Abstract
Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: the cost of security is mapped to a security level, which is then mapped to benefits. This decomposition allows us to structure data sources and metrics, to rethink the notion of security productivity, and to distinguish two sources of indeterminacy: measurement error and attacker behavior. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions below the level of setting the overall security budget.
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Böhme, R. (2010). Security Metrics and Security Investment Models. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16825-3_2
DOI: https://doi.org/10.1007/978-3-642-16825-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16824-6
Online ISBN: 978-3-642-16825-3