Security Audits Revisited

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7397)

Abstract

Security audits with subsequent certification appear to be the tool of choice for curing failures to provide the right level of security between interacting parties, e.g., between an outsourcing provider and its clients. Our game-theoretic analysis scrutinizes this view and identifies the conditions under which security audits are most effective, and those under which they are not. We find that basic audits are hardly ever useful and that, in general, the thoroughness of a security audit needs to be carefully tailored to the situation. Technical, managerial, and policy implications for voluntary, mandatory, unilateral, and bilateral security audits are discussed. The analysis is based on a model of interdependent security that takes as parameters the efficiency of security investment in reducing individual risk, the degree of interdependence as a measure of interconnectedness, and the thoroughness of the security audit.

Keywords

  • Nash Equilibrium
  • Security Level
  • Coordination Problem
  • Social Optimum
  • Security Investment

  • DOI: 10.1007/978-3-642-32946-3_11
  • Chapter length: 19 pages

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Böhme, R. (2012). Security Audits Revisited. In: Keromytis, A.D. (ed.) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol. 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_11

  • DOI: https://doi.org/10.1007/978-3-642-32946-3_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32945-6

  • Online ISBN: 978-3-642-32946-3
