


Should I get Norton?

On November 24, 2014, Sony Pictures was hacked. The hacker group “Guardians of Peace” subsequently identified themselves as the perpetrators, leaking confidential data from Sony Pictures, including private employee emails, confidential company data, and the film ‘The Interview’ (among others).

In light of such tragedies (Sony Pictures suffered an estimated $15 million in losses), it is interesting to think about how organizations decide to invest in cyber-security products. Is there a guideline for when to invest in which security solutions? There are several reasons why such guidelines are unlikely to exist at many companies.

First, it is difficult to judge the benefits of investing in a security solution. Security solutions do not bring in revenue, so you cannot estimate their value without first accurately assessing the potential damage that can be done to the system. Second, because the motivations of various individuals and hacker groups are highly unpredictable, it is also infeasible to estimate the likelihood of being hacked (and hence hard to weigh the benefits of paying for security). Third, because no cyber security solution provides fool-proof protection against hackers, investments in cyber security may end up adding to the total damages when a determined attacker gets through anyway.

Given these uncertainties, it is unclear how one can construct a coherent quantitative framework for deciding whether (and how much) to invest in security.

As game theory deals with situations where multiple players with contradictory objectives compete with each other, it can provide a mathematical framework for making such decisions. As an example, Sony and the hacker group Guardians of Peace may be viewed as two competing players participating in a game, with one (Sony) trying to minimize damages and the other (GoP) trying to maximize profits. The payoffs could be determined by a fraction of Sony’s property (which can either be guarded or exploited), the costs involved in investing in a security solution, and the costs involved in mounting an attack. A mixed strategy could be adopted by determining the probability that a hack will occur based on the company’s value.
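The two-player game sketched above can be worked through numerically. The following is an added example, not part of the original post: the payoff structure, the parameter names (`V`, `c_s`, `c_a`, `p`) and all numbers are assumptions chosen for illustration, with `p` modelling the point that no defence is fool-proof.

```python
# Added illustration: a 2x2 security-investment game. Payoff structure and
# all numbers are assumptions made for this example, not taken from the post.

def equilibrium(V, c_s, c_a, p):
    """Return (d, q): P(defender invests), P(attacker attacks) at equilibrium.

    V   : value of the property at risk
    c_s : cost of the security solution
    c_a : cost of mounting an attack
    p   : chance an attack still succeeds against a defended target
          (an undefended target is assumed to be breached with certainty)
    """
    saved = V * (1 - p)        # expected loss that investing prevents
    if c_a >= V:               # attacking never pays, so nobody moves
        return 0.0, 0.0
    if c_s >= saved:           # security costs more than it can save
        return 0.0, 1.0
    if c_a <= p * V:           # attacking pays even against a defence
        return 1.0, 1.0
    # Interior case: each side mixes so the other is indifferent.
    d = (V - c_a) / saved      # attacker's expected gain becomes zero
    q = c_s / saved            # defender's two options cost the same
    return d, q

def defender_loss(V, c_s, p, d, q):
    """Defender's expected loss when investing w.p. d and attacked w.p. q."""
    invest = c_s + q * p * V   # pay for security, keep the residual risk
    skip = q * V               # pay nothing, lose everything if attacked
    return d * invest + (1 - d) * skip

if __name__ == "__main__":
    # Constructed inputs: same target, attack cost varied.
    for label, c_a in [("costly attack", 7.0), ("cheap attack", 2.0)]:
        d, q = equilibrium(V=16.0, c_s=3.0, c_a=c_a, p=0.25)
        loss = defender_loss(16.0, 3.0, 0.25, d, q)
        print(f"{label}: invest={d:.2f} attack={q:.2f} loss={loss:.2f}")
```

In the cheap-attack case the defender still invests, yet the expected loss includes both the security spend and the residual breach risk, which is the third difficulty listed earlier.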

Needless to say, many more factors must be considered to construct a feasible guideline. However, game theoretical models may be used to analyze each factor at even lower levels. For example, game theory can be used to determine which cyber security solutions to invest in by assessing various strategies in specific fields of cyber security, such as network security: http://ais.cs.memphis.edu/files/papers/Survey.pdf

http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-cost-20150204-story.html
