The economics of information security investment
ACM Transactions on Information and System Security (TISSEC)
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
IEEE Security and Privacy
The Value of Intrusion Detection Systems in Information Technology Security Architecture
Information Systems Research
The Economic Incentives for Sharing Security Information
Information Systems Research
An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack
DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Spamalytics: an empirical analysis of spam marketing conversion
Proceedings of the 15th ACM conference on Computer and communications security
Intrusion-Detection Policies for IT Security Breaches
INFORMS Journal on Computing
IEEE Security and Privacy
Dependability metrics
A learning-based approach to reactive security
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Security metrics and security investment models
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
A move in the security measurement stalemate: elo-style ratings to quantify vulnerability
Proceedings of the 2012 workshop on New security paradigms
Hi-index | 0.00 |
Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue penetration testing until a secure state is reached. Further analysis using a new metric for the return on penetration testing suggests that penetration testing almost always increases the per-dollar efficiency of security investment.