IT Security Risk Management under Network Effects and Layered Protection Strategy

  • Wei T. Yue
  • Metin Cakanyildirim
  • Young U. Ryu
  • Dengpan Liu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3073)

Abstract

This paper considers the implications of network effects and of the distinction between security measures in the risk management procedure. We compare three models of the risk management procedure: one without network effects and without general protection measures, one without network effects but with general protection measures, and one with both network effects and general protection measures. The paper details the impact on security risks, investment levels, and the benefits of security investment in each of the three models. We show that the preferable way to conduct the risk management procedure is to follow the last of the three models.

Keywords

Network effect, security measure, risk mitigation, security risk, successive attack

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Wei T. Yue, Metin Cakanyildirim, Young U. Ryu, Dengpan Liu
  • Department of Information Systems and Operations Management, School of Management, The University of Texas at Dallas, Richardson, USA