Making the Best Use of Cybersecurity Economic Models
July/August 2009 (vol. 7 no. 4)
pp. 52-60
This article describes an analysis of several representative cybersecurity economic models, where the authors seek to determine whether each model's underlying assumptions are realistic and useful. They find that many of the assumptions are the same across disparate models, and most assumptions are far from realistic. They recommend several changes so that the predictions from economic models can be more relevant and useful.


Index Terms:
Cybersecurity, economic models, vulnerability, security function, security and privacy
Citation:
Rachel Rue, Shari Lawrence Pfleeger, "Making the Best Use of Cybersecurity Economic Models," IEEE Security & Privacy, vol. 7, no. 4, pp. 52-60, July-Aug. 2009, doi:10.1109/MSP.2009.98