Optimal information security investment with penetration testing

Authors:
Rainer Böhme;Márk Félegyházi
Affiliations:
International Computer Science Institute, Berkeley, California;International Computer Science Institute, Berkeley, California
Venue:
GameSec'10 Proceedings of the First international conference on Decision and game theory for security
Year:
2010

Citing 11
Cited 2

The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Penetration Testing: A Duet

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Software Penetration Testing

IEEE Security and Privacy
The Value of Intrusion Detection Systems in Information Technology Security Architecture

Information Systems Research
The Economic Incentives for Sharing Security Information

Information Systems Research
An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Spamalytics: an empirical analysis of spam marketing conversion

Proceedings of the 15th ACM conference on Computer and communications security
Intrusion-Detection Policies for IT Security Breaches

INFORMS Journal on Computing
The Iterated Weakest Link

IEEE Security and Privacy
Economic security metrics

Dependability metrics
A learning-based approach to reactive security

FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security

Security metrics and security investment models

IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
A move in the security measurement stalemate: elo-style ratings to quantify vulnerability

Proceedings of the 2012 workshop on New security paradigms

Quantified Score

Hi-index	0.00

Visualization

Abstract

Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue penetration testing until a secure state is reached. Further analysis using a new metric for the return on penetration testing suggests that penetration testing almost always increases the per-dollar efficiency of security investment.