Information security trade-offs and optimal patching policies

European Journal of Operational Research

Volumn 216, Issue 2, 2012, Pages 434-444

  Ioannidis, Christos ^a   Pym, David ^b   Williams, Julian ^b  

^a University of Bath   (United Kingdom)

^b UNIVERSITY OF ABERDEEN   (United Kingdom)

Author keywords

Information security; Optimal policy; Risk reduction; Stochastic processes

Indexed keywords

COMMERCE; RANDOM PROCESSES; SECURITY OF DATA; STOCHASTIC MODELS; STOCHASTIC SYSTEMS;

MILITARY ORGANIZATIONS; OPTIMAL FREQUENCY; OPTIMAL POLICIES; RISK REDUCTIONS; SOFTWARE PATCHES; STOCHASTIC NATURE; SYSTEM ARCHITECTURES; THREAT ENVIRONMENT;

ECONOMIC AND SOCIAL EFFECTS;

EID: 84857187741     PISSN: 03772217     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ejor.2011.05.050     Document Type: Article

References (34)

1. R. Anderson, Why information security is hard: An economic perspective, in: Proc. 17th Annual Computer Security Applications Conference, IEEE, 2001, pp. 358-365.
2. R. Anderson, R. Böhme, R. Clayton, T. Moore, Security economics and the internal market, Report to the European Network and Information Security Agency (ENISA), 2007. .
3. R. Anderson, T. Moore, The economics of information security. Science 314 (2006) 610-613. Extended version available at .
4. A. Arbaugh, W. L. Fithem, J. McHugh, Windows of vulnerability: A case study analysis, IEEE Computer, 2000.
5. A. Arora, R. Telang, H. Xu, Optimal policy for software vulnerability disclosure, Management Science 54 (4) (2008) 642-656.
6. T. August, T. Tunca, Network software security and user incentives, Management Science 52 (11) (2006) 1703-1720.
7. S. Beattie, S. Arnold, C. Cowans, P. Wagle, C. Wright, A. Shostack, Timing the application of security patches for optimal uptime, in: LISA '02:16th System Administration Conference, 2002.
8. A. Beautement, R. Coles, J. Griffin, C. Ioannidis, B. Monahan, D. Pym, A. Sasse, M. Wonham, Modelling the human and technological costs and benefits of USB memory stick security, in: M. Eric Johnson (Ed.), Managing Information Risk and the Economics of Security, Springer, 2008, pp. 141-163.
9. Y. Beres, J. Griffin, S. Shiu, M. Heitman, D. Markle, P. Ventura, Analysing the performance of security solutions to reduce vulnerability exposure window, in: Proceedings of the 2008 Annual Computer Security Applications Conference, IEEE Computer Society Conference Publishing Services (CPS), 2008, pp. 33-42.
10. Y. Beres, D. Pym, S. Shiu, Decision support for systems security investment, in: Network Operations and Management Symposium Workshops (NOMS Wksps), 2010 IEEE/IFIP, 2010, pp. 118-125. doi:10.1109/NOMSW.2010.5486590, ISBN: 978-1-4244-6037-3 (INSPEC Accession Number: 11502735).
11. Catherine Bobtcheff, Stphane Villeneuve, Technology choice under several uncertainty sources, European Journal of Operational Research 206 (3) (2010) 586-600.
12. H. Cavusoglu, H. Cavusoglu, J. Zhang, Security patch management: Share the burden or share the damage, Management Science 54 (4) (2008) 657-670.
13. M. Collinson, B. Monahan, D. Pym, Semantics for structured systems modelling and simulation, in: Proc. Simutools 2010, ICST: ACM Digital Library and EU Digital Library, 2010. ISBN: 78-963-9799-87-5.
14. G. Coulouris, J. Dollimore, T. Kindberg, Distributed Systems: Concepts and Design, Addison Wesley, 2005.
15. D. R. Cox, V. Isham, Point Processes, Monographs on Statistics and Applied Probability, Chapman and Hall, 1980.
16. Demos2k. .
17. S. Frei, M. May, U. Fiedler, B. Plattner, Large-scale vulnerability analysis, in: Proceedings of SIGCOMM'06 Workshop, Association for Computing Machinery, 2006. Available at .
18. M. P. Giannoni, M. Woodford, Optimal Interest-Rate Rules I: General Theory, Working Paper Series 9419, National Bureau of Economic Research, 2002. ISSU 9419, ISSN 0898-2937.
19. Gnosis. .
20. L. Gordon, M. Loeb, W. Lucyshyn, Information security expenditures and real options: A wait-and-see approach, Computer Security Journal 19 (2) (2003) 1-7.
21. L. A. Gordon, M. P. Loeb, The economics of information security investment, ACM Transactions on Information and Systems Security 5 (4) (2002) 438-457.
22. L. A. Gordon, M. P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Analysis, McGraw Hill, 2006.
23. Kjell Hausken, Vicki M. Bier, Defending against multiple different attackers, European Journal of Operational Research 211 (2) (2011) 370-384.
24. J. C. Hersey, H. C. Kunreuther, P. J. Shoemaker, Sources of bias in assessment procedures for utility functions, Management Science 28 (1982) 936-953.
25. C. Ioannidis, D. Pym, J. Williams, Investments and trade-offs in the economics of information security, in: Roger Dingledine, Philippe Golle (Eds.), Proceedings of Financial Cryptography and Data Security '09, LNCS, vol. 5628, Springer, 2009, pp. 148-166. Preprint available at .
26. J. Y. Jaffrey, Some experimental findings on decision-making under risk and their implications, European Journal of Operational Research 38 (1989) 301-306.
27. A. Jimenéz, S. Ros-Insua, A. Mateos, A decision support system for multiattribute utility evaluation based on imprecise assignments, Decision Support Systems 36 (2003) 65-79.
28. E. Jonsson, A. Olovsson, Quantitative model of the security intrusion process based on attacker behaviour, IEEE Transactions on Software Engineering 23 (4) (1997) 235-245.
29. R. L. Keeney, H. Raiffa, Decisions with Multiple Objectives: Preferences and Value Trade-offs, Wiley, 1976.
30. M. McCord, R. de Neufville, Lottery equivalents: Reduction of the certainty effect problem in utility assessment, Management Science 32 (1986) 56-61.
31. R. A. Nobay, D. A. Peel, Optimal discretionary monetary policy in a model of asymmetric bank preferences, Economic Journal 113 (489) (2003) 657-665.
32. Enrico Pennings, Onno Lint, Market entry, phased rollout or abandonment? a real option approach, European Journal of Operational Research 124 (1) (2000) 125-138.
33. P. Protter, D. Talay, The Euler scheme for levy driven stochastic differential equations, The Annals of Probability 25 (1) (1997) 393-423.
34. B. Schneier, Managed security monitoring: Closing the window of exposure, Counterpane Internet Security, 2000. Manuscript available at: .