DOI: 10.1007/978-3-030-32430-8_3
Article

Choosing Protection: User Investments in Security Measures for Cyber Risk Management

Published: 30 October 2019

Abstract

Firewalls, Intrusion Detection Systems (IDS), and cyber-insurance are widely used to protect against cyber-attacks and their consequences. The optimal investment in each of these security measures depends on the likelihood of threats and the severity of the damage they cause, on the user’s ability to distinguish between malicious and non-malicious content, and on the properties of the different security measures and their costs. We present a model of the optimal investment in the security measures, given that the effectiveness of each measure depends partly on the performance of the others. We also conducted an online experiment in which participants classified events as malicious or non-malicious, based on the value of an observed variable. They could protect themselves by investing in a firewall, an IDS or insurance. Four experimental conditions differed in the optimal investment in the different measures. Participants tended to invest preferably in the IDS, irrespective of the benefits from this investment. They were able to identify the firewall and insurance conditions in which investments were beneficial, but they did not invest optimally in these measures. The results imply that users’ intuitive decisions to invest resources in risk management measures are likely to be non-optimal. It is important to develop methods to help users in their decisions.

      Published In

      Decision and Game Theory for Security: 10th International Conference, GameSec 2019, Stockholm, Sweden, October 30 – November 1, 2019, Proceedings
      Oct 2019
      595 pages
      ISBN:978-3-030-32429-2
      DOI:10.1007/978-3-030-32430-8

      Publisher

      Springer-Verlag

      Berlin, Heidelberg

      Author Tags

      1. Decision making
      2. Cyber insurance
      3. Cybersecurity
