The management of intrusion detection: Configuration, inspection, and investment

This paper analyzes intrusion detection decisions in the presence of multiple alarm types, which differ in occurrence probabilities, damage and investigation costs. Specifically, multi-period optimization models are used to study three critical decisions associated with intrusion detection: (i) Allocation of the investigation budget to different periods and to different alarm types; (ii) Configuration of an intrusion detection system (IDS), i.e. choosing a false alarm rate for a given IDS; and (iii) Allocation of an appropriate amount of the investigation budget in the presence of alternative investment opportunities. Three models that cascade onto each other are presented. We minimize the sum of security costs including damages, due to ignored alarms, the investigation cost and the undetected intrusion cost. We show that it can be optimal to ignore non-critical alarms in order to allocate more of the investigation budget to critical alarms that may occur in the future. We establish that the security costs decrease as the investigation budget increases. Our last model deals with security investments—in the form of an investigation budget. The investigation budget must be increased until the rate of increase in savings in security costs due to the additional budget are equal to the internal rate of return of an organization. These analyses are done with explicit (derived) cost functions, as opposed to implicit (assumed) cost functions. We conclude by providing additional managerial insights and numerical examples.