Optimal information security investment with penetration testing

  • Authors: Rainer Böhme; Márk Félegyházi
  • Affiliations: International Computer Science Institute, Berkeley, California (both authors)
  • Venue: GameSec'10, Proceedings of the First International Conference on Decision and Game Theory for Security
  • Year: 2010

Abstract

Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue penetration testing until a secure state is reached. Further analysis using a new metric for the return on penetration testing suggests that penetration testing almost always increases the per-dollar efficiency of security investment.