Security Audits Revisited

Böhme, Rainer

doi:10.1007/978-3-642-32946-3_11

Security Audits Revisited

Rainer Böhme¹⁷

Conference paper

5294 Accesses
11 Citations

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7397)

Abstract

Security audits with subsequent certification appear to be the tool of choice to cure failures in providing the right level of security between different interacting parties, e.,g., between an outsourcing provider and its clients. Our game-theoretic analysis scrutinizes this view and identifies conditions under which security audits are most effective, and when they are not. We find that basic audits are hardly ever useful, and in general, the thoroughness of security audits needs to be carefully tailored to the situation. Technical, managerial, and policy implications for voluntary, mandatory, unilateral, and bilateral security audits are discussed. The analysis is based on a model of interdependent security which takes as parameters the efficiency of security investment in reducing individual risk, the degree of interdependence as a measure of interconnectedness, and the thoroughness of the security audit.

Keywords

Nash Equilibrium
Security Level
Coordination Problem
Social Optimum
Security Investment

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 59.99; Price excludes VAT (USA)

Softcover Book: USD 74.99; Price excludes VAT (USA)

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security Economics and the Internal Market. Study commissioned by ENISA (2008)
Google Scholar
Anderson, R.J.: Why information security is hard – An economic perspective (2001)
Google Scholar
Armbrust, M., et al.: Above the clouds: A Berkeley view of cloud computing. Technical Report EECS–2009–28, University of California, Berkeley (2009)
Google Scholar
Axelrod, R.: The Evolution of Cooperation. Basic Books, New York (1984)
Google Scholar
Baye, M.R., Morgan, J.: Red queen pricing effects in e-retail markets. Working Paper (2003)
Google Scholar
Böhme, R.: Security Metrics and Security Investment Models. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds.) IWSEC 2010. LNCS, vol. 6434, pp. 10–24. Springer, Heidelberg (2010)
CrossRef Google Scholar
Böhme, R., Moore, T.W.: The iterated weakest link: A model of adaptive security investment. In: Workshop on the Economics of Information Security (WEIS). University College London, UK (2009)
Google Scholar
Brynjolfsson, E., Hitt, L.: Computing productivity: Firm-level evidence. The Review of Economics and Statistics 85(4), 793–808 (2003)
CrossRef Google Scholar
Carr, N.G.: IT doesn’t matter. Harvard Business Review 81(5), 41–49 (2003)
Google Scholar
Edelman, B.: Adverse selection in online “trust” certifications. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006)
Google Scholar
Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. on Information and System Security 5(4), 438–457 (2002)
CrossRef Google Scholar
Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proc. of the Int’l Conference on World Wide Web (WWW), pp. 209–218. ACM Press, Beijing (2008)
Google Scholar
Hirshleifer, J.: From weakest-link to best-shot: The voluntary provision of public goods. Public Choice 41, 371–386 (1983)
CrossRef Google Scholar
Jacquith, A.: Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley (2007)
Google Scholar
Johnson, B., Böhme, R., Grossklags, J.: Security Games with Market Insurance. In: Baras, J.S., Katz, J., Altman, E. (eds.) GameSec 2011. LNCS, vol. 7037, pp. 117–130. Springer, Heidelberg (2011)
CrossRef Google Scholar
Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26(2-3), 231–249 (2003)
MATH CrossRef Google Scholar
Liu, W., Tanaka, H., Matsuura, K.: An empirical analysis of security investment in countermeasures based on an enterprise survey in Japan. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006)
Google Scholar
Molnar, D., Schechter, S.: Self hosting vs. cloud hosting: Accounting for the security impact of hosting in the cloud. In: Workshop on the Economics of Information Security (WEIS). Harvard University, Cambridge (2010)
Google Scholar
Ogut, H., Menon, N., Raghunathan, S.: Cyber insurance and it security investment: Impact of interdependent risk. In: Workshop on the Economics of Information Security (WEIS). Harvard University, Cambridge (2005)
Google Scholar
Parameswaran, M., Whinston, A.B.: Incentive mechanisms for internet security. In: Rao, H.R., Upadhyaya, S. (eds.) Handbooks in Information Systems, Emerald, vol. 4, pp. 101–138 (2009)
Google Scholar
Rice, D.: Geekonomics – The Real Cost of Insecure Software. Addison-Wesley, New York (2007)
Google Scholar
Rowe, B.R.: Will outsourcing IT security lead to a higher social level of security? In: Workshop on the Economics of Information Security (WEIS). Carnegie Mellon University, Pittsburgh (2007)
Google Scholar
Sackmann, S., Strüker, J., Accorsi, R.: Personalization in privacy-aware highly dynamic systems. Communications of the ACM 49(9), 32–38 (2006)
CrossRef Google Scholar
Schelling, T.: The Strategy of Conflict. Oxford University Press, Oxford (1965)
Google Scholar
Shetty, N., Schwartz, G., Felegyhazi, M., Walrand, J.: Competitive cyber-insurance and internet security. In: Workshop on Economics of Information Security (WEIS). University College London, UK (2009)
Google Scholar
Telang, R., Yang, Y.: Do security certifications work? Evidence from Common Criteria certification. In: IEEE International Conference on Technologies for Homeland Security (2011)
Google Scholar
Varian, H.R.: System reliability and free riding. In: Workshop on the Economics of Information Security (WEIS). University of California, Berkeley (2002)
Google Scholar
Winkler, S., Proschinger, C.: Collaborative penetration testing. In: Business Services: Konzepte, Technologien, Anwendungen (9. Internationale Tagung Wirtschaftsinformatik), vol. 1, pp. 793–802 (2009)
Google Scholar
Zhao, X., Xue, L., Whinston, A.B.: Managing interdependent information security risks: A study of cyberinsurance, managed security service and risk pooling. In: Proceedings of ICIS (2009)
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Information Systems, University of Münster, Germany
Rainer Böhme

Authors

Rainer Böhme
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Computer Science, Columbia University, 1214 Amsterdam Avenue, 10027-7003, New York, NY, USA
Angelos D. Keromytis

Rights and permissions

Reprints and Permissions

Copyright information

About this paper

Cite this paper

Böhme, R. (2012). Security Audits Revisited. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_11

Download citation

DOI: https://doi.org/10.1007/978-3-642-32946-3_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32945-6
Online ISBN: 978-3-642-32946-3
eBook Packages: Computer ScienceComputer Science (R0)