Enterprise Information System Security Technology Strategy Selection: Autonomous Defense or Outsourcing  (Cited by: 7)

Defending the enterprise information system itself or outsourcing

Authors: 方玲 (FANG Ling); 仲伟俊 (ZHONG Wei-jun) [2]; 梅姝娥 (MEI Shu-e) [2] (Business College, Yangzhou University, Yangzhou 225127, China; Department of Economics and Management, Southeast University, Nanjing 211100, China)

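Affiliations: [1] Business College, Yangzhou University, Yangzhou 225127, Jiangsu, China; [2] School of Economics and Management, Southeast University, Nanjing 211100, Jiangsu, China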

Source: 《管理工程学报》 (Journal of Industrial Engineering and Engineering Management), 2019, No. 1, pp. 205-213 (9 pages)

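Funding: National Natural Science Foundation of China (71071033); Jiangsu Province Graduate Research and Innovation Program for Regular Universities (CXLX13_124)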

Abstract: An enterprise implementing its information system security technology strategy can consider not only autonomous defense but also outsourcing, and a selection boundary exists between the two. By setting the security level achieved when the enterprise outsources its information system security technology equal to the level achieved under autonomous defense, the expected payoffs of the two approaches can be compared. A game model and a mathematical optimization model are constructed. The study finds that the total cost of outsourcing information system security technologies is always higher than the total cost of the various security technologies under autonomous defense; when the difference between the total cost of outsourcing the various information system security technologies and the total cost of the technologies under autonomous defense is at or below a critical value, the enterprise can choose outsourcing.

A literature review shows that defending is the main task for an enterprise that chooses to defend its information system itself: selecting proper security technology portfolios and configurations, and implementing a manual investigation strategy according to the results of the technology. In addition, it is important to draw up and implement an outsourcing contract that settles all kinds of fees with one or more Managed Security Service Providers (MSSPs). The main goals of an enterprise that chooses to defend its information system itself are to minimize its cost, improve its information system security level, and improve the efficiency of its security technologies. The big challenge for this kind of enterprise is over-investment or under-investment in information system security, which could be eased by outsourcing. In order to make the selection and configuration of security technologies more scientific and economic for the enterprise, this paper constructs models to find the boundary between defending autonomously and outsourcing the security technologies and services. Firstly, the situation of defending autonomously is explained with the example of an Intrusion Detection System (IDS) and Vulnerability Scanning technology portfolio. Moreover, this paper studies the enterprise's and the attacker's optimal strategies and maximum payoffs under conditions of fixed technology cost and variable technology cost. Under the condition of fixed technology cost, the expected payoff of the enterprise improves as linkage detection improves, and the expected payoff of the attacker is zero, whether linkage detection is high or low. Under the condition of variable technology cost, the higher the detection of IDS and Vulnerability Scanning, the more secure the information system and the higher the marginal cost of technology. The expected payoff of information system security decreases when technology cost is too high. In order to receive the maximum expected payoff, the marginal cost of configuring IDS and Vulnerability Scanning should not be ove

Keywords: information system security; security technology configuration; autonomous defense; outsourcing; game theory

Classification: C931.6 [Economics and Management: Management]; F272.3

 
