A Framework for Making Decision on Optimal Security Investment to the Proactive and Reactive Security Solutions management

An Optimal Security Investment Decision Model for the Integrated Operation of Heterogeneous Security Solutions

  • Choi, Yoon-Ho (Department of Convergence Security, Kyonggi University)
  • Received : 2014.01.22
  • Accepted : 2014.04.08
  • Published : 2014.06.30

Abstract

While organizations' IT security investment has increased, the monetary loss they suffer from IT security breaches has not decreased as much as expected. Surveys also show that poor use of the security budget has held back improvement of organizations' security level. In this paper, to address this poor use of security budgets, we propose a comprehensive economic model for determining the optimal amount of investment in security solutions, covering both proactive security solutions (PSSs) and reactive security solutions (RSSs). Using the proposed analytical model under different parameters of the security solutions, we derive the optimal condition that maximizes the expected net benefit of an organization's IT security investment. We also verify the common belief that the optimal level of investment in security solutions is an increasing function of vulnerability. Through simulations, we find the optimal level of IT security investment for parameters reflecting the different characteristics of security solutions.

Owing to the importance of IT security, both the capabilities of IT security solutions and corporate investment in security have grown steadily, yet the reduction in companies' monetary losses from security incidents still falls short of expectations. A survey of companies operating security solutions found that a poor understanding of security solutions and misguided investment strategies are the main reasons why the improvement in security effectiveness relative to investment falls short of expectations. This paper proposes a security investment decision model to address the decline in security effectiveness relative to investment that results from misguided investment in security solutions. Specifically, we propose a comprehensive mathematical model for determining a company's investment methodology for proactive security solutions (PSSs), which can prevent security incidents before an organization suffers damage from attacks exploiting vulnerabilities in IT assets, and reactive security solutions (RSSs), which can investigate and analyze security incidents after damage has occurred. Using the proposed analytical model, we also explore the optimal strategy for maximizing the organization's expected net benefit from IT security investment under the influence of the various parameters of security solutions.


Cited by

  1. A Quantitative Model for Evaluating the Efficiency of Proactive and Reactive Security Countermeasures, vol. E98.D, no. 3, 2015, https://doi.org/10.1587/transinf.2014EDP7042