
The Selection And Configuration Optimization Strategy Of Enterprise’s Information Systems Security Technology

Posted on: 2017-03-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Fang
GTID: 1108330491962033
Subject: Management Science and Engineering

Abstract/Summary:
As information systems are used ever more widely and deeply in enterprises of every kind, information system security has become a critical problem for information system researchers and practitioners. Events from the PRISM surveillance scandal that broke in the United States in 2013 to the loss of Malaysia Airlines Flight MH370 reflect the seriousness and urgency of information system security defense worldwide. Information system security refers to the capability of a network and information system to withstand accidents and malicious behavior at an established security classification level. In the course of information system security defense, an enterprise normally selects several kinds of security technologies to deal with the threats it faces; these constitute the enterprise's information system security technology. Information system security technology involves the input and allocation of the enterprise's security resources, the security benefit obtained, the defensive efficiency of each technology, and so on. It is therefore not only a technical problem but also a managerial one for the enterprise's information system security managers. Building on an analysis of relevant research at home and abroad and a description of the relevant theories, and aiming at the deficiencies of existing research, the selection and configuration optimization strategy of enterprise information system security technology is studied in depth from the following five aspects, using scientific methods such as game theory, mathematical programming and optimization, simulation, and decision analysis.

Firstly, the strategy for selecting the type and number of enterprise information system security technologies is studied. Security technology types are linked to information system security threat types through a game theory model. The model shows that the selection of a security technology type, and its selection probability, are determined by the occurrence probabilities of all threats and the efficiencies of that technology against each kind of threat. It also shows that the optimal distribution proportion of information system security resources is determined by the occurrence probabilities of the threats and the selection probabilities of the security technologies. The number of security technologies to select is likewise linked to the technologies' functions and features through game theory. Taking the technology portfolio of an Intrusion Detection System (IDS) plus manual investigation as an example, a game model with two players, the enterprise and the intruder, is built. It shows that multiple IDSs can improve the intrusion detection rate and reduce the enterprise's manual investigation probability; that once the enterprise has deployed multiple IDSs, the successive reductions in manual investigation probability grow smaller under the alarm condition and larger under the no-alarm condition; and that the expected payoff of deploying multiple IDSs is not always higher than that of deploying only one IDS.

Secondly, the configuration optimization strategy of enterprise information system security technology is studied, considering the vulnerability level and the security level separately. With respect to vulnerability, taking the portfolio of IDS and vulnerability management technology as an example, a game model of enterprise and intruder is built. It shows that when the vulnerability level is comparatively low, the enterprise should investigate a proportion of alarm events and should not investigate any no-alarm events, whereas when the vulnerability level is comparatively high, the enterprise should investigate all alarm events and some no-alarm events; and that the intruder's intrusion rate does not always increase as the vulnerability level rises.
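The abstract states the IDS results (fewer manual investigations with more IDSs, and the switch from "investigate some alarms, no no-alarm events" to "investigate all alarms and some no-alarm events" as the vulnerability level rises) without giving the model. The following Python code is an added worked example, not the dissertation's own model or code: it builds a deliberately simplified enterprise-versus-intruder inspection game of the kind the abstract summarizes, solves for the mixed-strategy equilibrium, and checks it by confirming that neither player gains from any pure deviation. The OR-combination of independent IDS alarms, the use of the intruder's gain-to-penalty ratio G/(G+P) as the stand-in for "vulnerability level", and every parameter value are assumptions of this example.

```python
"""Constructed enterprise-vs-intruder inspection game around one or more IDSs.

Assumed model (an assumption of this example, not the dissertation's):
  * the intruder attacks with probability p;
  * each of n independent IDSs fires on an attack with probability d and gives a
    false alarm with probability f; the enterprise sees "alarm" if any IDS fires;
  * the enterprise manually investigates with probability q_a after an alarm and
    q_n after no alarm, paying c per investigation;
  * an uninvestigated attack costs the enterprise D and earns the intruder G;
    an investigated attack costs the intruder P (caught).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdsGame:
    d: float  # P(alarm | attack) for a single IDS
    f: float  # P(alarm | no attack) for a single IDS
    c: float  # enterprise cost of one manual investigation
    D: float  # enterprise loss from an uninvestigated attack
    G: float  # intruder gain from an uninvestigated attack
    P: float  # intruder penalty when investigated (caught)

    def __post_init__(self):
        assert 0 < self.f < self.d < 1, "IDS must be useful but imperfect"
        assert 0 < self.c < self.D, "investigating must be cheaper than the loss"
        assert self.G > 0 and self.P > 0


def combined_rates(game, n):
    """Detection and false-alarm rates of n independent IDSs combined by OR."""
    return 1 - (1 - game.d) ** n, 1 - (1 - game.f) ** n


def enterprise_strategy(game, n=1):
    """(q_alarm, q_noalarm) that leave the intruder indifferent about attacking.

    The intruder is indifferent when P(investigated | attack) equals
    tau = G / (G + P), i.e. d_n*q_a + (1-d_n)*q_n = tau. If tau <= d_n this is
    reached by investigating only a fraction of alarms; otherwise every alarm
    and a fraction of no-alarm events must be investigated.
    """
    d_n, _ = combined_rates(game, n)
    tau = game.G / (game.G + game.P)  # "vulnerability" proxy (assumption)
    if tau <= d_n:
        return tau / d_n, 0.0
    return 1.0, (tau - d_n) / (1 - d_n)


def intruder_rate(game, n=1):
    """Attack probability p that leaves the enterprise indifferent on the
    signal it mixes on: the posterior P(attack | signal) must equal c / D."""
    d_n, f_n = combined_rates(game, n)
    k = game.c / game.D
    _, q_n = enterprise_strategy(game, n)
    if q_n == 0.0:  # enterprise mixes on "alarm"
        return k * f_n / (d_n * (1 - k) + k * f_n)
    return k * (1 - f_n) / ((1 - d_n) * (1 - k) + k * (1 - f_n))  # mixes on "no alarm"


def enterprise_cost(game, n, p, q_a, q_n):
    """Expected cost: investigations paid for plus uninvestigated attack losses."""
    d_n, f_n = combined_rates(game, n)
    p_alarm = p * d_n + (1 - p) * f_n
    caught = d_n * q_a + (1 - d_n) * q_n  # P(investigated | attack)
    return game.c * (p_alarm * q_a + (1 - p_alarm) * q_n) + game.D * p * (1 - caught)


def intruder_payoff(game, n, p, q_a, q_n):
    d_n, _ = combined_rates(game, n)
    caught = d_n * q_a + (1 - d_n) * q_n
    return p * (game.G * (1 - caught) - game.P * caught)


def is_equilibrium(game, n, p, q_a, q_n, tol=1e-9):
    """Neither player may gain by deviating. Both payoffs are affine in the
    player's own mixing probabilities, so checking pure deviations suffices."""
    cost = enterprise_cost(game, n, p, q_a, q_n)
    if any(enterprise_cost(game, n, p, qa, qn) < cost - tol
           for qa in (0.0, 1.0) for qn in (0.0, 1.0)):
        return False
    gain = intruder_payoff(game, n, p, q_a, q_n)
    return all(intruder_payoff(game, n, pp, q_a, q_n) <= gain + tol for pp in (0.0, 1.0))


def solve(game, n=1):
    """Mixed-strategy equilibrium (p, q_alarm, q_noalarm) for n OR-combined IDSs."""
    q_a, q_n = enterprise_strategy(game, n)
    p = intruder_rate(game, n)
    assert is_equilibrium(game, n, p, q_a, q_n)
    return p, q_a, q_n


if __name__ == "__main__":
    low = IdsGame(d=0.8, f=0.1, c=10, D=100, G=50, P=150)   # tau = 0.25 <= d
    high = IdsGame(d=0.8, f=0.1, c=10, D=100, G=450, P=50)  # tau = 0.90 > d
    for n in (1, 2, 3):
        print("low vulnerability, %d IDS(s):" % n, solve(low, n))
    print("high vulnerability, 1 IDS:", solve(high, 1))
```

With the low-vulnerability parameters the enterprise investigates 31.25%, 26.0% and 25.2% of alarms for one, two and three IDSs and never investigates no-alarm events, so the per-IDS reduction shrinks as the abstract describes for the alarm condition; with the high-vulnerability parameters it investigates every alarm plus half of the no-alarm events. The deviation check in `is_equilibrium` is the part worth keeping when you adapt the payoffs: a candidate strategy that only looks sensible is rejected as soon as one side can profit by switching to a pure strategy. This toy model does not reproduce every finding in the abstract (for instance the no-alarm behaviour with multiple IDSs), which depend on the dissertation's own payoff structure.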
With respect to the information security level, taking Firewall and IDS as the example portfolio, a game model of enterprise and intruder is built. It indicates that the higher the enterprise's information system security level, the lower the intrusion rate, whether the detection rate is high or low; that the manual investigation rate is not influenced by the enterprise's information system security level; and that the equilibrium strategy obtained without considering the security level is a boundary case of the one obtained when the security level is considered, a case that is either unattainable or unnecessary to attain.

Thirdly, the selection and configuration optimization strategy considering risk preference is studied. Two game models are built, on the portfolio of IDS and honeypot and on the portfolio of IDSs and manual investigation respectively. They reveal that risk preference has both common and differing influences across security technology portfolios. The common influence is that a risk-averse intruder is investigated manually more often by the enterprise when the intruder's expected benefit is comparatively low, while a risk-neutral intruder is investigated manually more often when the intruder's expected benefit is comparatively high; and that the intruder prefers to attack a risk-neutral enterprise when the manual investigation cost is low and a risk-averse enterprise when the manual investigation cost is high. An enterprise should therefore conceal its own risk preference and try to identify the intruder's. The differing influences depend on the security technology type: the number of honeypots deployed by a risk-averse enterprise is not always greater than that deployed by a risk-neutral one, and the choice between a single IDS and multiple IDSs is not directly influenced by risk preference.

Fourthly, the optimal implementation of the information system security technology strategy is studied. The strategy can be implemented either by the enterprise itself or by outsourcing to managed security service providers, and there is a boundary between the two. Assuming that the security level is the same whether the enterprise defends itself or outsources, so that expected benefits can be compared, a game model and a mathematical programming model are built. The results show that the total cost of outsourcing information system security technology is always higher than that of the enterprise defending itself, and that outsourcing can be chosen when the difference between the total cost of outsourcing and the total cost of self-defense is below a critical value.

Lastly, three closely related cases are analyzed to demonstrate the practical application value of the conclusions.
Keywords/Search Tags: information system security, security technology portfolio, security technology configuration, vulnerability level, risk preference