Security metrics and security investment models

Authors:
Rainer Böhme
Affiliations:
International Computer Science Institute, Berkeley, California
Venue:
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Year:
2010

Citing 16
Cited 1

The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Toward cost-sensitive modeling for intrusion detection and response

Journal of Computer Security
Evaluating information security investments using the analytic hierarchy process

Communications of the ACM - Medical image modeling
The Value of Intrusion Detection Systems in Information Technology Security Architecture

Information Systems Research
The Economic Incentives for Sharing Security Information

Information Systems Research
Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability

Information Systems Frontiers
Security Metrics: Replacing Fear, Uncertainty, and Doubt

Security Metrics: Replacing Fear, Uncertainty, and Doubt
Secure or insure?: a game-theoretic analysis of information security games

Proceedings of the 17th international conference on World Wide Web
Intrusion Prevention in Information Systems: Reactive and Proactive Responses

Journal of Management Information Systems
Investments in Information Security: A Real Options Perspective with Bayesian Postaudit

Journal of Management Information Systems
Uncertainty in the weakest-link security game

GameNets'09 Proceedings of the First ICST international conference on Game Theory for Networks
Economic security metrics

Dependability metrics
Fuzzy economic decision-models for information security investment

IMCAS'10 Proceedings of the 9th WSEAS international conference on Instrumentation, measurement, circuits and systems
Optimal information security investment with penetration testing

GameSec'10 Proceedings of the First international conference on Decision and game theory for security
A comparison of market approaches to software vulnerability disclosure

ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Outsourcing internet security: economic analysis of incentives for managed security service providers

WINE'05 Proceedings of the First international conference on Internet and Network Economics

Cyber-risk decision models: To insure IT or not?

Decision Support Systems

Quantified Score

Hi-index	0.01

Visualization

Abstract

Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: cost of security is mapped to a security level, which is then mapped to benefits. This allows to structure data sources and metrics, to rethink the notion of security productivity, and to distinguish sources of indeterminacy as measurement error and attacker behavior. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions beneath defining the overall security budget.