| Field | Value |
|---|---|
| Graduate student: | 洪肇蔚 Hung, Jaway |
| Thesis title: | 資訊安全建置最適化投資策略之研究 (The optimal investment strategy of information security architecture) |
| Advisors: | 賴溪松 Laih, Chi-Sung; 廖俊雄 Liao, Chun-Hsiung |
| Degree: | Master |
| Department: | College of Management - Department of Transportation and Communication Management Science |
| Year of publication: | 2004 |
| Academic year of graduation: | 92 |
| Language: | English |
| Number of pages: | 47 |
| Chinese keywords: | 投資報酬 (return on investment), 知覺擴散 (awareness diffusion), 資訊安全 (information security) |
| Foreign-language keywords: | information security, awareness diffusion, return-on-investment |
| Access statistics: | Views: 85, Downloads: 15 |
The Internet industry has been predicted to become an emerging industry with a major impact on a nation's economic competitiveness and even on people's daily lives. More and more enterprises use computer networks to conduct business transactions, share data, and link offices with factories, transmitting internal and external information and keeping in contact. The network has successfully served as a bridge that increases information and reduces costs.
However, benefits and drawbacks always go together. Malicious parties using illegal means to intrude into enterprises and steal, read, alter, or destroy important data have become a nightmare for many enterprises. Complex attack patterns and hard-to-resolve viruses often cause enterprises enormous losses. Yet information security products, whether software or hardware, are expensive and hard for an ordinary enterprise to afford. Cost-effective investment is therefore the key factor in an enterprise's decision on how much to invest in information security.
This thesis attempts to identify the optimal information security investment strategy under various degrees of threat. It examines the optimal investment amount in both static and dynamic settings, which not only provides enterprise security managers with a theoretical background for evaluating the risk and benefit of information security, but also helps enterprises reach the most economically efficient investment. The conclusions of this study are as follows:
Conclusions
1. Optimal information security investment strategies under different degrees of threat:
a) When the degree of threat is too high, enterprise managers should not concentrate funds on the repeated purchase of, and investment in, information security products; instead, they should address the security education and training of the employees who use information technology products and the vulnerabilities of the information technology products themselves, so that information security problems are solved at the root and the invested funds are used efficiently.
b) The larger the number of potential users, the higher the monopolist's optimal investment in information security.
c) The increment of the optimal information security investment decreases as the number of potential users increases.
2. Condition for the optimal information security investment in the dynamic case:
If the net present value is zero, the optimal information security investment strictly decreases over time.
3. The firm's optimal time to upgrade information security products:
When the firm's first-period gross profit equals its second-period gross profit, upgrading the information security product at that time maximizes its profit.
This study establishes a threat-versus-investment model that considers profit maximization by a monopolist and how the degree of threat influences the optimal investment. The present analysis indicates that the benefit-cost ratio increases weakly with threat. Monopoly firms should consider the degree of threat they face and assess a reasonable investment in security to avoid inefficiencies. On the other hand, market population significantly affects a firm's investment. The present analysis also demonstrates that the optimal investment in information security strictly increases with market potential (or firm size), while the increment of the optimal investment decreases as market potential increases.
In the first dynamic model, the concept used to model the market diffusion of new products is applied to dynamic investment. This study examines whether improving information security can be viewed as a method of improving quality of service and reputation, since awareness of information security diffuses by word of mouth, and how monopolists optimize their information security investment strategies through this dynamic process.
On the other hand, the product adoption equation is then converted into a sales equation. By showing that firms maximize their profit over two product generations, this study proves that firms may suffer losses when the upgrade time is too early, owing to deadweight losses, and that adopters may suffer losses when the upgrade time is too late, because customers will perceive a reduced quality of service and will not adopt safeguards again. Thus, this study proposes that the optimal upgrade time for investment in information security occurs when the firm's first- and second-generation gross profits are equal.