
Research On Security Investment Strategies Of Information Systems Based On Hackers' Different Attack Types

Posted on: 2019-03-31
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Zhang
GTID: 2428330596961028
Subject: Management Science and Engineering

Abstract/Summary:
With the development and wide application of network and information system technology, information system security incidents have become more and more frequent, and the losses they cause have increased yearly. To reduce the losses caused by hacker attacks, companies must invest in information system security technologies such as firewalls and intrusion detection. Security investment in enterprise information systems has become one of the important decision-making issues of modern enterprises. Such a decision needs to consider not only the security requirements of the enterprise information system but also the hackers' attack types and the risk preference of the investment decision makers.

This thesis adopts expected utility theory and jointly considers the risk attitude of investment decision makers, the hackers' attack types, and the company's own investment budget constraints to study enterprise investment strategies for information system security.

Firstly, the thesis defines information system security, information system security decision-making and technology, and analyzes the main factors affecting enterprise information system security investment decisions from several aspects: environment, enterprise, system and people.

Secondly, taking the risk preference of investment decision makers into account, a model is constructed to analyze the security investment decisions of enterprise information systems under different attack types. The model analysis finds that the optimal security investment increases with the potential loss from security attacks. There is a minimum potential loss: when the potential loss is lower than this value, the optimal security investment is 0. For targeted attacks, the security investment increases as the risk preference coefficient increases; for random attacks, the optimal security investment first decreases and then increases as the risk preference increases. Using the attack probability function, the thesis also finds the relationship between the optimal security investment and system vulnerability and investment efficiency.

Thirdly, an information system security investment model for investment decision makers under different attack methods is established, taking investment constraints and risk preferences into account, and the thesis studies how targeted-attack security investment and the security investment allocation ratio relate to system vulnerability, potential loss ratio, risk preference coefficient and investment budget. The model analysis finds that, once investment constraints are considered, the size of the risk preference does not affect the investment decision maker's optimal security investment for either type of attack. With a limited investment budget, investment decision makers do best to invest the vast majority of the funds in one attack type, and when the information system is highly connected or open, they should focus their funds on defending against targeted attacks.
Keywords/Search Tags:Information Safety, Expected Utility Theory, Risk Preference, Investment Constraints