Optimal configuration of intrusion detection systems
Information Technology and Management (IF 2.310), Pub Date: 2021-01-11, DOI: 10.1007/s10799-020-00319-z
Birendra Mishra, Inna Smirnova

An important requirement of an intrusion detection system (IDS) is that it be effective and efficient; that is, it should detect a large percentage of intrusions, while still keeping the false alarm rate at an acceptable level. In order to meet this requirement, the model and algorithm used by the IDS need to be calibrated or configured. The optimal configuration depends on several factors. The first factor is the quality profile of the IDS as indicated by its ROC (receiver operating characteristics) curve, which relates the detection accuracy and the false alarm rate. The shape of the ROC curve depends on the detection technology used by the IDS. The second factor is the cost structure of the firm using the IDS. The third factor is the strategic behavior of hackers. A hacker’s behavior is influenced by the likelihood that (s)he will be caught, which, in turn, is dependent on the configuration of the IDS. In this article, we present an economic optimization model based on game theory that provides insights into the optimal configuration of an IDS. We present analytical as well as computational results. Our work extends the growing literature on the economics of information security. The main innovation of our approach is the inclusion of strategic interactions between IDS, firm, and hackers in the determination of the optimal configuration and an algorithm to do so.




Updated: 2021-01-11