Issue No.04 - July/August (2009 vol.7)
pp: 52-60
Rachel Rue, RAND
ABSTRACT
This article describes an analysis of several representative cybersecurity economic models, where the authors seek to determine whether each model's underlying assumptions are realistic and useful. They find that many of the assumptions are the same across disparate models, and most assumptions are far from realistic. They recommend several changes so that the predictions from economic models can be more relevant and useful.
INDEX TERMS
Cybersecurity, economic models, vulnerability, security function, security and privacy
CITATION
Rachel Rue, Shari Lawrence Pfleeger, "Making the Best Use of Cybersecurity Economic Models", IEEE Security & Privacy, vol.7, no. 4, pp. 52-60, July/August 2009, doi:10.1109/MSP.2009.98