Cyber-security breaches inflict significant costs on organizations. Hence, developing an information-systems defense capability through cyber-security investment is a prerequisite. The question of how to determine the optimal amount to invest in cyber-security has been widely investigated in the literature. In this respect, the Gordon-Loeb model and its extensions have received wide-scale acceptance. However, such models predominantly rely on restrictive assumptions that are not suited to analyzing the dynamic aspects of cyber-security investment. Yet understanding such dynamic aspects is a key requirement for studying cyber-security investment in the context of a fast-paced and continuously evolving technological landscape. We propose an extension of the Gordon-Loeb model that considers multiple periods and relaxes the assumption of a continuous security-breach probability function. Such theoretical adaptations make it possible to capture dynamic aspects of cyber-security investment, such as the advent of a disruptive technology and its investment consequences. The proposed extension of the Gordon-Loeb model leaves room for a hypothetical decrease in the optimal level of cyber-security investment due to a potential technological shift. While we believe our framework should be generalizable across the cyber-security milieu, we illustrate our approach in the context of critical-infrastructure protection, where security-cost reductions related to risk events are of paramount importance because potential losses reach unaffordable proportions. Moreover, despite the fact that some technologies are considered disruptive and thus promising for critical-infrastructure protection, their effects on cyber-security investment have received little discussion.
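The following is an added, constructed illustration of the ideas the abstract describes; it is not the paper's own model or code. Period 1 uses the standard single-period Gordon-Loeb setup with the class-1 breach-probability function S(z, v) = v / (alpha*z + 1)^beta, for which the optimum has a closed form. Period 2 assumes, purely as a hypothetical, that a disruptive technology makes S(z) discontinuous (the old curve below a fixed adoption cost, a lower-vulnerability curve above it), so the first-order condition no longer applies and a grid search is used instead. The parameter values (V, LOSS, ALPHA, BETA, ADOPTION_COST, V_AFTER_SHIFT), the step shape of the post-shift function, and the simplification that each period is optimized independently are all assumptions of this example, not statements from the paper.

```python
"""Constructed Gordon-Loeb illustration (example code, not the paper's model)."""
import math


def breach_prob(z, v, alpha, beta):
    """Gordon-Loeb class-1 security-breach probability after investing z."""
    return v / (alpha * z + 1) ** beta


def enbis(z, v, loss, s_fn):
    """Expected net benefit of information security: avoided loss minus cost."""
    return (v - s_fn(z)) * loss - z


def optimal_investment_closed_form(v, loss, alpha, beta):
    """z* from the first-order condition -dS/dz * L = 1 for the class-1 function."""
    z = ((v * alpha * beta * loss) ** (1.0 / (beta + 1)) - 1.0) / alpha
    return max(0.0, z)


def optimal_investment_grid(objective, z_max, steps=100_000):
    """Brute-force maximiser over [0, z_max]; usable when S is discontinuous."""
    best_z, best_val = 0.0, objective(0.0)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = objective(z)
        if val > best_val:
            best_z, best_val = z, val
    return best_z, best_val


# Constructed parameters (hypothetical values, not taken from the paper).
V, LOSS, ALPHA, BETA = 0.6, 1_000_000.0, 1e-5, 1.0
ADOPTION_COST = 50_000.0   # assumed fixed cost of adopting the disruptive technology
V_AFTER_SHIFT = 0.3        # assumed residual vulnerability once it is in place


def s_period1(z):
    """Continuous breach-probability function of the classic model."""
    return breach_prob(z, V, ALPHA, BETA)


def s_period2(z):
    """Discontinuous S: old curve below the adoption cost, a better curve above it."""
    if z < ADOPTION_COST:
        return s_period1(z)
    return breach_prob(z - ADOPTION_COST, V_AFTER_SHIFT, ALPHA, BETA)


def plan_investment():
    """Optimal investment per period; periods are optimised independently (assumption)."""
    z1 = optimal_investment_closed_form(V, LOSS, ALPHA, BETA)
    z1_grid, _ = optimal_investment_grid(lambda z: enbis(z, V, LOSS, s_period1), V * LOSS)
    z2, benefit2 = optimal_investment_grid(lambda z: enbis(z, V, LOSS, s_period2), V * LOSS)
    return {
        "period1_closed_form": z1,
        "period1_grid": z1_grid,
        "one_over_e_bound": V * LOSS / math.e,   # Gordon-Loeb's z* <= vL/e bound
        "period2": z2,
        "period2_benefit": benefit2,
    }


if __name__ == "__main__":
    for key, value in plan_investment().items():
        print(f"{key:>22}: {value:,.2f}")
```

With these constructed numbers the grid search reproduces the closed-form period-1 optimum to within its step size, and the period-2 optimum (adoption cost plus the post-shift investment) comes out lower than the period-1 optimum, which is the kind of investment decrease after a technological shift that the abstract describes as possible.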