Publication


Featured researches published by Wei T. Yue.


Journal of Management Information Systems | 2008

Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment

Huseyin Cavusoglu; Srinivasan Raghunathan; Wei T. Yue

Firms have been increasing their information technology (IT) security budgets significantly to deal with increased security threats. An examination of current practices reveals that managers view security investment as any other and use traditional decision-theoretic risk management techniques to determine security investments. We argue in this paper that this method is incomplete because of the problem's strategic nature—hackers alter their hacking strategies in response to a firm's investment strategies. We propose game theory for determining IT security investment levels and compare game theory and decision theory approaches on several dimensions such as the investment levels, vulnerability, and payoff from investments. We show that the sequential game results in the maximum payoff to the firm, but requires that the firm move first before the hacker. Even if a simultaneous game is played, the firm enjoys a higher payoff than that in the decision theory approach, except when the firm's estimate of the hacker effort in the decision theory approach is sufficiently close to the actual hacker effort. We also show that if the firm learns from prior observations of hacker effort and uses these to estimate future hacker effort in the decision theory approach, then the gap between the results of decision theory and game theory approaches diminishes over time. The rate of convergence and the extent of loss the firm suffers before convergence depend on the learning model employed by the firm to estimate hacker effort.


Systems Man and Cybernetics | 2005

Firm bankruptcy prediction: experimental comparison of isotonic separation and other classification approaches

Young U. Ryu; Wei T. Yue

A newly introduced method called isotonic separation is evaluated in the prediction of firm bankruptcy. Feature reduction methods are first applied to reduce the ratios used in the prediction. Then, various classification methods, including discriminant analysis, neural networks, decision tree induction, learning vector quantization, rough sets, and isotonic separation, are used with the reduced ratios. Experiments show that the isotonic separation method is a viable technique, performing generally better than other methods for short-term bankruptcy prediction.


Decision Support Systems | 2007

Network externalities, layered protection and IT security risk management

Wei T. Yue; Metin Çakanyildirim; Young U. Ryu; Dengpan Liu

This paper considers two important issues related to security risk management. First, the presence of network externalities in security risks. Second, the distinction of general (network) and system-specific protection measures. We found the optimal allocation of security resources (investments) in protecting every system in an organization. The results show that the consideration of network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of system risk plays a critical role in the success of risk management. Otherwise, the use of a uniform baseline protection approach may be more desirable when the misjudgment of relative system risks is likely to occur.


Journal of Management Information Systems | 2007

Intrusion Prevention in Information Systems: Reactive and Proactive Responses

Wei T. Yue; Metin Çakanyildirim

Intrusion prevention requires effective identification of and response to malicious events. In this paper, we model two important managerial decisions involved in the intrusion prevention process: the configuration of the detection component, and the response by the reaction component. The configuration decision affects the number of alarms the firm has to investigate. It is well known that the traditional intrusion detection system generates too many false alarms. The response decision determines whether alarms are going to be investigated or rejected outright. By jointly optimizing these two decision variables, a firm may apply different strategies in protecting its informational assets: slow but accurate, rapid but inaccurate, or a mixture of the two strategies. We use the optimal control approach to study the problem. Unlike previous literature, which studied the problem with a static model, in our model, the decision on balancing the desire to detect all malicious events with the opportunity costs required to do so is time dependent. Furthermore, we show how the choice of an optimal mixture of reactive and proactive responses depends on the values of cost parameters and investigation rate parameters. We find that in our model, a high damage cost does not immediately translate to a preference of proactive response, or a high false rejection cost does not translate to a preference of reactive response. The dynamics of the problem, such as how fast alarms accumulate and how fast they can be cleared, also affect the decisions.


Information Systems Research | 2011

When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination

Vijay S. Mookerjee; Radha Mookerjee; Alain Bensoussan; Wei T. Yue

This paper analyzes interactions between a firm that seeks to discriminate between normal users and hackers that try to penetrate and compromise the firm's information assets. We develop an analytical model in which a variety of factors are balanced to best manage the detection component within information security management. The approach not only considers conventional factors such as detection rate and false-positive rate, but also factors associated with hacker behavior that occur in response to improvements in the detection system made by the firm. Detection can be improved by increasing the system's discrimination ability (i.e., the ability to distinguish between attacks and normal usage) through the application of maintenance effort. The discrimination ability deteriorates over time due to changes in the environment. Also, there is the possibility of sudden shocks that can sharply degrade the discrimination ability. The firm's cost increases as hackers become more knowledgeable by disseminating security knowledge within the hacker population. The problem is solved to reveal the presence of a steady-state solution in which the level of system discrimination ability and maintenance effort are held constant. We find an interesting result where, under certain conditions, hackers do not benefit from disseminating security knowledge among one another. In other situations, we find that hackers benefit because the firm must lower its detection rate in the presence of knowledge dissemination. Other insights into managing detection systems are provided. For example, the presence of security shocks can increase or decrease the optimal discrimination level as compared to the optimal level without shocks.


Journal of Management Information Systems | 2012

Information Security Outsourcing with System Interdependency and Mandatory Security Requirement

Kai Lung Hui; Wendy Hui; Wei T. Yue

The rapid growth of computer networks has led to a proliferation of information security standards. To meet these security standards, some organizations outsource security protection to a managed security service provider (MSSP). However, this may give rise to system interdependency risks. This paper analyzes how such system interdependency risks interact with a mandatory security requirement to affect the equilibrium behaviors of an MSSP and its clients. We show that a mandatory security requirement will increase the MSSP's effort and motivate it to serve more clients. Although more clients can benefit from the MSSP's protection, they are also subjected to greater system interdependency risks. Social welfare will decrease if the mandatory security requirement is high, and imposing verifiability may exacerbate social welfare losses. Our results imply that recent initiatives such as issuing certification to enforce computer security protection, or encouraging auditing of managed security services, may not be advisable.


Hawaii International Conference on System Sciences | 2000

Agent-based simulation approach to information warfare in the SEAS environment

Alok R. Chaturvedi; Mukul Gupta; Shailendra Raj Mehta; Wei T. Yue

Information warfare refers to actions taken by an agent to achieve information superiority in support of national military strategy by affecting an adversary's information and information systems while leveraging and protecting its own information and information systems. It employs the same basic tools as used by hackers and criminals: computer, modem, telephone, and software. The paper analyzes the behaviors of the three major types of agents: government, firms and perpetrators in an experimental setting. The experiments were designed and conducted at the Synthetic Environment for Analysis and Simulation (SEAS) Lab at Krannert Graduate School of Management, Purdue University.


European Journal of Operational Research | 2009

The management of intrusion detection: Configuration, inspection, and investment

Metin Çakanyildirim; Wei T. Yue; Young U. Ryu

This paper analyzes intrusion detection decisions in the presence of multiple alarm types, which differ in occurrence probabilities, damage and investigation costs. Specifically, multi-period optimization models are used to study three critical decisions associated with intrusion detection: (i) Allocation of the investigation budget to different periods and to different alarm types; (ii) Configuration of an intrusion detection system (IDS), i.e. choosing a false alarm rate for a given IDS; and (iii) Allocation of an appropriate amount of the investigation budget in the presence of alternative investment opportunities. Three models that cascade onto each other are presented. We minimize the sum of security costs including damages, due to ignored alarms, the investigation cost and the undetected intrusion cost. We show that it can be optimal to ignore non-critical alarms in order to allocate more of the investigation budget to critical alarms that may occur in the future. We establish that the security costs decrease as the investigation budget increases. Our last model deals with security investments--in the form of an investigation budget. The investigation budget must be increased until the rate of increase in savings in security costs due to the additional budget is equal to the internal rate of return of an organization. These analyses are done with explicit (derived) cost functions, as opposed to implicit (assumed) cost functions. We conclude by providing additional managerial insights and numerical examples.


Information Systems Frontiers | 2015

The classification of hackers by knowledge exchange behaviors

Xiong Zhang; Alex Tsang; Wei T. Yue; Michael Chau

This paper examines messages posted in a hacker forum and constructs four user profiles based on the observed behavior patterns. It starts with the development of an automated forum post classification system to understand the knowledge transfer pattern exhibited by each user over time. Two patterns, knowledge acquisition and knowledge provision, are noted to be particularly informative. Based on these two and other user characteristics, user profiles are classified into four types: guru hackers, casual hackers, learning hackers, and novice hackers. Guru hackers are knowledgeable and respectable. They usually share ideas and advice with others. Casual hackers tend to act as observers. They can be skilled hackers who show interest mainly in deriving usable information from the forum. Learning hackers are also expert hackers who utilize the forum basically for learning. They actively seek knowledge and tend to share more of it over time. Novice hackers are new learners who typically join the forum for a short period. Overall, it is found that hacker communities very much represent learning communities where meritocracy is in place.


Wiley Interdisciplinary Reviews-Data Mining and Knowledge Discovery | 2017

Big data analytics for security and criminal investigations

M.I. Pramanik; Raymond Y. K. Lau; Wei T. Yue; Yunming Ye; Chunping Li

Applications of various data analytics technologies to security and criminal investigation during the past three decades have demonstrated the inception, growth, and maturation of criminal analytics. We first identify five cutting‐edge data mining technologies such as link analysis, intelligent agents, text mining, neural networks, and machine learning. Then, we explore their recent applications to the criminal analytics domain, and discuss the challenges arising from these innovative applications. We also extend our study to big data analytics which provides some state‐of‐the‐art technologies to reshape criminal investigations. In this paper, we review the recent literature, and examine the potentials of big data analytics for security intelligence under a criminal analytics framework. We examine some common data sources, analytics methods, and applications related to two important aspects of social network analysis namely, structural analysis and positional analysis that lay the foundation of criminal analytics. Another contribution of this paper is that we also advocate a novel criminal analytics methodology that is underpinned by big data analytics. We discuss the merits and challenges of applying big data analytics to the criminal analytics domain. Finally, we highlight the future research directions of big data analytics enhanced criminal investigations. WIREs Data Mining Knowl Discov 2017, 7:e1208. doi: 10.1002/widm.1208

Collaboration

Top Co-Authors

Kai Lung Hui, Hong Kong University of Science and Technology

Xiong Zhang, City University of Hong Kong

Metin Çakanyildirim, University of Texas at Dallas

Radha Mookerjee, University of Texas at Dallas

Young U. Ryu, University of Texas at Dallas

Michael Chau, University of Hong Kong

Ping Fan Ke, Hong Kong University of Science and Technology

Alain Bensoussan, University of Texas at Dallas

Vijay S. Mookerjee, University of Texas at Dallas

Alex Tsang, City University of Hong Kong