Investment strategy analysis of information systems with different security levels

At present, some firms use a few information systems with different security levels to protect different information assets and some firms use the information system with a single security level to protect all the information assets. Which choice is rational? How to configure the investment if the first choice is necessary? This paper gives an optimal investment strategy analysis through modeling the game between the firm and the attacker and gives a numerical simulation finally. Some conclusions include that the firm should use the information systems with a single security level to protect all the information assets instead of using a few sets of information systems with different security levels to protect different assets for more utilities etc. And the conclusions can help decision-making.