Optimal Investment In Is Security: A Game Theoretical Approach
MetadataShow full item record
Type of WorkText
DepartmentBusiness and Management
ProgramDoctor of Philosophy
RightsThis item is made available by Morgan State University for personal, educational, and research purposes in accordance with Title 17 of the U.S. Copyright Law. Other uses may require permission from the copyright owner.
Information storage and retrieval systems--Security measures
With the development and popularity of personal computers, networks, the Internet, and Information Technologies (IT), the scale and scope of cyber attacks on IT-based information systems is on the rise. Recurring intrusions into information systems (IS) have increased financial losses, becoming burdensome to the operational budgets of many organizations. The objective of IS security is to minimize organizations' potential losses by balancing the investment cost and financial losses from IS breaches. However, the optimal investment decision has been overlooked in the area of IS security. In this dissertation, we analyzed the optimal IS investment decision and its sensitivity to key factors. To accomplish this, we reviewed the literature in several fields, including IS security, cyber terrorism, economics, and deterrence. In this dissertation, game theory and stochastic games were used to analyze the investment as the outcome of a game between organizations and hackers. We proposed a general one-stage static game model and a two-stage dynamic stochastic game model, both of which can be applied to all cyber crimes. The simulation results proved that breach function sensitivity, hacker's self-deterrence, and hacker's preferences affected the optimal investment in IS security. The major contribution of this study is the proposal of new approaches to determine the optimal investment for IS security. We integrated the IS security economic investment discipline with the game theory discipline to address the drawbacks in each of these disciplines. We applied the reinforcement learning theory to IS security investment. Our stochastic game model properly modeled IS security investment and its reinforcement learning process. The stochastic game theoretical approach allowed us to model organizations' factors and hacker's factors, both of which affected the optimal investment. The stochastic game model also incorporated the time element, which most of the prior research on IS security did not take into account. This dissertation provides more insight and understanding into IS security management. The results of our study can be generalized to other areas such as cyber terrorism and financial fraud prevention.