
Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability

Information Systems Frontiers

Abstract

Four kinds of marginal returns to security investment to protect an information set are: decreasing, first increasing and then decreasing (logistic function), increasing, and constant. Gordon, L. A. and Loeb, M. (ACM Trans. Inf. Syst. Secur., 5:438–457, 2002) find for decreasing marginal returns that a firm invests at most 37% (1/e) of the expected loss from a security breach, and that protecting moderately rather than extremely vulnerable information sets may be optimal. This article presents classes of all four kinds where the optimal investment is no longer capped at 1/e. First, investment in information security activities for the logistic function is zero for low vulnerabilities, jumps in a limited “bang-bang” manner to a positive level for intermediate vulnerabilities, and thereafter increases concavely in absolute terms. Second, we present an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets. For the third and fourth kinds the optimal investment is of an all-out “bang-bang” nature, that is, zero for low vulnerabilities, and jumping to maximum investment for intermediate vulnerabilities.
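As an added illustration (not part of the article), the Gordon-Loeb net-benefit maximisation is run below for the standard GL class II breach function S(z,v) = v^(αz+1) from the cited 2002 paper, which exhibits the 1/e cap and zero investment for extremely vulnerable sets, and for the S^Va function of footnote 6, which exhibits the all-out bang-bang optimum. The parameter values are constructed, and the optimiser is a plain grid search.

```python
import math

def enbis(S, z, v, L):
    """Expected net benefit of information security (Gordon-Loeb):
    reduction in expected loss from investing z, minus the cost z.
    v: vulnerability, L: loss if breached, S(z, v): breach probability."""
    return (v - S(z, v)) * L - z

def optimal_investment(S, v, L, z_max, steps=10000):
    """Maximise ENBIS over z in [0, z_max] by grid search. Starting from the
    corner z = 0 means an interior local maximum with negative ENBIS is
    never chosen (cf. footnote 2)."""
    best_z, best_val = 0.0, enbis(S, 0.0, v, L)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(S, z, v, L)
        if val > best_val:
            best_z, best_val = z, val
    return best_z

def gl_class_ii(alpha):
    """Gordon-Loeb class II breach function S(z, v) = v**(alpha*z + 1):
    convex in z, i.e. decreasing marginal returns to investment."""
    return lambda z, v: v ** (alpha * z + 1)

def s_va(xi):
    """S^Va(z, v) = v(2 - e^{xi z}) from footnote 6, defined for z <= ln2/xi:
    concave in z, i.e. increasing marginal returns to investment."""
    return lambda z, v: v * (2.0 - math.exp(xi * z))

def max_fraction_of_expected_loss(S, L, z_max, vs):
    """Largest ratio z*/(vL) over the vulnerabilities in vs (GL bound: 1/e)."""
    return max(optimal_investment(S, v, L, z_max) / (v * L) for v in vs)

def bang_bang_threshold(xi, L):
    """For S^Va, ENBIS = vL(e^{xi z} - 1) - z is convex in z, so the optimum
    is an endpoint: z* = 0 below this vulnerability, z* = ln2/xi above it."""
    return math.log(2) / (xi * L)

if __name__ == "__main__":
    ALPHA, L = 1.0, 100.0          # constructed parameters
    vs = [i / 100 for i in range(1, 100)]
    frac = max_fraction_of_expected_loss(gl_class_ii(ALPHA), L, L, vs)
    print(f"class II: max z*/(vL) = {frac:.4f} (1/e = {1 / math.e:.4f})")
    print("class II at v = 0.99: z* =", optimal_investment(gl_class_ii(ALPHA), 0.99, L, L))
    XI, L2 = 0.5, 10.0
    z_max = math.log(2) / XI
    print(f"S^Va threshold v = {bang_bang_threshold(XI, L2):.4f}")
    for v in (0.10, 0.20):
        print(f"S^Va at v = {v}: z* = {optimal_investment(s_va(XI), v, L2, z_max):.3f}")
```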


Notes

  1. An alternative conception is to substitute z with f(z), where z is effort and f(z) is the monetary cost of effort.

  2. I thank Martin Loeb for realizing that the local negative maximum of ENBIS implies that the corner solution z = 0 applies, and that the local maximum must be positive and thus global in order to cause a strictly positive security investment.

  3. GL did not show that the 37% result holds for all security breach functions satisfying A1, A2, and A3.

  4. Consider two thought experiments. First, imagine that the information set in a suitable format is buried deep inside a mountain with large but finite top-notch security around the mountain. Breaching the information set would be possible, but extremely expensive. Securing an information set in such a manner is inconvenient for those one wants to have legitimate access to it. This reveals the tradeoff between security and accessibility/availability. Second, and more creatively, imagine that the information set in a suitable format is sent into outer space at the speed of light. Such an information set would be 100% secure, but useless since no one would get access to it.

  5. It is mathematically possible but less convenient for exposition to assume that Eq. 7 applies when \( z < \mu^{-1/k} - h > 0 \), and that \( S^{\text{IV}}(z, v) = v\varepsilon / z \) when \( z \geqslant \mu^{-1/k} - h > 0 \), where \( \varepsilon \geq 0 \) and \( h \geq 0 \). Such a function satisfies A5 when \( z < z_{\text{u}} \), and satisfies A3 except when \( z = z_{\text{u}} \). Through the point \( z = z_{\text{u}} \) the function is convex and continuous when \( v\left(1 - \mu z_{\text{u}}^{k}\right) = v\varepsilon / z_{\text{u}} \), but not differentiable.

  6. An alternative to Eq. 17 with qualitatively similar properties is \( S^{\text{Va}}(z, v) = v\left(2 - e^{\xi z}\right) \), \( z \leqslant \ln 2 / \xi \).

References

  • Gordon, L. A., & Loeb, M. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5, 438–457.


  • Hausken, K., & Pluemper, T. (2002). Containing contagious financial crises: The political economy of joint intervention into the Asian crisis. Public Choice, 111(3–4), 209–236.


  • Lotka, A. J. (1924). Elements of mathematical biology. New York: Dover (1956).

  • Tanaka, H., & Matsuura, K. (2005). Vulnerability and effects of information security investment: A firm level empirical analysis of Japan. Paper presented at the Forum on Financial Information Systems and Cyber Security, College Park, Maryland, May.

  • Verhulst, P. F. (1845). Recherches Mathématiques sur la Loi d’Accroissement de la Population. Nouveaux Mémoires de l’Académie Royale des Sciences et Belles-Lettres de Bruxelles, 18, 3–38.


Acknowledgment

I thank the editors of this special issue and especially Martin P. Loeb, and Chih-Yang Tseng, and a referee, for excellent comments.

Author information

Correspondence to Kjell Hausken.


Cite this article

Hausken, K. Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Inf Syst Front 8, 338–349 (2006). https://doi.org/10.1007/s10796-006-9011-6
