Economics of Information Security Investment in the Case of Simultaneous Attacks

With billions of dollars being spent on information security related products and services each year, the economics of information security investment has become an important area of research, with significant implications for management practices. Drawing on recent studies that examine optimal security investment levels under various attack scenarios, we propose an economic model that considers simultaneous attacks from multiple external agents with distinct characteristics, and derive optimal investments based on the principle of benefit maximization. The relationships among the major variables, such as systems vulnerability, security breach probability, potential loss of security breach, and security investment levels, are investigated via analytical and numerical analyses subject to various boundary conditions. In particular, our model shows how a firm should allocate its limited security budget to defend against two types of security attacks (distributed and targeted) simultaneously. Among the results of these analyses, we find that a firm with a small security budget is better off allocating most or all of the investment to measures against one of the classes of attack. Further, when the potential loss from the targeted attacks and the system vulnerability are relatively large, the focal firm should allocate most of its budget to such attacks.