Game Theoretic Optimization of Investment Portfolio Considering the Performance of Information Security Countermeasure


  • 이상훈 (Department of Management Information Systems, Chungbuk National University)
  • 김태성 (Department of Management Information Systems, Chungbuk National University)
  • Received : 2020.06.03
  • Accepted : 2020.07.19
  • Published : 2020.09.30

Abstract

Information security has become an important issue worldwide. As information and communication technologies such as the Internet of Things, big data, cloud computing, and artificial intelligence develop, the need for information security is increasing. Although the necessity of information security expands in step with the development of information and communication technology, interest in information security investment remains low. In general, the effect of information security investment is difficult to measure, so appropriate investment is not made and organizations are reducing their information security investment. In addition, since the types and specifications of information security countermeasures are diverse, it is difficult to compare and evaluate them objectively, and decision-making methods for information security investment are lacking. For an organization to develop, policies and decisions related to information security are essential, and the effect of information security investment must be measured. Therefore, this study proposes a method of constructing an investment portfolio of information security countermeasures using game theory and derives an optimal defence probability. Using a two-person game model, the information security manager and the attacker are taken as the players, and the information security countermeasures and the information security threats are taken as their respective strategies. A zero-sum game, in which the players' payoffs sum to zero, is assumed, and we derive the solution of the mixed-strategy game, in which each player selects a strategy according to a probability distribution over its strategies. In the real world, many types of information security threats exist, so multiple information security countermeasures must be considered to maintain an appropriate security level for information systems.
We assume that the defence ratio of each information security countermeasure is known, and we derive the optimal solution of the mixed-strategy game using linear programming. The contributions of this study are as follows. First, the analysis uses real performance data of information security countermeasures, so information security managers can use the proposed methodology to make practical decisions when constructing an investment portfolio of countermeasures. Second, the investment weight of each countermeasure is derived. Because the method yields a weight for each countermeasure, rather than merely whether or not a countermeasure is invested in, it is straightforward to construct an investment portfolio when a number of countermeasures must be considered together. Finally, the optimal defence probability can be found once the portfolio is constructed, so information security managers can quantify the investment effect of a set of countermeasures that fits the organization's information security budget. Numerical examples are presented and the computational results are analyzed. Performance data for three information security countermeasures, a firewall, an IPS, and an antivirus product, are collected to construct the countermeasure portfolio. The defence ratio of each countermeasure is generated from a uniform distribution, and its performance coverage is derived from the report on that countermeasure.
In the numerical example that considers the firewall, IPS, and antivirus as the countermeasures, the optimal investment weights are 60.74%, 39.26%, and 0%, respectively, and the organization's defence probability is maximized at 83.87%. When the methodology and examples of this study are used in practice, information security managers can consider various types of countermeasures, and the appropriate investment level for each can be reflected in the organization's budget.

As various information and communication technologies such as the Internet of Things, big data, cloud computing, and artificial intelligence develop, the number of assets that must be protected is increasing. Although the need for information security grows in proportion to the development of information and communication technology, interest in information security investment is low. In general, because the effect of information security investment is difficult to measure, appropriate investment is not made, and most organizations are reducing the scale of their investment. In addition, because the types and characteristics of information security countermeasures are diverse, objective comparison and evaluation are difficult, and objective decision-making methods are lacking. However, for an organization to develop, policies and decisions related to information security are essential, and an appropriate level of investment and its effect must be measured. This study therefore proposes a method of constructing an investment portfolio of information security countermeasures using game theory and derives the optimal defence probability using linear programming. Using a two-person game model, the information security manager and the attacker are set as the players of the game, with information security countermeasures as the manager's strategies and information security threats as the attacker's strategies. The game model assumes a zero-sum game in which the players' payoffs sum to zero, and the solution of the mixed-strategy game, in which a strategy is chosen from several strategies according to a fixed probability distribution, is derived. In reality, where many kinds of threats exist, a single countermeasure cannot provide a sufficient level of defence, so multiple countermeasures must be considered. Accordingly, in an environment where countermeasures are deployed against multiple threats, the investment portfolio of countermeasures is computed from the defence ratios of the countermeasures. The optimized portfolio is then used to derive the game value that maximizes the defence probability. Finally, a numerical example is constructed from real performance data of information security countermeasures, and the proposed game model is applied and evaluated. Using the optimization model presented in this study, an organization's information security manager can obtain the investment weight of each countermeasure in consideration of its defence ratio, construct an effective investment portfolio, and derive the optimal defence probability.
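The game described in both abstracts above, as an added worked example that is not part of the paper or of this page: a two-person zero-sum game between the information security manager (row player, strategies = countermeasures) and the attacker (column player, strategies = threats) with the defence ratio as the payoff, solved for the optimal mixed strategy with the standard linear-programming reduction for a positive payoff matrix (the attacker's LP is solved by a small exact simplex, and the defender's mix is read off as its dual values). The defence-ratio matrix, the threat names and the helper names are constructed for illustration and are not the paper's data, so the weights it produces are not the 60.74%/39.26%/0% reported above; it shows the mechanics, including why a countermeasure can receive a 0% weight.

```python
from fractions import Fraction

# Constructed defence-ratio matrix (hypothetical numbers, NOT the paper's data):
# rows = defender strategies (countermeasures), columns = attacker strategies (threats),
# entry = probability that the countermeasure stops that threat. All entries must be > 0.
COUNTERMEASURES = ["Firewall", "IPS", "Antivirus"]
THREATS = ["network intrusion", "malware", "web exploit"]
DEFENCE_RATIO = [
    [Fraction("0.9"), Fraction("0.2"), Fraction("0.6")],  # Firewall
    [Fraction("0.5"), Fraction("0.8"), Fraction("0.7")],  # IPS
    [Fraction("0.3"), Fraction("0.7"), Fraction("0.4")],  # Antivirus: dominated by IPS in every column
]


def simplex_max(A, b, c):
    """Maximise c.z subject to A z <= b, z >= 0 with b >= 0, by tableau simplex (Bland's rule).

    Returns (optimum, z, y): z is the primal solution, y the dual values (shadow prices) of the
    m constraints, read off the slack columns of the final tableau. Exact rational arithmetic
    keeps the small game below free of rounding noise."""
    m, n = len(A), len(A[0])
    F = lambda v: Fraction(str(v))
    # Tableau rows: [A | I | b]; last row holds the reduced costs: [-c | 0 | 0].
    T = [[F(A[i][j]) for j in range(n)] + [F(int(i == k)) for k in range(m)] + [F(b[i])]
         for i in range(m)]
    T.append([-F(cj) for cj in c] + [F(0)] * m + [F(0)])
    basis = [n + i for i in range(m)]          # slack variables are basic at the origin
    while True:
        enter = next((j for j in range(n + m) if T[m][j] < 0), None)
        if enter is None:                      # no negative reduced cost: optimal
            break
        ratios = [(T[i][-1] / T[i][enter], basis[i], i) for i in range(m) if T[i][enter] > 0]
        if not ratios:
            raise ValueError("LP is unbounded")
        _, _, leave = min(ratios)              # smallest ratio, ties broken by smallest basic index
        piv = T[leave][enter]
        T[leave] = [v / piv for v in T[leave]]
        for i in range(m + 1):
            if i != leave and T[i][enter] != 0:
                f = T[i][enter]
                T[i] = [vi - f * vl for vi, vl in zip(T[i], T[leave])]
        basis[leave] = enter
    z = [Fraction(0)] * n
    for i, var in enumerate(basis):
        if var < n:
            z[var] = T[i][-1]
    y = [T[m][n + i] for i in range(m)]
    return T[m][-1], z, y


def solve_zero_sum_game(payoff):
    """Solve the zero-sum game with the defender as row player and defence ratio as payoff.

    Standard LP reduction for a matrix with positive entries: the attacker maximises sum z_j
    subject to sum_j a_ij z_j <= 1 for every countermeasure i. Its dual is the defender's LP
    (minimise sum y_i subject to sum_i a_ij y_i >= 1 for every threat j). Game value
    v = 1 / sum z, defender mix x = v*y, attacker mix q = v*z. Returns (v, x, q)."""
    m, n = len(payoff), len(payoff[0])
    total, z, y = simplex_max(payoff, [1] * m, [1] * n)
    v = 1 / total
    return v, [v * yi for yi in y], [v * zj for zj in z]


def guaranteed_defence(payoff, x):
    """Defence probability the mix x guarantees against a best-responding attacker: the minimum
    over threats of the expected defence ratio. At the optimum this equals the game value."""
    n = len(payoff[0])
    return min(sum(x[i] * payoff[i][j] for i in range(len(payoff))) for j in range(n))


def investment_weights(payoff, names=COUNTERMEASURES):
    """Map each countermeasure to its optimal investment weight in percent."""
    _, x, _ = solve_zero_sum_game(payoff)
    return {name: float(100 * xi) for name, xi in zip(names, x)}


if __name__ == "__main__":
    v, x, q = solve_zero_sum_game(DEFENCE_RATIO)
    print("game value (maximin defence probability):", v, "=", float(v))       # 31/50 = 0.62
    for name, xi in zip(COUNTERMEASURES, x):
        print(f"  {name:10s} weight {float(100 * xi):6.2f}%")                  # 30.00 / 70.00 / 0.00
    for name, qj in zip(THREATS, q):
        print(f"  attacker plays {name:18s} with probability {float(qj):.2f}")  # 0.60 / 0.40 / 0.00
    assert guaranteed_defence(DEFENCE_RATIO, x) == v
```

The assertion at the bottom is the check a practitioner should keep: the game value must equal the worst case over threats of the expected defence ratio under the chosen weights, otherwise the LP was set up with the wrong orientation. A 0% weight, as for the antivirus row here and in the paper's numerical example, means that row is dominated in the defence-ratio matrix under the zero-sum maximin criterion; it is a statement about the input matrix and the model (positive defence ratios, one threat per play, an attacker who best-responds), not evidence that the control is useless outside those assumptions.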
