In this paper, we assume the security level of a system is a quantifiable metric and apply the insurance company ruin theory in assessing the defense failure frequencies. The current security level of an information system can be viewed as the initial insurer surplus; defense investment can be viewed as premium income resulting in an increase in the security level; cyberattack arrivals follow a Poisson process, and the impact of attacks is modeled as losses on the security level. The occurrence of cyber breach is modeled as a ruin event. We use this framework to determine optimal investment in cyber security that minimizes the total cyber costs. We show by numerical examples that there is an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer.

中文翻译：

---

使用盈余过程模拟支出对网络安全的影响

在本文中，我们假设系统的安全级别是可量化的度量标准，并将保险公司破产理论应用于评估防御失败的频率。信息系统当前的安全级别可以看作是保险公司的初始盈余；国防投资可以看作是保费收入，可以提高安全水平；网络攻击的到达遵循泊松过程，攻击的影响被建模为安全级别上的损失。网络破坏的发生被建模为破坏事件。我们使用此框架来确定最佳的网络安全投资，以最大程度地降低总网络成本。我们通过数字示例显示，总的网络安全预算可以最佳分配给（1）IT安全维护/维护支出与（2）外部网络风险转移。