Security Metrics and Security Investment Models

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6434)


Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: cost of security is mapped to a security level, which is then mapped to benefits. This allows to structure data sources and metrics, to rethink the notion of security productivity, and to distinguish sources of indeterminacy as measurement error and attacker behavior. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions beneath defining the overall security budget.


Information Security Security Level Intrusion Detection System Investment Model Security Investment 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Canalys Enterprise Security Analysis: Global enterprise security market to grow 13.8% in 2010 (2010),
  2. 2.
    Richardson, R.: CSI Computer Crime and Security Survey. Computer Security Institute (2008)Google Scholar
  3. 3.
    METI: Report on survey of actual condition of it usage in FY 2009 (June 2009),
  4. 4.
    Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions on Information and System Security 5(4), 438–457 (2002)CrossRefGoogle Scholar
  5. 5.
    Willemson, J.: On the Gordon & Loeb model for information security investment. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006)Google Scholar
  6. 6.
    Hausken, K.: Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers 8(5), 338–349 (2006)CrossRefGoogle Scholar
  7. 7.
    Matsuura, K.: Productivity space of information security in an extension of the Gordon–Loeb’s investment model. In: Workshop on the Economics of Information Security (WEIS), Tuck School of Business, Dartmouth College, Hanover, NH (2008)Google Scholar
  8. 8.
    Tatsumi, K.i., Goto, M.: Optimal timing of information security investment: A real options approach. In: Workshop on the Economics of Information Security (WEIS). University College London, UK (2009)Google Scholar
  9. 9.
    Böhme, R., Moore, T.W.: The iterated weakest link: A model of adaptive security investment. In: Workshop on the Economics of Information Security (WEIS), University College London, UK (2009)Google Scholar
  10. 10.
    Tanaka, H., Matsuura, K., Sudoh, O.: Vulnerability and information security investment: An empirical analysis of e-local government in Japan. Journal of Accounting and Public Policy 24, 37–59 (2005)CrossRefGoogle Scholar
  11. 11.
    Brocke, J., Grob, H., Buddendick, C., Strauch, G.: Return on security investments. Towards a methodological foundation of measurement systems. In: Proc. of AMCIS (2007)Google Scholar
  12. 12.
    Jacquith, A.: Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley, Reading (2007)Google Scholar
  13. 13.
    Alberts, C.J., Dorofee, A.J.: An introduction to the OCTAVE\(^{\rm TM} \) method (2001),
  14. 14.
    Bodin, L.D., Gordon, L.A., Loeb, M.P.: Evaluating information security investments using the analytic hierarchy process. Communications of the ACM 48(2), 79–83 (2005)CrossRefGoogle Scholar
  15. 15.
    Su, X.: An overview of economic approaches to information security management. Technical Report TR-CTIT-06-30, University of Twente (2006)Google Scholar
  16. 16.
    Böhme, R., Nowey, T.: Economic security metrics. In: Eusgeld, I., Freiling, F.C., Reussner, R. (eds.) Dependability Metrics. LNCS, vol. 4909, pp. 176–187. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Sheen, J.: Fuzzy economic decision-models for information security investment. In: Proc. of IMCAS, Hangzhou, China, pp. 141–147 (2010)Google Scholar
  18. 18.
    Schryen, G.: A fuzzy model for it security investments. In: Proc. of ISSE/GI-SICHERHEIT, Berlin, Germany (to appear, 2010)Google Scholar
  19. 19.
    Soo Hoo, K.J.: How much is enough? A risk-management approach to computer security. In: Workshop on Economics and Information Security (WEIS), University of California, Berkeley, CA (2002)Google Scholar
  20. 20.
    Geer, D.E., Conway, D.G.: Hard data is good to find. IEEE Security & Privacy 10(2), 86–87 (2009)Google Scholar
  21. 21.
    Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security Economics and the Internal Market. Study commissioned by ENISA (2008)Google Scholar
  22. 22.
    Matsuura, K.: Security tokens and their derivatives. Technical report, Centre for Communications Systems Research (CCSR), University of Cambridge, UK (2001)Google Scholar
  23. 23.
    Böhme, R.: A comparison of market approaches to software vulnerability disclosure. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 298–311. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  24. 24.
    Purser, S.A.: Improving the ROI of the security management process. Computers & Security 23, 542–546 (2004)CrossRefGoogle Scholar
  25. 25.
    Schneier, B.: Security ROI: Fact or fiction? CSO Magazine (September 2008)Google Scholar
  26. 26.
    Gordon, L.A., Loeb, M.P., Lucyshyn, W.: Information security expenditures and real options: A wait-and-see approach. Computer Security Journal 14(2), 1–7 (2003)Google Scholar
  27. 27.
    Herath, H.S.B., Herath, T.C.: Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems 25(3), 337–375 (2008)CrossRefGoogle Scholar
  28. 28.
    Yue, W.T., Çakanyildirim, M.: Intrusion prevention in information systems: Reactive and proactive responses. Journal of Management Information Systems 24(1), 329–353 (2007)CrossRefGoogle Scholar
  29. 29.
    Grossklags, J., Johnson, B.: Uncertainty in the weakest-link security game. In: Proceedings of the International Conference on Game Theory for Networks (GameNets 2009), Istanbul, Turkey, pp. 673–682. IEEE Press, Los Alamitos (2009)CrossRefGoogle Scholar
  30. 30.
    Gordon, L.A., Loeb, M.P., Lucysshyn, W.: Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22(6) (2003)Google Scholar
  31. 31.
    Gal-Or, E., Ghose, A.: The economic incentives for sharing security information. Information Systems Research 16(2), 186–208 (2005)CrossRefGoogle Scholar
  32. 32.
    Lee, W., Fan, W., Miller, M., Stolfo, S.J., Zadok, E.: Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 10(1-2), 5–22 (2002)CrossRefGoogle Scholar
  33. 33.
    Cavusoglu, H., Mishra, B., Raghunathan, S.: The value of intrusion detection systems in information technology security architecture. Information Systems Research 16(1), 28–46 (2005)CrossRefGoogle Scholar
  34. 34.
    Böhme, R., Félegyházi, M.: Optimal information security investment with penetration testing. In: Decision and Game Theory for Security (GameSec), Berlin, Germany (to appear, 2010)Google Scholar
  35. 35.
    Allen, J., Gabbard, D., May, C.: Outsourcing managed Security Services. Carnegie Mellon Software Engineering Institute, Pittsburgh (2003)CrossRefGoogle Scholar
  36. 36.
    Jensen, M.C., Meckling, W.H.: Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of Financial Economics 3(4), 305–360 (1976)CrossRefGoogle Scholar
  37. 37.
    Ding, W., Yurcik, W., Yin, X.: Outsourcing internet security: Economic analysis of incentives for managed security service providers. In: Deng, X., Ye, Y. (eds.) WINE 2005. LNCS, vol. 3828, pp. 947–958. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  38. 38.
    Ding, W., Yurcik, W.: Outsourcing internet security: The effect of transaction costs o managed service providers. In: Prof. of Intl. Conf.on Telecomm. Systems, pp. 947–958 (2005)Google Scholar
  39. 39.
    Rowe, B.R.: Will outsourcing IT security lead to a higher social level of security? In: Workshop on the Economics of Information Security (WEIS), Carnegie Mellon University, Pittsburgh, PA (2007)Google Scholar
  40. 40.
    Schneier, B.: Why Outsource? Counterpane Inc. (2006)Google Scholar
  41. 41.
    Cezar, A., Cavusoglu, H., Raghunathan, S.: Outsourcing information security: Contracting issues and security implications. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2010)Google Scholar
  42. 42.
    Böhme, R., Schwartz, G.: Modeling cyber-insurance: Towards a unifying framework. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2010)Google Scholar
  43. 43.
    Zhao, X., Xue, L., Whinston, A.B.: Managing interdependent information security risks: A study of cyberinsurance, managed security service and risk pooling. In: Proc. of ICIS (2009)Google Scholar
  44. 44.
    Varian, H.R.: System reliability and free riding. In: Workshop on the Economics of Information Security (WEIS), University of California, Berkeley (2002)Google Scholar
  45. 45.
    Hirshleifer, J.: From weakest-link to best-shot: The voluntary provision of public goods. Public Choice 41, 371–386 (1983)CrossRefGoogle Scholar
  46. 46.
    Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26(2-3), 231–249 (2003)CrossRefzbMATHGoogle Scholar
  47. 47.
    Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proceeding of the International Conference on World Wide Web (WWW), Beijing, China, pp. 209–218. ACM Press, New York (2008)CrossRefGoogle Scholar
  48. 48.
    Cremonini, M., Nizovtsev, D.: Understanding and influencing attackers’ decisions: Implications for security investment strategies. In: Workshop on the Economics of Information Security (WEIS), University of Cambridge, UK (2006)Google Scholar
  49. 49.
    Liu, W., Tanaka, H., Matsuura, K.: An empirical analysis of security investment in countermeasures based on an enterprise survey in Japan. In: Workshop on the Economics of Information Security (WEIS), University of Cambridge, UK (2006)Google Scholar
  50. 50.
    Berthold, S., Böhme, R.: Valuating privacy with option pricing theory. In: Workshop on the Economics of Information Security (WEIS), University College London, UK (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.International Computer Science InstituteBerkeleyUSA

Personalised recommendations