Managed security service providers (MSSPs) have long provided clients with cost-effective methods and professional solutions for addressing issues related to information security. MSSPs provide three categories of security services, namely, prevention, detection, and response, to satisfy their clients’ security requirements and realize business value. This study develops a system dynamics model of the correlation between the security investment strategies of an MSSP and the effect of its business value. Simulations under opportunistic and targeted attacks are performed to discuss the effects of the various security investment strategies of an MSSP on its business value. The study results indicate that investing in prevention has a stronger effect on the business value of an MSSP than investing in detection and response and that security investments on opportunistic attacks are more efficient than those on targeted attacks. Sensitivity analysis shows the robustness of the system dynamics model proposed in this study.
Bibliographical noteFunding Information:
The authors are very grateful to all anonymous reviewers whose invaluable comments and suggestions substantially helped improve the quality of the article. The research was supported by the National Natural Science Foundation of China (nos. 71871155 and 71631003 ).
© 2019 Elsevier B.V.
- Business value
- Managed security service
- Security investment
- System dynamics