Improving it security through security measures: Using our game-theory-based model of it security implementation

Abstract

We developed a quantitative model based on game theory related to IT security promotion and implementation in an organization. This model clarified the kinds of organizational conditions in which an employee does or does not carry out security measures. We also clarified the desired and undesired conditions for security implementation in an organization. In addition, we showed that an extremely undesirable dilemma that hitherto has not attracted attention might occur. Then we applied this model to an incident that occurred at a certain school. Using public information and survey data, we calculated the parameters of the model quantitatively. Then we found what kinds of changes to the parameters would be effective for making security improvements. Furthermore, we used the model to show the appropriate order of promoting security measures.