Abstract

The increasing dependence on information networks for business operations has focused managerial attention on managing the risks posed by failure of these networks. In this paper, we develop models to assess the risk of failure of an information network due to attacks that exploit known software vulnerabilities. Software vulnerabilities arise from the software installed on the nodes of the network. When the same software stack is installed on multiple nodes, those nodes share its vulnerabilities, and a single exploit can cause their correlated failure, which lengthens repair times and reduces the availability of the network. We show that considering positive network effects (e.g., compatibility) alone, without taking into account the risk of correlated failure and the resulting availability costs, leads to over-investment in homogeneous software installations. Using diversity to limit correlated failure is a widely accepted risk management strategy in many fields, e.g., insurance and portfolio management. In those settings, however, diversification benefits only risk-averse agents, because the expected loss remains unchanged. Treating software diversification as a managerial lever, we show that the expected loss under homogeneous software deployment is higher than under diverse software deployment, which makes diversification appealing even to risk-neutral firms. Our analysis suggests that security risk is a cost that firms should take into account when developing their IT infrastructure. Exploiting characteristics unique to information systems, we present an analytical framework that quantifies the security loss faced by a firm as a function of investment in security technologies to avert attacks, software diversification to limit correlated failure under attack, and IT resources to repair failures due to attacks. We analyze the effectiveness of the diversification strategy under different operating conditions.
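To make the contrast between the insurance analogy and the information-network case concrete, the following Python model is an added illustration written for this page; it is not the paper's model or code. It assumes a constructed setting: n nodes split evenly over m software stacks, each stack independently exploited with probability p, an exploit taking down every node running that stack at once, and a fixed number of repair teams that each fix one node per time unit. The function and parameter names (n_nodes, n_stacks, p_exploit, repair_teams) and the backlog cost are assumptions for the example. With a per-node (linear) loss, the expected loss is n*p whatever m is, which is the portfolio case where diversification only trims variance; once repair capacity is finite, simultaneous failures queue, loss becomes convex in the number of failed nodes, and expected loss itself falls as the stack count grows or as repair capacity is added.

```python
from fractions import Fraction
from math import comb


def downtime(k, repair_teams):
    """Total node-time units lost when k nodes fail together and are repaired
    by `repair_teams` teams, one node per team per time unit.  The i-th node
    to be fixed waits ceil(i / repair_teams) units, so the total grows roughly
    quadratically in k: a repair backlog makes k correlated failures cost more
    than k isolated ones.  (Constructed cost model, not the paper's.)"""
    return sum(-(-i // repair_teams) for i in range(1, k + 1))


def linear_loss(k, repair_teams):
    """Per-node loss with no backlog effect: the insurance/portfolio case."""
    return Fraction(k)


def backlog_loss(k, repair_teams):
    """Loss when failed nodes queue for a limited number of repair teams."""
    return Fraction(downtime(k, repair_teams))


def expected_loss(n_nodes, n_stacks, p_exploit, repair_teams, loss_fn):
    """Expected loss for n_nodes split evenly over n_stacks distinct stacks.

    Each stack is hit by an exploit with probability p_exploit, independently
    of the others; a hit takes down every node running that stack.  The number
    of compromised stacks j is therefore Binomial(n_stacks, p_exploit) and
    j * (n_nodes / n_stacks) nodes fail simultaneously.  Fractions keep the
    arithmetic exact."""
    if n_nodes % n_stacks:
        raise ValueError("nodes must split evenly over stacks in this model")
    per_stack = n_nodes // n_stacks
    total = Fraction(0)
    for j in range(n_stacks + 1):
        prob = comb(n_stacks, j) * p_exploit ** j * (1 - p_exploit) ** (n_stacks - j)
        total += prob * loss_fn(j * per_stack, repair_teams)
    return total


def compare(n_nodes=8, p_exploit=Fraction(1, 10), repair_teams=1, stack_counts=(1, 2, 4)):
    """Map stack count -> (expected linear loss, expected backlog loss)."""
    return {
        m: (
            expected_loss(n_nodes, m, p_exploit, repair_teams, linear_loss),
            expected_loss(n_nodes, m, p_exploit, repair_teams, backlog_loss),
        )
        for m in stack_counts
    }


if __name__ == "__main__":
    # Constructed parameters: 8 nodes, 10% exploit probability per stack per
    # period, one repair team.  Linear loss is identical across deployments;
    # backlog loss falls as the deployment is diversified.
    for m, (lin, back) in compare().items():
        print(f"{m} stack(s): linear E[loss]={float(lin):.2f}  "
              f"backlog E[loss]={float(back):.2f}")
    # Adding repair capacity removes the backlog and with it the gap.
    for m, (lin, back) in compare(repair_teams=8).items():
        print(f"{m} stack(s), 8 teams: backlog E[loss]={float(back):.2f}")
```

The first loop shows the abstract's point: a risk-neutral firm that only looks at the expected number of failed nodes sees no benefit from diversifying, but once repair time grows with the size of a correlated outage the homogeneous deployment has the strictly higher expected loss. The second loop shows the other lever the abstract names, IT repair resources: with enough teams to repair all nodes in parallel the backlog vanishes and diversification no longer changes expected loss.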
