Advances in Information and Computer Security

Volume 6434 of the series Lecture Notes in Computer Science pp 10-24

Security Metrics and Security Investment Models

  • Rainer BöhmeAffiliated withInternational Computer Science Institute

* Final gross prices may vary according to local VAT.

Get Access


Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: cost of security is mapped to a security level, which is then mapped to benefits. This allows to structure data sources and metrics, to rethink the notion of security productivity, and to distinguish sources of indeterminacy as measurement error and attacker behavior. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions beneath defining the overall security budget.