| In the current era of rapid development of information technology,information security issues are also highly valued.At the same time,Managed security service providers(MSSPs)emerged and provided their clients with additional cost-saving and professional solutions to address information security issues.MSSPs invest in three categories of security services,including prevention,detection,and response,to meet their clients' security requirements,and realize business value by receiving payments from clients.They play different roles in the process of information security work and jointly protect the information security of client firms.This paper considers the principal-agent relationship between MSSP and its client companies,the realization process of this relationship,and the process by which MSSP attracts clients through security investment to realize business value as a complex dynamic system by identifying the key factors involved in the system.Thus we develop a system dynamics model of the interactions between an MSSP's security investment strategies and the impact on its business value.Simulations under opportunistic and targeted attacks are performed to discuss the effects of the MSSP's different security investment strategies on its business value.The results indicate that prevention investment has a stronger effect on the MSSP's business value than detection and response,and that security investments on opportunistic attacks are more efficient than on targeted attacks.The sensitivity analysis shows the robustness of our system dynamics model,and it indicates that it is better not to invest on detection instead of a very small amount investment under insufficient development of detection technology.Finally,through the analysis and summary of the model and results,this paper provides some suggestions for MSSP and information security management of frim,and looks forward to future research. |
PDF Full Text Request