Decision-Theoretic and game-theoretic approaches to IT security investment

Journal of Management Information Systems

Volumn 25, Issue 2, 2008, Pages 281-304

  Cavusoglu, Huseyin ^a   Raghunathan, Srinivasan ^a   Yue, Wei T ^a  

^a UNIVERSITY OF TEXAS AT DALLAS   (United States)

Author keywords

Decision theory; Game theory; IT security investments

Indexed keywords

CURRENT PRACTICES; DECISION-THEORETIC; INVESTMENT STRATEGY; IT SECURITY INVESTMENTS; LEARNING MODELS; RATE OF CONVERGENCE; RISK MANAGEMENT TECHNIQUES; SECURITY BUDGET; SECURITY INVESTMENTS; SECURITY THREATS;

COMPUTER CRIME; DECISION THEORY; EDUCATION; INFORMATION TECHNOLOGY; INVESTMENTS; PERSONAL COMPUTING; RISK ANALYSIS; RISK MANAGEMENT; RISK PERCEPTION; SECURITY OF DATA; SECURITY SYSTEMS; STRATEGIC PLANNING;

GAME THEORY;

EID: 66549093519     PISSN: 07421222     EISSN: None     Source Type: Journal    
DOI: 10.2753/MIS0742-1222250211     Document Type: Article

References (44)

1. Barucci, E. Exponentially fading memory learning in forward-looking economic models. Journal of Economic Dynamics and Control, 24, 5 (2000), 1027-1046.
2. Bashir, L; Serafini, E.; and Wall, K. Securing network software applications: Introduction. Communications of the ACM, 44, 2 (2001), 28-30.
3. Berinato, S. Finally, a return on security spending. CIO Magazine (February 2002) (available at www.cio.com.au/index.php/id;557330171;fp;;fpid;).
4. Bodin, L.D.; Gordon, L.A.; and Loeb, M.P. Evaluating information security investments using the analytic hierarchy process. Communications of the ACM, 48, 2 (2005), 78-83.
5. Campbell, J.A. Real options analysis of the timing of IT investment decisions. Information and Management, 39, 5 (2002), 337-344.
6. Campbell, P.; Calvert, B.; and Boswell, B. Security+ Guide to Network Security Fundamentals. Boston: Course Technology, 2003.
7. Cavusoglu, H., and Raghunathan, S. Configuration of detection software: A comparison of decision and game theory approaches. INFORMS Decision Analysis, 1, 3 (2005), 131-148.
8. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The effect of Internet security breach announcements on market value: Capital market reaction for breached firms and Internet security developers. International Journal of Electronic Commerce, 9, 1 (2004), 69-105.
9. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. A model for evaluating IT security investments. Communications of the ACM, 47, 7 (2004), 87-92.
10. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16, 1 (2005), 28-46.
11. Cavusoglu, H.; Raghunathan, S.; and H. Cavusoglu. Configuration of and interaction between information security technologies: The case of firewalls and intrusion detection systems. Information Systems Research, forthcoming (2008).
12. Clemons, E.K. Evaluation of strategic investments in information technology. Communications of the ACM, 34, 1 (1991), 22-36.
13. Cremonini, M., and Nizovtsev, D. Understanding and influencing attackers' decisions: Implications for security investment strategies. Paper presented at the Workshop on the Economics of Information Security (WEIS), Cambridge, UK, June 26-28, 2006.
14. Crume, J. Inside Internet Security: What Hackers Don't Want You To Know. Harlow, UK: Addison-Wesley, 2001.
15. Fellingham, J.C., and Newman, D.P. Strategic considerations in auditing. Accounting Review, 60, 4 (October 1985), 634-650.
16. Fudenberg, D., and Levine, D.K. The Theory of Learning in Games. Cambridge, MA: MIT Press, 1998.
17. Gal-Or, E.A., and Ghose, A. The economic incentives for sharing security information. Information Systems Research, 16, 2 (2005), 186-208.
18. Gordon, L.A., and Loeb, M.P. The economics of information security investment. ACM Transactions on Information and System Security, 5, 4 (2002), 438-457.
19. Gordon, L.A.; Loeb, M.P; and Lucyshyn, W. Sharing information on computer systems: An economic analysis. Journal of Accounting and Public Policy, 22, 6 (2003), 461-485.
20. Han, K.; Kauffman, R.J.; and Nault, B.R. Information exploitation and interorganizational systems ownership. Journal of Management Information Systems, 21, 2 (Fall 2004), 109-135.
21. Hausken, K. Income, interdependence, and substitution effects affecting incentives for security investment. Journal of Accounting and Public Policy, 25, 6 (2006), 629-665.
22. Hausken, K. Strategic defense and attack for series and parallel reliability systems. European Journal of Operational Research, 186, 2 (2008), 856-881.
23. Hitt, L.M.; Frei, F.X.; and Harker, P.T. How firms decide on technology. In R.E. Litan and A.M. Santomero (eds.), Brookings/Wharton Papers on Financial Services. Washington, DC: Brookings Institution Press, 1999, pp. 93-136.
24. Hoo, K.J.S. How much security is enough? A risk management approach to computer security. Ph.D. dissertation, Department of Marketing, Stanford University, 2000.
25. Kaplan, R.S. Must CIM be justified by faith alone. Harvard Business Review, 64, 2 (March-April 1986), 87-95.
26. Karofsky, E. Return on security investment: Calculating the security investment equation. Secure Business Quarterly, 1, 2 (2001).
27. Kohli, R.; Sherer, S.A.; and Baron, A. Editorial - IT investment payoff in e-business environments: Research issues. Information Systems Frontiers, 5, 3 (2003), 239-247.
28. Kumar, R.L. A note on project risk and option values of investments in information technologies. Journal of Management Information Systems, 13, 1 (Summer 1996), 187-193.
29. Kunreuther, H., and Heal, G. Interdependent security. Journal of Risk and Uncertainty, 26, 3(2003), 231-249.
30. Leeson, P., and Coyne, C.J. The economics of computer hacking. Journal of Law, Economics and Policy, 1, 2 (2006), 511-532.
31. Longstaff, T.; Chittister, C.; Pethia, R.; and Haimes, Y. Are we forgetting the risk of information technology? IEEE Computer, 33, 12 (December 2000), 43-51.
32. Moitra, S.D., and Konda, S.L. The survivability of network systems: An empirical analysis. CMU/SEI-2000-TR-021, Software Engineering Institute/Computer Emergency Response Team (SEI/CERT) Report, Carnegie Mellon University, Pittsburgh, PA, December 2000.
33. Power, R. 2002 CSI/FBI computer crime and security survey. Computer Security Journal, 17, 2 (Spring 2002), 29-51.
34. Rainer, R.K.; Snyder, C.A.; and Carr, H.H. Risk analysis for information technology. Journal of Management Information Systems, 8, 1 (Summer 1991), 129-148.
35. Rasmussen, E. Information and Games. New York: Basil Blackwell, 1989.
36. Rockart, J.F.; Earl, M.J.; and Ross, J.W. Eight imperatives for the new IT organization. Sloan Management Review, 38, 1 (1996), 43-55.
37. Rothke, B. Hackers then and now: Answers to some perennial questions. Computer Security Journal, 16, 3 (2000), 11-14.
38. Schechter, S.E., and Smith, M.D. How much security is enough to stop a thief? In R.N. Wright (ed.), Proceedings of the Seventh International Financial Cryptography Conference. New York: Springer-Verlag, 2003, pp. 122-137.
39. Shaw, D.S.; Post, J.M.; and Ruby, K.G. Inside the minds of the insider. Security Management, 43, 12 (December 1999), 34-44.
40. Sieberg, D. Hackers shift focus to financial gain. CNN.com (available at www.cnn.com/2005/TECH/internet/09/26/identity.hacker/).
41. Stoneburner, G.; Goguen, A.; and Feringa, A. Risk management guide for information technology systems. National Institute of Standards and Technology Special Publications 800-30, White Paper, U.S. Department of Commerce, Gaithersburg, MD, 2002.
42. Sun, L.; Srivastava, R.P.; and Mock, T.J. An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. Journal of Management Information Systems, 22, 4 (Spring 2006), 109-142.
43. Varian, H. System reliability and free riding. Paper presented at the Workshop on the Economics of Information Security (WEIS), Berkeley, CA, May 16-17, 2002.
44. Yue, W, and Çakanyildirim, M. Intrusion prevention in information systems: Reactive and proactive response. Journal of Management Information Systems, 24, 1 (Summer 2007), 329-353.