Managing the security of information systems with partially observable vulnerability
研究了信息系统安全维护问题,其中漏洞程度部分可观测,通过付费检查可获知确切程度。决策者需在什么都不做、检查后修复、直接修复中做选择,最优策略遵循阈值结构。对电信运营商的应用表明,该策略能显著降低安全维护成本,且检查对中大型运营商更有利。
We consider the security maintenance of information systems where the extent of vulnerability is partially observable. However, the exact extent of the vulnerability can be observed by paying an inspection fee. In each period, the decision‐maker needs to take one of three decisions: (i) do nothing, (ii) inspect and implement (fix the vulnerability) if needed, and (iii) directly implement. We prove that the optimal policy follows a threshold structure. For each value of k (the known vulnerability), there are two thresholds for the partial information: the lower of the two thresholds dictates whether for this value of k , inspection is optimal before a possible implementation or whether direct implementation (i.e., without inspection) is optimal. If inspection is done, another threshold determines whether an implementation is done or not. If neither threshold applies, it is optimal to do nothing. We develop a numerical procedure to find the decision variables in the maintenance policy. We extend the main model to include variable implementation and inspection costs. The optimality of the threshold policy is shown to hold under more general settings. We apply the model to a real‐world problem and demonstrate its applicability and value in managing security systems. Here, we study the security maintenance policies for three different real‐world telecommunications operators and find that these operators can significantly reduce the cost of managing their security by adopting our proposed policy. Another finding is that inspection is more beneficial for medium‐sized to large‐sized operators.