
Risk-neutral evaluation of information security investment on data centers

Journal of Intelligent Information Systems

Abstract

Given a data center network topology and risk-neutral management, this work proposes a simple but efficient probability-based model that calculates the probability of insecurity of each protected resource and the optimal investment in each security protection device when the data center faces security breaches. We present two algorithms, one that calculates the probability of realized threat and one that calculates the optimal investment for data center security. Building on the insecurity flow model (Moskowitz and Kang 1997) for analyzing security violations, we first model the data center topology with two basic components, resources and filters, where resources are the protected assets and filters are the security protection devices. Four basic patterns are then identified as the building blocks of the first algorithm, Accumulative Probability of Insecurity, which calculates the accumulative probability of realized threat (insecurity) on each resource. To determine the optimal security investment, a second, risk-neutral algorithm, Optimal Security Investment, maximizes the total expected net benefit. Numerical simulations show that the proposed approach coincides with the single-system analytical model of Gordon and Loeb (ACM Transactions on Information and Systems Security 5(4):438–457, 2002). Numerical results on two common data center topologies are also analyzed and compared to demonstrate the effectiveness of the approach. The technique can be used to support the analysis and design of more secure data centers.
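The resource/filter model the abstract describes, as an added example that is not the paper's code: filters are scored with the Gordon-Loeb class-I breach function, a threat must pass every filter on a path (series rule) and a resource is insecure if any of its paths succeeds (parallel rule); the paper's four patterns, its breach function and its parameter values are not given on this page, so those rules, the parameters and the sample topologies are assumptions. A grid search over the risk-neutral objective (avoided expected loss minus investment) reproduces the closed-form single-system optimum, which is the consistency check the abstract reports.

```python
# Added example, not the paper's code. Assumptions: Gordon-Loeb class-I breach
# function S(z, v) = v / (alpha*z + 1)**beta; series rule (a threat must pass
# every filter on a path) and parallel rule (any successful path is a breach).
from itertools import product

ALPHA, BETA = 1.0, 1.0  # assumed breach-function parameters

def breach_prob(z, v):
    """Probability a threat passes a filter of vulnerability v after investing z."""
    return v / (ALPHA * z + 1.0) ** BETA

def path_insecurity(path, invest, vuln):
    """Series rule: multiply pass-through probabilities along one path."""
    p = 1.0
    for f in path:
        p *= breach_prob(invest[f], vuln[f])
    return p

def accumulative_insecurity(paths, invest, vuln):
    """Parallel rule: insecure if at least one path to the resource succeeds."""
    secure = 1.0
    for path in paths:
        secure *= 1.0 - path_insecurity(path, invest, vuln)
    return 1.0 - secure

def expected_net_benefit(topology, invest, vuln, loss):
    """Risk-neutral objective: avoided expected loss minus total investment."""
    zero = {f: 0.0 for f in invest}
    benefit = 0.0
    for res, paths in topology.items():
        base = accumulative_insecurity(paths, zero, vuln)
        now = accumulative_insecurity(paths, invest, vuln)
        benefit += (base - now) * loss[res]
    return benefit - sum(invest.values())

def optimal_investment(topology, vuln, loss, grid):
    """Exhaustive search over per-filter levels; fine for small topologies."""
    filters = sorted(vuln)
    best, best_z = float("-inf"), None
    for combo in product(grid, repeat=len(filters)):
        z = dict(zip(filters, combo))
        enb = expected_net_benefit(topology, z, vuln, loss)
        if enb > best:
            best, best_z = enb, z
    return best_z, best

def gordon_loeb_optimum(v, loss):
    """Closed-form single-filter optimum of (v - S(z, v)) * loss - z, class I."""
    z = ((v * loss * ALPHA * BETA) ** (1.0 / (BETA + 1.0)) - 1.0) / ALPHA
    return max(z, 0.0)
```

For one resource behind one filter with v = 0.5, loss 100 and integer investment levels 0 to 10, the grid search selects z = 6, next to the closed-form optimum of about 6.07; a topology such as {"web": [["fw"]], "db": [["fw", "ids"]]} lets the shared filter earn benefit from both resources.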



References

  • Ammann, P., Wijesekera, D., & Kaushik, S. (2002). Scalable, graph-based network vulnerability analysis. Proceedings of the 9th ACM conference on computer and communications security (CCS’02) (pp. 217–224).

  • Bell, D., & LaPadula, L. (1975). Secure computer systems: Unified exposition and multics interpretation. Bedford: MITRE, Technical Report, MTR-2997.

  • Bier, V. M., & Abhichandani, V. (2003). Optimal allocation of resources for defense of simple series and parallel systems from determined adversaries. In Risk-based decision making in water resources X (pp. 59–76), Reston, VA: American Society of Civil Engineers.

  • Bishop, M. (2003). Computer security: Art and science. Boston: Addison-Wesley.

  • Chen, Y., Boehm, B., & Sheppard, L. (2007). Measuring security investment benefit for off-the-shelf software systems: A stakeholder value driven approach. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.

  • Goguen, J. A., & Meseguer, J. (1982). Security policies and security models. Proceedings of the 1982 IEEE symposium on security and privacy (pp. 11–20), Oakland, CA.

  • Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and Systems Security, 5(4), 438–457.

  • Grossklags, J., Christin, N., & Chuang, J. (2008). Security investment (Failures) in five economic environments: A comparison of homogeneous and heterogeneous user agents. The seventh workshop on the economics of information security, Dartmouth, USA.

  • Harmantzis, F., & Malek, M. (2004). Security risk analysis and evaluation. Proceedings of the IEEE international conference on communications (pp. 1897–1901), Paris, France.

  • Hausken, K. (2006). Returns to information security investment: Effect of alternative breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 5(8), 338–349.

  • Hoo, K. J. S. (2000). How much is enough? A risk-management approach to computer security. Ph.D. thesis, Stanford University.

  • Huang, C. D., Hu, Q., & Behara, R. S. (2006). Economics of information security investment in the case of simultaneous attacks. The fifth workshop on the economics of information security, University of Cambridge, England.

  • Hulthén, R. (2008). Communicating the economic value of security investments; value at security risk. The seventh workshop on the economics of information security, Dartmouth, USA.

  • Kumar, V., Telang, R., & Mukhopadhyay, T. (2007). Optimally securing interconnected information systems and assets. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.

  • Maloof, M. A. (2006). Machine learning and data mining for computer security. New York: Springer.

  • Matsuura, K. (2008). Productivity space of information security in an extension of the Gordon-Loeb’s investment model. The seventh workshop on the economics of information security, Dartmouth, USA.

  • Moskowitz, I. S., & Kang, M. H. (1997). An insecurity flow model. In New security paradigms workshop, Langdale, Cumbria, UK.

  • Ortalo, R., Deswarte, Y., & Kaaniche, M. (1999). Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering, 25(5), 633–650.

  • Phillips, C., & Swiler, L. P. (1998). A graph-based system for network-vulnerability analysis. In New security paradigms workshop (pp. 71–79).

  • Rue, R., Pfleeger, S. L., & Ortiz, D. (2007). A framework for classifying and comparing models of cyber security investment to support policy and decision-making. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.

  • Ryan, J. C. H., & Ryan, D. J. (2006). Expected benefits of information security investments. Computers and Security, 25, 579–588.

  • Schechter, S. E. (2004). Computer security strength and risk: A quantitative approach. Ph.D. thesis, Harvard University DEAS.

  • Sheyner, O., & Wing, J. (2005). Tools for generating and analyzing attack graphs. Proceedings of formal methods for components and objects, Lecture Notes in Computer Science.

  • Singhal, A. (2007). Data warehousing and data mining techniques for cyber security. New York: Springer.

  • Sutherland, D. (1986). A model of information. Proceedings of the 9th national computer security conference, NSA/NIST, Gaithersburg, MD.

  • Tatsumi, K. I., & Goto, M. (2009). Optimal timing of information security investment: A real options approach. The eighth workshop on the economics of information security, University College London, England.

  • Varian, H. R. (2004). System reliability and free riding. Berkeley: University of California.

  • Wang, S. L., Stirpe, P. A., & Hong, T. P. (2008). Modeling optimal security investment of information centers. The PAKDD 2008 workshop on data mining for decision making and risk management (pp. 293–304), Osaka, Japan.

  • Willemson, J. (2006). On the Gordon & Loeb model for information security investment. The fifth workshop on the economics of information security, University of Cambridge, England.

Corresponding author: Tzung-Pei Hong.

Cite this article

Wang, SL., Chen, JD., Stirpe, P.A. et al. Risk-neutral evaluation of information security investment on data centers. J Intell Inf Syst 36, 329–345 (2011). https://doi.org/10.1007/s10844-009-0109-4
