Optimal Information Security Investment with Penetration Testing

Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue penetration testing until a secure state is reached. Further analysis using a new metric for the return on penetration testing suggests that penetration testing almost always increases the per-dollar efficiency of security investment.
