Security metrics and security investment models

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6434 LNCS, Issue , 2010, Pages 10-24

  Böhme, Rainer ^a  

^a INTERNATIONAL COMPUTER SCIENCE INSTITUTE   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BUDGET CONTROL; INVESTMENTS;

ART AND SCIENCE; HIGHER-LEVEL SECURITY; INFORMATION SECURITY INVESTMENT; INVESTMENT MODELS; PLANNING INFORMATION; PRODUCTION FUNCTION; SECURITIES INVESTMENTS; SECURITY LEVEL; SECURITY METRICS; STRUCTURE DATA;

SECURITY OF DATA;

EID: 78650003609     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-16825-3_2     Document Type: Conference Paper

References (50)

1. Canalys Enterprise Security Analysis: Global enterprise security market to grow 13.8% in 2010 (2010), http://www.canalys.com/pr/2010/r2010072.html
2. Richardson, R.: CSI Computer Crime and Security Survey. Computer Security Institute (2008)
3. METI: Report on survey of actual condition of it usage in FY 2009 (June 2009), http://www.meti.go.jp/statistics/zyo/zyouhou/result-1.html
4. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions on Information and System Security 5(4), 438-457 (2002)
5. Willemson, J.: On the Gordon & Loeb model for information security investment. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006)
6. Hausken, K.: Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers 8(5), 338-349 (2006)
7. Matsuura, K.: Productivity space of information security in an extension of the Gordon-Loeb's investment model. In: Workshop on the Economics of Information Security (WEIS), Tuck School of Business, Dartmouth College, Hanover, NH (2008)
8. Tatsumi, K.i., Goto, M.: Optimal timing of information security investment: A real options approach. In:Workshop on the Economics of Information Security (WEIS). University College London, UK (2009)
9. Böhme, R., Moore, T.W.: The iterated weakest link: A model of adaptive security investment. In: Workshop on the Economics of Information Security (WEIS), University College London, UK (2009)
10. Tanaka, H.,Matsuura, K., Sudoh, O.: Vulnerability and information security investment: An empirical analysis of e-local government in Japan. Journal of Accounting and Public Policy 24, 37-59 (2005)
11. Brocke, J., Grob, H., Buddendick, C., Strauch, G.: Return on security investments. Towards a methodological foundation of measurement systems. In: Proc. of AMCIS (2007)
12. Jacquith, A.: Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley, Reading (2007)
13. Alberts, C.J., Dorofee, A.J.: An introduction to the OCTAVETM method (2001), http://www.cert.org/octave/methodintro.html
14. Bodin, L.D., Gordon, L.A., Loeb, M.P.: Evaluating information security investments using the analytic hierarchy process. Communications of the ACM 48(2), 79-83 (2005)
15. Su, X.: An overview of economic approaches to information security management. Technical Report TR-CTIT-06-30, University of Twente (2006)
16. Böhme, R., Nowey, T.: Economic security metrics. In: Eusgeld, I., Freiling, F.C., Reussner, R. (eds.) Dependability Metrics. LNCS, vol. 4909, pp. 176-187. Springer, Heidelberg (2008)
17. Sheen, J.: Fuzzy economic decision-models for information security investment. In: Proc. of IMCAS, Hangzhou, China, pp. 141-147 (2010)
18. Schryen, G.: A fuzzy model for it security investments. In: Proc. of ISSE/GISICHERHEIT, Berlin, Germany (to appear, 2010)
19. Soo Hoo, K.J.: How much is enough? A risk-management approach to computer security. In: Workshop on Economics and Information Security (WEIS), University of California, Berkeley, CA (2002)
20. Geer, D.E., Conway, D.G.: Hard data is good to find. IEEE Security & Privacy 10(2), 86-87 (2009)
21. Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security Economics and the Internal Market. Study commissioned by ENISA (2008)
22. Matsuura, K.: Security tokens and their derivatives. Technical report, Centre for Communications Systems Research (CCSR), University of Cambridge, UK (2001)
23. Böhme, R.: A comparison of market approaches to software vulnerability disclosure. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 298-311. Springer, Heidelberg (2006)
24. Purser, S.A.: Improving the ROI of the security management process. Computers & Security 23, 542-546 (2004)
25. Schneier, B.: Security ROI: Fact or fiction? CSO Magazine (September 2008)
26. Gordon, L.A., Loeb, M.P., Lucyshyn, W.: Information security expenditures and real options: A wait-and-see approach. Computer Security Journal 14(2), 1-7 (2003)
27. Herath, H.S.B., Herath, T.C.: Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems 25(3), 337-375 (2008)
28. Yue, W.T., Çakanyildirim, M.: Intrusion prevention in information systems: Reactive and proactive responses. Journal of Management Information Systems 24(1), 329-353 (2007)
29. Grossklags, J., Johnson, B.: Uncertainty in the weakest-link security game. In: Proceedings of the International Conference on Game Theory for Networks (GameNets 2009), Istanbul, Turkey, pp. 673-682. IEEE Press, Los Alamitos (2009)
30. Gordon, L.A., Loeb, M.P., Lucysshyn, W.: Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22(6) (2003)
31. Gal-Or, E., Ghose, A.: The economic incentives for sharing security information. Information Systems Research 16(2), 186-208 (2005) (Pubitemid 43057222)
32. Lee,W., Fan,W., Miller, M., Stolfo, S.J., Zadok, E.: Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 10(1-2), 5-22 (2002) (Pubitemid 34531411)
33. Cavusoglu, H., Mishra, B., Raghunathan, S.: The value of intrusion detection systems in information technology security architecture. Information Systems Research 16(1), 28-46 (2005) (Pubitemid 40701107)
34. Böhme, R., Félegyházi, M.: Optimal information security investment with penetration testing. In: Decision and Game Theory for Security (GameSec), Berlin, Germany (to appear, 2010)
35. Allen, J., Gabbard, D., May, C.: Outsourcing managed Security Services. Carnegie Mellon Software Engineering Institute, Pittsburgh (2003)
36. Jensen, M.C., Meckling, W.H.: Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of Financial Economics 3(4), 305-360 (1976)
37. Ding, W., Yurcik, W., Yin, X.: Outsourcing internet security: Economic analysis of incentives for managed security service providers. In: Deng, X., Ye, Y. (eds.) WINE 2005. LNCS, vol. 3828, pp. 947-958. Springer, Heidelberg (2005)
38. Ding, W., Yurcik, W.: Outsourcing internet security: The effect of transaction costs o managed service providers. In: Prof. of Intl. Conf.on Telecomm. Systems, pp. 947-958 (2005)
39. Rowe, B.R.: Will outsourcing IT security lead to a higher social level of security? In: Workshop on the Economics of Information Security (WEIS), Carnegie Mellon University, Pittsburgh, PA (2007)
40. Schneier, B.: Why Outsource? Counterpane Inc. (2006)
41. Cezar, A., Cavusoglu, H., Raghunathan, S.: Outsourcing information security: Contracting issues and security implications. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2010)
42. Böhme, R., Schwartz, G.: Modeling cyber-insurance: Towards a unifying framework. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2010)
43. Zhao, X., Xue, L., Whinston, A.B.: Managing interdependent information security risks: A study of cyberinsurance, managed security service and risk pooling. In: Proc. of ICIS (2009)
44. Varian, H.R.: System reliability and free riding. In: Workshop on the Economics of Information Security (WEIS), University of California, Berkeley (2002)
45. Hirshleifer, J.: From weakest-link to best-shot: The voluntary provision of public goods. Public Choice 41, 371-386 (1983)
46. Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26(2-3), 231-249 (2003)
47. Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proceeding of the International Conference on World Wide Web (WWW), Beijing, China, pp. 209-218. ACM Press, New York (2008)
48. Cremonini, M., Nizovtsev, D.: Understanding and influencing attackers' decisions: Implications for security investment strategies. In: Workshop on the Economics of Information Security (WEIS), University of Cambridge, UK (2006)
49. Liu, W., Tanaka, H., Matsuura, K.: An empirical analysis of security investment in countermeasures based on an enterprise survey in Japan. In: Workshop on the Economics of Information Security (WEIS), University of Cambridge, UK (2006)
50. Berthold, S., Böhme, R.: Valuating privacy with option pricing theory. In: Workshop on the Economics of Information Security (WEIS), University College London, UK (2009)