Optimal Information Security Investment with Penetration Testing

  • Rainer Böhme
  • Márk Félegyházi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6442)


Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue penetration testing until a secure state is reached. Further analysis using a new metric for the return on penetration testing suggests that penetration testing almost always increases the per-dollar efficiency of security investment.


Keywords (machine-generated, not supplied by the authors): Information Security; Weak Link; Intrusion Detection System; Secure State; Penetration Testing





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Rainer Böhme (1)
  • Márk Félegyházi (1)
  1. International Computer Science Institute, Berkeley, USA
