Information security outsourcing in a resource-sharing environment: The impacts of attack modes
通过博弈模型分析两家共享信息资源的公司在机会攻击和定向攻击下,内部决策与外包给安全服务提供商时的成本与收益差异,发现定向攻击下公司预期成本可能更低,而服务提供商可能受益于资源共享程度。
Information security outsourcing has become an emerging trend in the operations of information security, but the relation between information assets of firms and attack modes of hackers have failed to be considered. Through building a game-theoretic model, this article analyzes security outsourcing of two firms who share their information resource with each other and are confronted with opportunistic attacks and targeted attacks. We find that in the case of security decisions in-house, the firms may obtain a lower expected cost and the hacker may derive a lower expected benefit under targeted attacks than under opportunistic attacks, even though targeted attacks are widely deemed to be more harmful to the firms. When outsourcing security operations to a MSSP (Managed Security Service Provider), we reveal that under targeted attacks the MSSP can reap a higher expected benefit and the hacker can still derive a lower expected benefit. Finally, we examine the effects of key security elements and find some interesting results. In particular, the MSSP may or may not benefit from the degree of resource sharing, and the hacker may suffer from its learning ability.