Optimal information system security investment: A control-theoretic approach to balancing continuous maintenance and periodic upgrades

The cost of cyberattacks is expected to exceed $10 trillion in 2025, making investment decisions in information system security in a fast-changing threat environment critical. The objective of this research is to develop a control-theoretic model to manage a firm’s information security level over time by addressing the optimal balance between continuous maintenance and major periodic upgrades. Existing models typically focus on using only one type of investment, either continuous or periodic (discrete). Our research focuses on determining how firms can develop optimal dynamic security policies that may consist of continuous maintenance alone, periodic upgrades alone, or a dual policy combining both approaches. We offer a structured framework to design information security policies tailored to a firm’s specific needs and operational environment by modeling the trade-offs between upgrade costs, breach-related losses, and deterioration of system security. The main findings are: (1) The dual policy is preferred for systems vulnerable to technological changes or cyberattacks, where continuous maintenance alone is insufficient; (2) The periodic upgrades-only policy is suitable for smaller systems with lower risks and less frequent updates; and (3) The continuous maintenance-only policy is appropriate for low-risk environments where the security infrastructure is simple. In particular, the dual policy exhibits a predictable, cyclical structure that simplifies decision-making by establishing consistent threshold-driven actions over regular intervals.