Abstract
This paper introduces and demonstrates a simple analytically tractable method of mapping utility theory to information security problems and in particular optimal timing for vulnerability management. Our primary focus is on the decision to defer costly deterministic investment, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with fixed and variable costs that imports a nominal rigidity into the investment decision-making profile. The rigidity introduces a delay in the implementation of security measures, resulting in cyclical investments in information security. We show how such cycles emerge endogenously from the policy-maker's chosen trade-offs between system and security attributes.
| Original language | English |
|---|---|
| Title of host publication | Economics of Information Security and Privacy III |
| Editors | Bruce Schneier |
| Place of Publication | New York |
| Publisher | Springer |
| Pages | 171-191 |
| Number of pages | 21 |
| ISBN (Electronic) | 978-1-4614-1981-5 |
| ISBN (Print) | 978-1-4614-1980-8, 978-1-4939-0036-7 |
| DOIs | |
| Publication status | Published - 2013 |
| Event | The Tenth Workshop on Economics of Information Security (WEIS 2011) - Virginia, United Kingdom Duration: 14 Jun 2011 → 15 Jun 2011 |
Conference
| Conference | The Tenth Workshop on Economics of Information Security (WEIS 2011) |
|---|---|
| Country/Territory | United Kingdom |
| City | Virginia |
| Period | 14/06/11 → 15/06/11 |