Application of Game Theory to Information Security Investment
Abstract
With the growth of Internet technology and the information industry, information security incidents are rising sharply. According to 2009 statistics, network attacks cost China more than 7 billion RMB every year, with banks and other financial institutions hit hardest. Enterprises keep raising their information security budgets, yet the effect is not obvious. Deciding the right level of security investment is therefore a central and difficult problem for both industry and academia. In practice most enterprises analyze security investment with traditional decision-analysis techniques such as decision trees. These methods neglect the strategic confrontation between the enterprise and the hacker, and so lead to wrong investment decisions. This thesis treats the decisions of the enterprise and the hacker as interdependent, applies game theory to the security investment problem, and analyzes how the order of moves between enterprise and hacker affects the investment decision.
     The thesis first presents a decision-tree model, a static (simultaneous-move) game, a dynamic game in which the enterprise moves first and the hacker responds (dynamic game I), and a dynamic game in which the hacker moves first and the enterprise responds (dynamic game II). Comparing the models shows that the enterprise's payoff from security investment is lowest in the static game, while in dynamic game II its investment level is lowest but its payoff highest. Under the decision-tree approach the enterprise's investment level and payoff depend on its estimate of the hacker's attack cost, and they coincide with the game-theoretic result only when the estimation error is small enough. Finally, a comparative static analysis of three parameters, vulnerability, expected loss and hacker payoff, shows that the investment level is an increasing function of each of them, whereas the ratio of investment to expected loss is a decreasing function of expected loss. These conclusions offer a reference for security investment decisions in practice.
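The mechanism summarized above, a firm choosing an investment level against a hacker who best-responds to it, as an added, self-contained illustration written for this page rather than taken from the thesis. The breach-probability function, the hacker's attack rule and every parameter value are assumptions: a Gordon-Loeb class-I form s(z) = v/(1+z), a hacker who attacks only when expected gain s(z)*G exceeds cost c, and constructed numbers chosen so the arithmetic can be checked by hand. It covers the decision-tree rule and the firm-moves-first game only; the static and hacker-first games of the thesis are not reproduced, so it makes no claim about their relative payoffs.

```python
"""Toy model of security investment as a firm-vs-hacker game.

Added illustration, not the thesis's own model.  Assumed functional forms:
  - breach probability if attacked: s(z) = v / (1 + z)  (Gordon-Loeb class I
    with alpha = beta = 1), z = firm's investment in money units
  - hacker payoff from attacking a firm that invested z: s(z) * G - c
  - firm payoff: -z - s(z) * L if attacked, -z otherwise
All parameter values used below are constructed for the illustration.
"""
import math

EPS = 1e-9  # a hacker with zero (or rounding-noise) expected gain does not attack


def breach_prob(z, v):
    """Probability a launched attack succeeds after investment z (assumed form)."""
    return v / (1.0 + z)


def hacker_attacks(z, v, G, c):
    """Hacker's best response to an observed investment level z."""
    return breach_prob(z, v) * G - c > EPS


def firm_payoff(z, v, L, G, c):
    """Realized firm payoff once the hacker best-responds to z."""
    loss = breach_prob(z, v) * L if hacker_attacks(z, v, G, c) else 0.0
    return -z - loss


def decision_tree_investment(v, L, G, c_hat):
    """Decision-tree firm: the attack is a chance node whose probability is fixed
    from the firm's estimate c_hat of the hacker's cost, evaluated at today's
    exposure v*G.  The hacker's reaction to z is NOT modelled."""
    p_hat = 1.0 if v * G > c_hat else 0.0
    # minimise z + p_hat * s(z) * L  ->  z = sqrt(p_hat * v * L) - 1, clipped at 0
    return max(0.0, math.sqrt(p_hat * v * L) - 1.0)


def firm_first_equilibrium(v, L, G, c):
    """Dynamic game with the firm moving first: it commits to z, the hacker
    best-responds.  Backward induction leaves three candidate investments:
      0      : invest nothing
      z_acc  : optimal if the firm accepts being attacked (argmin z + s(z)*L)
      z_det  : smallest z at which attacking is no longer profitable
    Returns (z, firm payoff, whether the hacker attacks in equilibrium)."""
    z_acc = max(0.0, math.sqrt(v * L) - 1.0)
    z_det = max(0.0, v * G / c - 1.0) if c > 0 else math.inf
    best = max((0.0, z_acc, z_det), key=lambda z: firm_payoff(z, v, L, G, c))
    return best, firm_payoff(best, v, L, G, c), hacker_attacks(best, v, G, c)


if __name__ == "__main__":
    # Constructed parameters: vulnerability v, expected loss L, hacker gain G,
    # true hacker cost c (unknown to the decision-tree firm).
    v, L, G, c = 0.5, 50.0, 300.0, 10.0

    print("decision-tree rule, realized against the hacker's true response:")
    for c_hat in (5.0, 200.0):
        z = decision_tree_investment(v, L, G, c_hat)
        print(f"  c_hat={c_hat:6.1f}  z={z:5.2f}  payoff={firm_payoff(z, v, L, G, c):7.2f}")

    z, pay, att = firm_first_equilibrium(v, L, G, c)
    print(f"firm-first game: z={z:.2f} payoff={pay:.2f} attacked={att}")

    print("comparative statics of the firm-first equilibrium:")
    for label, params in (("higher v", (0.8, L, G, c)),
                          ("higher L", (v, 200.0, G, c)),
                          ("lower G ", (v, L, 60.0, c))):
        z2, pay2, att2 = firm_first_equilibrium(*params)
        print(f"  {label}: z={z2:6.2f}  z/L={z2 / params[1]:.3f}  attacked={att2}")
```

With these numbers the decision-tree firm invests 4.0 if it believes the hacker's cost is low and 0.0 if it overestimates the cost, a jump driven entirely by the estimate; the game-theoretic firm, which models the hacker's response, picks between deterring (z_det) and accommodating (z_acc) by comparing realized payoffs. Raising v or L moves the equilibrium investment up, raising L from 50 to 200 lowers the ratio z/L, and a smaller hacker gain G lowers the investment, matching the direction of the comparative statics stated in the abstract for this toy form.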
