Effect of security investment strategy on the business value of managed security service providers

Managed security service providers (MSSPs) have long provided clients with cost-effective methods and professional solutions for addressing issues related to information security. MSSPs provide three categories of security services, namely, prevention, detection, and response, to satisfy their clients' security requirements and realize business value. This study develops a system dynamics model of the correlation between the security investment strategies of an MSSP and the effect of its business value. Simulations under opportunistic and targeted attacks are performed to discuss the effects of the various security investment strategies of an MSSP on its business value. The study results indicate that investing in prevention has a stronger effect on the business value of an MSSP than investing in detection and response and that security investments on opportunistic attacks are more efficient than those on targeted attacks. Sensitivity analysis shows the robustness of the system dynamics model proposed in this study.