Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Christos Ioannidis, David J. Pym, Julian Williams

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Abstract

This paper introduces and demonstrates a simple analytically tractable method of mapping utility theory to information security problems and in particular optimal timing for vulnerability management. Our primary focus is on the decision to defer costly deterministic investment, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with fixed and variable costs that imports a nominal rigidity into the investment decision-making profile. The rigidity introduces a delay in the implementation of security measures, resulting in cyclical investments in information security. We show how such cycles emerge endogenously from the policy-maker's chosen trade-offs between system and security attributes.
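The abstract states the mechanism only in words: a fixed cost attached to each patching event makes it rational to defer and batch remediation, so security investment becomes periodic, and the defender's risk attitude changes the timing. The block below is an added illustration written for this page, not the authors' model or code. Every modelling choice in it is an assumption made here (a constant vulnerability arrival rate, normally distributed per-vulnerability losses, CARA utility valued at its certainty equivalent, and the names `PatchEconomy`, `arrival_rate`, `holding_cost`, `optimal_cycle`, `simulate`); it reduces the timing decision to a lot-sizing problem so that the cycle length can be computed in closed form and checked by brute force.

```python
"""Toy patch-cycle model: a fixed cost per patching event makes it rational to
defer patching and batch vulnerabilities, so investment becomes periodic.

Added illustration, not the model of Ioannidis, Pym and Williams. All
assumptions are mine:
  * new vulnerabilities appear at a constant rate `arrival_rate` per period;
  * each unpatched vulnerability causes a per-period loss with mean `loss_mean`
    and standard deviation `loss_sd`, independent across vulnerabilities;
  * a patching event costs `fixed_cost` however many vulnerabilities it removes,
    plus `variable_cost` per vulnerability (paid once whatever the timing, so it
    never changes the optimal cycle);
  * the decision-maker has CARA utility with coefficient `risk_aversion`
    (0 = risk neutral), so a normally distributed loss L is valued at its
    certainty equivalent E[L] + risk_aversion * Var[L] / 2.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import math


@dataclass(frozen=True)
class PatchEconomy:
    arrival_rate: float
    loss_mean: float
    loss_sd: float
    fixed_cost: float
    variable_cost: float
    risk_aversion: float = 0.0

    def holding_cost(self) -> float:
        """Certainty-equivalent cost of carrying one vulnerability for one period.
        The second term is the risk premium a risk-averse defender attaches to
        the variance of the loss; it vanishes for a risk-neutral defender."""
        return self.loss_mean + 0.5 * self.risk_aversion * self.loss_sd ** 2

    def cost_per_period(self, cycle: int) -> float:
        """Long-run average cost per period when patching every `cycle` periods.
        During period k of a cycle the backlog is arrival_rate * k, so the mean
        backlog over a cycle is arrival_rate * (cycle + 1) / 2."""
        if cycle < 1:
            raise ValueError("cycle length must be at least one period")
        amortised_fixed = self.fixed_cost / cycle
        remediation = self.variable_cost * self.arrival_rate
        exposure = self.holding_cost() * self.arrival_rate * (cycle + 1) / 2
        return amortised_fixed + remediation + exposure

    def optimal_cycle(self, max_cycle: int = 365) -> int:
        """Integer cycle length minimising cost_per_period (brute force)."""
        return min(range(1, max_cycle + 1), key=self.cost_per_period)

    def continuous_optimum(self) -> float:
        """Closed-form optimum of the continuous relaxation F/T + h*lambda*T/2,
        the EOQ-style result T* = sqrt(2F / (h * lambda)). With F = 0 this is 0:
        patch as soon as possible, no cycle."""
        denominator = self.holding_cost() * self.arrival_rate
        if denominator == 0:
            return math.inf
        return math.sqrt(2 * self.fixed_cost / denominator)

    def simulate(self, periods: int,
                 cycle: Optional[int] = None) -> Tuple[List[float], List[int]]:
        """Run the policy and return (end-of-period backlogs, patch periods).
        The backlog traces a saw-tooth: it grows by arrival_rate each period
        and drops to zero at every patching event."""
        cycle = self.optimal_cycle() if cycle is None else cycle
        backlog, backlogs, events = 0.0, [], []
        for t in range(1, periods + 1):
            backlog += self.arrival_rate
            if t % cycle == 0:
                events.append(t)
                backlog = 0.0
            backlogs.append(backlog)
        return backlogs, events


# Constructed parameter sets (not calibrated to anything on the page).
RISK_NEUTRAL = PatchEconomy(arrival_rate=2, loss_mean=1, loss_sd=1,
                            fixed_cost=50, variable_cost=3, risk_aversion=0.0)
RISK_AVERSE = PatchEconomy(arrival_rate=2, loss_mean=1, loss_sd=1,
                           fixed_cost=50, variable_cost=3, risk_aversion=2.0)
NO_FIXED_COST = PatchEconomy(arrival_rate=2, loss_mean=1, loss_sd=1,
                             fixed_cost=0, variable_cost=3, risk_aversion=0.0)

if __name__ == "__main__":
    for name, econ in (("risk neutral", RISK_NEUTRAL),
                       ("risk averse", RISK_AVERSE),
                       ("no fixed cost", NO_FIXED_COST)):
        cycle = econ.optimal_cycle()
        backlogs, events = econ.simulate(14)
        print(f"{name:14s} cycle={cycle:2d} "
              f"(continuous {econ.continuous_optimum():.2f}) "
              f"patch periods={events} peak backlog={max(backlogs):.0f}")
```

With these constructed parameters the risk-neutral defender patches every seven periods and carries a backlog of up to twelve unpatched vulnerabilities before each event; adding risk aversion raises the certainty-equivalent holding cost and shortens the cycle to five periods; removing the fixed cost removes the cycle entirely, since the cost of deferral is then strictly increasing in the cycle length.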
Original language: English
Title of host publication: Economics of Information Security and Privacy III
Editors: Bruce Schneier
Place of publication: New York
Publisher: Springer
Pages: 171-191
Number of pages: 21
ISBN (Electronic): 978-1-4614-1981-5
ISBN (Print): 978-1-4614-1980-8, 978-1-4939-0036-7
DOI: https://doi.org/10.1007/978-1-4614-1981-5_8
Publication status: Published - 2013
Event: The Tenth Workshop on Economics of Information Security (WEIS 2011), Virginia, United States
Duration: 14 Jun 2011 - 15 Jun 2011

Conference

Conference: The Tenth Workshop on Economics of Information Security (WEIS 2011)
Location: Virginia, United States
Period: 14/06/11 - 15/06/11


Cite this

Ioannidis, C., Pym, D. J., & Williams, J. (2013). Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach. In B. Schneier (Ed.), Economics of Information Security and Privacy III (pp. 171-191). New York: Springer. https://doi.org/10.1007/978-1-4614-1981-5_8