With the development of Internet technology and the information industry, information security incidents are increasing and have caused enormous losses to enterprises. It was reported in 2009 that hacker attacks on computers cause losses of as much as 7 billion RMB in China every year, especially in the financial industry. Firms have been increasing their information security budgets significantly, but with little success. How to determine the appropriate level of information security investment has become one of the critical decisions facing both enterprises and academia. In practice, managers often use traditional decision-theory techniques, such as the decision-tree approach, to determine security investments. This method is incomplete because it neglects the strategic interaction between the enterprise and the hacker, which leads to wrong decisions. This paper proposes game theory for determining information security investment levels, in which the firm and the hacker are interdependent, and analyzes the impact of action timing on the security investment decision. First, we introduce the decision-tree model and three game-theoretic models: a static game, dynamic game I (the firm moves first, then the hacker moves) and dynamic game II (the hacker moves first, then the firm moves). We then compare the game models with the decision-tree model and find that in dynamic game II the firm's payoff is the highest while its investment level is the lowest, and that the firm's payoff is the lowest in the static game. In addition, under the decision-tree approach the investment level is determined by the firm's estimate of the hacker's cost, and the firm's payoff from the investment under the decision-tree model equals that under a game model only if this estimate is precise enough. Finally, a comparative static analysis on vulnerability, the firm's expected loss and the hacker's payoff is made to determine how the investment level changes with these parameters. We show that although the investment level increases with vulnerability (and with the firm's expected loss and the hacker's payoff), the rate at which it increases decreases with the firm's expected loss. These conclusions will provide useful references to managers.
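The abstract does not give the paper's payoff functions, so the following is an added illustration, not the paper's model: a small discrete firm-versus-attacker game that makes the four decision procedures concrete (decision tree, static game, firm moves first, attacker moves first) and runs a comparative-statics sweep on the firm's expected loss. Everything in it is assumed for the example: the breach-probability form `v * a / (a + z + 1)`, the linear cost terms, the parameter values, the investment and effort grids, and the simplification that the decision-tree firm guesses the attacker's effort directly rather than the attacker's cost. For these constructed numbers the ordering happens to match the abstract (attacker-first gives the firm its highest payoff at the lowest investment, the static game its lowest payoff), but that is a property of the chosen numbers, not a general result.

```python
from fractions import Fraction as Fr
from typing import NamedTuple

# All parameters and functional forms below are constructed for this
# example; the paper's own payoff functions are not given in the abstract.
class Params(NamedTuple):
    v: Fr      # vulnerability: success probability of an unopposed attack
    loss: Fr   # firm's loss when an attack succeeds
    c: Fr      # firm's cost per unit of security investment
    gain: Fr   # hacker's gain from a successful attack
    k: Fr      # hacker's cost per unit of attack effort

class Outcome(NamedTuple):
    z: int        # firm's investment level
    a: int        # hacker's attack effort (0 = no attack)
    firm: Fr      # firm's payoff
    hacker: Fr    # hacker's payoff

Z_LEVELS = range(0, 6)   # investment levels the firm can choose (constructed grid)
A_LEVELS = range(0, 4)   # attack efforts the hacker can choose (constructed grid)

BASE = Params(v=Fr(4, 5), loss=Fr(100), c=Fr(5), gain=Fr(60), k=Fr(6))

def breach_prob(z, a, p):
    """Assumed form: more effort raises, more investment lowers, the success chance."""
    return p.v * Fr(a, a + z + 1)

def firm_payoff(z, a, p):
    return -(p.loss * breach_prob(z, a, p) + p.c * z)

def hacker_payoff(z, a, p):
    return p.gain * breach_prob(z, a, p) - p.k * a

def outcome(z, a, p):
    return Outcome(z, a, firm_payoff(z, a, p), hacker_payoff(z, a, p))

def firm_best_response(a, p):
    # Highest firm payoff against effort a; ties go to the lower investment.
    return max(Z_LEVELS, key=lambda z: (firm_payoff(z, a, p), -z))

def hacker_best_response(z, p):
    # Highest hacker payoff against investment z; ties go to the lower effort.
    return max(A_LEVELS, key=lambda a: (hacker_payoff(z, a, p), -a))

def static_game(p):
    """Pure-strategy Nash equilibria: simultaneous moves, mutual best responses."""
    return [outcome(z, a, p) for z in Z_LEVELS for a in A_LEVELS
            if firm_best_response(a, p) == z and hacker_best_response(z, p) == a]

def firm_moves_first(p):
    """Dynamic game I: the firm commits to z knowing the hacker will best-respond."""
    z = max(Z_LEVELS,
            key=lambda z: (firm_payoff(z, hacker_best_response(z, p), p), -z))
    return outcome(z, hacker_best_response(z, p), p)

def hacker_moves_first(p):
    """Dynamic game II: the hacker commits to a knowing the firm will best-respond."""
    a = max(A_LEVELS,
            key=lambda a: (hacker_payoff(firm_best_response(a, p), a, p), -a))
    return outcome(firm_best_response(a, p), a, p)

def decision_tree(p, assumed_effort):
    """Decision-tree approach: the firm treats the hacker's effort as a fixed
    estimate rather than a strategic choice; the real hacker then reacts to z."""
    z = firm_best_response(assumed_effort, p)
    return outcome(z, hacker_best_response(z, p), p)

def investment_vs(p, field, values, solver=hacker_moves_first):
    """Comparative statics: investment level chosen as one parameter is varied."""
    return [(val, solver(p._replace(**{field: val})).z) for val in values]

if __name__ == "__main__":
    rows = [("static game", static_game(BASE)[0]),
            ("firm moves first", firm_moves_first(BASE)),
            ("hacker moves first", hacker_moves_first(BASE)),
            ("decision tree, effort guessed as 1", decision_tree(BASE, 1))]
    for name, out in rows:
        print(f"{name:36s} z={out.z} a={out.a} firm={float(out.firm):.2f}")
    print("investment vs loss:", investment_vs(BASE, "loss", [Fr(50), Fr(100), Fr(200)]))
```

Exact rational arithmetic is used so that equilibria are found by exact comparison and ties are resolved deterministically; with floats, two strategies that are genuinely indifferent could flip on rounding noise. The decision-tree run shows the abstract's point about estimation: with the attacker's effort guessed wrongly the firm under-invests and ends up worse off than in any of the game solutions, and only the correct guess reproduces the static-game outcome.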