Managing the security of information systems with partially observable vulnerability

We consider the security maintenance of information systems where the extent of vulnerability is partially observable. However, the exact extent of the vulnerability can be observed by paying an inspection fee. In each period, the decision‐maker needs to take one of three decisions: (i) do nothing, (ii) inspect and implement (fix the vulnerability) if needed, and (iii) directly implement. We prove that the optimal policy follows a threshold structure. For each value of k (the known vulnerability), there are two thresholds for the partial information: the lower of the two thresholds dictates whether for this value of k, inspection is optimal before a possible implementation or whether direct implementation (i.e., without inspection) is optimal. If inspection is done, another threshold determines whether an implementation is done or not. If neither threshold applies, it is optimal to do nothing. We develop a numerical procedure to find the decision variables in the maintenance policy. We extend the main model to include variable implementation and inspection costs. The optimality of the threshold policy is shown to hold under more general settings. We apply the model to a real‐world problem and demonstrate its applicability and value in managing security systems. Here, we study the security maintenance policies for three different real‐world telecommunications operators and find that these operators can significantly reduce the cost of managing their security by adopting our proposed policy. Another finding is that inspection is more beneficial for medium‐sized to large‐sized operators.