Optimal Investment for Securing Enterprise Information Systems

Abstract:

Several studies in the literature compute the optimal amount of security investment from a financial and economic perspective [8], [6], [10], [13]. However, these works do not differentiate between the types of vulnerabilities and threats affecting an information system, and they do not take into account the dynamic behaviour of vulnerabilities and their potential variation over the investment period. In this work we propose using utility theory to compute the optimal security investment, accounting for the variation of the vulnerability rate over time and the characteristics of each vulnerability type. Prediction and forecasting of the evolution of vulnerabilities over time are conducted using regressions over 14 years of statistics available in the National Vulnerability Database (NVD). A methodology is proposed to compute the total optimal investment protecting against all types of vulnerabilities. An analysis of the obtained expressions is conducted to assess the variation of the optimal investment and breach probab
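The abstract's forecasting step, regressing yearly vulnerability counts and projecting them over the investment horizon, is illustrated below. This is an added example, not code from the paper; the 14-year series is constructed for illustration and is not actual NVD data, and the choice of a linear trend (the abstract says only "regressions") is an assumption made here. The fit uses the ordinary least-squares formulas directly so it runs on the standard library alone.

```python
"""Forecast yearly vulnerability counts over an investment horizon (added example).

Assumptions (not from the paper): a linear trend in yearly counts, and a
CONSTRUCTED 14-year series standing in for NVD statistics.
"""
from statistics import mean

# Constructed yearly counts of disclosed vulnerabilities, NOT real NVD figures.
# The series is linear (1000 + 400 per year) with a few symmetric deviations so
# the fit is exact but the residuals are non-zero.
CONSTRUCTED_COUNTS = {
    2001: 1000, 2002: 1400, 2003: 1860, 2004: 2200, 2005: 2600,
    2006: 2940, 2007: 3400, 2008: 3800, 2009: 4140, 2010: 4600,
    2011: 5000, 2012: 5460, 2013: 5800, 2014: 6200,
}


def fit_linear(xs, ys):
    """Ordinary least-squares line y = intercept + slope * x.

    Returns (slope, intercept, r_squared). r_squared is the share of the
    variance in ys explained by the trend; a low value means the forecast
    should not be trusted and another regression model should be tried.
    """
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    x_bar, y_bar = mean(xs), mean(ys)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all x values identical; slope undefined")
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = y_bar - slope * x_bar
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - y_bar) ** 2 for y in ys)
    r2 = 1.0 - ss_res / ss_tot if ss_tot else 1.0
    return slope, intercept, r2


def forecast_counts(counts_by_year, horizon):
    """Project the yearly count for each of the next `horizon` years.

    Years are re-indexed from 0 (first observed year) before fitting so the
    intercept is the modelled count of the first year rather than year 0 AD.
    Returns (forecast dict year -> rounded count, r_squared of the fit).
    """
    years = sorted(counts_by_year)
    first = years[0]
    xs = [y - first for y in years]
    ys = [counts_by_year[y] for y in years]
    slope, intercept, r2 = fit_linear(xs, ys)
    n = len(years)
    forecast = {
        first + n + k: round(intercept + slope * (n + k)) for k in range(horizon)
    }
    return forecast, r2


def relative_rates(counts_by_year, horizon):
    """Forecast count of each horizon year relative to the last observed year.

    This is the per-year factor by which the vulnerability rate is expected to
    change over the investment period, the quantity the abstract says the
    optimal investment must account for.
    """
    forecast, _ = forecast_counts(counts_by_year, horizon)
    last_observed = counts_by_year[max(counts_by_year)]
    return {year: count / last_observed for year, count in forecast.items()}


if __name__ == "__main__":
    fc, r2 = forecast_counts(CONSTRUCTED_COUNTS, horizon=3)
    print(f"fit r^2 = {r2:.4f}")
    for year, count in fc.items():
        print(f"{year}: {count}")
    print(relative_rates(CONSTRUCTED_COUNTS, horizon=3))
```

Before using such a forecast inside an investment model, check the r-squared of the fit and compare against alternative regressions (for instance a log-linear model if counts grow multiplicatively), since an investment horizon of several years amplifies any error in the trend.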