Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: the cost of security is mapped to a security level, which is then mapped to benefits. This decomposition makes it possible to organize data sources and metrics, to rethink the notion of security productivity, and to distinguish two sources of indeterminacy: measurement error and attacker behavior. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions below the level of defining the overall security budget.
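The two-step decomposition described in the abstract, as an added worked example that is not from the paper: the functional forms are constructed for illustration only (exponential diminishing returns for the cost-to-security-level step, a per-attempt loss model for the level-to-benefit step), and two switches stand in for the two sources of indeterminacy named above: Gaussian noise on the observed security level (measurement error) and an attacker whose number of attempts falls as the target hardens (attacker behavior). Every parameter value is made up; the point is to show how the optimal spend depends on the behavioral assumption, and why a noisy metric makes the observed productivity unreliable.

```python
"""Two-step security production function: cost -> security level -> benefit.

Illustrative model only; all constants and functional forms are assumptions,
not values or equations taken from the paper.
"""
import math
import random

# Constructed parameters (assumptions for illustration).
MAX_LEVEL = 0.95         # highest attainable security level (share of attempts repelled)
DIMINISHING_RATE = 0.02  # per monetary unit; models diminishing returns to spending
ASSET_LOSS = 100_000.0   # loss per successful attack
ATTACK_RATE = 12.0       # expected attack attempts per year against an unprotected target


def security_level(cost: float) -> float:
    """Step 1: map security spending to a security level in [0, MAX_LEVEL).

    Concave by construction: s(c) = MAX_LEVEL * (1 - exp(-k * c)).
    """
    if cost < 0:
        raise ValueError("spending cannot be negative")
    return MAX_LEVEL * (1.0 - math.exp(-DIMINISHING_RATE * cost))


def expected_loss(level: float, attacker_adapts: bool = False) -> float:
    """Annual expected loss at a given security level.

    Without adaptation, attackers try ATTACK_RATE times regardless of the level.
    With adaptation, attempts fall in proportion to (1 - level): a rational
    attacker spends less effort on a target that is visibly harder to breach.
    """
    attempts = ATTACK_RATE * ((1.0 - level) if attacker_adapts else 1.0)
    return attempts * (1.0 - level) * ASSET_LOSS


def benefit(cost: float, attacker_adapts: bool = False) -> float:
    """Step 2: benefit = expected loss avoided relative to spending nothing."""
    baseline = expected_loss(0.0, attacker_adapts)
    return baseline - expected_loss(security_level(cost), attacker_adapts)


def net_benefit(cost: float, attacker_adapts: bool = False) -> float:
    """Benefit minus cost; the quantity an investment model maximizes."""
    return benefit(cost, attacker_adapts) - cost


def optimal_investment(candidates, attacker_adapts: bool = False) -> float:
    """Pick the spend with the highest net benefit from a grid of candidates."""
    return max(candidates, key=lambda c: net_benefit(c, attacker_adapts))


def measured_level(cost: float, error_sd: float, seed=None) -> float:
    """Measurement error: an imperfect metric observes s(c) plus Gaussian noise,
    clipped to [0, 1]. A seed makes the observation reproducible."""
    rng = random.Random(seed)
    observed = security_level(cost) + rng.gauss(0.0, error_sd)
    return min(1.0, max(0.0, observed))


def observed_productivity(cost_a: float, cost_b: float, error_sd: float = 0.0, seed=None) -> float:
    """Security productivity as a practitioner would estimate it from two metric
    readings: change in observed level per unit of extra spending. With noise,
    small true gains can be swamped and the estimate can even change sign."""
    rng = random.Random(seed)
    obs_a = min(1.0, max(0.0, security_level(cost_a) + rng.gauss(0.0, error_sd)))
    obs_b = min(1.0, max(0.0, security_level(cost_b) + rng.gauss(0.0, error_sd)))
    return (obs_b - obs_a) / (cost_b - cost_a)


if __name__ == "__main__":
    grid = range(0, 1001, 100)
    for adapts in (False, True):
        c = optimal_investment(grid, adapts)
        print(f"attacker adapts={adapts}: optimal spend {c}, level {security_level(c):.4f}, "
              f"net benefit {net_benefit(c, adapts):,.0f}")
    # Same investment step, true productivity vs. what a noisy metric reports.
    print("true productivity 500->600:", observed_productivity(500, 600))
    print("noisy productivity 500->600:", observed_productivity(500, 600, error_sd=0.01, seed=3))
```

Under these assumptions the optimum moves from 500 to 400 once the attacker is assumed to shift effort away from hardened targets, even though neither the cost function nor the loss per incident changed: the indeterminacy is in the benefit step, not in the metric. The second printed pair shows the other source: the true marginal gain between 500 and 600 units of spend is on the order of 10^-7 level points per unit, so a metric with one percentage point of noise cannot distinguish it from zero or from a loss.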