Information security investment strategies for risk-averse firms under different attack types  Cited by: 8

Information investment strategies for two risk-averse firms under heterogeneous attacks


Authors: Pan Chongxia (潘崇霞)[1]; Zhong Weijun (仲伟俊)[1]; Mei Shue (梅姝娥)[1] (School of Economics & Management, Southeast University, Nanjing 211189, China)

Affiliation: [1] School of Economics & Management, Southeast University

Source: Journal of Systems Engineering (《系统工程学报》), 2019, No. 4, pp. 497-510 (14 pages)

Funding: National Natural Science Foundation of China (71371050)

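Abstract: Based on expected utility theory, this paper builds an investment game model between two firms and, considering both opportunistic (random) attacks and targeted attacks, studies the information security investment decisions of risk-averse firms. It gives the firms' optimal information security investment strategies under information sharing and analyzes how factors such as the level of risk aversion, the hacker's attack probability and the degree of network exposure affect the optimal security investment strategy. The results show that, under opportunistic attacks, when firms are extremely risk-averse, the optimal information security investment increases with the level of risk aversion; when firms are slightly risk-averse, the optimal investment decreases with the level of risk aversion if the potential loss is small, or the hacker's attack probability is small, or the degree of network exposure is too high or too low, and it increases with the level of risk aversion if the potential loss is large, or the hacker's attack probability is large, or the degree of network exposure is medium. Under targeted attacks, when firms are extremely risk-averse, the optimal information security investment decreases as the level of risk aversion increases.

Abstract (authors' English version): This paper investigates information security investment decisions in consideration of opportunistic attacks and targeted attacks by establishing an investment game between two risk-averse firms based on expected utility theory. It gives the optimal security investment strategies under the condition of information sharing and analyzes the influences of relevant factors such as risk aversion degree, the hacker's attack probability and network exposure on the optimal security investment strategies. It is found that the optimal information security investment increases with the risk-aversion coefficient when risk-averse firms defend against opportunistic attacks and the risk-aversion coefficient is very high. When the risk-aversion degree is low, or the potential loss remains small, or the attack probability remains small, or either the network exposure is very high or very low, the optimal information security investment is decreasing with the risk-aversion coefficient; otherwise, the optimal information security investment is increasing with the risk-aversion coefficient when the potential loss remains large, or attack probability remains high, or network exposure is medium. On the contrary, the optimal information security investment is decreasing with the risk-aversion coefficient when risk-averse firms are faced with targeted attacks and they are extremely risk averse.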

Keywords: information security investment; risk-averse firms; opportunistic (random) attacks; targeted attacks; information sharing

Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]

 
