
Security Metrics and Security Investment Models

Conference paper. In: Advances in Information and Computer Security (IWSEC 2010). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6434).

Abstract

Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: the cost of security is mapped to a security level, which is then mapped to benefits. This decomposition makes it possible to organise data sources and metrics, to rethink the notion of security productivity, and to distinguish two sources of indeterminacy: measurement error and attacker behaviour. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions below the level of defining the overall security budget.
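As an added worked example, not code from the paper, the following script instantiates the two-step decomposition described in the abstract with the Gordon-Loeb breach-probability model (Gordon and Loeb, ACM TISSEC 2002): step one maps an investment z to a security level (the residual breach probability), step two maps that level to a benefit (expected loss avoided). The closed-form optimum, the grid-search cross-check and the `regret_from_misestimate` function illustrating measurement error in the vulnerability estimate are assumptions of this example, as are all parameter values (vulnerability v, potential loss lam, and the shape parameters alpha and beta).

```python
"""
Added example (not from the paper): the cost -> security level -> benefit
decomposition, instantiated with the Gordon-Loeb class-I breach function
S(z, v) = v / (alpha*z + 1)**beta.  All parameter values are constructed.
"""
import math


def security_level(z: float, v: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Step 1: cost z -> security level.

    Returns the residual breach probability after investing z, where v is the
    vulnerability (breach probability) before any investment.
    """
    if z < 0:
        raise ValueError("investment cannot be negative")
    return v / (alpha * z + 1.0) ** beta


def benefit(residual_prob: float, v: float, lam: float) -> float:
    """Step 2: security level -> benefit.

    Expected loss avoided: the reduction in breach probability (v - S)
    times the potential loss lam of a breach.
    """
    return (v - residual_prob) * lam


def net_benefit(z: float, v: float, lam: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Expected net benefit of investing z: benefit of step 2 minus the cost of step 1."""
    return benefit(security_level(z, v, alpha, beta), v, lam) - z


def optimal_investment_closed_form(v: float, lam: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Solve the first-order condition d/dz net_benefit = 0 for the class-I function.

    (alpha*z + 1)**(beta+1) = v*lam*alpha*beta; clamped at 0 when the
    marginal benefit at z = 0 is already below the marginal cost of 1.
    """
    z = ((v * lam * alpha * beta) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def optimal_investment_grid(v: float, lam: float, alpha: float = 1.0, beta: float = 1.0,
                            steps: int = 100_000) -> tuple:
    """Numeric cross-check: maximise net_benefit on a grid over [0, v*lam].

    Returns (best_z, best_net_benefit).  Investing more than the expected
    loss v*lam can never pay off, so that is the upper bound of the grid.
    """
    z_max = v * lam
    best_z, best_nb = 0.0, net_benefit(0.0, v, lam, alpha, beta)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        nb = net_benefit(z, v, lam, alpha, beta)
        if nb > best_nb:
            best_z, best_nb = z, nb
    return best_z, best_nb


def within_one_over_e_bound(v: float, lam: float, alpha: float = 1.0, beta: float = 1.0) -> bool:
    """Gordon-Loeb result: the optimal investment never exceeds v*lam/e for this function class."""
    return optimal_investment_closed_form(v, lam, alpha, beta) <= v * lam / math.e


def regret_from_misestimate(v_true: float, v_est: float, lam: float,
                            alpha: float = 1.0, beta: float = 1.0) -> float:
    """Measurement error illustration (assumption of this example).

    The decision maker picks z using an estimated vulnerability v_est, but
    the outcome is governed by v_true.  Regret is the net benefit forgone
    relative to the decision taken with perfect knowledge of v_true.
    """
    z_chosen = optimal_investment_closed_form(v_est, lam, alpha, beta)
    z_ideal = optimal_investment_closed_form(v_true, lam, alpha, beta)
    return net_benefit(z_ideal, v_true, lam, alpha, beta) - net_benefit(z_chosen, v_true, lam, alpha, beta)


if __name__ == "__main__":
    # Constructed scenario: 50% breach probability, loss of 1000 per breach.
    v, lam = 0.5, 1000.0
    z_star = optimal_investment_closed_form(v, lam)
    print(f"optimal investment z* = {z_star:.2f}, net benefit = {net_benefit(z_star, v, lam):.2f}")
    print(f"grid search agrees: {optimal_investment_grid(v, lam)}")
    print(f"regret if v is underestimated as 0.25: {regret_from_misestimate(v, 0.25, lam):.2f}")
```

Running the script shows the optimum for the constructed scenario (about 21.4 against an expected loss of 500), the grid search landing on the same value, and a small but non-zero regret when the vulnerability is misestimated; separating the two steps is what lets the cost-to-security-level mapping (a property of the controls) be measured independently of the security-level-to-benefit mapping (a property of the assets and the attacker).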




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg


Cite this paper

Böhme, R. (2010). Security Metrics and Security Investment Models. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16825-3_2


  • DOI: https://doi.org/10.1007/978-3-642-16825-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16824-6

  • Online ISBN: 978-3-642-16825-3
