Optimal investment strategy for cyber security management of small and medium-sized enterprises based on the heterogeneous perspective (异质性视角下中小企业网络安全防御的最优投资策略)

WANG Ren (王韧), XU Hao (许豪), WANG Zhongjie (王中杰), XU Xu (徐徐)

Systems Engineering - Theory & Practice (系统工程理论与实践), 2023, Vol. 43, Issue 2: 398-420. DOI: 10.12011/SETP2022-1001

Article


Abstract

The rapid development of information technology has brought complex and diverse cyber security problems. A growing number of small and medium-sized enterprises (SMEs), whose basic security infrastructure is relatively weak, have begun to adopt a defence model that combines risk management services with cyber security insurance. However, both over-investment and under-investment in defence cause harm: the former wastes cyber security risk management efficiency, the latter leads to defence failure. Taking SMEs as the research object, this paper therefore optimises their cyber security investment decision model from the perspective of heterogeneity and examines the local and global optimal solutions of enterprise decisions in a multi-player game. The results show that when enterprises' security defence investment behaviour is non-cooperative, there exists an optimal level of defence investment at which the wealth utility of a risk-averse enterprise is maximised and the equilibrium is stable. When enterprises cooperate, the total utility of the market rises, but because of the prisoner's dilemma each individual enterprise has an incentive to break the cooperation, so utility under cooperation is not stable. Finally, the paper discusses the relationship between the insurance deductible, security defence expenditure and the wealth utility of non-cooperative enterprises when an additional premium (loading) is taken into account, and proves that setting a certain level of deductible can raise the enterprise's wealth utility.
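The abstract's two claims, that the non-cooperative investment game has a stable optimum which cooperation cannot sustain because of a prisoner's dilemma, and that a positive deductible raises a risk-averse insured's wealth utility once the premium carries a loading, can be reproduced numerically on a small toy model. The block below is an added illustration written for this page; it is not the paper's model or code. Everything in it is an assumption: two firms with CARA utility and heterogeneous risk-aversion coefficients R, a breach probability that decays exponentially in defence spending (P0, K) and spills over from the partner through a contagion factor BETA, a joint planner that maximises the sum of certainty equivalents, and an insurance premium equal to expected indemnity times (1 + lam). The closed-form deductible is the first-order condition of that CARA model, not a result taken from the paper.

```python
"""Toy model: interdependent SME security investment (non-cooperative vs cooperative)
and the optimal insurance deductible under a loaded premium.
Added illustration for this page; all parameters below are assumptions, not the paper's."""
import math

W = 100.0          # initial wealth of each firm (assumed)
L = 40.0           # loss when a breach occurs (assumed)
P0 = 0.5           # breach probability with zero defence spending (assumed)
K = 0.3            # effectiveness of defence spending: prob decays as exp(-K x) (assumed)
BETA = 0.7         # contagion: share of the partner's breach risk that spills over (assumed)
R = (0.05, 0.10)   # heterogeneous CARA risk-aversion coefficients of firm 0 and firm 1 (assumed)
GRID = [i / 10 for i in range(151)]   # candidate investment levels 0.0 .. 15.0


def own_breach_prob(x):
    """Direct breach probability of a firm that spends x on defence."""
    return P0 * math.exp(-K * x)


def breach_prob(x_self, x_other):
    """Breach probability including the risk that spills over from the partner."""
    return 1.0 - (1.0 - own_breach_prob(x_self)) * (1.0 - BETA * own_breach_prob(x_other))


def certainty_equivalent(i, x_self, x_other):
    """Certainty-equivalent wealth of firm i under CARA utility u(w) = -exp(-r w)."""
    r = R[i]
    p = breach_prob(x_self, x_other)
    eu = -((1 - p) * math.exp(-r * (W - x_self)) + p * math.exp(-r * (W - x_self - L)))
    return -math.log(-eu) / r


def best_response(i, x_other):
    """Spending that maximises firm i's own certainty equivalent given the partner's spending."""
    return max(GRID, key=lambda x: certainty_equivalent(i, x, x_other))


def nash_equilibrium(max_iter=100):
    """Best-response iteration from zero spending until neither firm wants to move."""
    x = [0.0, 0.0]
    for _ in range(max_iter):
        new = [best_response(0, x[1]), best_response(1, x[0])]
        if new == x:
            break
        x = new
    return tuple(x)


def total_ce(x0, x1):
    """Market-wide utility: sum of both firms' certainty equivalents."""
    return certainty_equivalent(0, x0, x1) + certainty_equivalent(1, x1, x0)


def cooperative_optimum():
    """Spending pair a joint planner would choose (maximises total_ce over the grid)."""
    return max(((x0, x1) for x0 in GRID for x1 in GRID), key=lambda pair: total_ce(*pair))


def deviation_gain(i, profile):
    """Gain to firm i from unilaterally replacing its spending in profile by its best response."""
    x_self, x_other = (profile[0], profile[1]) if i == 0 else (profile[1], profile[0])
    return (certainty_equivalent(i, best_response(i, x_other), x_other)
            - certainty_equivalent(i, x_self, x_other))


def deductible_ce(d, p, lam, r):
    """CE of an insured firm: premium = (1 + lam) * expected indemnity, indemnity = L - d."""
    premium = (1 + lam) * p * (L - d)
    eu = -((1 - p) * math.exp(-r * (W - premium)) + p * math.exp(-r * (W - premium - d)))
    return -math.log(-eu) / r


def optimal_deductible(p=0.2, lam=0.3, r=0.05, step=0.5):
    """Grid search for the deductible that maximises the insured firm's certainty equivalent."""
    grid = [k * step for k in range(int(L / step) + 1)]
    return max(grid, key=lambda d: deductible_ce(d, p, lam, r))


def closed_form_deductible(p=0.2, lam=0.3, r=0.05):
    """First-order condition of deductible_ce solved for d (CARA utility, proportional loading)."""
    return math.log((1 + lam) * (1 - p) / (1 - (1 + lam) * p)) / r


if __name__ == "__main__":
    ne = nash_equilibrium()
    co = cooperative_optimum()
    print("Nash spending      :", ne, "total CE %.3f" % total_ce(*ne))
    print("Cooperative spending:", co, "total CE %.3f" % total_ce(*co))
    for i in (0, 1):
        print("firm %d gain from defecting on the cooperative pair: %.3f" % (i, deviation_gain(i, co)))
    print("deductible: grid %.1f, closed form %.2f" % (optimal_deductible(), closed_form_deductible()))
    print("deductible with fair premium (lam = 0): %.2f" % closed_form_deductible(lam=0.0))
```

Running the file prints the Nash and cooperative spending pairs, each firm's gain from unilaterally deviating from the cooperative pair (positive, which is the prisoner's dilemma in the abstract), and the grid-search deductible next to its closed form. With lam = 0 the closed form returns a zero deductible: full cover is optimal only when the premium is actuarially fair, and any loading makes a positive deductible preferable.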

Keywords

heterogeneity / cyber security insurance / security defence investment / small and medium-sized enterprises / cooperation and non-cooperation

Cite this article

WANG Ren, XU Hao, WANG Zhongjie, XU Xu. Optimal investment strategy for cyber security management of small and medium-sized enterprises based on the heterogeneous perspective. Systems Engineering - Theory & Practice (系统工程理论与实践), 2023, 43(2): 398-420. https://doi.org/10.12011/SETP2022-1001
CLC classification number: F840

Funding

National Social Science Fund of China (19BJY161); Natural Science Foundation of Hunan Province (2021JJ30197)