
Application of Game Theory to Information Security Investment

Game-Theoretic Approach to Information Security Investment

【Author】 高娟

【Advisor】 薛明皋

【Author information】 Huazhong University of Science and Technology, Business Administration, 2010, Master's degree

【Abstract (translated)】 With the development of Internet technology and the information industry, information security incidents have been growing sharply. According to 2009 statistics, losses in China caused by network attacks exceed 7 billion yuan every year, with banks and financial institutions hit particularly hard. Although enterprises keep increasing their information security investment budgets, the effect is not obvious. How to determine the level of security investment is a key and difficult problem currently facing enterprises and academia. In practice, most enterprises analyze information security investment problems with traditional methods such as decision trees; the shortcoming of these methods is that they ignore the strategic confrontation between the enterprise and the hacker, which leads to wrong investment decisions. This thesis takes into account the interdependence of the enterprise's and the hacker's decisions, introduces game theory to analyze the information security investment problem, and analyzes how the order of moves of the enterprise and the hacker affects the security investment decision. It first presents a decision-tree model, a static model, a dynamic model in which the enterprise moves first, and a dynamic model in which the enterprise moves second. It then compares the results of the models and finds that the enterprise's return on security investment is lowest in the static game, while when the enterprise moves second its security investment level is lowest but its return on investment is highest. In addition, under the decision-tree method the enterprise's security investment level and return depend on its estimate of the hacker's attack cost; only when the estimation error is small enough do they coincide with the game-theoretic results. Finally, the thesis performs comparative static analysis on three parameters: vulnerability, expected loss, and the hacker's payoff. The results show that the security investment level is an increasing function of each of these three parameters, but the ratio of security investment to expected loss is a decreasing function of expected loss. These conclusions can serve as a reference for enterprises' security investment decisions in practice.

【Abstract】 With the development of Internet technology and the information industry, information security incidents are increasing and have caused enormous losses to enterprises. It was reported in 2009 that hacker attacks on computers produce a loss of as much as 7 billion RMB in China every year, especially in the financial industry. Firms have been increasing their information security budgets significantly, but with little success. How to determine the appropriate level of information security investment has become one of the critical decisions faced by enterprises and academia. In practice, managers often use traditional decision-theory techniques such as the decision-tree approach to determine security investments. This method is incomplete because it neglects the strategic interaction between the enterprise and the hacker, which leads to wrong decisions. This paper proposes game theory for determining information security investment levels, in which the firm and the hacker are interdependent, and analyzes the impact of action timing on the security investment decision. First, we introduce the decision-tree model and the game-theoretic models: the static game, dynamic game I (the firm moves first, then the hacker moves) and dynamic game II (the hacker moves first, then the firm moves). We then compare the game models with the decision-tree model and find that in dynamic game II the firm's payoff is the maximum, whereas its investment level is the lowest. The firm's payoff is the lowest when the players play a static game. In addition, under the decision-tree approach the investment level is determined by the estimate of the hacker's cost, and the firm's payoff from the investment under the decision-tree model equals that under a game model only if the estimate is precise enough. Finally, comparative static analysis on vulnerability, the firm's expected loss and the hacker's payoff is made to determine how the investment level changes with these parameters.
We show that although the investment level increases with vulnerability (and with the firm's expected loss and the hacker's payoff), the rate at which the investment level increases decreases with the firm's expected loss. These conclusions will supply useful references to managers.

  • 【Classification code】 F272; F49; F224.32
  • 【Downloads】 144