made (i.e., z = 0).
2.2 Successful entry ratio
The first step toward online transactions between M and its customers is that
potential customers successfully access the website. The probability that potential
customers access the website, the successful entry ratio, can be written as
$$SER = (1-\theta) + \theta\,[1 - ST(\theta, z)] + ST(\theta, z)\,[1 - ST(\theta, z)],$$
where $(1-\theta)$ and $\theta[1 - ST(\theta, z)]$ are the probabilities of no hacker threat
without/with IS investment, respectively, and the third term
$ST(\theta, z)[1 - ST(\theta, z)]$ is the probability of unsuccessful attacks at the given levels of
hacker threat and IS investment. Note that SER is within the interval [0, 1]. Here
it is implicitly assumed that the probability of entering M’s website is equal to the
probability that the website is intact from hacker attack. Rearranging the above
equation,
$$SER = (1-\theta) + [1 - ST(\theta, z)]\,[\theta + ST(\theta, z)].$$
¹ Gordon and Loeb (2002) distinguished two broad classes of security threat probability function:
linear and nonlinear in threat, but the former is not realistic. In this study, a nonlinear security threat
probability function is adopted for the optimal return-on-investment analysis.
2.3 Market potential
Customers value products differently due to variety in income and preferences. There
are N₀ representative customers in the market. Without loss of generality, suppose
that the consumer has a valuation of the product, v, and f(v) is the probability density
function of the valuation. Assume that the product’s value is full information to
customers. A customer buys the product only if its price is set less than its value.
Hence, M’s market potential can be written as:
$$N(p) = N_0 \int_{v \ge p} f(v)\,dv.$$
Note that N(p) is a non-decreasing function of price. Then M’s demand would be
N(p)×SER.
2.4 Optimal investment versus threat
The monopolist decides the level of IS investment z to maximize its profit from the sales
on the Internet. The problem becomes
$$\max_{z}\; [N(p)\, SER\, (p - c)] - z$$
$$\text{s.t.}\quad N(p) = N_0 \int_{v \ge p} f(v)\,dv,$$
$$SER = (1-\theta) + [1 - ST(\theta, z)]\,[\theta + ST(\theta, z)],$$
$$ST(\theta, z) = \theta\, e^{-\alpha (1-\theta) z}, \qquad (1)$$
where p is the market price, and c is the average cost of production (i.e., (p − c) is
the unit gross profit earned).
Since the security threat probability function ST is monotonically decreasing in z,
M’s profit is concave in z. An interior optimal level of investment in information
security can be found by solving for z* from the first-order condition of (1). Let
z*(θ) denote this optimal yield:
)(* z
21~
2342~~
)}1(8)]146({[]}1)2()1(2[{
1ln
NNN ,
where $\tilde N = N(p)(p - c)$. Plot z*(θ) on the plane of the threat degree and
the optimal investment (see Figure 1).² The figure pattern demonstrates that the
optimal investment in security is strictly increasing with the degree of threat. The
positive relationship between θ and z*(θ) can be easily verified in general form from
the first-order condition of (1), which is
$$\frac{\partial \pi}{\partial z} = \frac{\partial \pi}{\partial SER}\,\frac{\partial SER}{\partial ST}\,\frac{\partial ST}{\partial z} - 1 = 0.$$
Since $\partial \pi/\partial SER > 0$ and $\partial ST/\partial z < 0$, it must be that
$\partial SER/\partial ST < 0$ in the equilibrium. Recall that $\partial ST/\partial \theta > 0$.
In the equilibrium, if θ increases, then ST > ST*. To restore ST
back to the equilibrium level, it must be the case that z*(θ) increases. Thus,
$\partial z^*(\theta)/\partial \theta > 0$.
Figure 1. Relationship between investment in security and threat degree
In the intervals of low hacker threat and high hacker threat, the slopes of the
optimal IS investment are steep, and equivalently, the increments of the optimal IS
investment per unit of hacker threat are high. In the interval of intermediate hacker
threat, the increment of the optimal IS investment per unit of hacker threat is low.
The economic meanings of these phenomena are as follows. In a low hacker
threat stage, the monopoly needs to spend substantial resources on information security
infrastructure such as equipment, firewalls and antivirus software. These
investments are seen as the “sunk cost” of the IS investment. Once the IS
infrastructure is built up, fewer resources are needed for additional IS protection,
such as upgrading old IS safeguards and educating extra IT employees, in
the stage of intermediate hacker threat. In a high hacker threat stage, the
monopoly’s revenue loss due to a hacker attack rises substantially if no IS investment
is made, and hence the optimal IS investment per unit of hacker threat will increase.
² In Figure 1, the numerical values α = 0.000000001, (p − c) = 1 and N(p) = 100,000 are
assumed. The z*(θ) values are plotted for levels of the threat degree θ between 0.1 and 0.9.
It is generally recognized in the literature that the concept of ROI is widely used
to measure the effectiveness of security processes (Surmacz, 2002; Newman, 2003;
Leach, 2003; Berinato, 2002). However, the risk of cyber attacks has been ignored in
calculating quantitative ROI values. Moreover, how the benefit-cost ratio fluctuates
with the threat degree is more interesting. The benefit-cost ratio is the threat degree
divided by the level of monetary IS investment (i.e., θ/z*(θ), the inverse of the slope
of the line from the origin to the optimal investment curve in the above figure). The
relationship between the benefit-cost ratio and the level of threat degree is
illustrated in Figure 2.
Figure 2. Relationship between benefit-cost ratio and threat degree
The benefit-cost ratio illustrates the efficiency of IS investment against hacker
attack at different levels of threat degree. The above benefit-cost ratio curve is
strictly concave in regard to threat degree, and the marginal increase in the benefit-
cost ratio is strictly decreasing in regard to threat degree. Namely, in the equilibrium,
the degree of hacker threat defended by each dollar spent on IS investment strictly
decreases with the threat degree. This property stems from the assumption of strictly
concave security threat probability on IS investment.
COROLLARY 1. The information security investment benefit-cost ratio of a profit-
maximizing monopoly is strictly concave in regard to threat degree.
This corollary implies that there exists a unique optimal effective security
investment level when the degree of threat is within the intermediate level. At a low
degree of threat, it would be inefficient for the monopoly to invest a lot in purchasing
expensive information security safeguards. Similarly, in the case of a high threat
degree, less security improvement is achieved with additional investment.
Economic intuition mainly lies in decreasing marginal return to information
security investment, which is consistent with the preliminary empirical work done by
Tanaka et al. (2005). The results were similar to a conclusion that managers
allocating an information security budget should normally focus on information
which falls into the midrange of vulnerability as demonstrated from theoretical
analysis (Gordon and Loeb, 2002). Tanaka et al. (2005) showed empirical evidence
that the security investment level is greater than usual not when an information set
is highly vulnerable but rather when it is vulnerable at a medium level.
2.5 Numerical analysis of market potential
In this subsection, the impact of market potential on the optimal IS investment is
examined through the following numerical analyses. The level of the optimal IS
investment is calculated for different levels of market potential and degrees of threat
(see Table 1). Table 1 reveals that the larger market potential is, the greater the IS
investment is in equilibrium. An explanation is provided as follows: When market
potential is large, the demand the monopoly has is large. As a result, the loss it faces
will be larger when a hacker attack is successful, i.e. shutting down its online sales.
Hence, the IS investment made by the monopoly will increase with the level of
market potential. This is the case where large e-commerce firms such as Yahoo and
Amazon have invested substantial amounts of resources on information security
designed to protect them against cyber-crimes.
Table 1. The optimal IS investment level for different levels of market potential and degrees of threat

Market potential       Threat degree
(hundred persons)        0.2      0.4      0.6      0.8
1,000                    506      759    1,314    1,706
2,000                    645      972    1,391    2,228
3,000                    717    1,012    1,437    2,429
4,000                    755    1,038    1,471    2,602
COROLLARY 2. The optimal investment in information security strictly increases
with market potential and degree of threat.
Next, the increment of the optimal IS investment level is calculated when the size
of market potential increases, as shown in Table 2. It can be seen that this increment
decreases with the increase in market potential. The reasons for this also include the
“sunk cost” of IS investment and the increasing scale of IS investment.
Table 2. The increments of optimal IS investment levels for different levels of change in market potential and
degree of threat

Change in market potential   Threat degree
(hundred persons)              0.2      0.4      0.6      0.8
1,000 → 2,000                  139      213       77      522
2,000 → 3,000                   72       40       46      201
3,000 → 4,000                   38       26       34      173
COROLLARY 3. The increment of the optimal information security investment
strictly decreases with changes in market potential and degree of threat.
In the above discussions, the relationships among the optimal investment, threat
and market potential are revealed. Hence, the optimal investment strategies in
information security for a monopolist are summarized as follows:
PROPOSITION 1. Consider a profit-maximizing monopoly that sells products online
and faces an attack from cyber criminals. There exists a unique optimal investment
level for the monopoly in information security. This optimal investment strictly
increases with market potential and degree of threat, but the increment of the
optimal investment strictly decreases with the change in market potential and
degree of threat. Finally, the benefit-cost ratio of investment versus threat is strictly
concave in regard to threat degree.
The positive relationship between the optimal investment and market potential
and degree of threat is consistent with the findings of Cavusoglu et al. (2004b) in that
the more dependent a firm is on the Internet, the more significant the consequences
of an attack will be on the financial health of that firm.
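An added worked example (not from the paper) that carries the benchmark model of Section 2 through numerically: it assumes the exponential threat function ST(θ, z) = θe^{-α(1-θ)z} and the rearranged SER of Section 2.2, uses a grid search instead of the paper's closed-form z*(θ), and reproduces the qualitative pattern of Tables 1 and 2 and the benefit-cost ratio θ/z*(θ). The value α = 0.001 and the Ñ and θ values used are constructed for this example, not the paper's.

```python
import math

# Constructed adjustment variable alpha (an assumption of this example).
ALPHA = 0.001


def threat_probability(theta, z, alpha=ALPHA):
    """ST(theta, z) = theta * exp(-alpha * (1 - theta) * z).

    Equals theta at z = 0 and tends to 0 as z grows, the two properties the
    paper states for ST; the exponential form is assumed by this example."""
    return theta * math.exp(-alpha * (1.0 - theta) * z)


def successful_entry_ratio(theta, z, alpha=ALPHA):
    """SER = (1 - theta) + [1 - ST][theta + ST], the rearranged form of Section 2.2."""
    st = threat_probability(theta, z, alpha)
    return (1.0 - theta) + (1.0 - st) * (theta + st)


def profit(theta, z, n_tilde, alpha=ALPHA):
    """Objective of problem (1): N~ * SER - z, where N~ = N(p)(p - c)."""
    return n_tilde * successful_entry_ratio(theta, z, alpha) - z


def optimal_investment(theta, n_tilde, alpha=ALPHA, z_max=20000.0, step=1.0):
    """z* maximizing profit, found by a grid search over [0, z_max].

    The grid search replaces the paper's closed-form expression so that the
    example does not depend on reproducing it."""
    best_z, best_pi = 0.0, profit(theta, 0.0, n_tilde, alpha)
    for i in range(1, int(z_max / step) + 1):
        z = i * step
        pi = profit(theta, z, n_tilde, alpha)
        if pi > best_pi:
            best_z, best_pi = z, pi
    return best_z


def investment_table(thetas, n_tildes, alpha=ALPHA):
    """Rows: market potential N~; columns: threat degree (the layout of Table 1)."""
    return {n: {th: optimal_investment(th, n, alpha) for th in thetas} for n in n_tildes}


def increments(table):
    """Increment of z* when N~ rises to the next row (the layout of Table 2)."""
    rows = sorted(table)
    return {(a, b): {th: table[b][th] - table[a][th] for th in table[a]}
            for a, b in zip(rows, rows[1:])}


def benefit_cost_ratio(theta, n_tilde, alpha=ALPHA):
    """theta / z*(theta): threat degree defended per dollar of IS investment."""
    z_star = optimal_investment(theta, n_tilde, alpha)
    return theta / z_star if z_star > 0 else float("inf")


if __name__ == "__main__":
    thetas, n_tildes = [0.4, 0.6, 0.8], [1e5, 2e5, 4e5]
    table = investment_table(thetas, n_tildes)
    for n in n_tildes:
        print(f"N~={n:>8.0f}:", {th: table[n][th] for th in thetas})
    for (a, b), row in increments(table).items():
        print(f"{a:.0f}->{b:.0f}:", row)
    print("theta/z*:", {th: round(benefit_cost_ratio(th, 1e5), 6) for th in thetas})
```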
3. OPTIMAL INVESTMENT IN A DYNAMIC SETUP
In this section, the time factor is incorporated into the optimal investment in
information security of a monopoly in a dynamic setup. The monopoly intends to
maximize aggregate profits over a finite time period. The demand for the products sold
online is affected by the degree of website quality improvement with regard to
attractiveness and by word of mouth among consumers.
3.1 Awareness diffusion
Consider a profit-maximizing monopoly that offers a product on-line in a finite time
frame {1, 2, …, T}. Let N0 be the initial population of potential consumers for the
product. A consumer purchases the product only if he is aware of the existence of the
monopoly and if the price is no greater than his willingness to pay. Let $y_t$ be the
population who are aware of the monopoly at time t. Then $k_t$ is the percentage of
the aware population at time t, namely, $k_t = y_t / N_0$.
Note that an unaware consumer never purchases the product from the monopoly.
The rest of the population who is unaware of the monopoly at time t, N0-yt, can be
informed either by word of mouth or by the increase in the quality of the monopoly’s
website. An investment $z_t$ by the monopoly at time t promotes its website through
spending on higher information security, advertisements on portal websites, better
layouts of the website for user browsing, etc. Let $g(z_t)$ be the attractiveness to
consumers due to the quality improvement of the monopoly’s website with the
investment $z_t$. Assume that g(0) = 0, $g'(z_t) > 0$, and $g''(z_t) < 0$. Namely, the
attractiveness function is concave, and there is a saturation level at some
point. Word of mouth for the product is diffused at the rate w, 0 < w < 1, among the
consumers who purchase the product. The information communication among
consumers increases the size of the aware population. Hence, awareness
diffusion among the population across periods can be written as
$$k_t - k_{t-1} = [1 - k_{t-1}]\,[g(z_t) + w\,k_{t-1}].$$
The above equation implicitly assumes that all potential consumers are
homogeneous with respect to information diffusion.
3.2 Dynamic Demand
The monopoly’s demand at time t is the subset of the aware population who have a
willingness to pay no less than the price of the product. Namely, $N(p)\,k_t$,
where $N(p) = N_0 \int_{v \ge p} f(v)\,dv$ and f(v) is the probability density function of the
valuation. Assume that a consumer who purchased the product in the previous period
t−1 continues to purchase at the same price level at time t. The expected new
adoptions at time t are:
$$y_t^e = N(p)\,\Delta k_t + y_{t-1},$$
where $\Delta k_t = k_t - k_{t-1}$ is given by the awareness diffusion equation above.
3.3 Policy Implication
The monopoly maximizes the net present value of its cash flows from time 1 to T.
Denote by $y^e_t$ the expected product sales at time t, by c the unit cost of the product,
and by r the discount rate. The optimal investment decision of the monopoly in this
dynamic setup is
$$\max \int_1^T e^{-rt}\,[(p - c)\,y^e_t - z_t]\,dt$$
$$\text{s.t. } y^e_t = N(p)\,\Delta k_t + y_{t-1},$$
$$\Delta k_t = [1 - k_{t-1}]\,[g(z_t) + w\,k_{t-1}]. \qquad (2)$$
By the maximum principle, the Hamiltonian in current values is
$$H = TR(p, y^e_t, k_t) - z_t + \lambda^1_t\,y^e_t + \lambda^2_t\,k_t,$$
where TR(.) is the gross profit, and $\lambda^1_t$ and $\lambda^2_t$ are the adjoint (co-state) variables,
which represent the shadow prices of an expected adopter and an existing user,
respectively.
The optimality conditions to the problem in (2) deliver:
$$\frac{\partial H}{\partial z_t} = -1 + \lambda^2_t\,\frac{\partial k_t}{\partial z_t} = -1 + \lambda^2_t\,(1 - k_{t-1})\,g'(z_t) = 0$$
and
$$\frac{\partial H}{\partial p} = \frac{\partial TR}{\partial p} + \lambda^1_t\,\frac{\partial y^e_t}{\partial p} = 0.$$
Hence,
$$\lambda^2_t = \frac{1}{(1 - k_{t-1})\,g'(z_t)}$$
and
$$\lambda^1_t = -\frac{\partial TR/\partial p}{\partial y^e_t/\partial p} = -\frac{\partial TR}{\partial y^e_t}.$$
Note that $\lambda^1_t$ and $\lambda^2_t$ are neither zero nor infinite. Therefore, there must be an
interior solution. By taking the derivative of $\lambda^2_t$ with respect to time t and by the
first-order condition $\partial H/\partial k_t = r\lambda^2_t - \dot\lambda^2_t$, we obtain
$$\dot\lambda^2_t = -\frac{g''(z_t)(1 - k_{t-1})\,\dot z_t - g'(z_t)\,\dot k_{t-1}}{[g'(z_t)(1 - k_{t-1})]^2}$$
and
$$\dot\lambda^2_t = r\lambda^2_t - \frac{dTR}{dk_t} - \lambda^1_t\,\frac{\partial y^e_t}{\partial k_t} - \lambda^2_t\,\frac{\partial \dot k_t}{\partial k_t},$$
where $\dot z = dz/dt$. Equating the above two equations gives
$$-\frac{g''(z_t)(1 - k_{t-1})\,\dot z_t - g'(z_t)\,\dot k_{t-1}}{[g'(z_t)(1 - k_{t-1})]^2} = \frac{1}{g'(z_t)(1 - k_{t-1})}\Big[r - \frac{\partial \dot k_t}{\partial k_t}\Big] - \frac{dTR}{dk_t} - \lambda^1_t\,\frac{\partial y^e_t}{\partial k_t}.$$
Note that, from the awareness diffusion equation, $\dfrac{\partial \dot k_t}{\partial k_t} = (1 - k_{t-1})\,w - [g(z_t) + w\,k_{t-1}]$; substituting this, the equation becomes
$$-\frac{g''(z_t)(1 - k_{t-1})}{g'(z_t)}\,\dot z_t = r - (1 - k_{t-1})\,w - g'(z_t)(1 - k_{t-1})\Big[\frac{dTR}{dk_t} + \lambda^1_t\,\frac{\partial y^e_t}{\partial k_t}\Big].$$
Substituting $\lambda^1_t$ into the above equation, the bracketed term drops out and
$$\dot z_t = -\frac{g'(z_t)}{g''(z_t)(1 - k_{t-1})}\,[r - (1 - k_{t-1})\,w].$$
Note that $g'(z_t) > 0$ and $g''(z_t) < 0$, so the fraction in front of the bracket is positive. If the
discount rate r is low enough that $r - (1 - k_{t-1})\,w < 0$, then $\dot z_t < 0$. Namely, the
investment in information security decreases monotonically over time but remains
nonzero until the end of time T. Therefore,
PROPOSITION 2. When the discount rate is low (such that $r < (1 - k_{t-1})\,w$) or the
discount rate is zero, the optimal investment in information security monotonically
decreases over time until the end of the time period.
The proposition holds because of decreasing marginal improvement by security
investments. Moitra and Konda (2000) found that as the investment in security
increases, the survivability of firms from security breaches increases rapidly at first
and then more slowly at higher levels of investments.
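As an added illustration that is not part of the paper, the following Python simulation implements the awareness diffusion equation, the demand $N(p)$ and the sales equation of Sections 3.1 and 3.2 together with the objective of (2). The parameter values, the concave attractiveness function $g(z) = z/(z + 1000)$ and the uniform valuation density are all assumptions; the run compares a decreasing, front-loaded investment schedule against a flat schedule of the same total spend at a zero discount rate, the case covered by Proposition 2.

```python
import math

# Constructed parameters (hypothetical; the paper gives no numeric values).
N0 = 1000.0        # population size N_0
V_MAX = 100.0      # valuations v assumed uniform on [0, V_MAX] (our choice of f(v))
PRICE, COST = 40.0, 10.0
W = 0.2            # word-of-mouth diffusion rate, 0 < w < 1
K0 = 0.1           # initially aware share k_0 = y_0 / N_0
SCALE = 1000.0     # investment at which g reaches half its saturation level

def g(z):
    """Attractiveness of the site: g(0)=0, g'>0, g''<0, saturating at 1 (assumed form)."""
    return z / (z + SCALE)

def demand(p):
    """N(p) = N_0 * integral over v >= p of f(v) dv, for uniform valuations."""
    return N0 * max(0.0, 1.0 - p / V_MAX)

def simulate(z_path, r):
    """Run the awareness diffusion and sales equations of Sections 3.1-3.2 for the
    investment schedule z_path (z_1, z_2, ...). Returns (k_t list, y^e_t list, NPV of (2))."""
    k_prev, y_prev, npv = K0, 0.0, 0.0
    ks, ys = [], []
    for t, z_t in enumerate(z_path, start=1):
        delta_k = (1.0 - k_prev) * (g(z_t) + W * k_prev)   # k_t - k_{t-1}
        k_t = k_prev + delta_k
        y_t = demand(PRICE) * delta_k + y_prev             # new adopters + repeat buyers
        npv += math.exp(-r * t) * ((PRICE - COST) * y_t - z_t)
        ks.append(k_t)
        ys.append(y_t)
        k_prev, y_prev = k_t, y_t
    return ks, ys, npv

def compare_schedules(r=0.0):
    """Same total spend (3000): a decreasing, front-loaded schedule versus a flat one.
    Returns (NPV of the decreasing schedule, NPV of the flat schedule)."""
    _, _, npv_decreasing = simulate([2000.0, 900.0, 100.0], r)
    _, _, npv_flat = simulate([1000.0, 1000.0, 1000.0], r)
    return npv_decreasing, npv_flat

if __name__ == "__main__":
    dec, flat = compare_schedules(r=0.0)
    print(f"decreasing schedule NPV = {dec:.1f}, flat schedule NPV = {flat:.1f}")
```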
4. OPTIMAL INVESTMENT TIME IN SECURITY UPGRADE
This section considers the problem in which monopoly M decides when to upgrade its
security investment from generation I to generation II (e.g., Windows OS; Cisco
Integrated Services Routers) in a continuous time frame from 0 to T. Let $t_c$
represent the terminal time for security investment in generation I. Assume that
consumers in generation I continue to purchase the product in generation II
regardless of the security upgrade. Namely, $y^e_{II}(t_c) = y^e_I(t_c)$. Also, the expected
new adoptions (or sales $s_{it}$) at time t are a function of price, unit cost and
investment in information security:
$$s_{it} = \frac{dy^e_i(t)}{dt} = G_i(p_i, c_i, z_i), \qquad i = I, II.$$
Different generations of security impose different growth patterns for product sales.
The optimization problem for the monopoly is to choose the time $t_c$ that maximizes its
total discounted profits throughout the entire time frame. Namely,
$$\max_{t_c} \int_0^{t_c} e^{-rt}\,[(p_I - c_I)\,s_{It} - z_I]\,dt + \int_{t_c}^{T} e^{-rt}\,[(p_{II} - c_{II})\,s_{IIt} - z_{II}]\,dt$$
$$\text{s.t. } s_{It} = G_I(p_I, c_I, z_I) \text{ and } y_I(0) = 0,$$
$$s_{IIt} = G_{II}(p_{II}, c_{II}, z_{II}) \text{ and } y^e_{II}(t_c) = y^e_I(t_c), \qquad (3)$$
where $y_I(0) = 0$ implies zero initial product sales. By substituting $s_{It} = dy^e_I(t)/dt$
and $s_{IIt} = dy^e_{II}(t)/dt$ into the objective function in (3) and rearranging the
formula, the following is obtained:
$$\int_0^{t_c} e^{-rt}\Big[(p_I - c_I)\frac{dy^e_I(t)}{dt} - z_I\Big]dt + \int_{t_c}^{T} e^{-rt}\Big[(p_{II} - c_{II})\frac{dy^e_{II}(t)}{dt} - z_{II}\Big]dt$$
$$= \int_0^{t_c} e^{-rt}(p_I - c_I)\,dy^e_I(t) + \int_{t_c}^{T} e^{-rt}(p_{II} - c_{II})\,dy^e_{II}(t) - \Big[\int_0^{t_c} e^{-rt} z_I\,dt + \int_{t_c}^{T} e^{-rt} z_{II}\,dt\Big]$$
$$= (p_I - c_I)\big[e^{-rt}\,y^e_I(t)\big]_0^{t_c} + (p_{II} - c_{II})\big[e^{-rt}\,y^e_{II}(t)\big]_{t_c}^{T} + \Big[\frac{z_I}{r}\,e^{-rt}\Big|_0^{t_c} + \frac{z_{II}}{r}\,e^{-rt}\Big|_{t_c}^{T}\Big]$$
$$= (p_I - c_I)\,e^{-rt_c}\,y^e_I(t_c) + (p_{II} - c_{II})\big[e^{-rT}\,y^e_{II}(T) - e^{-rt_c}\,y^e_{II}(t_c)\big] + \Big[\frac{z_I}{r}e^{-rt_c} - \frac{z_I}{r} + \frac{z_{II}}{r}e^{-rT} - \frac{z_{II}}{r}e^{-rt_c}\Big].$$
Taking the first-order condition with respect to time $t_c$,
$$(p_I - c_I)\,e^{-rt_c}\Big[\frac{dy^e_I(t_c)}{dt}\Big] - (p_{II} - c_{II})\,e^{-rt_c}\Big[\frac{dy^e_{II}(t_c)}{dt}\Big] = 0.$$
Substituting the constraints $s_{it} = dy^e_i/dt = G_i(p_i, c_i, z_i)$ into the above equation and
rearranging,
$$\frac{dy^e_I(t_c)/dt}{dy^e_{II}(t_c)/dt} = \frac{s_{It}}{s_{IIt}} = \frac{G_I(p_I, c_I, z_I)}{G_{II}(p_{II}, c_{II}, z_{II})} = \frac{p_{II} - c_{II}}{p_I - c_I}.$$
Equivalently, $(p_I - c_I)\,G_I(p_I, c_I, z_I) = (p_{II} - c_{II})\,G_{II}(p_{II}, c_{II}, z_{II})$.
Hence, the optimal upgrade time for security investment occurs when the gross
profits in the two generations are the same, or when the ratio of sales equals the
reciprocal ratio of the gross profits in the two generations. Figure 3 illustrates the
optimal upgrade time for an investment in information security. Note that the
monopoly’s total gross profits are the shaded areas below the curves. If the
information security is upgraded at time $t_c^*$, the monopoly suffers no loss and thus
its total profit is maximized. If the time of upgrading investment in information
security is earlier than $t_c^*$, unnecessary losses may occur since the gross profit in
generation I is higher than that in generation II. A similar case applies when the
time to upgrade information security is later than $t_c^*$.
Figure 3. The optimal upgrade time for information security (curves against time: gross profit in generation I, $(p_I - c_I)\,G_I(p_I, c_I, z_I)$, and gross profit in generation II)
PROPOSITION 3. The optimal upgrade time to invest in information security occurs
when the monopoly’s gross profits in two generations are the same.
The improvement in information security increases its service quality and good
reputation as diffused by word of mouth. Thus, the optimal upgrade time for the
monopolist’s investment in information security occurs when the gross profits in two
generations are the same. An earlier upgrade time as compared to the optimal timing
results in a higher revenue loss from the first generation of service than the revenue
gain from the second generation of service, and vice versa. Indeed, Gordon et al.
(2003) found that senior managers of technology-savvy firms tend to adopt a wait-
and-see strategy, in which they may wait until an actual breach occurs before
spending all of the funds allocated to security.
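As an added numerical check that is not part of the paper, the following Python code locates the upgrade time of Proposition 3 for two constructed gross-profit-rate curves and compares it with a brute-force maximization of the objective in (3). The sales-rate curves, margins and discount rate are assumptions, and the security spend rate is taken to be equal in both generations so that the $z_i$ terms cancel in the first-order condition.

```python
import math

# Constructed parameters (hypothetical; the paper only states that G_i depends on
# p_i, c_i, z_i and that the two generations have different sales growth patterns).
MARGIN_I, MARGIN_II = 30.0, 40.0      # p_i - c_i for generations I and II
SPEND_I, SPEND_II = 500.0, 500.0      # z_i: equal, so the investment terms cancel
R, T = 0.05, 20.0                     # discount rate and planning horizon

def sales_rate_I(t):
    """Generation I sales rate s_It: the market saturates, so it decays (assumed)."""
    return 200.0 * math.exp(-0.15 * t)

def sales_rate_II(t):
    """Generation II sales rate s_IIt: adoption ramps up over time (assumed)."""
    return 150.0 * (1.0 - math.exp(-0.2 * t))

def gross_profit_I(t):
    return MARGIN_I * sales_rate_I(t)

def gross_profit_II(t):
    return MARGIN_II * sales_rate_II(t)

def crossing_time(lo=0.0, hi=T, tol=1e-8):
    """Bisection for t_c with (p_I-c_I)G_I = (p_II-c_II)G_II (Proposition 3).
    Requires the gross-profit difference to change sign on [lo, hi]."""
    f = lambda t: gross_profit_I(t) - gross_profit_II(t)
    if f(lo) * f(hi) > 0:
        raise ValueError("gross-profit difference does not change sign on interval")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if f(lo) * f(mid) <= 0:
            hi = mid
        else:
            lo = mid
    return 0.5 * (lo + hi)

def total_discounted_profit_argmax(h=0.01):
    """Brute-force check of (3): integrate e^{-rt}[(p_i-c_i)s_it - z_i] with the
    trapezoid rule on a grid and return the grid value of t_c that maximizes the sum."""
    n = int(round(T / h))
    ts = [i * h for i in range(n + 1)]
    f1 = [math.exp(-R * t) * (gross_profit_I(t) - SPEND_I) for t in ts]
    f2 = [math.exp(-R * t) * (gross_profit_II(t) - SPEND_II) for t in ts]
    cum1, cum2 = [0.0], [0.0]          # cumulative integrals from 0 to t_i
    for i in range(1, n + 1):
        cum1.append(cum1[-1] + 0.5 * h * (f1[i - 1] + f1[i]))
        cum2.append(cum2[-1] + 0.5 * h * (f2[i - 1] + f2[i]))
    # objective(t_c) = integral_0^{t_c} of gen I + integral_{t_c}^T of gen II
    best = max(range(n + 1), key=lambda i: cum1[i] + cum2[n] - cum2[i])
    return ts[best]

if __name__ == "__main__":
    tc = crossing_time()
    print(f"gross profits equal at t_c = {tc:.3f}; "
          f"brute-force argmax of (3) = {total_discounted_profit_argmax():.2f}")
```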
5. CONCLUSIONS
Information security in enterprises should be regarded as a strategic variable
rather than merely a defensive measure that helps them achieve operational
optimization. This study establishes the threat versus investment model of a profit-
maximizing monopolist in which the successful entry ratio approximates the
intangible benefit of IS investment into measurable sales profit. The optimal IS
investment strategy for a profit-maximizing monopoly that sells products online and
faces an attack from cyber criminals is found to strictly increase with market
potential and degree of threat, but the increment of the optimal investment strictly
decreases with changes in market potential and degree of threat. The benefit-cost
ratio of the optimal IS investment reaches its highest point when the degree of threat
is within the intermediate range. Further, when the discount rate between time
periods is low or zero, the optimal IS investment in the dynamic setup monotonically
decreases with the awareness diffusion effect over time until the end of the time
period. Finally, in a dynamic process in which the IS improvement increases its
service quality and in which a good reputation is diffused by word of mouth, the
optimal upgrade time for the monopolist’s investment in IS occurs whenever the
gross profits of the product in two generations are the same.
The existing literature has dealt with enterprises’ strategic investments in IS
mostly by one-period theoretical models (see Gordon and Loeb, 2002; Cavusoglu et
al., 2004a; Iheagwara et al., 2004), and thus could not capture the dynamic
characteristics of IS investment behavior. Alternative approaches to optimal
strategic investments (see Bayuk, 2001; Iheagwara et al., 2005; Borka and Bojanc,
2008) have adopted financial metric indexes and methods based on return on
investment (ROI), net present value (NPV), and internal rate of return (IRR).
However, the expected benefits and cost of IS investment in these models were
evaluated separately, and no correlation between the two was assumed. For
example, the more Internet security is invested in by e-commerce or e-shopping
enterprises, the more consumers are willing to purchase the products from them and
thus, their revenues increase. Indeed, Stephanides (2005) asserted that there should
be non-financial benefits (or intangible profits) derived from security investments,
such as improved image, gain of customer trust, prevention of security breaches, and
impact on operations, mission performance, or customer satisfaction. However, to the
best of our knowledge, no literature has evaluated these non-financial benefits.
Based on the above discussions, this study provides two contributions to the
literature as follows: First, time-varying characteristics of network security are
considered in the theoretical model. The dynamic optimization technique is adopted
to analyze enterprises’ optimal strategy for network security investment by using the
awareness diffusion in which information security improvement increases the size of
the potential consumer population and by using time-discounting values of cash flows.
Moreover, this study analyzes enterprises’ optimal upgrade time, which should be an
important factor in the strategy-making process (Neubauer and Hartl, 2009). Next,
this study transforms the intangible profit of security investment into measurable
sales benefit by using a successful entry ratio that links the relationships among IS
investment, security improvement, and increases in consumers’ demand. Thus, the
independence between benefit and cost of IS investment assumed in the literature is
extended to a more realistic model setup.
There are a few possible directions for future research. First, the characteristics in
network security that include network externality and the learning effect of hackers
could be incorporated and considered in the models. Network externality refers to a
change in the benefit and surplus that an agent derives from a service when the
number of other agents consuming the same kind of service changes. When antivirus
software use and the amount of IT security investments increase in popularity, the
probability of each computer system being cyber-attacked decreases. Also, hackers
alter their hacking strategies through forum discussions in response to enterprises’
investment strategies. Next, an empirical approach to enterprises’ IS investment
behavior, which has seldom been examined in the literature, would be interesting.
Cavusoglu et al. (2004b) focused on the impact of security event shocks on stock
prices, and Tanaka et al. (2005) used actual information from security investments of
e-local governments in Japan to derive a concave relationship between the optimal
level of IS investment and network vulnerability. The data needed on enterprises’ IS
investment and financial performance can be obtained from the enterprises’
annual reports and the surveys released by market research institutes such as the
Market Intelligence Center (MIC, 2007). However, it would be a challenging task to
find reasonable proxies for the threat probability, the probability of hacker attacks,
and expenditures for information security. For example, the percentage of detected
attacks over actual traffic and the percentage of successful attacks over actual
network traffic can be used as the proxies for the probability of hacker attacks and
the probability of threat, respectively.
REFERENCES
ANDERSON, R. 2001. Why information security is hard—An economic perspective. In Proceedings of 17th
Annual Computer Security Applications Conference (ACSAC) (New Orleans, La. Dec. 10–14).
BAYUK, J. L. 2001. Security metrics: How to justify security dollars and what to spend them on. Comput.
Sec. J. 17, 1, 1-12.
BOJANC, R. AND BORKA J. B. 2008. An economic modeling approach to information security risk
management. Int. J. Inf. Manage. 28, 5, 413-422.
CAMPBELL, K., GORDON, L. A., LOEB, M. P. AND ZHOU, L. 2003. The economic cost of publicly
announced information security breaches: Empirical evidence from the stock market. J. Comput. Sec.
11, 3, 431-448.
CAMP, L. J., AND WOLFRAM, C. 2004. Pricing security. In Economics of Information Security, L. J. Camp
and S. Lewis, Eds. Springer, New York, U.S.
CAREY, A. 2002. Worldwide information security services forecast, 2001–2006. IDC Report 26899,
MarketResearch.com.
CAVUSOGLU, H., RAGHUNATHAN, S. AND MISHRA, B. 2002. Optimal design of IT security
architecture. In Proceedings of International Conference on Information Systems (ICIS),
Barcelona. Spain, December 2002.
CAVUSOGLU, H., MISHRA, B. AND RAGHUNATHAN, S. 2004a. A model for evaluating IT security
investments. Commun. ACM 47, 7 (July 2004), 87-92.
CAVUSOGLU, H., MISHRA, B. K., AND RAGHUNATHAN, S. 2002. The effect of internet security breach
announcements on market value of breached firms and internet security developers. Workshop on
Information Systems and Economics Program, Barcelona, Spain, December.
CAVUSOGLU, H., MISHRA, B. AND RAGHUNATHAN, S. 2004b. The effect of internet security breach
announcements on market value of breached firms and internet security developers. Int. J. Electron.
Commerce. 9, 1, 69–104.
Cisco Systems Inc. 2011. Global e-commerce to hit $1.4 trillion by 2015. http://www.cisco.com/
CompTIA, 2007. Information security spending on the rise. http://www.comptia.org/home.aspx
DYNES, S., ANDRIJCIC, E., AND JOHNSON, M. E. 2006. Costs to the U.S. economy of information
infrastructure failures: Estimates from field studies and economic data. In Proceedings of the Fifth
Workshop on the Economics of Information Security, Cambridge: Cambridge University. England.
GEER, D. Jr., HOO, K. S. AND JAQUITH, A. 2003. Information security: Why the future belongs to the
quants. IEEE Sec. and Privacy. 1, 4, 24-32.
GORDON, L. A. AND LOEB, M. P. 2002. The economics of investment in information security. ACM Trans.
Inf. Syst. Sec. 5, 4, 438-457.
GORDON, L. A., LOEB, M. P. AND LUCYSHYN, W. 2002. An economics perspective on the sharing of
information related to security breaches: Concepts and empirical evidence. Paper presented at
Workshop on Economics and Information Security, Berkeley. U.S. Available at
http://www.cl.cam.ac.uk/~rja14/econws.html
GORDON, L. A., LOEB, M. P. AND LUCYSHYN, W. 2003. Information security expenditures and real
options: A wait-and-see approach. Compu. Sec. J. 19, 2, 1-6.
HOO, K. S. 2000. How much is enough? A risk-management approach to computer security. Working paper,
available at http://iis-db.stanford.edu/pubs/11900/soohoo.pdf
HUANG, C. D., HU, Q., AND BEHARA, R. S. 2008. Economics of information security investment in the
case of simultaneous attacks. Int. J. Prod. Econ., 114, 2, 793-804.
IHEAGWARA, C., ARTHUR, S. AND ACAR, Y. 2005. The different metrics of ROI: Implications for
information assurance. Information System Audit and Control Association, ISACA. Available at
www.isaca-washdc.org/pages/articles/article-nov2005-print.htm.
IHEAGWARA, C., BLYTH, A., KEVIN, T., KINN, D. 2004. Cost effective management frameworks: The
impact of IDS deployment technique on threat mitigation. Inf. Softw.Technol. 46, 10, 651-664.
JORGENSON, D. W. 2001. Information technology and the U.S. economy. The Am. Econ. Rev., 9, 1, 1-32.
J. P. Morgan, 2011. Global e-commerce revenue to grow by 19 percent in 2011 to $680b.
http://techcrunch.com/2011/01/03/j-p-morgan-global-e-commerce-revenue-to-grow-by-19-percent-in-2011-to-680b/
KESAN, J. P., MAJUCA, R. P. AND YURCIK, W. J. 2004. The economic case for cyber insurance. Law and
Economics Working Paper. University of Illinois College of Law, Illinois, U.S.
MIZZI, A. 2005. Return on information security investment: Are you spending enough? Are you spending
too much? ITtoolbox Security. Available at http://www.infosecwriters.com/text_resources/pdf/ROISI.pdf.
MOITRA, S. AND KONDA, S. 2000. The survivability of network systems: An empirical analysis.
Technical Report CMU/SEI-2000-TR-021, Carnegie Mellon Software Engineering Institute.
NEUBAUER, T. AND HARTL, C. 2009. On the singularity of valuating IT security investments. In
Proceedings of the 2009 Eighth IEEE/ACIS International Conference on Computer and Information
Science (ICIS '09). IEEE Computer Society, Washington, DC, USA, 549-556.
PURSER, S. 2004. Improving the ROI of the security management process. Comput. Sec. 23, 7, 542–546.
ROWE, B. AND GALLAHER, M. P. 2006. Could IPv6 improve network security? And, if so, at what cost?
Cybersecurity. I/S: A J. Law and Pol. Inf. Society. 2, 2, 231-267.
TANAKA, H., MATSUURA, K. AND SUDOH, O. 2005. Vulnerability and information security
investment: An empirical analysis of e-Local government in Japan. J. Account. Public Pol. 24, 37-59.
The Computer Technology Documentation Project, 2001. Network and Computer Security Tutorial Version
0.4.0 April 16. http://www.comptechdoc.org/
TSIAKIS, T. AND STEPHANIDES, G. 2005. The economic approach of information security. Comput. Sec.
24, 2, 105-108.
U.S. Department of Commerce, 2011. U.S. Census Bureau News: Quarterly retail e-commerce sales, 3rd
quarter 2011. Available at http://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf.
WANG, Y. C. 2007. Taiwanese small and medium enterprises' information security investment, 2006-2009.
MIC Topical Report. Market Intelligence Center. available at http://mic.iii.org.tw/english/
store/en_3_mic_store_1_2_1.asp?doc_sqno=4662.
WEAVER, N. AND PAXSON, V. 2004. A worst-case worm. In Proceedings (online) of the Third Annual
Workshop on Economics and Information Security (WEIS'04), Minneapolis, MN, May 2004. Available
at http://www.dtc.umn.edu/weis2004/weaver.pdf.