Choosing protection: User investments in security measures for cyber risk management

Author

Yoav Ben YAAKOV
Xinrun WANG, Singapore Management UniversityFollow
Joachim MEYER
Bo AN

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

11-2019

Abstract

Firewalls, Intrusion Detection Systems (IDS), and cyber-insurance are widely used to protect against cyber-attacks and their consequences. The optimal investment in each of these security measures depends on the likelihood of threats and the severity of the damage they cause, on the user’s ability to distinguish between malicious and non-malicious content, and on the properties of the different security measures and their costs. We present a model of the optimal investment in the security measures, given that the effectiveness of each measure depends partly on the performance of the others. We also conducted an online experiment in which participants classified events as malicious or non-malicious, based on the value of an observed variable. They could protect themselves by investing in a firewall, an IDS or insurance. Four experimental conditions differed in the optimal investment in the different measures. Participants tended to invest preferably in the IDS, irrespective of the benefits from this investment. They were able to identify the firewall and insurance conditions in which investments were beneficial, but they did not invest optimally in these measures. The results imply that users’ intuitive decisions to invest resources in risk management measures are likely to be non-optimal. It is important to develop methods to help users in their decisions.

Keywords

Cyber insurance, Cybersecurity, Decision making

Discipline

Information Security

Research Areas

Cybersecurity

Areas of Excellence

Digital transformation

Publication

Decision and Game Theory for Security: 10th International Conference, GameSec 2019, Stockholm, October 30 – November 1: Proceedings

Volume

11836

First Page

33

Last Page

44

ISBN

9783030324292

Identifier

10.1007/978-3-030-32430-8_3

Publisher

Springer

City or Country

Cham

Citation

YAAKOV, Yoav Ben; WANG, Xinrun; MEYER, Joachim; and AN, Bo. Choosing protection: User investments in security measures for cyber risk management. (2019). Decision and Game Theory for Security: 10th International Conference, GameSec 2019, Stockholm, October 30 – November 1: Proceedings. 11836, 33-44.
Available at: https://ink.library.smu.edu.sg/sis_research/9150

Copyright Owner and License

Authors

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1007/978-3-030-32430-8_3