强制性约束下企业信息安全投资与网络保险的最优决策分析

doi:10.16381/j.cnki.issn1003-207x.2019.1057

Abstract

Abstract: The management and prevention of information security risks have become the most concern for enterprises and government departments. The security investment and cyber insurance are the most efficient tools for firms to reduce the loss of information security risks, which caused by hacker attacks or improper security operations. With the promulgation of Cyberspace Security Law of China and the General Data Protection Regulations of the European Union and other mandatory rules and regulations, the firms' information security investment and security level will be affected by these mandatory constraints.
In this context, the optimal decision problem of information security investment and cyber insurance under mandatory constraints is studied in this paper. And the optimal security investment and cyber insurance premium determination based on bankruptcy probability constraint under observable enterprise loss and unobservable enterprise loss were compared. Research results show that:
(1) In the observed loss and fair premium cases, when to maximize the expected utility of individual enterprises, the optimal security investment was explored, and the optimal values could be improved by the government subsidies and mandatory constraint. But when all enterprises maximize utility, the firms' security investment and her total utility could be increased only by the mandatory constraint. What's more, the optimal security investment has nothing to do with the loss of the observable degree.
(2) In the case of unobservable loss, when the expected utility of a single firm is maximized, the security investment of the firm will be increased; while when the utility of all firms are maximized, any firm cannot easily reduce the security investment, even if other firms reduce the security investment.
(3) Under the constraint of ruin probability and actuarially fair policy, the amount of security investment of the firm would not be affected by the premium formulation. So the security investment, vulnerability level and expected utility of the firm remain unchanged. But as the premium increases, the amount of claims increases continuously. Under the constraint of ruin probability and the ratio of coverage policy, the firm's security investment is increased, but the firm's security investment and expected utility is decreased.
The policy implication of this paper could be applied by firms to control information security risks and guide the investment of information security and cyber insurance. However, the dynamic distribution of information security risk loss and the deductible of insurance are not considered in this research. In future work, the dynamic risk measurement method and CVaR method should be taken into consideration.

Key words: information security investment, cyber insurance, mandatory constraints, observable loss, unobservable loss

CLC Number:

F840.4

DONG Kun-xiang, XIE Zong-xiao, ZHEN Jie. Optimal Decision Analysis of Information Security Investment and Cyber Insurance under Mandatory Constraints[J]. Chinese Journal of Management Science, 2021, 29(6): 70-81.

References

[1] Gordon L A, Loeb M P. The economics of information security investment[J]. ACM Transactions on Information and System Security, 2002, 5(4):438-457.
[2] Gordon L A, Loeb M P, Sohail T. A framework for using insurance for cyber-risk management[J]. Communications of the ACM, 2003, 46(3):81-85.
[3] Anderson R, Moore T. The economics of information security[J]. Science, 2006, 314(5799):610-613.
[4] Herath H S B, Herath T C. Investments in information security:A real options perspective with bayesian postaudit[J]. Journal of Management Information Systems, 2008, 25(3):337-375.
[5] Benaroch M. Real options models for proactive uncertainty-reducing mitigations and applications in cybersecurity investment decision making[J]. Information Systems Research, 2018, 29(2):315-340.
[6] Gao Xing, Zhong Weijun. A differential game approach to security investment and information sharing in a competitive environment[J]. IIE Transactions, 2016, 48(6):511-526.
[7] Nagurney A, Daniele P, Shukla S. A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints[J]. Annals of Operations Research, 2017, 248(1-2):405-427.
[8] 吕俊杰, 邱菀华, 王元卓. 基于相互依赖性的信息安全投资博弈[J]. 中国管理科学, 2006, 14(3):7-12. Lyu Junjie, Qiu Wanhua, Wang Yuanzhuo. An analysis of games of information security investment based on interdependent security[J]. Chinese Journal of Management Science, 2006, 14(3):7-12.
[9] Ezhei M, Tork Ladani B. Interdependency analysis in security investment against strategic attacks[J]. Information Systems Frontiers, 2018:1-15.
[10] Hasheminasab S A, Tork Ladani B. Security investment in contagious networks[J]. Risk Analysis, 2018, 38(8):1559-1575.
[11] Marotta A, Martinelli F, Nanni S, et al. Cyber-insurance survey[J]. Computer Science Review, 2017, 24:35-61.
[12] 向尚, 邹凯, 蒋知义,等. 基于随机森林的智慧城市信息安全风险预测[J]. 中国管理科学, 2016, 24(S1):277-281. Xiang Shang, Zou Kai, Jiang Zhiyi, et al. Risk prediction of smart city information security based on random forest[J]. Chinese Journal of Management Science, 2016, 24(S1):277-281.
[13] Eling M, Schnell W. What do we know about cyber risk and cyber risk insurance?[J]. The Journal of Risk Finance, 2016, 17(5):474-491.
[14] Khalili M M, Naghizadeh P, Liu M. Designing cyber insurance policies:The role of pre-screening and security interdependence[J]. IEEE Transactions on Information Forensics and Security, 2018, 13(9):2226-2239.
[15] Vakilinia I, Sengupta S. A coalitional cyber-insurance framework for a common platform[J]. IEEE Transactions on Information Forensics and Security, 2019, 14(6):1526-1538.
[16] 顾建强, 梅姝娥, 仲伟俊. 基于网络安全保险的信息系统安全投资激励机制[J]. 系统工程理论与实践, 2015, 35(4):1057-1062. Gu Jianqiang, Mei Sue, Zhong Weijun. Cyber insurance as an incentive for information system security[J]. Systems Engineering Theory & Practice, 2015, 35(4):1057-1062.
[17] Massacci F, Swierzbinski J, Williams J. Cyberinsurance and public policy:Self-protection and insurance with endogenous adversaries[J]. Paragraph, 2017, 1(2):1-38.
[18] 董坤祥, 谢宗晓, 甄杰,等. 相依风险下保险公司投资信息安全软件的最优决策分析[J]. 保险研究, 2019, 6:66-80. Dong Kunxiang, Xie Zongxiao, Zhen Jie. Optimal decision analysis of insurance company investment information security software under dependent risk[J]. Insurance Studies, 2019, (6):66-80.
[19] Zhao X, Xue L, Whinston A B. Managing interdependent information security risks:Cyberinsurance, managed security services, and risk pooling arrangements[J]. Journal of Management Information Systems, 2013, 30(1):123-152.
[20] Öǧüt H, Raghunathan S, Menon N. Cyber security risk management:Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection[J]. Risk Analysis:An International Journal, 2011, 31(3):497-512.
[21] Lee C H, Geng X, Raghunathan S. Mandatory standards and organizational information security[J]. Information Systems Research, 2016, 27(1):70-86.
[22] Laube S, B hme R. The economics of mandatory security breach reporting to authorities[J]. Journal of Cybersecurity, 2016, 2(1):29-41.
[23] Woods D, Simpson A. Policy measures and cyber insurance:A framework[J]. Journal of Cyber Policy, 2017, 2(2):209-226.

Optimal Decision Analysis of Information Security Investment and Cyber Insurance under Mandatory Constraints

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 2

Metrics

Comments

Recommended 0

[1]	DUAN Bai-ge, ZHANG Lian-zeng. Stochastic Reserves Development Methods Based on the Correlation Among Paid-Incurred Payments Data and Their Improvement [J]. Chinese Journal of Management Science, 2014, 22(4): 9-16.
[2]	SUN Yan, GUO Ju-e, WANG Le. The Game Analysis on Financing Guarantee Contract with Debt Exceeding [J]. Chinese Journal of Management Science, 2009, 17(3): 159-165.