Information Systems Research

INFORMATION SYSTEMS RESEARCH
Vol. 16, No. 1, March 2005, pp. 28-46
DOI: 10.1287/isre.1050.0041

The Value of Intrusion Detection Systems in Information Technology Security Architecture

Huseyin Cavusoglu, Birendra Mishra, Srinivasan Raghunathan

A. B. Freeman School of Business, Tulane University, 7 McAlister Drive, Goldring/Woldenberg Hall, New Orleans, Louisiana 70118
School of Management, University of Texas at Dallas, Richardson, Texas 75083, and Anderson Graduate School of Management, University of California, Riverside, Riverside, California 92521
School of Management, University of Texas at Dallas, Richardson, Texas 75083

huseyin{at}tulane.edu
barry.mishra{at}ucr.edu
sraghu{at}utdallas.edu

The increasing significance of information technology (IT) security to firms is evident from their growing IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems (IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating, a debate exists in the IT security community about the value of these technologies. In this paper, we seek to assess the value of IDSs in a firm’s IT security architecture. We find that the IDS configuration, represented by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only when the detection rate is higher than a critical value, which is determined by the hacker’s benefit and cost parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However, irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to better target its investigation of users, while keeping the detection rate the same. Our results suggest that the positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures the IDS optimally based on the hacking environment.

Key Words: economics of IT security; intrusion detection systems (IDSs); ROC curves; security configuration; IT security management
History: This paper was received on December 5, 2001.


This article has been cited by other articles:

Y. U. Ryu and H.-S. Rhee
Improving Intrusion Prevention Models: Dual-Threshold and Dual-Filter Approaches
INFORMS Journal on Computing, June 1, 2008; 20(3): 356-367.

T. August and T. I. Tunca
Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions
Information Systems Research, March 1, 2008; 19(1): 48-70.

H. Ogut, H. Cavusoglu, and S. Raghunathan
Intrusion-Detection Policies for IT Security Breaches
INFORMS Journal on Computing, January 1, 2008; 20(1): 112-123.

J. Zhuang and V. M. Bier
Balancing Terrorism and Natural Disasters Defensive Strategy with Endogenous Attacker Effort
Operations Research, September 1, 2007; 55(5): 976-991.



Copyright © 2005 by INFORMS.