A value-at-risk approach to information security investment
成果类型:
Article
署名作者:
Wang, Jingguo; Chaudhury, Aby; Rao, H. Raghav
署名单位:
University of Texas System; University of Texas Arlington; Bryant University; State University of New York (SUNY) System; University at Buffalo, SUNY
刊物名称:
INFORMATION SYSTEMS RESEARCH
ISSN/ISSBN:
1047-7047
DOI:
10.1287/isre.1070.0143
发表日期:
2008
页码:
106-120
关键词:
autoregressive time-series
MODEL
摘要:
Information security investment has been getting increasing attention in recent years. Various methods have been proposed to determine the effective level of security investment. However, traditional expected value methods (such as annual loss expectancy) cannot fully characterize the information security risk confronted by organizations, considering some extremal yet perhaps relatively rare cases in which a security failure may be critical and cause high losses. In this research note we introduce the concept of value-at-risk to measure the risk of daily losses an organization faces due to security exploits and use extreme value analysis to quantitatively estimate the value at risk. We collect a set of internal daily activity data from a large financial institution in the northeast United States and then simulate its daily losses with information based on data snapshots and interviews with security managers at the institution. We illustrate our methods using these simulated daily losses. With this approach, decision makers can make a proper investment choice based on their own risk preference instead of pursuing a solution that minimizes only the expected cost.
来源URL: