How Much Security Is Enough to Stop a Thief?
We address the question of how much security is required to protect a packaged system, installed in a large number of organizations, from thieves who would exploit a single vulnerability to attack multiple installations. While our work is motivated by the need to help organizations make decisions about how to defend themselves, we also show how they can better protect themselves by helping to protect each other.
KeywordsSecurity Economics Threat Models Theft Exploits
Unable to display preview. Download preview PDF.
- 1.Schechter, S.E.: Quantitatively differentiating system security. In: The First Workshop on Economics and Information Security (2002) Google Scholar
- 2.Young, A., Yung, M.: Cryptovirology: Extortion-based security threats and countermeasures. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 129–140 (1996) Google Scholar
- 3.Counterpane Internet Security, Lloyd’s of London: Counterpane Internet Security announces industry’s first broad insurance coverage backed by Lloyd’s of London for e-commerce and Internet security, http://www.counterpane.com/pr-lloyds.html (2000)
- 4.The Honeynet Project: Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Addison-Wesley, Reading (2001) Google Scholar
- 8.Gordon, L.A., Loeb, M.P., Lucyshyn, W.: An economics perspective on the sharing of information related to security breaches: Concepts and empirical evidence. In: The First Workshop on Economics and Information Security (2002) Google Scholar
- 10.Anderson, R.J.: Why information security is hard, an economic perspective. In: 17th Annual Computer Security Applications Conference (2001) Google Scholar
- 12.Varian, H.R.: System reliability and free riding. In: The First Workshop on Economics and Information Security (2002) Google Scholar
- 13.Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C.: Timing the application of security patches for optimal uptime. In: Proceedings of LISA 2002: 16th Systems Administration Conference (2002) Google Scholar
- 14.Rescorla, E.: Security holes... who cares? (2002), http://www.rtfm.com/upgrade.pdf
- 15.Schechter, S.E.: How to buy better testing: Using competition to get the most security and robustness for your dollar. In: Proceedings of the Infrastructure Security Conference (2002) Google Scholar
- 16.Camp, L.J., Wolfram, C.: Pricing security. In: Proceedings of the CERT Information Survivability Workshop, pp. 31–39 (2000)Google Scholar