Abstract
Firewalls, Intrusion Detection Systems (IDS) and cyber-insurance are widely used to protect against cyber-attacks and their consequences. The optimal investment in each of these security measures depends on the likelihood of threats and the severity of the damage they cause, on the user's ability to distinguish between malicious and non-malicious content, and on the properties and costs of the different measures. We present a model of the optimal investment in these measures, given that the effectiveness of each measure depends partly on the performance of the others. We also conducted an online experiment in which participants classified events as malicious or non-malicious based on the value of an observed variable. They could protect themselves by investing in a firewall, an IDS or insurance. Four experimental conditions differed in the optimal investment in the different measures. Participants tended to prefer investing in the IDS, irrespective of the benefit from this investment. They were able to identify the firewall and insurance conditions in which investment was beneficial, but they did not invest optimally in these measures. The results imply that users' intuitive decisions to invest resources in risk-management measures are likely to be non-optimal, so methods to support users in these decisions are needed.
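The interdependence the abstract describes (the value of one measure depends on which others are in place) can be made concrete with a small expected-cost model. The following is an editor's illustration, not the model or the data from the paper: it assumes an equal-variance Gaussian signal-detection setup in which the user rejects an event when its observed score exceeds a threshold, and assumes that a firewall removes a fraction of malicious events before the user sees them, an IDS raises the separability d' of the score, and insurance reimburses a fraction of the damage from a miss. All prices and parameters (`BASE`, `CATALOGUE`) are constructed for illustration.

```python
"""Expected-cost model of a user who classifies events from one observed score
and can buy a firewall, an IDS or insurance.  Editor's illustrative example with
assumed parameters; not the model from the paper."""
import math
from dataclasses import dataclass, replace
from itertools import combinations


def normal_cdf(x: float) -> float:
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


@dataclass(frozen=True)
class Scenario:
    p_mal: float          # prior share of malicious events in the incoming stream
    d_prime: float        # separability of the observed score (SDT sensitivity)
    cost_miss: float      # damage when a malicious event is let through
    cost_fa: float        # cost of rejecting a benign event
    reach: float = 1.0    # share of malicious events that get past the firewall (assumed)
    insured: float = 0.0  # share of miss damage reimbursed by insurance (assumed)


def miss_weight(s: Scenario) -> float:
    """Expected damage per incoming event that a miss still costs the user."""
    return s.p_mal * s.reach * s.cost_miss * (1.0 - s.insured)


def expected_loss(s: Scenario, threshold: float) -> float:
    """Benign score ~ N(0,1), malicious ~ N(d',1); reject when score > threshold."""
    p_miss = normal_cdf(threshold - s.d_prime)
    p_fa = 1.0 - normal_cdf(threshold)
    return miss_weight(s) * p_miss + (1.0 - s.p_mal) * s.cost_fa * p_fa


def optimal_threshold(s: Scenario) -> float:
    """Standard SDT optimum: c = d'/2 + ln(beta)/d', beta = benign weight / malicious weight."""
    assert s.d_prime > 0.0
    w = miss_weight(s)
    if w <= 0.0:
        return math.inf  # nothing at stake in a miss: never reject anything
    beta = (1.0 - s.p_mal) * s.cost_fa / w
    return s.d_prime / 2.0 + math.log(beta) / s.d_prime


def search_threshold(s: Scenario, lo: float = -6.0, hi: float = 6.0, steps: int = 2400):
    """Brute-force grid search; used to cross-check the closed form."""
    best_t, best_l = lo, math.inf
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        l = expected_loss(s, t)
        if l < best_l:
            best_t, best_l = t, l
    return best_t, best_l


@dataclass(frozen=True)
class Measure:
    name: str
    price: float
    block_fraction: float = 0.0  # firewall: malicious events stopped before the user sees them
    d_prime_gain: float = 0.0    # IDS: extra separability of the score the user sees
    insured: float = 0.0         # insurance: share of miss damage reimbursed


def apply_measures(base: Scenario, measures) -> Scenario:
    s = base
    for m in measures:
        s = replace(s, reach=s.reach * (1.0 - m.block_fraction),
                    d_prime=s.d_prime + m.d_prime_gain,
                    insured=min(1.0, s.insured + m.insured))
    return s


def total_cost(base: Scenario, measures) -> float:
    """Price of the measures plus expected loss at the user's optimal threshold."""
    s = apply_measures(base, measures)
    return sum(m.price for m in measures) + expected_loss(s, optimal_threshold(s))


def best_portfolio(base: Scenario, catalogue):
    """Enumerate every subset of the catalogue; return (measure names, total cost)."""
    best = ((), total_cost(base, ()))
    for k in range(1, len(catalogue) + 1):
        for subset in combinations(catalogue, k):
            c = total_cost(base, subset)
            if c < best[1]:
                best = (tuple(m.name for m in subset), c)
    return best


def marginal_value(base: Scenario, owned, candidate: Measure) -> float:
    """Loss reduction from adding `candidate` on top of `owned` (price not included)."""
    before = apply_measures(base, owned)
    after = apply_measures(base, list(owned) + [candidate])
    return (expected_loss(before, optimal_threshold(before))
            - expected_loss(after, optimal_threshold(after)))


# Constructed parameters for illustration only (not values from the paper).
BASE = Scenario(p_mal=0.5, d_prime=1.0, cost_miss=1.0, cost_fa=1.0)
CATALOGUE = [
    Measure("firewall", price=0.03, block_fraction=0.5),
    Measure("ids", price=0.05, d_prime_gain=1.0),
    Measure("insurance", price=0.10, insured=0.5),
]

if __name__ == "__main__":
    for k in range(len(CATALOGUE) + 1):
        for subset in combinations(CATALOGUE, k):
            s = apply_measures(BASE, subset)
            print(f"{str([m.name for m in subset]):36} threshold={optimal_threshold(s):.3f} "
                  f"total={total_cost(BASE, subset):.4f}")
    print("best:", best_portfolio(BASE, CATALOGUE))
```

With these assumed numbers the cheapest portfolio is firewall plus IDS. Insurance illustrates the interdependence: bought on its own it cuts expected loss by more than its price, but once the firewall and IDS are in place the remaining damage at stake is small enough that the same policy is no longer worth buying. The closed-form threshold and the grid search agree, which is the kind of check worth keeping when the model is extended.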
Acknowledgements
The research was partly funded by the Israel Cyber Authority through the Interdisciplinary Center for Research on Cyber (ICRC) at Tel Aviv University. This research was also supported by NCR2016NCR-NCR001-0002, MOE, and NTU.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Yaakov, Y.B., Wang, X., Meyer, J., An, B. (2019). Choosing Protection: User Investments in Security Measures for Cyber Risk Management. In: Alpcan, T., Vorobeychik, Y., Baras, J., Dán, G. (eds) Decision and Game Theory for Security. GameSec 2019. Lecture Notes in Computer Science(), vol 11836. Springer, Cham. https://doi.org/10.1007/978-3-030-32430-8_3
DOI: https://doi.org/10.1007/978-3-030-32430-8_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32429-2
Online ISBN: 978-3-030-32430-8
eBook Packages: Computer Science, Computer Science (R0)