Socially Optimal IT Investment for Cybersecurity
Economics, Finance and Quantitative Analysis
This paper uses the concept of social cost, comprised of private and externality costs, to capture the time-elapsed economic value of losses inflicted on users of a service under cyberattack. Our approach offers a holistic treatment of cybersecurity that not only employs prevention as a first defense but also uses detection & containment safeguards to mitigate the damage of successful attacks. It examines the optimal balance between these two safeguards under three sources of uncertainty through a robust optimization model with the help of distribution-free ellipsoidal uncertainty sets to ease the challenge of providing exact estimates for uncertain input. Our method is more appropriate than stochastic programming and other competing RO methods in addressing cybersecurity parameter uncertainty. Tested on a case study, results from 25 deterministic scenarios first reveal a strong resource-allocation preference for the prevention safeguard, but when the budget constraint is relaxed, preference shifts toward the containment & detection safeguard. Results from 54 robust test instances indicate that, for the three sources of uncertainty, the adjusted effectiveness of the prevention safeguard has the greatest impact on both social cost and the optimal configuration of safeguards. Our analysis points to some serious flaws in the existing cybersecurity framework's reliance on prevention and provides decisionmakers with urgently needed guidelines.
Decision Support Systems
Digital Object Identifier (DOI)