APPLICATION OF THE ECONOMIC-COST MODEL OF INFORMATION RISKS FOR EVALUATING THE LIMIT VOLUME OF INVESTMENT IN INFORMATION SECURITY
DOI: https://doi.org/10.18372/2410-7840.17.9517
Keywords: risk, risk modeling, economic and cost models, the range of reasonable investment.
Abstract
The article analyzes the problem of determining the maximum amount of investment in information security. The Gordon-Loeb approach, which derives an upper bound on the investment in information security, is examined, together with the publications that expose and develop it. It is shown that this approach does not give a unique answer. The reason is the subjective, formal-approximation way in which the model underlying the solution (the security breach function) is defined: it admits a multiplicity of possible models and, as a result, a multiplicity of solutions. An approach to determining the amount of investment in an information protection system is proposed that is based on a study of the model of information risks; the structure and parameters of that model are formed from information about the actual mechanisms by which information threats are developed and implemented. An economic-cost model is applied to estimate the probability that an attack on a vulnerability of the information system succeeds. On this basis the paper proposes an estimate of the maximum amount of investment in information security: 25% of the value of the protected information resource (or of the losses arising from the realization of the threat to this resource). It is noted that where high-performance technologies and solutions are used in the information security system, the level of investment may be reduced to 11-13%. Prospects for applying models based on the motivational and resource relations characteristic of the "attack-defense" situation in the information sphere are considered.
References
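The abstract's point that the Gordon-Loeb approach admits many breach-function models and therefore many "optimal" investment levels can be made concrete with the two breach-function classes of the 2002 paper cited below. The following is an added example, not code from the article or its authors: the breach functions, the expected-net-benefit criterion and the 1/e bound are Gordon and Loeb's; the sample values of v, L, alpha and beta and all helper names are constructed here for illustration, and the 25% figure is quoted from the abstract only for comparison.

```python
"""Gordon-Loeb optimal investment for the two breach-function classes.

Added example, not code from the article or its authors. The breach
functions, the expected-net-benefit criterion and the 1/e bound are from
Gordon & Loeb (2002), listed in the references; everything else (the sample
v, L, alpha, beta values and the helper names) is constructed here.

Symbols, as in Gordon & Loeb:
  v        vulnerability: breach probability with no extra investment, 0 < v < 1
  L        loss if the breach occurs (value of the protected resource)
  z        investment in security, z >= 0
  S(z, v)  breach probability after investing z
  ENBIS(z) = (v - S(z, v)) * L - z   expected net benefit of the investment
"""
import math

GL_BOUND = 1.0 / math.e   # Gordon-Loeb: z* <= v*L/e for both classes
ARTICLE_SHARE = 0.25      # the article's estimate: 25% of the resource value


def s_class1(z, v, alpha=1.0, beta=1.0):
    """Class I breach function: S = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def s_class2(z, v, alpha=1.0):
    """Class II breach function: S = v**(alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, L, breach_prob):
    """Expected net benefit of investing z under a given breach function."""
    return (v - breach_prob(z, v)) * L - z


def z_star_class1(v, L, alpha=1.0, beta=1.0):
    """Optimum for class I from d ENBIS/dz = 0, i.e.
    v*alpha*beta*L = (alpha*z + 1)**(beta + 1); 0 if investing never pays."""
    z = ((v * alpha * beta * L) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def z_star_class2(v, L, alpha=1.0):
    """Optimum for class II from d ENBIS/dz = 0, i.e.
    -alpha*L*ln(v) * v**(alpha*z + 1) = 1; 0 if investing never pays."""
    z = (math.log(-1.0 / (alpha * L * math.log(v))) / math.log(v) - 1.0) / alpha
    return max(z, 0.0)


def z_star_numeric(v, L, breach_prob, steps=100000):
    """Grid search of ENBIS on [0, v*L] (investing more than the expected
    loss never pays). Checks the closed forms, and is all that is available
    when S(z, v) is only known numerically."""
    best_z, best_val = 0.0, enbis(0.0, v, L, breach_prob)
    for i in range(1, steps + 1):
        z = v * L * i / steps
        val = enbis(z, v, L, breach_prob)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def share(z, v, L):
    """Investment as a fraction of the expected loss v*L."""
    return z / (v * L)


def max_share(cls, beta=1.0):
    """Largest z*/(v*L) each class can reach (maximise the share over alpha):
    (beta/(beta+1))**(beta+1) for class I, which is 1/4 at beta = 1 and rises
    toward 1/e as beta grows; exactly 1/e for class II."""
    if cls == 1:
        return (beta / (beta + 1.0)) ** (beta + 1.0)
    return 1.0 / math.e


def alpha_at_max_share(v, L, cls, beta=1.0):
    """The alpha at which that maximum is attained (from the same calculus)."""
    if cls == 1:
        w = (beta + 1.0) / beta              # alpha*z* + 1 at the maximising alpha
        return w ** (beta + 1.0) / (v * beta * L)
    return math.e / (-v * L * math.log(v))


def compare_models(v=0.5, L=1000.0, alpha=0.01):
    """Same v, L and alpha, two admissible breach functions, two different
    optima: the 'many models, many solutions' point made in the abstract."""
    return {"class1": share(z_star_class1(v, L, alpha), v, L),
            "class2": share(z_star_class2(v, L, alpha), v, L)}


if __name__ == "__main__":
    v, L = 0.5, 1000.0                       # constructed sample values
    print("shares at alpha=0.01:", compare_models(v, L))
    for cls, z_star, s in ((1, z_star_class1, s_class1), (2, z_star_class2, s_class2)):
        a = alpha_at_max_share(v, L, cls)
        z_cf = z_star(v, L, a)
        z_num = z_star_numeric(v, L, lambda z, vv: s(z, vv, a))
        print(f"class {cls}: z*={z_cf:.2f} (numeric {z_num:.2f}), share={share(z_cf, v, L):.4f},"
              f" bound 1/e={GL_BOUND:.4f}, article 25%={ARTICLE_SHARE}")
```

With the same v, L and alpha, the two classes recommend investing about 25% and about 36% of the expected loss respectively, which is the non-uniqueness the abstract objects to. The 1/e bound is tight only for class II; class I with beta = 1 can never exceed 1/4, a number that coincides with the article's 25% figure, although the article reaches that figure through its own economic-cost model, which the abstract does not detail.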
Лукацкий А. В. The security percentage [online resource]. 2013. Available at: http://www.it-world.ru/safety/58323.html
Петренко С. А., Симонов С. В. Information risk management. Moscow: Компания АйТи, ДМК Пресс, 2004. 384 p.
Gordon L.A., Loeb M.P. The Economics of Information Security Investment. ACM Transactions on Information and System Security, 2002, vol. 5, no. 4, pp. 438-457.
Hausken K. Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 2006, vol. 8, no. 5, pp. 338-349.
Willemson J. On the Gordon & Loeb Model for Information Security Investment. Proceedings of the Fifth Workshop on the Economics of Information Security (WEIS 2006), 2006, pp. 101-112.
Willemson J. Extending the Gordon & Loeb Model for Information Security Investment. Fifth International Conference on Availability, Reliability, and Security (ARES 2010), 2010, pp. 258-261.
Gordon L.A., Loeb M.P., Lucyshyn W., Zhou L. Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 2015, vol. 6, pp. 24-30.
Архипов А.Е., Архипова С.А. Application of motivational-cost models for describing probabilistic relations in the "attack-defense" system. Правове, нормативне та метрологічне забезпечення системи захисту інформації в Україні, 2008, no. 1(16), pp. 57-61.
Архипов А.Е. Application of economic-motivational relations for estimating the probabilistic parameters of information risks. Захист інформації, 2011, no. 2(51), pp. 69-76.
Архипов О.Є., Скиба А.В. Information risks: methods and means of research, risk models and methods of their identification. Захист інформації, 2013, vol. 15, no. 4, pp. 366-375.
Архипов А.Е., Архипова С.А., Скиба А.В. Application of cost-value models for estimating the probabilistic parameters of information risks. Інформаційна безпека, 2013, no. 2(10), pp. 11-18.
Архипов О.Є., Муратов О.Є. Criteria for determining the possible damage to the national security of Ukraine from the disclosure of state-protected information: monograph. Kyiv: Scientific Publishing Department of the National Academy of the Security Service of Ukraine, 2011. 195 p.
License
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal the right of first publication, with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (see The Effect of Open Access).