Security Metrics and Security Investment Models

  • Rainer Böhme
Conference paper

DOI: 10.1007/978-3-642-16825-3_2

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6434)
Cite this paper as:
Böhme R. (2010) Security Metrics and Security Investment Models. In: Echizen I., Kunihiro N., Sasaki R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg


Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: cost of security is mapped to a security level, which is then mapped to benefits. This allows to structure data sources and metrics, to rethink the notion of security productivity, and to distinguish sources of indeterminacy as measurement error and attacker behavior. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions beneath defining the overall security budget.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Rainer Böhme
    • 1
  1. 1.International Computer Science InstituteBerkeleyUSA

Personalised recommendations