Concepedia

TLDR

IT security budgets are rising, and firms rely on firewalls and intrusion detection systems, yet the community debates the true value of these technologies. This study evaluates the value that intrusion detection systems bring to a firm's IT security architecture. The value of an IDS depends on its detection and false‑alarm rates; a firm gains a positive value only when detection exceeds a critical threshold set by hacker incentives, which then deters attackers, while even sub‑optimal configurations still aid targeted investigations, and optimal tuning guarantees a non‑negative benefit.

Abstract

The increasing significance of information technology (IT) security to firms is evident from their growing IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems (IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating, a debate exists in the IT security community about the value of these technologies. In this paper, we seek to assess the value of IDSs in a firm’s IT security architecture. We find that the IDS configuration, represented by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only when the detection rate is higher than a critical value, which is determined by the hacker’s benefit and cost parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However, irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to better target its investigation of users, while keeping the detection rate the same. Our results suggest that the positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures the IDS optimally based on the hacking environment.

References

YearCitations

Page 1