You are here: Home Contents V12 N2 V12N2_Mai.html
Personal tools

Vulnerability Enhancement vs. Loss Mitigation: Optimal Information Security Investment



Full text

Journal of Information Systems Security
Volume 12, Number 2 (2016)
Pages 7590
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Bin Mai — University of North Texas, Denton, USA
Shailesh Kulkarni — University of North Texas, Denton, USA
Mohammad Salehan — State Polytechnic University, Pomona, USA
Information Institute Publishing, Washington DC, USA




In this paper, we study information security investment for target asset protection. Most existing studies focus on the investment in information security that impacts the target asset’s vulnerability while assuming that the loss resulting from a successful security breach is irrelevant to the security investment. We recognize the practice of information security investment in mitigating the resultant loss of security breaches and incorporate this important aspect of information security investment decision making in a mathematical modeling framework. We address the simultaneous impacts of security investment on not only the vulnerability of the target system, but also to the potential loss if the attack succeeds. Our results shed significant new light on optimal information security investment, including the conditions under which the information security investment should be focused more on vulnerability enhancement than loss mitigation, or vice versa; how the target asset’s inherent vulnerability and potential loss after successful breach would impact the investment on either aspect, and how total a budget constraint would affect the optimal investment decision.




Information Security, Optimal Investment, Information Systems, Optimization, Vulnerability, Loss Mitigation




Blakley, B., McDermott, E., and Geer, D. (2001). Information security is information risk management. Proceedings of the 2001 workshop on New security paradigms, ACM, pp. 97-104.

Bojanc, R., and Jerman-Blažič, B. (2012). Quantitative model for economic analyses of information security investment in an enterprise information System. Organizacija (45:6), pp. 276-288.

Cutter, S. L. (1996). Vulnerability to environmental hazards. Progress in Human Geography, Vol. 10, No. 4, pp. 529 - 539.

FEMA. (2010). Tribal multi-hazard mitigation planning guidance.

guidance_may2010.pdf, accessed on July 14, 2015.

FEMA. (2011). National preparedness goal., accessed pm July 14, 2015.

Ganeshan, R., Shailesh, K., and Boone, T. (2001). Production economics and process quality: A taguchi perspective. International Journal of Production Economics, Vol. 71, No. 1-3, pp. 343-350.

Gordon, L.A., and Loeb, M.P. (2002). The economics of information security investment. ACM Transactions on Information and System Security (5:4), pp. 438-457.

Grossklags, J., Christin, N. and Chuang, J. (2008). Secure or Insure? A Game-Theoretic Analysis of Information Security Games. 17th International World Wide Web Conference, Beijing, China.

Hausken, K. (2006). Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, (8:5), pp . 338-349.

Hausken, K. (2014). Returns to information security investment: Endogenizing the expected loss. Information Systems Frontiers, (16:2), pp. 329-336.

Huang, C.D., and Behara, R.S. (2013). Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints. International Journal of Production Economics, (141:1), pp. 255-268.

Huang, C.D., Hu, Q., and Behara, R.S. (2008). An economic analysis of the optimal information security investment in the case of a risk-averse firm. International Journal of Production Economics, (114:2), pp. 793-804.

IBM. (2013). The economics of IT risk and reputation: What business continuity and IT security really mean to your organization., accessed on October 4, 2015

Lenstra, A. and Voss, T. (2004). Information Security Risk Assessment, Aggregation, and Mitigation, in H. Wang et al. (Eds.): ACISP 2004, LNCS 3108, pp. 391–401.

Kulkarni, S. and Prybutok, V. (2004). Process investment and loss functions: Models and analysis. European Journal of Operational Research, Vol. 157, No. 1, pp. 120-129.

Maiwald, E. (2001). Network security: a beginner's guide, McGraw-Hill Professional.

Okolita, K. (2009). How to Perform a Disaster Recovery Business Impact Analysis., accessed on October 4, 2015.

Willemson, J. (2006). On the Gordon & Loeb model for information security investment. Workshop on the Economics of Information Security, UK: Cambridge.

Ye, R.Y., Jiang, Z., and Wang, Q. (2014). Economics of information security investment integrated with IDS and attacker’s behavior. Applied Mechanics and Materials, Trans Tech Publ, pp. 928-931.