Skip to main content
SpringerLink
Log in

Optimal Information Security Investment with Penetration Testing

  • Conference paper
Book cover Decision and Game Theory for Security (GameSec 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6442))

Included in the following conference series:

Abstract

Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue penetration testing until a secure state is reached. Further analysis using a new metric for the return on penetration testing suggests that penetration testing almost always increases the per-dollar efficiency of security investment.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Su, X.: An overview of economic approaches to information security management. Technical Report TR-CTIT-06-30, University of Twente (2006)

    Google Scholar 

  2. Böhme, R., Moore, T.W.: The iterated weakest link: A model of adaptive security investment. In: Workshop on the Economics of Information Security (WEIS), University College, London, UK (2009)

    Google Scholar 

  3. Böhme, R., Moore, T.W.: The iterated weakest link. IEEE Security & Privacy 8(1), 53–55 (2010)

    Article  Google Scholar 

  4. Panjwani, S., Tan, S., Jarrin, K.M., Cukier, M.: An experimental evaluation to determine if port scans are precursors to an attack. In: Proc. of Int’l. Conf. on Dependable Systems and Networks (DSN 2005), Yokkohama, Japan (2005)

    Google Scholar 

  5. Gordon, L.A., Loeb, M.P., Lucysshyn, W.: Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22(6) (2003)

    Google Scholar 

  6. Gal-Or, E., Ghose, A.: The economic incentives for sharing security information. Information Systems Research 16(2), 186–208 (2005)

    Article  Google Scholar 

  7. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions on Information and System Security 5(4), 438–457 (2002)

    Article  Google Scholar 

  8. Cavusoglu, H., Mishra, B., Raghunathan, S.: The value of intrusion detection systems in information technology security architecture. Information Systems Research 16(1), 28–46 (2005)

    Article  Google Scholar 

  9. Barth, A., Rubinstein, B., Sundararajan, M., Mitchell, J., Song, D., Bartlett, P.L.: A learning-based approach to reactive security. In: Radu, S. (ed.) FC 2010. LNCS, vol. 6052, pp. 192–206. Springer, Heidelberg (2010)

    Google Scholar 

  10. Ogut, H., Cavusoglu, H., Raghunathan, S.: Intrusion detection policies for it security breaches. INFORMS Journal on Computing 20(1), 112–123 (2008)

    Article  Google Scholar 

  11. Geer, D., Harthorne, J.: Penetration testing: A duet. In: Proc. of the 18th Annual Computer Security Applications Conference (ACSAC), Las Vegas, NV, USA (2002)

    Google Scholar 

  12. Arkin, B., Stender, S., McGraw, G.: Software penetration testing. IEEE Security & Privacy 3(1), 84–87 (2005)

    Article  Google Scholar 

  13. Richardson, R.: CSI Computer Crime and Security Survey. Computer Security Institute (2007)

    Google Scholar 

  14. Miura-Ko, R.A., Bambos, N.: SecureRank: A risk-based vulnerability management scheme for computing infrastructures. In: IEEE International Conference on Communications (Proc. of ICC), pp. 1455–1460 (2007)

    Google Scholar 

  15. Böhme, R., Nowey, T.: Economic security metrics. In: Eusgeld, I., Freiling, F.C., Reussner, R. (eds.) Dependability Metrics. LNCS, vol. 4909, pp. 176–187. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  16. Purser, S.A.: Improving the ROI of the security management process. Computers & Security 23, 542–546 (2004)

    Article  Google Scholar 

  17. Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G., Paxson, V., Savage, S.: Spamalytics: An empirical analysis of spam marketing conversion. In: Conference on Computer and Communications Security (Proc. of ACM CCS), Alexandria, Virginia, pp. 3–14 (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. International Computer Science Institute, Berkeley, California, USA

    Rainer Böhme & Márk Félegyházi

Authors
  1. Rainer Böhme
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Márk Félegyházi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Deutsche Telekom Laboratories, Technische Universität Berlin, 10587, Berlin, Germany

    Tansu Alpcan

  2. Laboratory of Cryptography and System Security (CrySyS), Budapest University of Technology and Economics, Budapest, Hungary

    Levente Buttyán

  3. Department of Electrical and Computer Engineering, University of Maryland, College Park, MD, USA

    John S. Baras

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Böhme, R., Félegyházi, M. (2010). Optimal Information Security Investment with Penetration Testing. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds) Decision and Game Theory for Security. GameSec 2010. Lecture Notes in Computer Science, vol 6442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17197-0_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-17197-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17196-3

  • Online ISBN: 978-3-642-17197-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation