Publication

Network structures, audit policies and the cost of security breaches

Ghosh, Vashkar
Anand, Paul
Zhang, Na
Zhu, Lingjiong
Issue Date
2025-06-25
Type
Article
Keywords
Audit policies, Cost of breach, Network, Security breaches
Citation
Ghosh, V., Paul, A., Zhang, N., & Zhu, L. (2025). Network Structures, Audit Policies and the Cost of Security Breaches. Production and Operations Management, 0(0). https://doi.org/10.1177/10591478251356431
Abstract
Over the last decade, and especially recently, a wide range of industries and organizations have been subject to IT-related security threats and cybersecurity breaches of varying severity at an alarming rate. A common practice adopted by organizations to ensure system and network security is to conduct regular audits and assessments. This paper takes an organizational strategy perspective to analytically model the cost impact of random breaches in various types of networks subject to different types of audit policy. The analysis focuses on the interplay between the cost associated with a security breach on the one hand and the audit policy on the other. We develop a model for a non-stationary stochastic arrival process of security breaches and analyze the impact on the mean and variance of total cost for different network configurations and audit policies. The generality of our modeling of the arrival process and the cost function permits a variety of attack and cost landscapes to be modeled and analyzed, with different breach intensities and costs (as functions of time) leading to different recommendations in terms of effective audit policy. Our analysis highlights the impact of the intensity of security breaches and the cost of a breach on the interaction between different network configurations and audit policies. One of our counter-intuitive findings is that under high security threat conditions a centralized network has a lower mean as well as a lower variance of total cost than a decentralized network in the case of cyclic and random audits; this analytically derived proposition is an interesting instance of a dual risk-pooling effect that goes beyond conventional risk-pooling. We extend our analysis to consider an asymmetric network and correlated breaches. © The Author(s) 2025
Description
This is an open access article under the CC BY license.
Publisher
SAGE Publications Ltd
Journal
Production and Operations Management
ISSN
10591478