Configuration of intrusion prevention systems based on a legal user: the case for using intrusion prevention systems instead of intrusion detection systems

An intrusion prevention system (IPS) acts as a new type of information security technology, the configuration and management of which are currently urgent problems; in particular, debate exists regarding the value of these systems. In this paper, we analyse whether a firm realizes a positive or negative value from using an IPS instead of an intrusion detection system (IDS) in a default configuration and an optimal configuration, respectively. Our results suggest: (a) an IPS could hurt the firm when not configured optimally; (b) the optimal configuration of the IPS depends not only on the cost parameters but also on the external environment (quality of the IDS) in which the firm is operating; (c) whether the IDS is optimally configured or not, the firm will make the same decisions between using the IPS instead of the IDS and continuing to use the IDS; and (d) except for the true positive rate of IDS being in a certain region and the blocking cost being sufficiently high, the firm realizes a strictly nonnegative value if the firm configures the IPS optimally.