信息安全的经济学分析及管理策略研究
|
摘要
随着信息技术和互联网的不断发展,信息安全已经扩展到了国家的政治、经济、社会等各个领域。网络袭击和信息安全问题使人们遭受越来越严重的损失。尤为严重的是,我国广泛使用的计算机硬件产品和主流操作系统等IT(信息技术)产品都是从国外引进的。这些IT产品具有大量的漏洞和安全隐患。而单一的密码和安全技术机制不能根本解决这些信息安全问题,还需要管理和技术运营策略等系统对策和方案。如果要制定出正确的管理对策和技术投资方案,必须对信息安全问题进行经济分析。根据信息安全问题的经济分析结果进行管理策略的设计和选择,是实现信息安全的重要前提。本文的主要内容如下:
1.分别从IT产品、在线组织及国家公共管理的角度,对信息安全问题进行经济学理论分析。网络环境下的信息安全问题,主要是由于IT产品(硬件、软件和网络等产品)和信息系统存有大量的漏洞引起。如果没有漏洞,则信息系统就会具有应对内、外部攻击的免疫性。本文以软件产品的漏洞为例,分析发现信息不对称和安全需求不足是IT产品存在大量漏洞的关键动因,即漏洞的产生是IT产品安全性双向逆向选择和信息安全需求不足的结果。在信息技术一定的条件下,在线企业和人的安全行为努力程度决定信息安全结果。由于组织和人员的安全投资和努力行为的不可观察性而形成了双边道德风险问题,组织内部人为的行为和安全投资管理正是组织的信息安全管理重点。目前信息安全已经成为国家安全的重要部分,是我国未来政治、军事、经济发展的重要保障。为提高国家对信息安全管理的效率和水平,需要从宏观层面上证明信息安全的公共物品性质。
2.为规避IT产品安全性的双向逆向选择问题,以漏洞报告为信号,根据信号显示原理推理出漏洞市场模型,目的是实现IT产品漏洞的可测试性、可交易性和可管理性。因此,提出漏洞信息交易市场的特点假设,推导出漏洞信息交易的贝耶斯纳什均衡并提出漏洞信息的拍卖定价模型和IT产品的补丁优化管理策略模型,以清除和弥补IT产品的漏洞。
3.为定量研究信息安全投资对在线企业的市场竞争行为的影响和解决信息安全道德风险行为的对策,构建了一个双寡头垄断竞争两阶段博弈的信息安全投资收益模型,第一阶段厂商决定最优的信息安全投资及其收益,第二阶段厂商决定竞争价格和市场地位。利用最优化信息投资的决策方法分析了具有较高安全性的厂商具有较高的期望收益,证明了信息安全投资可以扩大市场需求和增加利润,并得出在寡占市场条件下的企业最优信息安全投资和均衡的市场价格,证明了率先进行信息安全投资的厂商可以成为市场的领导者的结论。这一结论对在线企业的信息安全投资决策的制定和克服信息安全行为的道德风险具有积极的指导作用。在分析漏洞类型和信息安全措施的基础上,为企业组织提供一个简单适用的改进的二进制粒子群(particle swarm optimization, PSO)智能化信息安全投资决策方法。
4.为定量研究信息安全社会化投资措施的最优化部署和威胁的关系问题。构建了网络中组织的信息安全投资的决策模型。发现信息安全措施的投资与组织信息化规模正相关。在网络中的大多数中小企业因为没有安全投资动力而较少投资安全措施,对整个网络构成巨大的威胁。确定了当企业面对独立性网络攻击时,企业可以自行最优化决策其信息安全措施。当网络攻击为传染性的,大型企业即使部署了信息安全措施,仍会因为网络传染而遭受巨大的损失,这时需要从网络整体分析信息安全的社会投资及优化问题。
5.研究国家的信息安全公共管理和技术产业化策略。因为信息安全具有准公共物品的性质,需要国家从战略性高度发展信息安全核心技术并与产业化联系起来,因此,构建了实物期权博弈模型以研究产业化的投资收益和投资时机问题,为我国信息安全技术产业化决策提供理论支持。
最后以信息安全管理策略为例,对本文的理论和方法进行了实验和数值验证。
As IT and Internet developing, Information security has expanded into political, economical, social areas of nation. People was suffered more and more losses by net attacks and information security issues. But a long time, China export computer products, operation system from foreign countrys with a lot of unknown vulnerabilities. But sole cryptogram and security technology mechanism don’t solved information security thoroughly; information security problem is not only technology, and also economics, management and operation issues. Main contents of the research are as follows.
1. Economics analysis of information security problem from IT productions\online enterprises\public management. It is an important to make information security decisions according to economical analysis results. Without vulnerabilities in products, information systems are immunity to attacks. We illustrate soft production with vulnerabilities, find that information asymmetry and requirement of security lack are mainly economical reason of vulnerability left in information production, vulnerability is result of double adverse selection and lack requirement. If security technology is certain, orgernazation information security measurement determines result of security. Each agent`s information security investment is costly to observe and verify by third parties that are reason of double moral hazard. Information security on networks has become a critical factor of national security, which should research it as public goods provided by government.
2. To avoid adverse selection of seurity in information system, takeing vulnerabilities as signals metric. The metric of quality, which can be measured throughout the testing process, is the market price to find, demonstrate, and report a previously undetected defect in the system. Vulnerability market characaters model is constructed and additional assumptions so that a Bayesian-Nash equilibrium analysis may be performed. We try to give a vulnerability auction market model and patch management model, so vulnerabilities are eliminated.
3. Under conditions of double moral hazard, considering the competition impacts of e-business optimal investment in information security, a two-stage game-theoretic model is constructed that addresses the economic revenue for investment in added information security in Dual-Oligopoly Market. In the model, an e-business firm with a higher level of security is able to earn a higher expected revenue, the expected revenue gains resulting from investments in security. The model gains the optimal investment in security and price in equilibrium in Oligopoly Market. The preemption of investment in security is becoming leader of e-business,so it is a very efficient tool for e-business to avoid moral hazard of investment in information security decisions.
An improved binary particle swarm optimization (PSO)-based approach is presented for organizations to choose a simple tool for supporting information security investment decisions making.
4. In order to analyze the online enterprises Information Security optimal measures quantitatively, a firm information security decision model is constructed. Based on the information security decision model, the information security measures are increasing in firm size. Lots of online small-and-medium-enterprises become huge threads without incentive investment in security measures. When firms are attacked by independent threads, the enterprise can deploy security measures optimization, but net attacks are contagious threats, the enterprises will loss enormous profits in spite of deployed security measures. Then the whole net vulnerability is necessary considered to realize social information security investment optimization.
5. We propose a real option game model to the Industrialization of the national information security high technology strategies that different uncertainties effect on research and development project`s option value and the participant`s entry threshold. The last some sugustions about government information security controlling are provided,a security case experiment and number cacaulations is applied.
1.分别从IT产品、在线组织及国家公共管理的角度,对信息安全问题进行经济学理论分析。网络环境下的信息安全问题,主要是由于IT产品(硬件、软件和网络等产品)和信息系统存有大量的漏洞引起。如果没有漏洞,则信息系统就会具有应对内、外部攻击的免疫性。本文以软件产品的漏洞为例,分析发现信息不对称和安全需求不足是IT产品存在大量漏洞的关键动因,即漏洞的产生是IT产品安全性双向逆向选择和信息安全需求不足的结果。在信息技术一定的条件下,在线企业和人的安全行为努力程度决定信息安全结果。由于组织和人员的安全投资和努力行为的不可观察性而形成了双边道德风险问题,组织内部人为的行为和安全投资管理正是组织的信息安全管理重点。目前信息安全已经成为国家安全的重要部分,是我国未来政治、军事、经济发展的重要保障。为提高国家对信息安全管理的效率和水平,需要从宏观层面上证明信息安全的公共物品性质。
2.为规避IT产品安全性的双向逆向选择问题,以漏洞报告为信号,根据信号显示原理推理出漏洞市场模型,目的是实现IT产品漏洞的可测试性、可交易性和可管理性。因此,提出漏洞信息交易市场的特点假设,推导出漏洞信息交易的贝耶斯纳什均衡并提出漏洞信息的拍卖定价模型和IT产品的补丁优化管理策略模型,以清除和弥补IT产品的漏洞。
3.为定量研究信息安全投资对在线企业的市场竞争行为的影响和解决信息安全道德风险行为的对策,构建了一个双寡头垄断竞争两阶段博弈的信息安全投资收益模型,第一阶段厂商决定最优的信息安全投资及其收益,第二阶段厂商决定竞争价格和市场地位。利用最优化信息投资的决策方法分析了具有较高安全性的厂商具有较高的期望收益,证明了信息安全投资可以扩大市场需求和增加利润,并得出在寡占市场条件下的企业最优信息安全投资和均衡的市场价格,证明了率先进行信息安全投资的厂商可以成为市场的领导者的结论。这一结论对在线企业的信息安全投资决策的制定和克服信息安全行为的道德风险具有积极的指导作用。在分析漏洞类型和信息安全措施的基础上,为企业组织提供一个简单适用的改进的二进制粒子群(particle swarm optimization, PSO)智能化信息安全投资决策方法。
4.为定量研究信息安全社会化投资措施的最优化部署和威胁的关系问题。构建了网络中组织的信息安全投资的决策模型。发现信息安全措施的投资与组织信息化规模正相关。在网络中的大多数中小企业因为没有安全投资动力而较少投资安全措施,对整个网络构成巨大的威胁。确定了当企业面对独立性网络攻击时,企业可以自行最优化决策其信息安全措施。当网络攻击为传染性的,大型企业即使部署了信息安全措施,仍会因为网络传染而遭受巨大的损失,这时需要从网络整体分析信息安全的社会投资及优化问题。
5.研究国家的信息安全公共管理和技术产业化策略。因为信息安全具有准公共物品的性质,需要国家从战略性高度发展信息安全核心技术并与产业化联系起来,因此,构建了实物期权博弈模型以研究产业化的投资收益和投资时机问题,为我国信息安全技术产业化决策提供理论支持。
最后以信息安全管理策略为例,对本文的理论和方法进行了实验和数值验证。
As IT and Internet developing, Information security has expanded into political, economical, social areas of nation. People was suffered more and more losses by net attacks and information security issues. But a long time, China export computer products, operation system from foreign countrys with a lot of unknown vulnerabilities. But sole cryptogram and security technology mechanism don’t solved information security thoroughly; information security problem is not only technology, and also economics, management and operation issues. Main contents of the research are as follows.
1. Economics analysis of information security problem from IT productions\online enterprises\public management. It is an important to make information security decisions according to economical analysis results. Without vulnerabilities in products, information systems are immunity to attacks. We illustrate soft production with vulnerabilities, find that information asymmetry and requirement of security lack are mainly economical reason of vulnerability left in information production, vulnerability is result of double adverse selection and lack requirement. If security technology is certain, orgernazation information security measurement determines result of security. Each agent`s information security investment is costly to observe and verify by third parties that are reason of double moral hazard. Information security on networks has become a critical factor of national security, which should research it as public goods provided by government.
2. To avoid adverse selection of seurity in information system, takeing vulnerabilities as signals metric. The metric of quality, which can be measured throughout the testing process, is the market price to find, demonstrate, and report a previously undetected defect in the system. Vulnerability market characaters model is constructed and additional assumptions so that a Bayesian-Nash equilibrium analysis may be performed. We try to give a vulnerability auction market model and patch management model, so vulnerabilities are eliminated.
3. Under conditions of double moral hazard, considering the competition impacts of e-business optimal investment in information security, a two-stage game-theoretic model is constructed that addresses the economic revenue for investment in added information security in Dual-Oligopoly Market. In the model, an e-business firm with a higher level of security is able to earn a higher expected revenue, the expected revenue gains resulting from investments in security. The model gains the optimal investment in security and price in equilibrium in Oligopoly Market. The preemption of investment in security is becoming leader of e-business,so it is a very efficient tool for e-business to avoid moral hazard of investment in information security decisions.
An improved binary particle swarm optimization (PSO)-based approach is presented for organizations to choose a simple tool for supporting information security investment decisions making.
4. In order to analyze the online enterprises Information Security optimal measures quantitatively, a firm information security decision model is constructed. Based on the information security decision model, the information security measures are increasing in firm size. Lots of online small-and-medium-enterprises become huge threads without incentive investment in security measures. When firms are attacked by independent threads, the enterprise can deploy security measures optimization, but net attacks are contagious threats, the enterprises will loss enormous profits in spite of deployed security measures. Then the whole net vulnerability is necessary considered to realize social information security investment optimization.
5. We propose a real option game model to the Industrialization of the national information security high technology strategies that different uncertainties effect on research and development project`s option value and the participant`s entry threshold. The last some sugustions about government information security controlling are provided,a security case experiment and number cacaulations is applied.
引文
1 Ross Anderson. Why Cryptosystems Fail. Communications of the ACM. 1994,37(11):32-40
2 Ross Anderson, Tyler Moore.The Economics of Information Security. Science .2006, 314 (5799) :610–613
3 Hal R.Varian. Managing Online Security Risks. New York Times; New York, N.Y.; Jun 1, 2000:2-3
4 Ross. Anderson. Why information security is hard-An economic perspective. In: Proceeding of 17th Annual Computer Security Applications Conference, New Orleans, LA 2001:15-20
5 Lawrence A. Gordon, Martin P. Loeb,William Lucyshyn. Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy.2003 ,22 :461–485
6 Alfredo Garcia, Barry Horowitz. The Potential for Underinvestment in Internet Security: Implications for Regulatory Policy. The Fifth Workshop on Economics and Information Security, University of Cambridge,2006:32-43
7 Andrew Odlyzko.Cryptographic abundance and pervasive computing. iMP: Information Impacts Magazine. 2000, 6:25-37
8 John Adams. CARS, CHOLERA, AND COWS--The Management of Risk and Uncertainty. Policy analysis.1999,335:1-49
9 Benjamin Edelman, Adverse Selection in Online “Trust” Certifications. The Fifth Workshop on the Economics of Information Security, University of Cambridge, 2006,6:52-67
10 Nicholas Bohm, Ian Brown ,Brian Gladman. Electronic Commerce: Who Carries the Risk of Fraud? Journal of Information, Law and Technology. 2000, 3:1-34
11 Douglas A. Barnes. Deworming the Internet. Texas Law Review. 2004, 83: 279-329
12 Economides N. The economics of networks. International Journal of Industrial Organization .1996 ,1 (14) : 673 -700
13 Katz Michael , Carl Shapiro. Technology adoption in the presence of network externalities. Journal of Political Economy .1985 ,94 :822 – 841
14 Shapiro C ,Varian H.信息规则.北京:中国人民大学出版社,2000:88-90
15 Jari Raman. Network Effects and Software Development-Implications for Security. Proceedings of the 37th Hawaii International Conference on System Sciences. Hawaii, US,2004:38-46
16 Howard Kunreuther, Geoffrey Heal. Interdependent security. Journal of Risk and Uncertainty.2003, 26 (231): 231–249
17 Gordon, L. A., & Richardson, R. The New Economics of Information Security. Information Week, 2004: 53-56
18 Lawrence A. Gordon and Martin P. Loeb.The Economics of Information Security Investment. ACM Transactions on Information and System Security, 2002, 5(4): 438–457
19 Lawrence D. Bodin, Lawrence A. Gordon, And Martin P. Loeb.Evaluating Information Security Investments Using The Analytic Hierarchy Process. Communications of The ACM. 2005, 48(2):79-83
20 Jan Willemson .On the Gordon & Loeb Model for Information Security Investment. Fifth Workshop on the Economics of Information Security, University of Cambridge, 2006,6:68-75
21 Varian H.R. Systems reliability and free riding . In Economics of Information Security, L. J. Camp, S. Lewis, eds. (Kluwer Academic Publishers, 2004), vol. 12 of Advances in Information Security :1-15
22 Charles Iheagwara. The effect of intrusion detection management methods on the return on investment. Computers & Security .2004, 23: 213-228
23 Costas Lambrinoudakisa,T, Stefanos Gritzalisa, Petros Hatzopoulos ,et al. A formal model for pricing information systems insurance contracts. Computer Standards & Interfaces.2005, 27: 521–532
24 Bharat B. Madan, Katerina Go?eva-Popstojanova ,Kalyanaraman Vaidyanathan, et al. A method for modeling and quantifying the security attributes of intrusion tolerant systems. Performance Evaluation. 2004, 56:167–186
25 Mukul Gupta, Jackie Rees, Alok Chaturvedi, et al. Matching information security vulnerabilities to organizational security profiles: a geneticalgorithm approach. Decision Support Systems. 2006, 41: 592– 603
26 Gus Rodewald. Aligning Information Security Investments with a Firm's Risk Tolerance. Information Security Curriculum Development (InfoSecCD) Conference '05, Kennesaw, GA, USA,2005:89-112
27 Gal-Or, E. and A. Ghose. The Economic Consequences of Sharing Security Information[A]. Camp and Lewis (Eds), The Economics of Information Security[C], Kluwer, July 2004: 95-104
28 Gal-Or, E. and A. Ghose. The Economic Incentives for Sharing Security Information. Information Systems Research. 2005,16(2): 186-208
29 Anindya Ghose, Uday Rajan. The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare. Workshop on Economics and Information Security, Cambridge University, 2006,6:79-94
30 Krsul, I., Spafford, E. & Tripunitara, M. Computer vulnerability analysis. Department of Computer Sciences , Purdue University , West Lafayette : Technical Report Coast TR 98207 , 1998:34-61
31 Howard, J. An Analysis of Security Incidents On the Internet, PHD thesis, Carnegie Mellon University, 1998:31-53
32 Lipson, H. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, CERT/CC special report 2002:74-83
33 Shimeall, T. & Williams, P. Models of Information Security Trend Analysis, 2002, CERT/CC report,69-87
34 Arbaugh, W.A., Fithen, W. L. & McHugh, J. Windows of Vulnerability: A Case Study Analysis.,IEEE Computer, 2000,5:38-45
35 Stuart Schechter. How to buy better testing: Using competition to get the most security and robustness for your dollar. In Infrastructure Security Conference, Bristol, UK, October 2002:97-113
36 Stuart Schechter. Quantitatively differentiating system security. In Workshop on Economics and Information Security, Berkeley, CA, USA, May 2002:163-179
37 Stuart E. Schechter. Computer Security Strength &Risk: A Quantitative Approach. PhD thesis, Harvard University, Cambridge, MA, 2004:58-85
38 Andy Ozment. Bug Auctions: Vulnerability Markets Reconsidered.Workshop on Economics and Information Security. Minneapolis, MN, USA, May 13-14, 2004: 587-595
39 Camp, L. & Wolfram, C. Pricing Security. In Proceedings of the CERT Information Survivability Workshop, Boston, MA Oct. 24-26. 2000:320-339
40 Arora, A., Caulkins, J.P. & Telang, R. Provision of Software Quality in the Presence of Patching Technology, Carnegie Mellon University, working paper. 2003:23-54
41 Rainer Bohme.Vulnerability Markets- What is the economic value of a zero-day exploit? Proc. of 22C3, Berlin, Germany, 27–30 December 2005:59-76
42 Schneier, B., Computer Security: It's the Economics, Stupid. Workshop on Economics and Information Security, UC, Berkeley, 2002:203-214
43 Hoo, K. S.How Much Is Enough? A Risk Management Approach to Computer Security.Workshop on Economics and Information Security, University of California, Berkeley, CA, 2000:348-369
44 Karthik Kannan,Rahul Telang .An Economic Analysis of Market for Software Vulnerabilities. Workshop on Economics and Information Security . University of Minnesota ,USA,May 3, 2004:213-224
45 CERT (2003). CERT/CC Statistics 1988-2003, http://www.cert.org/stats/.
46 Jay Pil Choi, Chaim Fershtman, Neil. Preliminary and Incomplete Internet Security, Vulnerability Disclosure, and Software Provision. Workshop on Economics and Information Security . Harvard University,2005:78-84
47 Banker, R., Davis, G. & Slaughter, S. Software Development Practices, Software Engineering Complexities, and Software Maintenance. Management Science.1998,44: 433–450
48 Kenneth S. Corts.The interaction of task and asset allocation. International Journal of Industrial Organization .2006, 24: 887– 906
49 Dacey, R. F. Effective patch management is critical to mitigating software vulnerabilities. GAO-03-1138T.2003:57-62
50 Thomson K L , Solms R V. Information Security Obedience :A Definition . Computers & Security. 2005 , 24(1) :69--75.
51 Eric Rescorla. Is finding security holes a good idea? Workshop on Economics and Information Security, University of Minnesota USA,2004:43-75
52 Shostack, A. Quantifying patch management. Secure Business Quarterly. 2003.3(2):18-23
53 McGhie, L. Software patch management - the new frontier. Secure Business Quarterly, 2003.3(2):23-45
54 Donner, M. Patch management - bits, bad guys, and bucks! Secure Business Quarterly, 2003.3(2):45-52
55 Pruitt, S. Software users hit a rough patch. PC World, 2003, 10:48-58
56 Huseyin Cavusoglu, Hasan Cavusoglu, Jun Zhang.Economics of Security Patch Management. Workshop on Economics and Information Security, Cambridge, England, 2006:180-198
57 Ashish Arora, Ramayya Krishnan, Anand Nandkumar, et al. Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis. In Workshop on Economics and Information Security, University of Minnesota,USA, 2004:22-35
58 Arora Ashish, Rahul Telang and Hao Xu. Timing Disclosure of Software Vulnerability for Optimal Social Welfare,.Carnegie Mellon University working paper, April 2004:67-98
59 Ashish Arora, Rahul Telang and Hao Xu. Optimal Policy for Software Vulnerability Disclosure. Workshop on Economics and Information Security, University of Minnesota,USA,May 3, 2004:318-326
60 郑志彬,吴昊,辛阳.建立产学研结合的信息安全人才培养道路. 北京电子科技学院学报.2006,14(1):23-27
61 Michael E.Whitman, Herbert J.Mattord,徐焱译(M).信息安全原理.北京:清华大学出版社,2003: 67-96
62 李鹤田,刘云,何德全.信息系统安全风险评估研究综述. 中国安全科学学报.2006,16(1):108-113
63 刘艳, 曹鸿强.信息安全经济学初探.网络安全技术与应用.2003.3:21-23
64 刘卫东,刘毅,马丽等.论国家安全的概念及其特点. 世界地理研究. 2002, 11(2): 1-7
65 巨乃岐.信息安全的内涵与意义.齐鲁学刊. 2003,2:92-95
66 冯登国.可证明安全性理论与方法研究.软件学报. 2005,16(10):1743-1756
67 韩权印, 张玉清,王闵.信息安全管理实施要点研究. 计算机工程. 2005, 31(20):64-66
68 姜彦福, 雷家骕,曹宁.关于基于经济安全的信息安全问题. 清华大学学报(哲学社会科学版).2000,15(1):36-42
69 姚春序,范世涛.信息安全中的政治经济学问题.经济导刊.2002,7:43-45
70 王国才.网络外部性、差异化竞争与主流化策略研究. 中国管理科学. 2005,13(5):105-110
71 孙玉芳.Linux 真给国产操作系统发展提供了机遇吗?计算机科学. 2002, 29(7): 13-18
72 史晋川,刘晓东.软件商业模式与操作系统的市场结构——Windows 与 Linux 两种模式的比较研究.财贸经济.2005,4:66-71
73 吕俊杰,邱菀华,王元卓.网络安全投资外部性及博弈策略. 北京航空航天大学学报.2006,32(12):1499-1502
74 黄梯云,冯玉强,周宽久.决策支持系统中的建模知识表示研究.管理科学学报.2001, 4(1):45-51
75 孙剑颖.企业信息安全投资的经济学决策模型浅析.东北财经大学报. 2005,3:67-68
76 魏忠,邓高峰,孙绍荣,叶铭.信息安全管理集成原理探究.计算机工程与应用.2002,14:64-65
77 崔光耀.信息安全的经济视角.信息安全与通信保密.2004,4:13-15
78 王会杰.公安局域网感染病毒的原因及防治对策. 中国人民公安大学学报(自然科学版).2004,1: 63-64
79 张冰.电信网网络安全漏洞与补丁管理研究.电信网技术. 2006,7:14-18
80 王琳,张小梅.软件补丁管理在网络信息安全中的作用及趋势. 武汉理工大学学报.2005,27(3).87-89
81 王耀忠,黄丽华,王小卫,等.网络组织的结构及协调机制研究. 系统工程理论方法应用.2002,11(1):20-24
82 钱钢,达庆利.基于系统安全工程能力成熟模型的信息系统风险评估.管理工程学报.2001,15(4): 58-60
83 冯登国,张阳,张玉清.信息安全风险评估综述.通信学报.2004, 25 (7):10-18
84 王娜,方滨兴,罗建中.“5432”战略国家信息安全保障体系框架研究. 通信学报.2004,25(7):1-9
85 沈昌祥.基于可信平台构筑积极防御的信息安全保障框架.信息安全与通信保密.2004,9:17-18
86 江汉,尹浩,李学军,等.C4 ISR 体系对抗仿真中的信息优势度量. 系统工程与电子技术.2006, 28(1):88-90
87 陈宝国,李为.信息安全产业与信息安全经济分析. 中国安全科学学报. 2004,14(12):82-86
88 Bajari, P., Tadelis, S. Incentives versus transaction costs: a theory of procurement contracts. Rand Journal of Economics 2001,32: 387– 407
89 Akerlof, George. The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism. Quarterly Journal of Economics. 1970, 84: 488-500
90 Chiappori, Pierre-Andre, and Salanie, Bernard. Testing for Asymmetric Information in Insurance Markets. Journal of Political Economy. 2000,108 : 56-78
91 Finkelstein, Amy, and Poterba, James,. Adverse Selection in Insurance Markets: Policy holder Evidence from the U.K. Annuity Market. Journal of Political Economy, 2004,112: 183- 208
92 王刊良,刘庆.我国推进信息化代价的系统分析. 科学学与科学技术管理.2005,10:18-21
93 朱敏,张振辉,陈景艳.经济全球化环境中的网络脆弱性研究. 科研管理. 2002, 23(5):36-41
94 Nir Kshetri. Information and communications technologies, strategic asymmetry and national security. Journal of International Management.2005, 11: 563–580
95 黄元飞,何德全,陈明.CC 安全功能组件形式化分析.通信学报. 2003, 24(7): 164-169
96 蔡 研 , 赵 千 川 . 网 络 拓 扑 与 容 量 的 关 系 初 探 . 计 算 机 工 程 与 应用.2003,15:178-182
97 田莹杰,李南,江可申.小世界网络(SWN)及其在经济管理领域的应用.世界经济研究.2001,6: 83-87
98 Baoxian Zhang, Krunz M, Mouftah H T ea al.Stateless Qos routing in IP network. In globle telecommunications conference, Globecom Ieee.2001,3:1600-1604
99 TANG Yong,MA Yong-kai.Information Diffusion in Small-world Social Networks. Journal of System Simulation.2006,18(4):1084-1087
100 Sahasrabuddhe L H, Mukherjee B. Multicast routing algorithms and protocols: a tutorial.IEEE Network.2000,14(1):90-102
101 S. Nagaraja, R. J. Anderson. The topology of covert conflict. In Fifth workshop on the Economics of Information Security, Cambridge, England 2006:343-356
102 闵应骅.计算机网络路由研究综述. 计算机学报.2003,26(6):641-649
103 哈尔.R.范里安,费方域等译.微观经济学: 现代观点. 上海:上海三联书店, 上海人民出版社.2006:528-530
104 张维迎.博弈论与信息经济学.上海: 上海三联书店,上海人民出版社.2004:50-53
105 Vincent P. Crawford, Ping-Sing Kuo. A dual Dutch auction in Taipei: the choice of numeraire and auction form in multi-object auctions with bundling. Journal of Economic Behavior & Organization. 2003,51: 427–442
106 黎志成,刘枚莲.电子商务环境下的消费者行为研究.中国管理科学. 2002,10(6):88-91
107 谢康, 肖静华, 赵刚. 电子商务经济学.北京:电子工业出版社,2003:168-170
108 Matsuura, K. Information security and economics in computer networks: An interdisciplinary survey and a proposal of integrated optimization of investment, The 9th International Conference of Computing in Economics and Finance, 2003
109 Theodosios. Tsiakis, George.Stephanides.The economic approach of information security, Computers & Security.2005, 24:105-108
110 周曦民,陈长松.具有主动防御能力的智能信息安全管理系统.信息安全与通信保密.2004,10:84-86
111 J. Kennedy, R.C. Eberhart, Particle swarm optimization, Proc. IEEE Internat. Conf. on Neural Networks, Perth, Australia, Vol. 4, IEEE Service Center, Piscataway, NJ,1995,1942–1948
112 R.C. Eberhart, J. Kennedy, A new optimizer using particle swarm theory, 6th Internat. Symp. on Micro Machine and Human Science, Nagoya, Japan, IEEE Service Center, Piscataway, NJ, 1995: 39–43
113 M. Clerc, J. Kennedy, The particle swarm: explosion stability and convergence in a multi-dimensional complex space, IEEE Trans. Evolutionary Comput. 2002, 6(1):58–73
114 R.H. Anderson, et al, Securing the U.S. Defense Information Infrastructure:A Proposed Approach, RAND Document MR-993-OSD/NSA/DARPA (1999)
115 Jun Wang, Xiang Yang LI. Personalized On-line Service of Particle Swarm Optimization Cluster Analysis Algorithm.The Proceedings of the 6th World Congress on Control and Automation, 2006
116 J. Kennedy, R.C. Eberhart, A discrete binary version of the particle swarm algorithm, Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, 1997:4104–4108
117 张庆武, 郭东强.企业信息化投资的博弈分析.国土资源科技管理. 2002, 4 : 61-65
118 张庆武, 郭东强.国家政策对信息化投资的影响.信息技术.2003,20:67-71
119 黄学军, 吴冲锋.不确定环境下研发投资决策的期权博弈模型.中国管理科学.2006, 14(5): 33-37
120 余冬平,邱菀华.双寡头战略期权执行博弈均衡投资决策研究.北京航空航天大学学报 (社会科学版). 2006,19(4):5-8
121 杨勇,达庆利.不对称双寡头企业技术创新投资决策研究. 中国管理科学. 2005,13(4):94-99
122 简志宏,李楚霖.高新技术产业化的实物期权分析. 管理工程学报. 2002, 16 (4) : 76-79
123 Debasis Mishra, Dharmaraj Veeramani. Production, Manufacturing and Logistics Vickrey – Dutch procurement auction for multiple items. European Journal of Operational Research. 2007,180:617–629
124 Bart Lambrecht, William Perraudin. Real options and preemption under incomplete Information. Journal of Economic Dynamics & Control. 2003,27: 619–643
125 Han Hong, Matthew Shum.Econometric models of asymmetric ascending Auctions. Journal of Econometrics. 2003,112: 327–358
2 Ross Anderson, Tyler Moore.The Economics of Information Security. Science .2006, 314 (5799) :610–613
3 Hal R.Varian. Managing Online Security Risks. New York Times; New York, N.Y.; Jun 1, 2000:2-3
4 Ross. Anderson. Why information security is hard-An economic perspective. In: Proceeding of 17th Annual Computer Security Applications Conference, New Orleans, LA 2001:15-20
5 Lawrence A. Gordon, Martin P. Loeb,William Lucyshyn. Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy.2003 ,22 :461–485
6 Alfredo Garcia, Barry Horowitz. The Potential for Underinvestment in Internet Security: Implications for Regulatory Policy. The Fifth Workshop on Economics and Information Security, University of Cambridge,2006:32-43
7 Andrew Odlyzko.Cryptographic abundance and pervasive computing. iMP: Information Impacts Magazine. 2000, 6:25-37
8 John Adams. CARS, CHOLERA, AND COWS--The Management of Risk and Uncertainty. Policy analysis.1999,335:1-49
9 Benjamin Edelman, Adverse Selection in Online “Trust” Certifications. The Fifth Workshop on the Economics of Information Security, University of Cambridge, 2006,6:52-67
10 Nicholas Bohm, Ian Brown ,Brian Gladman. Electronic Commerce: Who Carries the Risk of Fraud? Journal of Information, Law and Technology. 2000, 3:1-34
11 Douglas A. Barnes. Deworming the Internet. Texas Law Review. 2004, 83: 279-329
12 Economides N. The economics of networks. International Journal of Industrial Organization .1996 ,1 (14) : 673 -700
13 Katz Michael , Carl Shapiro. Technology adoption in the presence of network externalities. Journal of Political Economy .1985 ,94 :822 – 841
14 Shapiro C ,Varian H.信息规则.北京:中国人民大学出版社,2000:88-90
15 Jari Raman. Network Effects and Software Development-Implications for Security. Proceedings of the 37th Hawaii International Conference on System Sciences. Hawaii, US,2004:38-46
16 Howard Kunreuther, Geoffrey Heal. Interdependent security. Journal of Risk and Uncertainty.2003, 26 (231): 231–249
17 Gordon, L. A., & Richardson, R. The New Economics of Information Security. Information Week, 2004: 53-56
18 Lawrence A. Gordon and Martin P. Loeb.The Economics of Information Security Investment. ACM Transactions on Information and System Security, 2002, 5(4): 438–457
19 Lawrence D. Bodin, Lawrence A. Gordon, And Martin P. Loeb.Evaluating Information Security Investments Using The Analytic Hierarchy Process. Communications of The ACM. 2005, 48(2):79-83
20 Jan Willemson .On the Gordon & Loeb Model for Information Security Investment. Fifth Workshop on the Economics of Information Security, University of Cambridge, 2006,6:68-75
21 Varian H.R. Systems reliability and free riding . In Economics of Information Security, L. J. Camp, S. Lewis, eds. (Kluwer Academic Publishers, 2004), vol. 12 of Advances in Information Security :1-15
22 Charles Iheagwara. The effect of intrusion detection management methods on the return on investment. Computers & Security .2004, 23: 213-228
23 Costas Lambrinoudakisa,T, Stefanos Gritzalisa, Petros Hatzopoulos ,et al. A formal model for pricing information systems insurance contracts. Computer Standards & Interfaces.2005, 27: 521–532
24 Bharat B. Madan, Katerina Go?eva-Popstojanova ,Kalyanaraman Vaidyanathan, et al. A method for modeling and quantifying the security attributes of intrusion tolerant systems. Performance Evaluation. 2004, 56:167–186
25 Mukul Gupta, Jackie Rees, Alok Chaturvedi, et al. Matching information security vulnerabilities to organizational security profiles: a geneticalgorithm approach. Decision Support Systems. 2006, 41: 592– 603
26 Gus Rodewald. Aligning Information Security Investments with a Firm's Risk Tolerance. Information Security Curriculum Development (InfoSecCD) Conference '05, Kennesaw, GA, USA,2005:89-112
27 Gal-Or, E. and A. Ghose. The Economic Consequences of Sharing Security Information[A]. Camp and Lewis (Eds), The Economics of Information Security[C], Kluwer, July 2004: 95-104
28 Gal-Or, E. and A. Ghose. The Economic Incentives for Sharing Security Information. Information Systems Research. 2005,16(2): 186-208
29 Anindya Ghose, Uday Rajan. The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare. Workshop on Economics and Information Security, Cambridge University, 2006,6:79-94
30 Krsul, I., Spafford, E. & Tripunitara, M. Computer vulnerability analysis. Department of Computer Sciences , Purdue University , West Lafayette : Technical Report Coast TR 98207 , 1998:34-61
31 Howard, J. An Analysis of Security Incidents On the Internet, PHD thesis, Carnegie Mellon University, 1998:31-53
32 Lipson, H. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, CERT/CC special report 2002:74-83
33 Shimeall, T. & Williams, P. Models of Information Security Trend Analysis, 2002, CERT/CC report,69-87
34 Arbaugh, W.A., Fithen, W. L. & McHugh, J. Windows of Vulnerability: A Case Study Analysis.,IEEE Computer, 2000,5:38-45
35 Stuart Schechter. How to buy better testing: Using competition to get the most security and robustness for your dollar. In Infrastructure Security Conference, Bristol, UK, October 2002:97-113
36 Stuart Schechter. Quantitatively differentiating system security. In Workshop on Economics and Information Security, Berkeley, CA, USA, May 2002:163-179
37 Stuart E. Schechter. Computer Security Strength &Risk: A Quantitative Approach. PhD thesis, Harvard University, Cambridge, MA, 2004:58-85
38 Andy Ozment. Bug Auctions: Vulnerability Markets Reconsidered.Workshop on Economics and Information Security. Minneapolis, MN, USA, May 13-14, 2004: 587-595
39 Camp, L. & Wolfram, C. Pricing Security. In Proceedings of the CERT Information Survivability Workshop, Boston, MA Oct. 24-26. 2000:320-339
40 Arora, A., Caulkins, J.P. & Telang, R. Provision of Software Quality in the Presence of Patching Technology, Carnegie Mellon University, working paper. 2003:23-54
41 Rainer Bohme.Vulnerability Markets- What is the economic value of a zero-day exploit? Proc. of 22C3, Berlin, Germany, 27–30 December 2005:59-76
42 Schneier, B., Computer Security: It's the Economics, Stupid. Workshop on Economics and Information Security, UC, Berkeley, 2002:203-214
43 Hoo, K. S.How Much Is Enough? A Risk Management Approach to Computer Security.Workshop on Economics and Information Security, University of California, Berkeley, CA, 2000:348-369
44 Karthik Kannan,Rahul Telang .An Economic Analysis of Market for Software Vulnerabilities. Workshop on Economics and Information Security . University of Minnesota ,USA,May 3, 2004:213-224
45 CERT (2003). CERT/CC Statistics 1988-2003, http://www.cert.org/stats/.
46 Jay Pil Choi, Chaim Fershtman, Neil. Preliminary and Incomplete Internet Security, Vulnerability Disclosure, and Software Provision. Workshop on Economics and Information Security . Harvard University,2005:78-84
47 Banker, R., Davis, G. & Slaughter, S. Software Development Practices, Software Engineering Complexities, and Software Maintenance. Management Science.1998,44: 433–450
48 Kenneth S. Corts.The interaction of task and asset allocation. International Journal of Industrial Organization .2006, 24: 887– 906
49 Dacey, R. F. Effective patch management is critical to mitigating software vulnerabilities. GAO-03-1138T.2003:57-62
50 Thomson K L , Solms R V. Information Security Obedience :A Definition . Computers & Security. 2005 , 24(1) :69--75.
51 Eric Rescorla. Is finding security holes a good idea? Workshop on Economics and Information Security, University of Minnesota USA,2004:43-75
52 Shostack, A. Quantifying patch management. Secure Business Quarterly. 2003.3(2):18-23
53 McGhie, L. Software patch management - the new frontier. Secure Business Quarterly, 2003.3(2):23-45
54 Donner, M. Patch management - bits, bad guys, and bucks! Secure Business Quarterly, 2003.3(2):45-52
55 Pruitt, S. Software users hit a rough patch. PC World, 2003, 10:48-58
56 Huseyin Cavusoglu, Hasan Cavusoglu, Jun Zhang.Economics of Security Patch Management. Workshop on Economics and Information Security, Cambridge, England, 2006:180-198
57 Ashish Arora, Ramayya Krishnan, Anand Nandkumar, et al. Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis. In Workshop on Economics and Information Security, University of Minnesota,USA, 2004:22-35
58 Arora Ashish, Rahul Telang and Hao Xu. Timing Disclosure of Software Vulnerability for Optimal Social Welfare,.Carnegie Mellon University working paper, April 2004:67-98
59 Ashish Arora, Rahul Telang and Hao Xu. Optimal Policy for Software Vulnerability Disclosure. Workshop on Economics and Information Security, University of Minnesota,USA,May 3, 2004:318-326
60 郑志彬,吴昊,辛阳.建立产学研结合的信息安全人才培养道路. 北京电子科技学院学报.2006,14(1):23-27
61 Michael E.Whitman, Herbert J.Mattord,徐焱译(M).信息安全原理.北京:清华大学出版社,2003: 67-96
62 李鹤田,刘云,何德全.信息系统安全风险评估研究综述. 中国安全科学学报.2006,16(1):108-113
63 刘艳, 曹鸿强.信息安全经济学初探.网络安全技术与应用.2003.3:21-23
64 刘卫东,刘毅,马丽等.论国家安全的概念及其特点. 世界地理研究. 2002, 11(2): 1-7
65 巨乃岐.信息安全的内涵与意义.齐鲁学刊. 2003,2:92-95
66 冯登国.可证明安全性理论与方法研究.软件学报. 2005,16(10):1743-1756
67 韩权印, 张玉清,王闵.信息安全管理实施要点研究. 计算机工程. 2005, 31(20):64-66
68 姜彦福, 雷家骕,曹宁.关于基于经济安全的信息安全问题. 清华大学学报(哲学社会科学版).2000,15(1):36-42
69 姚春序,范世涛.信息安全中的政治经济学问题.经济导刊.2002,7:43-45
70 王国才.网络外部性、差异化竞争与主流化策略研究. 中国管理科学. 2005,13(5):105-110
71 孙玉芳.Linux 真给国产操作系统发展提供了机遇吗?计算机科学. 2002, 29(7): 13-18
72 史晋川,刘晓东.软件商业模式与操作系统的市场结构——Windows 与 Linux 两种模式的比较研究.财贸经济.2005,4:66-71
73 吕俊杰,邱菀华,王元卓.网络安全投资外部性及博弈策略. 北京航空航天大学学报.2006,32(12):1499-1502
74 黄梯云,冯玉强,周宽久.决策支持系统中的建模知识表示研究.管理科学学报.2001, 4(1):45-51
75 孙剑颖.企业信息安全投资的经济学决策模型浅析.东北财经大学报. 2005,3:67-68
76 魏忠,邓高峰,孙绍荣,叶铭.信息安全管理集成原理探究.计算机工程与应用.2002,14:64-65
77 崔光耀.信息安全的经济视角.信息安全与通信保密.2004,4:13-15
78 王会杰.公安局域网感染病毒的原因及防治对策. 中国人民公安大学学报(自然科学版).2004,1: 63-64
79 张冰.电信网网络安全漏洞与补丁管理研究.电信网技术. 2006,7:14-18
80 王琳,张小梅.软件补丁管理在网络信息安全中的作用及趋势. 武汉理工大学学报.2005,27(3).87-89
81 王耀忠,黄丽华,王小卫,等.网络组织的结构及协调机制研究. 系统工程理论方法应用.2002,11(1):20-24
82 钱钢,达庆利.基于系统安全工程能力成熟模型的信息系统风险评估.管理工程学报.2001,15(4): 58-60
83 冯登国,张阳,张玉清.信息安全风险评估综述.通信学报.2004, 25 (7):10-18
84 王娜,方滨兴,罗建中.“5432”战略国家信息安全保障体系框架研究. 通信学报.2004,25(7):1-9
85 沈昌祥.基于可信平台构筑积极防御的信息安全保障框架.信息安全与通信保密.2004,9:17-18
86 江汉,尹浩,李学军,等.C4 ISR 体系对抗仿真中的信息优势度量. 系统工程与电子技术.2006, 28(1):88-90
87 陈宝国,李为.信息安全产业与信息安全经济分析. 中国安全科学学报. 2004,14(12):82-86
88 Bajari, P., Tadelis, S. Incentives versus transaction costs: a theory of procurement contracts. Rand Journal of Economics 2001,32: 387– 407
89 Akerlof, George. The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism. Quarterly Journal of Economics. 1970, 84: 488-500
90 Chiappori, Pierre-Andre, and Salanie, Bernard. Testing for Asymmetric Information in Insurance Markets. Journal of Political Economy. 2000,108 : 56-78
91 Finkelstein, Amy, and Poterba, James,. Adverse Selection in Insurance Markets: Policy holder Evidence from the U.K. Annuity Market. Journal of Political Economy, 2004,112: 183- 208
92 王刊良,刘庆.我国推进信息化代价的系统分析. 科学学与科学技术管理.2005,10:18-21
93 朱敏,张振辉,陈景艳.经济全球化环境中的网络脆弱性研究. 科研管理. 2002, 23(5):36-41
94 Nir Kshetri. Information and communications technologies, strategic asymmetry and national security. Journal of International Management.2005, 11: 563–580
95 黄元飞,何德全,陈明.CC 安全功能组件形式化分析.通信学报. 2003, 24(7): 164-169
96 蔡 研 , 赵 千 川 . 网 络 拓 扑 与 容 量 的 关 系 初 探 . 计 算 机 工 程 与 应用.2003,15:178-182
97 田莹杰,李南,江可申.小世界网络(SWN)及其在经济管理领域的应用.世界经济研究.2001,6: 83-87
98 Baoxian Zhang, Krunz M, Mouftah H T ea al.Stateless Qos routing in IP network. In globle telecommunications conference, Globecom Ieee.2001,3:1600-1604
99 TANG Yong,MA Yong-kai.Information Diffusion in Small-world Social Networks. Journal of System Simulation.2006,18(4):1084-1087
100 Sahasrabuddhe L H, Mukherjee B. Multicast routing algorithms and protocols: a tutorial.IEEE Network.2000,14(1):90-102
101 S. Nagaraja, R. J. Anderson. The topology of covert conflict. In Fifth workshop on the Economics of Information Security, Cambridge, England 2006:343-356
102 闵应骅.计算机网络路由研究综述. 计算机学报.2003,26(6):641-649
103 哈尔.R.范里安,费方域等译.微观经济学: 现代观点. 上海:上海三联书店, 上海人民出版社.2006:528-530
104 张维迎.博弈论与信息经济学.上海: 上海三联书店,上海人民出版社.2004:50-53
105 Vincent P. Crawford, Ping-Sing Kuo. A dual Dutch auction in Taipei: the choice of numeraire and auction form in multi-object auctions with bundling. Journal of Economic Behavior & Organization. 2003,51: 427–442
106 黎志成,刘枚莲.电子商务环境下的消费者行为研究.中国管理科学. 2002,10(6):88-91
107 谢康, 肖静华, 赵刚. 电子商务经济学.北京:电子工业出版社,2003:168-170
108 Matsuura, K. Information security and economics in computer networks: An interdisciplinary survey and a proposal of integrated optimization of investment, The 9th International Conference of Computing in Economics and Finance, 2003
109 Theodosios. Tsiakis, George.Stephanides.The economic approach of information security, Computers & Security.2005, 24:105-108
110 周曦民,陈长松.具有主动防御能力的智能信息安全管理系统.信息安全与通信保密.2004,10:84-86
111 J. Kennedy, R.C. Eberhart, Particle swarm optimization, Proc. IEEE Internat. Conf. on Neural Networks, Perth, Australia, Vol. 4, IEEE Service Center, Piscataway, NJ,1995,1942–1948
112 R.C. Eberhart, J. Kennedy, A new optimizer using particle swarm theory, 6th Internat. Symp. on Micro Machine and Human Science, Nagoya, Japan, IEEE Service Center, Piscataway, NJ, 1995: 39–43
113 M. Clerc, J. Kennedy, The particle swarm: explosion stability and convergence in a multi-dimensional complex space, IEEE Trans. Evolutionary Comput. 2002, 6(1):58–73
114 R.H. Anderson, et al, Securing the U.S. Defense Information Infrastructure:A Proposed Approach, RAND Document MR-993-OSD/NSA/DARPA (1999)
115 Jun Wang, Xiang Yang LI. Personalized On-line Service of Particle Swarm Optimization Cluster Analysis Algorithm.The Proceedings of the 6th World Congress on Control and Automation, 2006
116 J. Kennedy, R.C. Eberhart, A discrete binary version of the particle swarm algorithm, Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, 1997:4104–4108
117 张庆武, 郭东强.企业信息化投资的博弈分析.国土资源科技管理. 2002, 4 : 61-65
118 张庆武, 郭东强.国家政策对信息化投资的影响.信息技术.2003,20:67-71
119 黄学军, 吴冲锋.不确定环境下研发投资决策的期权博弈模型.中国管理科学.2006, 14(5): 33-37
120 余冬平,邱菀华.双寡头战略期权执行博弈均衡投资决策研究.北京航空航天大学学报 (社会科学版). 2006,19(4):5-8
121 杨勇,达庆利.不对称双寡头企业技术创新投资决策研究. 中国管理科学. 2005,13(4):94-99
122 简志宏,李楚霖.高新技术产业化的实物期权分析. 管理工程学报. 2002, 16 (4) : 76-79
123 Debasis Mishra, Dharmaraj Veeramani. Production, Manufacturing and Logistics Vickrey – Dutch procurement auction for multiple items. European Journal of Operational Research. 2007,180:617–629
124 Bart Lambrecht, William Perraudin. Real options and preemption under incomplete Information. Journal of Economic Dynamics & Control. 2003,27: 619–643
125 Han Hong, Matthew Shum.Econometric models of asymmetric ascending Auctions. Journal of Econometrics. 2003,112: 327–358