Abstract
Security audits with subsequent certification appear to be the tool of choice to cure failures in providing the right level of security between different interacting parties, e.g., between an outsourcing provider and its clients. Our game-theoretic analysis scrutinizes this view and identifies conditions under which security audits are most effective, and when they are not. We find that basic audits are hardly ever useful, and in general, the thoroughness of security audits needs to be carefully tailored to the situation. Technical, managerial, and policy implications for voluntary, mandatory, unilateral, and bilateral security audits are discussed. The analysis is based on a model of interdependent security which takes as parameters the efficiency of security investment in reducing individual risk, the degree of interdependence as a measure of interconnectedness, and the thoroughness of the security audit.
Keywords
- Nash Equilibrium
- Security Level
- Coordination Problem
- Social Optimum
- Security Investment
Cite this paper
Böhme, R. (2012). Security Audits Revisited. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_11
DOI: https://doi.org/10.1007/978-3-642-32946-3_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32945-6
Online ISBN: 978-3-642-32946-3