Research On Information Security Investment Based On Game Theory

With the rapid development of information technology,information plays an increasingly important role in all fields of social life.However,information security technology has not been promoted accordingly,and the number and harm of information security accidents is improving.How to correctly conduct information security investment decision-making is an important question in the information security research and practice.The entity of information security investment is in the environment of conflict of interest dependence,and its decision is affected by the attacker and other investors.Game theory is the theory that studies the decision makers' behavior of mutual influence.As an important method in the information security economics,game theory can be a powerful tool for the analysis of information security investment.In this paper,the game theory is used to study the decision-making behavior of information security investment,and the law of information security investment is presented.The main research contents and contributions of this paper are as follows:1.The Gordon-Loeb model,the famous theory on information security investment,is extended to multi-organization game environment.This paper establishes the positive and negative externality model respectively when faced the targeted and opportunistic,and investigates the relationship of optimal information security investment with other risk parameters,and the result is compared with the optimal results under the condition of society optimum.The results show that the information security investment behavior of the organization is very contrasting under the positive and negative externalities,and the investment under the negative externalities is more negative.When investing,organizations must distinguish the types of attacks,and pay attention to the characteristics that the targeted attack is more difficult to resist under high vulnerability.2.This paper considers the attacker strategy,the attacker is divided into internal and external attackers,and the signal game model of information security investment is proposed.This paper creates a hypothesis that the attacker's role is variable,which can adjust its own strategy,and innovatively uses the signal game to model this strategy and uncertainty.It is found that the effect of signal transmission is significant only when external attacker does not attack and internal attacker attacks.In order to better balance the game oriented,namely that the both of internal and external attackers does not attack,the defenders need to make scientific investment decision of information security,reduce potential losses,improve the internal cost of the attacker's attack,and relax the information security policy.3.This paper establishes the information security investment interdependence model,analyzes the nature of the interdependence of the investment entities,includes the cyber insurance in the study of generalized information security investment,consider the risk factors,and combines game theory with utility theory to analyze the information security investment of different interdependence.It is found that there is a certain relationship between the externality type and the change rule of information security investment.Self protection investment and cyber insurance investment complement each other,and self protection investment is a rigid expenditure which is independent of risk aversion.4.This paper includes information security investment into research of classic quantity output competition model in economics.It uses the Cournot model to obtain the conditions that the optimal yield and the optimal amount of information security investment must meet,analyzes the relationship between competitive firms that invest in information security,the relationship between information security investment and consumer preferences,and the influence of information security investment on the yield and profit,compares the similarities and differences with the conclusion derived from the Stackelberg model,and further studies the long-term decision-making behavior of limited rational manufacturers.The results prove the positive impact of information security investment on the yield and profit of firms,and show the role of diminishing returns of information security investment.The results find the influence of antecedent advantage and explain the long-term investment intention of manufacturers.In conclusion,the results of this study can help organizations to make information security decisions,plan reasonable information security expenses,reduce blindness in information security investment,and help enrich and improve the theoretical system of information security economics and information security investment decisions.