Network Structures, Audit Policies and the Cost of Security Breaches
Output type:
Article; Early Access
Authors:
Ghosh, Vashkar; Paul, Anand; Zhang, Na; Zhu, Lingjiong
Author affiliations:
University of North Carolina; University of North Carolina Greensboro; State University System of Florida; University of Florida; Wichita State University; State University System of Florida; Florida State University
Journal:
PRODUCTION AND OPERATIONS MANAGEMENT
ISSN/ISBN:
1059-1478
DOI:
10.1177/10591478251356431
Publication date:
2025
Keywords:
Security Breaches
Cost of Breach
Network
Audit Policies
Abstract:
Over the last decade, and increasingly in recent years, a wide range of industries and organizations have been subject to IT-related security threats and cybersecurity breaches of varying severity at an alarming rate. A common practice organizations adopt to ensure system and network security is to conduct regular audits and assessments. This paper takes an organizational-strategy perspective to analytically model the cost impact of random breaches in various types of networks subject to different types of audit policy. The analysis focuses on the interplay between the cost associated with a security breach on the one hand and the audit policy on the other. We develop a model of a non-stationary stochastic arrival process of security breaches and analyze its impact on the mean and variance of total cost for different network configurations and audit policies. The generality of our modeling of the arrival process and of the cost function permits a variety of attack and cost landscapes to be modeled and analyzed, with different breach intensities and costs (as functions of time) leading to different recommendations for an effective audit policy. Our analysis highlights the impact of breach intensity and breach cost on the interaction between network configurations and audit policies. One counter-intuitive finding is that under high security-threat conditions a centralized network has both a lower mean and a lower variance of total cost than a decentralized network under cyclic and random audit policies; this analytically derived proposition is an interesting instance of a dual risk-pooling effect that goes beyond conventional risk pooling. We extend our analysis to an asymmetric network and to correlated breaches.
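The abstract names the ingredients of the model (a non-stationary breach arrival process, a time-dependent breach cost, cyclic versus random audits, centralized versus decentralized networks, and the mean and variance of total cost) without giving its equations. As an added example, not code from the paper and not its model, the Python sketch below shows how such quantities can be estimated by Monte Carlo simulation. Every modeling choice in it is an assumption of this example: breaches arrive as a non-homogeneous Poisson process sampled by Lewis-Shedler thinning, a breach costs its severity at arrival times the time it stays undetected until the next audit, a decentralized network assigns each breach uniformly at random to one of `n_nodes` separately audited nodes, and every node keeps the same audit period. The intensity and severity functions in the `__main__` block are constructed inputs.

```python
"""Monte Carlo sketch of breach cost under audit policies.

Added example, not the paper's model. Assumptions (none come from the abstract):
- breaches arrive as a non-homogeneous Poisson process with intensity lam(t),
  sampled by Lewis-Shedler thinning;
- a breach costs severity(t_arrival) * (time until the next audit), so the audit
  schedule controls how long a breach goes undetected;
- a centralized network is one audited node receiving all breaches; a
  decentralized one splits breaches uniformly over n_nodes, each with its own
  audit schedule of the same period (so it spends n_nodes times the audit effort).
"""
import math
import random
import statistics
from typing import Callable, List, Sequence, Tuple


def simulate_nhpp(lam: Callable[[float], float], lam_max: float,
                  horizon: float, rng: random.Random) -> List[float]:
    """Arrival times on (0, horizon] by thinning a rate-lam_max Poisson process."""
    t, arrivals = 0.0, []
    while True:
        t += rng.expovariate(lam_max)
        if t > horizon:
            return arrivals
        rate = lam(t)
        assert 0.0 <= rate <= lam_max, "lam_max must dominate lam(t)"
        if rng.random() < rate / lam_max:  # keep candidate with prob lam(t)/lam_max
            arrivals.append(t)


def cyclic_audits(period: float, horizon: float, offset: float = 0.0) -> List[float]:
    """Deterministic audits at offset + period, offset + 2*period, ... up to horizon."""
    audits, t = [], offset + period
    while t <= horizon:
        audits.append(t)
        t += period
    return audits


def random_audits(mean_gap: float, horizon: float, rng: random.Random) -> List[float]:
    """Audits as a Poisson process with the same long-run frequency as a cycle of mean_gap."""
    return simulate_nhpp(lambda _t: 1.0 / mean_gap, 1.0 / mean_gap, horizon, rng)


def detection_time(arrival: float, audits: Sequence[float], horizon: float) -> float:
    """First audit at or after arrival; an undetected breach is charged to the horizon."""
    return next((a for a in audits if a >= arrival), horizon)


def total_cost(arrivals: Sequence[float], audits: Sequence[float], horizon: float,
               severity: Callable[[float], float]) -> float:
    """Sum over breaches of severity at arrival times the undetected exposure time."""
    return sum(severity(a) * (detection_time(a, audits, horizon) - a) for a in arrivals)


def sample_path_cost(rng: random.Random, lam, lam_max: float, horizon: float,
                     severity, n_nodes: int, policy: str, period: float) -> float:
    """One sample path: total breach cost for a network of n_nodes (1 = centralized)."""
    if policy == "cyclic":  # stagger node audits so the audit effort is spread in time
        schedules = [cyclic_audits(period, horizon, i * period / n_nodes) for i in range(n_nodes)]
    elif policy == "random":
        schedules = [random_audits(period, horizon, rng) for _ in range(n_nodes)]
    else:
        raise ValueError(f"unknown audit policy {policy!r}")
    per_node: List[List[float]] = [[] for _ in range(n_nodes)]
    for a in simulate_nhpp(lam, lam_max, horizon, rng):
        per_node[rng.randrange(n_nodes)].append(a)  # each breach lands on one node
    return sum(total_cost(per_node[i], schedules[i], horizon, severity) for i in range(n_nodes))


def mean_var(samples: Sequence[float]) -> Tuple[float, float]:
    """Sample mean and population variance of the simulated total costs."""
    return statistics.fmean(samples), statistics.pvariance(samples)


def monte_carlo(n_runs: int, seed: int, **kwargs) -> Tuple[float, float]:
    """Mean and variance of total cost over n_runs independent sample paths."""
    rng = random.Random(seed)
    return mean_var([sample_path_cost(rng, **kwargs) for _ in range(n_runs)])


if __name__ == "__main__":
    horizon, period = 100.0, 5.0
    severity = lambda t: 1.0 + 0.01 * t  # constructed: damage per unit exposure grows over time
    for label, lam_max in (("low threat", 0.2), ("high threat", 5.0)):
        # constructed seasonal intensity, bounded above by lam_max as thinning requires
        lam = lambda t, m=lam_max: m * (0.5 + 0.5 * math.sin(t / 10.0))
        for n_nodes in (1, 4):
            for policy in ("cyclic", "random"):
                m, v = monte_carlo(2000, 7, lam=lam, lam_max=lam_max, horizon=horizon,
                                   severity=severity, n_nodes=n_nodes, policy=policy, period=period)
                print(f"{label:11s} nodes={n_nodes} {policy:6s} mean={m:9.2f} var={v:12.2f}")
```

To explore the abstract's question with this toy, vary `lam_max` (threat intensity), the shape of `severity`, and `period`, and compare the four (network, policy) cells; holding the total audit budget fixed instead of the per-node period (for example `period * n_nodes` per node) is a one-line change that materially alters the comparison, which is exactly why the paper's own cost and audit model, not this sketch, should be consulted for its conclusions.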