Probabilistic Modeling for Evaluation of Information Security Investment Portfolios

Analysis of Information Security Investment Portfolios Using a Probabilistic Model

  • 양원석 (Electronics and Telecommunications Research Institute, Technology Strategy Division, Service Policy Research Department);
  • 김태성 (Chungbuk National University, Department of Management Information Systems / BK21 Project Team);
  • 박현민 (Pukyong National University, Department of Systems Management and Engineering)
  • Published: 2009.09.30

Abstract

We develop a probability model to evaluate information security investment portfolios. We assume that organizations install portfolios of information security countermeasures to mitigate damage such as the loss of transactions being processed, damage to hardware and data, and similar effects. A queueing model and its expected value analysis are used to derive the lost cost of transactions being processed, the replacement cost of hardware, and the recovery cost of data. The net present value for each portfolio is derived, and organizations can select the optimal information security investment portfolio by comparing portfolios.
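The evaluation structure the abstract describes, as an added illustration (not the paper's model or code): transactions are served by an assumed M/M/1 queue, each successful attack is treated as a queue-clearing event that loses the in-process transactions and may require hardware replacement or data recovery, and the resulting expected yearly loss plus investment is discounted to a net present value per portfolio. All portfolio parameters, costs and rates below are constructed sample values; the attack rates and damage probabilities after mitigation are assumptions, not estimates from the paper.

```python
from dataclasses import dataclass
import math

@dataclass
class Portfolio:
    name: str
    investment: float    # up-front cost of the countermeasure set (constructed)
    annual_opex: float   # yearly operating cost of the countermeasures
    attack_rate: float   # successful attacks per year after mitigation (assumed)
    p_hw: float          # probability an attack damages hardware (assumed)
    p_data: float        # probability an attack damages data (assumed)

def expected_in_system(lam: float, mu: float) -> float:
    """Mean number of transactions in an M/M/1 system: rho / (1 - rho)."""
    rho = lam / mu
    if rho >= 1.0:
        raise ValueError("queue is unstable (arrival rate >= service rate)")
    return rho / (1.0 - rho)

def annual_loss(p: Portfolio, lam: float, mu: float,
                tx_value: float, hw_cost: float, data_cost: float) -> float:
    """Expected yearly cost under portfolio p.  Poisson attacks see the
    time-average queue (PASTA), so each attack loses L * tx_value on average,
    plus hardware replacement and data recovery with their probabilities."""
    lost_tx = expected_in_system(lam, mu) * tx_value
    per_attack = lost_tx + p.p_hw * hw_cost + p.p_data * data_cost
    return p.attack_rate * per_attack + p.annual_opex

def npv(p: Portfolio, years: int, rate: float, **cost_params) -> float:
    """Net present value of portfolio p: investment plus discounted yearly losses
    (all cash outflows, so a less negative NPV is better)."""
    loss = annual_loss(p, **cost_params)
    pv_losses = sum(loss / (1.0 + rate) ** t for t in range(1, years + 1))
    return -(p.investment + pv_losses)

def best_portfolio(portfolios, years: int, rate: float, **cost_params) -> Portfolio:
    """Select the portfolio with the highest (least negative) NPV."""
    return max(portfolios, key=lambda p: npv(p, years, rate, **cost_params))

# Constructed sample scenario: 8 transactions/hour arriving, 10/hour served.
COSTS = dict(lam=8.0, mu=10.0, tx_value=500.0, hw_cost=5_000.0, data_cost=20_000.0)
PORTFOLIOS = [
    Portfolio("no countermeasures", 0.0, 0.0, attack_rate=20.0, p_hw=0.2, p_data=0.5),
    Portfolio("firewall + backups", 50_000.0, 10_000.0, attack_rate=5.0, p_hw=0.2, p_data=0.1),
    Portfolio("full suite", 300_000.0, 40_000.0, attack_rate=1.0, p_hw=0.1, p_data=0.05),
]

if __name__ == "__main__":
    for p in PORTFOLIOS:
        print(f"{p.name:20s} NPV = {npv(p, 5, 0.10, **COSTS):>12,.0f}")
    print("best:", best_portfolio(PORTFOLIOS, 5, 0.10, **COSTS).name)
```

With these constructed numbers the mid-priced portfolio wins: spending nothing leaves the expected loss too high, while the full suite costs more up front than the loss it removes over the five-year horizon.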
