
Crafting Global Competitive Economies: 2020 Vision Strategic Planning & Smart Implementation

Optimal Investment for Securing Enterprise Information Systems


Yosra Miaoui¹, Noureddine Boudriga¹, and Ezzeddine Abaoub²
¹ Communication Networks and Security Research Lab, University of Carthage, Tunisia.
² Faculty of Economic Sciences and Management of Tunis, University of Tunis El Manar, Tunisia.
Emails: yosra.miaoui@gmail.com, noure.boudriga2@gmail.com, abaoub.ezzeddine@planet.tn

Several research works in the literature compute the optimal amount of security investment from a
financial and economic perspective (Gordon and Loeb, 2002a; Cavusoglu et al., 2004; Huang and Behara,
2013; Joh, 2013). However, these works do not differentiate between the different types of vulnerabilities
and threats affecting an information system, and do not take into account the dynamic nature of
vulnerabilities and their potential variation over the investment period.
In this work we propose to use utility theory to compute the optimal security investment, taking into
account the variation of the vulnerability rate over time and the characteristics of each vulnerability
type. The evolution of vulnerabilities over time is predicted and forecast using regressions over 14 years
of statistics available in the National Vulnerability Database (NVD). A methodology is proposed to
compute the total optimal investment protecting against all types of vulnerabilities. The resulting
expressions are analysed to assess how the optimal investment and the breach probability vary with the
investment horizon for each type of vulnerability.

Keywords: Optimal Security Investment, financial security, security vulnerabilities, utility theory.

With the continuous development of Information and Communication Technologies, the number and the
variety of cyber attacks and security breaches keep increasing. As these attacks can cause financial loss,
reputation damage, and reduction of partners’ confidence, decision-makers should invest in information
security countermeasures.

Determining the optimal amount of security investment is still an open issue for decision-makers, as: a)
the financial budget allocated to information security is limited; b) completely securing an enterprise
information system is almost impossible to achieve; c) under-investment in security leads to an
unacceptable security risk, while over-investment in security does not bring a justifiable return on
investment; d) several factors influence the decision, including the nature of the information assets, the
type and number of vulnerabilities affecting the information system, the expected loss due to a potential
security breach, and the nature of the security threats to the information system; and e) vulnerabilities
are highly dynamic, and their variation may affect the efficiency of the optimal investment during the
investment horizon (i.e., the period of time following the investment during which the system's security
is expected to remain under control).

Several research works have addressed the optimal security investment problem from the financial and
economic perspective. They can be classified according to the framework or theory they use: a)
risk-return analysis frameworks and expected utility theory (Gordon and Loeb, 2002b; Bodin et al., 2005;
Huang et al., 2008); b) game theory (Cavusoglu et al., 2004; Cremonini and Martini, 2005), which models
the interactions between the attackers and the firm that invests in security solutions to protect its
assets, and seeks a stable optimum between them; c) real options theory (Ullrich, 2013), which adapts
financial option valuation techniques to support investment decisions under uncertainty.
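As an added example (not code from the paper), the following Python script forecasts a per-type vulnerability rate with a least-squares trend over constructed NVD-style yearly counts, then derives a year-by-year optimal investment and residual breach probability over the investment horizon, so the abstract's variation of investment and breach probability with the horizon can be seen on sample data. Because the paper's utility-based expressions are not given on this page, the Gordon and Loeb (2002) breach-probability function from the expected-utility family cited above is used as a stand-in; the counts, the normaliser, the loss, alpha and beta are all assumed values.

```python
# Added example: trend forecast over constructed NVD-style counts, then a
# Gordon-Loeb optimum per vulnerability type. Every number here is an assumption.

# Constructed 14-year yearly counts for two vulnerability types (not real NVD data).
YEARLY_COUNTS = {
    "injection": [120, 135, 150, 170, 180, 200, 215, 240, 250, 270, 290, 300, 320, 340],
    "crypto": [40, 42, 45, 44, 50, 52, 55, 57, 60, 63, 65, 68, 70, 72],
}
TOTAL_PER_YEAR = 1000  # assumed normaliser turning a yearly count into a rate v in (0, 1)


def linear_fit(ys):
    """Ordinary least squares for y = a + b*t over t = 0..n-1; returns (a, b)."""
    n = len(ys)
    t_mean = (n - 1) / 2
    y_mean = sum(ys) / n
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(ys))
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    b = sxy / sxx
    return y_mean - b * t_mean, b


def forecast_rate(ys, horizon, total=TOTAL_PER_YEAR):
    """Vulnerability rate v(t) for each of the `horizon` years after the last observed
    year, clipped so it stays a valid probability."""
    a, b = linear_fit(ys)
    n = len(ys)
    return [min(max((a + b * (n + h)) / total, 1e-6), 1 - 1e-6) for h in range(horizon)]


def gordon_loeb_optimum(v, loss, alpha, beta):
    """Breach probability after investing z: S(z, v) = v / (alpha*z + 1)**beta.
    Marginal benefit equals marginal cost (1) when alpha*beta*v*loss*(alpha*z+1)**-(beta+1) = 1;
    a negative root means v is too small to justify any investment, so z* = 0."""
    z = max(((alpha * beta * v * loss) ** (1 / (beta + 1)) - 1) / alpha, 0.0)
    return z, v / (alpha * z + 1) ** beta


def plan_investment(horizon, loss=1_000_000, alpha=1e-5, beta=1.0):
    """Per-type (z*, breach probability) for each horizon year, plus the total investment."""
    plan = {vtype: [gordon_loeb_optimum(v, loss, alpha, beta)
                    for v in forecast_rate(counts, horizon)]
            for vtype, counts in YEARLY_COUNTS.items()}
    total = sum(z for rows in plan.values() for z, _ in rows)
    return plan, total


if __name__ == "__main__":
    plan, total = plan_investment(horizon=5)
    for vtype, rows in plan.items():
        for year, (z, s) in enumerate(rows, start=1):
            print(f"{vtype:10s} year {year}: invest {z:10.0f}  breach prob {s:.3f}")
    print(f"total optimal investment over the horizon: {total:.0f}")
```

With these sample values the rising "injection" rate calls for a larger investment each year of the horizon, while the low "crypto" rate never crosses the Gordon-Loeb threshold and receives no investment at all.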
