Security audits with subsequent certification appear to be the tool of choice to cure failures in providing the right level of security between different interacting parties, e.,g., between an outsourcing provider and its clients. Our game-theoretic analysis scrutinizes this view and identifies conditions under which security audits are most effective, and when they are not. We find that basic audits are hardly ever useful, and in general, the thoroughness of security audits needs to be carefully tailored to the situation. Technical, managerial, and policy implications for voluntary, mandatory, unilateral, and bilateral security audits are discussed. The analysis is based on a model of interdependent security which takes as parameters the efficiency of security investment in reducing individual risk, the degree of interdependence as a measure of interconnectedness, and the thoroughness of the security audit.


Nash Equilibrium Security Level Coordination Problem Social Optimum Security Investment 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security Economics and the Internal Market. Study commissioned by ENISA (2008)Google Scholar
  2. 2.
    Anderson, R.J.: Why information security is hard – An economic perspective (2001)Google Scholar
  3. 3.
    Armbrust, M., et al.: Above the clouds: A Berkeley view of cloud computing. Technical Report EECS–2009–28, University of California, Berkeley (2009)Google Scholar
  4. 4.
    Axelrod, R.: The Evolution of Cooperation. Basic Books, New York (1984)Google Scholar
  5. 5.
    Baye, M.R., Morgan, J.: Red queen pricing effects in e-retail markets. Working Paper (2003)Google Scholar
  6. 6.
    Böhme, R.: Security Metrics and Security Investment Models. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds.) IWSEC 2010. LNCS, vol. 6434, pp. 10–24. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Böhme, R., Moore, T.W.: The iterated weakest link: A model of adaptive security investment. In: Workshop on the Economics of Information Security (WEIS). University College London, UK (2009)Google Scholar
  8. 8.
    Brynjolfsson, E., Hitt, L.: Computing productivity: Firm-level evidence. The Review of Economics and Statistics 85(4), 793–808 (2003)CrossRefGoogle Scholar
  9. 9.
    Carr, N.G.: IT doesn’t matter. Harvard Business Review 81(5), 41–49 (2003)Google Scholar
  10. 10.
    Edelman, B.: Adverse selection in online “trust” certifications. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006)Google Scholar
  11. 11.
    Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. on Information and System Security 5(4), 438–457 (2002)CrossRefGoogle Scholar
  12. 12.
    Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proc. of the Int’l Conference on World Wide Web (WWW), pp. 209–218. ACM Press, Beijing (2008)Google Scholar
  13. 13.
    Hirshleifer, J.: From weakest-link to best-shot: The voluntary provision of public goods. Public Choice 41, 371–386 (1983)CrossRefGoogle Scholar
  14. 14.
    Jacquith, A.: Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley (2007)Google Scholar
  15. 15.
    Johnson, B., Böhme, R., Grossklags, J.: Security Games with Market Insurance. In: Baras, J.S., Katz, J., Altman, E. (eds.) GameSec 2011. LNCS, vol. 7037, pp. 117–130. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26(2-3), 231–249 (2003)zbMATHCrossRefGoogle Scholar
  17. 17.
    Liu, W., Tanaka, H., Matsuura, K.: An empirical analysis of security investment in countermeasures based on an enterprise survey in Japan. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006)Google Scholar
  18. 18.
    Molnar, D., Schechter, S.: Self hosting vs. cloud hosting: Accounting for the security impact of hosting in the cloud. In: Workshop on the Economics of Information Security (WEIS). Harvard University, Cambridge (2010)Google Scholar
  19. 19.
    Ogut, H., Menon, N., Raghunathan, S.: Cyber insurance and it security investment: Impact of interdependent risk. In: Workshop on the Economics of Information Security (WEIS). Harvard University, Cambridge (2005)Google Scholar
  20. 20.
    Parameswaran, M., Whinston, A.B.: Incentive mechanisms for internet security. In: Rao, H.R., Upadhyaya, S. (eds.) Handbooks in Information Systems, Emerald, vol. 4, pp. 101–138 (2009)Google Scholar
  21. 21.
    Rice, D.: Geekonomics – The Real Cost of Insecure Software. Addison-Wesley, New York (2007)Google Scholar
  22. 22.
    Rowe, B.R.: Will outsourcing IT security lead to a higher social level of security? In: Workshop on the Economics of Information Security (WEIS). Carnegie Mellon University, Pittsburgh (2007)Google Scholar
  23. 23.
    Sackmann, S., Strüker, J., Accorsi, R.: Personalization in privacy-aware highly dynamic systems. Communications of the ACM 49(9), 32–38 (2006)CrossRefGoogle Scholar
  24. 24.
    Schelling, T.: The Strategy of Conflict. Oxford University Press, Oxford (1965)Google Scholar
  25. 25.
    Shetty, N., Schwartz, G., Felegyhazi, M., Walrand, J.: Competitive cyber-insurance and internet security. In: Workshop on Economics of Information Security (WEIS). University College London, UK (2009)Google Scholar
  26. 26.
    Telang, R., Yang, Y.: Do security certifications work? Evidence from Common Criteria certification. In: IEEE International Conference on Technologies for Homeland Security (2011)Google Scholar
  27. 27.
    Varian, H.R.: System reliability and free riding. In: Workshop on the Economics of Information Security (WEIS). University of California, Berkeley (2002)Google Scholar
  28. 28.
    Winkler, S., Proschinger, C.: Collaborative penetration testing. In: Business Services: Konzepte, Technologien, Anwendungen (9. Internationale Tagung Wirtschaftsinformatik), vol. 1, pp. 793–802 (2009)Google Scholar
  29. 29.
    Zhao, X., Xue, L., Whinston, A.B.: Managing interdependent information security risks: A study of cyberinsurance, managed security service and risk pooling. In: Proceedings of ICIS (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Rainer Böhme
    • 1
  1. 1.Department of Information SystemsUniversity of MünsterGermany

Personalised recommendations