
The Research On Information System Security Investment Strategies When Enterprises Associated

Posted on: 2020-05-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C X Pan
GTID: 1368330626950321
Subject: Management Science and Engineering
Abstract/Summary:
Computer-based information systems are widely used. This not only greatly improves enterprises' work efficiency and management level, but also exposes enterprises to increasingly complex and serious information system security problems. In the era of networking, an enterprise's information system is no longer an isolated information island; it is interlinked with other information systems. Therefore, both internal factors and external environmental factors affecting enterprises' information system security and investment strategies need to be considered. Using game theory and theories of information system security management, based on case analysis and modeling analysis, this thesis studies information system security investment strategies, comprehensively considering enterprises, hackers and inter-enterprise relations, to help make security investment decisions more scientific and rational.

Firstly, the thesis studies information system security investment strategies of enterprises under information sharing. In the first place, it studies risk-averse enterprises' information security investment strategies under information sharing, comprehensively considering factors such as hacker attack types and enterprises' risk preferences. It is found that, when two enterprises share security information, the optimal information system security investment always increases with the information sharing coefficient and is independent of the hacker's attack types and the enterprises' risk preferences. Under a targeted attack, when the enterprise is extremely risk averse, the optimal information system security investment increases with the risk-aversion level and decreases with the information system security investment efficiency. The hacker attack types directly influence enterprises' decisions on the optimal information system security investment. In the second place, the thesis studies information system security investment strategies of enterprises under information sharing when the information systems are in parallel. It is found that the optimal information system security investment always increases with the information sharing coefficient, the hacker's attack probability and the information system value. The stabilities of the two enterprises' systems are independent of each other and have nothing to do with the information sharing between the two enterprises. The types of the two enterprises affect the information system security investment strategies. When the two enterprises share information, the number of parallel components in the information systems and the network exposure affect the optimal information security investment.

Secondly, the thesis studies information system security investment strategies of enterprises under investment budget constraints. In the first place, it studies information security investment strategies, comprehensively considering investment budget constraints, hacker attack types and attack preferences. It is found that the total security investment budget constraint has a minimum that changes with the hacker's attack preferences and is independent of the hacker's attack types. The optimal information system security investment changes with network exposure when the enterprise faces different types of attack. In addition, the relations between the total investment amount and the amount of investment, and the investment allocation to defend against different types of attack, are different. In the second place, the thesis studies information system security investment strategies, comprehensively considering the investment budget constraints and the information system security defense level. It is found that, when the information system security level for defending against the opportunistic attack is high and the security level for defending against the targeted attack is low, the security investment budget constraint has a minimum while the network exposure remains large and has a maximum while the network exposure remains small. The amount and allocation of investment to defend against different types of attack change with the network exposure. When the information system security level for defending against the targeted attack is high and the security level for defending against the opportunistic attack is low, the investment amount against the targeted attack increases with the total investment budget constraint, but the investment allocation proportion decreases with the total investment budget constraint.

Thirdly, the thesis develops a model to study information system security investment strategies under information security outsourcing. In the first place, it analyzes the choice of information system security management mode in consideration of the hacker attack. It is found that, when the enterprise chooses to cooperate with an MSSP, higher cooperation efficiency is not always better. When the cooperation efficiency is high, the hacker's maximum expected utility increases with the intrusion probability and decreases with the cooperation efficiency between the enterprise and the MSSP. When the cooperation efficiency is low, the hacker's maximum expected utility decreases with the intrusion probability and increases with the cooperation efficiency. In the second place, game models are built to study the information system security investment strategies of two enterprises and of multiple enterprises respectively, in consideration of both the investment externality and the risk relevance. It is found that, when two enterprises are connected, there exists an equilibrium point determined by factors such as the attack probability, the ratio of the risk relevance coefficient and the investment externality, in both the positive-externality and the negative-externality cases. When multiple enterprises are connected, there exists an equilibrium point in the case of the positive externality, while there is no equilibrium point in the case of the negative externality.

Fourthly, an evolutionary game model between multiple connected enterprises and multiple hackers is built to analyze the dynamic evolution between them under hackers' opportunistic attacks and targeted attacks. It is found that there are six evolutionary stable states in the case of the opportunistic attack and the targeted attack respectively. When facing the opportunistic attack, enterprises can reduce the cost of security investment by adjusting the relation among the network exposure, the potential loss and the security investment efficiency, on the basis of estimating the hacker attack probability. When facing the targeted attack, enterprises can reduce the cost of security investment by improving the security investment efficiency, reducing the potential loss and reducing the network exposure.

Finally, the thesis summarizes its conclusions and suggestions for information system security investment, summarizes its innovative ideas, and puts forward directions for further research.
Keywords/Search Tags: information system security investment strategy, inter-enterprises' association, security information sharing, information system outsourcing, hacker attack type, risk preferences