IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v27y2016i4p897-918.html
   My bibliography  Save this article

When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security

Author

Listed:
  • Yonghua Ji

    (School of Business, University of Alberta, Edmonton, Alberta T6G 2R6, Canada)

  • Subodha Kumar

    (Mays Business School, Texas A&M University, College Station, Texas 77840)

  • Vijay Mookerjee

    (Naveen Jindal School of Management, University of Texas at Dallas, Richardson, Texas 75083)

Abstract

We study operational and managerial problems arising in the context of security monitoring where sessions, rather than raw individual events, are monitored to prevent attacks. The objective of the monitoring problem is to maximize the benefit of monitoring minus the monitoring cost. The key trade-off in our model is that as more sessions are monitored, the attack costs should decrease. However, the monitoring cost would likely increase with the number of sessions being monitored. A key step in solving the problem is to derive the probability density of a system with n sessions being monitored with a session’s age measured as the time elapsed since it last generated a suspicious event. We next optimize the number of sessions monitored by trading off the attack cost saved with the cost of monitoring. A profiling step is added prior to monitoring and a resulting two-dimensional optimization problem is studied. Through numerical simulation, we find that a simple size-based policy is quite robust for a very reasonable range of values and, under typical situations, performs almost as well as the two more sophisticated policies do. Also, we find that adopting a simplified policy without using the option of managing sessions using age threshold can greatly increase the ease of finding an optimal solution, and reduce operational overhead with little performance loss compared with a policy using such an option. The insights gained from the mechanics of profiling and monitoring are leveraged to suggest a socially optimal contract for outsourcing these activities in a reward-based contract. We also study penalty-based contracts. Such contracts (specifically, when the penalty is levied as a percentage of the monthly service fee) do not achieve the social optimum. We show how an appropriate penalty coefficient can be chosen to implement a socially optimal penalty-based contract. In addition, we provide a high-level comparison between reward- and penalty-based contracts. In a penalty-based contract, the setting of the fixed payment can be challenging because it requires additional knowledge of the total expected malicious event rate, which needs to be observed through a period of no monitoring.

Suggested Citation

  • Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    • Handle: RePEc:inm:orisre:v:27:y:2016:i:4:p:897-918
    DOI: 10.1287/isre.2016.0677
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2016.0677
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2016.0677?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Huseyin Cavusoglu & Byungwan Koh & Srinivasan Raghunathan, 2010. "An Analysis of the Impact of Passenger Profiling for Transportation Security," Operations Research, INFORMS, vol. 58(5), pages 1287-1302, October.
    2. Laura A. McLay & Sheldon H. Jacobson & John E. Kobza, 2006. "A multilevel passenger screening problem for aviation security," Naval Research Logistics (NRL), John Wiley & Sons, vol. 53(3), pages 183-197, April.
    3. Anindya Datta & Kaushik Dutta & Helen Thomas & Debra VanderMeer, 2003. "World Wide Wait: A Study of Internet Scalability and Cache-Based Approaches to Alleviate It," Management Science, INFORMS, vol. 49(10), pages 1425-1444, October.
    4. Huseyin Cavusoglu & Birendra Mishra & Srinivasan Raghunathan, 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, INFORMS, vol. 16(1), pages 28-46, March.
    5. Leslie P. Willcocks & Mary C. Lacity, 2009. "The Practice of Outsourcing," Palgrave Macmillan Books, Palgrave Macmillan, number 978-0-230-24084-1.
    6. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    7. Hulisi Ogut & Huseyin Cavusoglu & Srinivasan Raghunathan, 2008. "Intrusion-Detection Policies for IT Security Breaches," INFORMS Journal on Computing, INFORMS, vol. 20(1), pages 112-123, February.
    8. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    9. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    10. Robert Garfinkel & Ram Gopal & Steven Thompson, 2007. "Releasing Individually Identifiable Microdata with Privacy Protection Against Stochastic Threat: An Application to Health Information," Information Systems Research, INFORMS, vol. 18(1), pages 23-41, March.
    11. Xiao Fang & Olivia R. Liu Sheng & Wei Gao & Balakrishna R. Iyer, 2006. "A Data-Mining-Based Prefetching Approach to Caching for Network Storage Systems," INFORMS Journal on Computing, INFORMS, vol. 18(2), pages 267-282, May.
    12. Jacob W. Ulvila & John E. Gaffney, 2004. "A Decision Analysis Method for Evaluating Computer Intrusion Detection Systems," Decision Analysis, INFORMS, vol. 1(1), pages 35-50, March.
    13. Seungjin Whang, 1992. "Contracting for Software Development," Management Science, INFORMS, vol. 38(3), pages 307-324, March.
    14. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    15. Julie L. Virta & Sheldon H. Jacobson & John E. Kobza, 2003. "Analyzing the Cost of Screening Selectee and Non‐Selectee Baggage," Risk Analysis, John Wiley & Sons, vol. 23(5), pages 897-908, October.
    16. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2014. "Outsourcing Information Security: Contracting Issues and Security Implications," Management Science, INFORMS, vol. 60(3), pages 638-657, March.
    17. Vijay S. Mookerjee & Yong Tan, 2002. "Analysis of a Least Recently Used Cache Management Policy for Web Browsers," Operations Research, INFORMS, vol. 50(2), pages 345-357, April.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
    2. Fu-Hsiang Chen & Ming-Fu Hsu & Kuang-Hua Hu, 2022. "Enterprise’s internal control for knowledge discovery in a big data environment by an integrated hybrid model," Information Technology and Management, Springer, vol. 23(3), pages 213-231, September.
    3. Sam Ransbotham & Robert G. Fichman & Ram Gopal & Alok Gupta, 2016. "Special Section Introduction—Ubiquitous IT and Digital Vulnerabilities," Information Systems Research, INFORMS, vol. 27(4), pages 834-847, December.
    4. Suyuan Luo & Tsan‐Ming Choi, 2022. "E‐commerce supply chains with considerations of cyber‐security: Should governments play a role?," Production and Operations Management, Production and Operations Management Society, vol. 31(5), pages 2107-2126, May.
    5. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    2. Huseyin Cavusoglu & Byungwan Koh & Srinivasan Raghunathan, 2010. "An Analysis of the Impact of Passenger Profiling for Transportation Security," Operations Research, INFORMS, vol. 58(5), pages 1287-1302, October.
    3. Huseyin Cavusoglu & Young Kwark & Bin Mai & Srinivasan Raghunathan, 2013. "Passenger Profiling and Screening for Aviation Security in the Presence of Strategic Attackers," Decision Analysis, INFORMS, vol. 10(1), pages 63-81, March.
    4. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    5. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
    6. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    7. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    8. Kartik Hosanagar & Yong Tan, 2012. "Cooperative Cashing? An Economic Analysis of Document Duplication in Cooperative Web Caching," Information Systems Research, INFORMS, vol. 23(2), pages 356-375, June.
    9. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    10. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    11. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    12. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    13. Yan, Xihong & Ren, Xiaorong & Nie, Xiaofeng, 2022. "A budget allocation model for domestic airport network protection," Socio-Economic Planning Sciences, Elsevier, vol. 82(PB).
    14. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    15. Chuanxi Cai & Shue Mei & Weijun Zhong, 2019. "Configuration of intrusion prevention systems based on a legal user: the case for using intrusion prevention systems instead of intrusion detection systems," Information Technology and Management, Springer, vol. 20(2), pages 55-71, June.
    16. ÇakanyIldIrIm, Metin & Yue, Wei T. & Ryu, Young U., 2009. "The management of intrusion detection: Configuration, inspection, and investment," European Journal of Operational Research, Elsevier, vol. 195(1), pages 186-204, May.
    17. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    18. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    19. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2014. "Outsourcing Information Security: Contracting Issues and Security Implications," Management Science, INFORMS, vol. 60(3), pages 638-657, March.
    20. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:27:y:2016:i:4:p:897-918. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.