Optimal Information Security Investment with Penetration Testing
Authors
Abstract
Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue penetration testing until a secure state is reached. Further analysis using a new metric for the return on penetration testing suggests that penetration testing almost always increases the per-dollar efficiency of security investment.
Related sources
The Optimal Investment Strategy of Information Security
This study analyzes an optimal investment strategy for information security (IS) for a profit-maximizing online monopoly when it is facing attacks from cyber criminals by considering a network security theoretical model with time-varying characteristics. The intangible profit of security investment is transformed into a measurable sales benefit by using a successful entry ratio that links the r...
Simulated Penetration Testing and Mitigation Analysis
Penetration testing is a well-established practical concept for the identification of potentially exploitable security weaknesses and an important component of a security audit. Providing a holistic security assessment for networks consisting of several hundred hosts is hardly feasible, though, without some sort of mechanization. Mitigation, prioritizing countermeasures subject to a given budget...
Hacking and Penetration Testing with Low Power Devices
We live in an increasingly digital world. The number of interconnected devices in our world is constantly on the rise. Businesses worldwide rely on computers, tablets, smartphones, and other digital devices in order to compete in a global economy. Many businesses are necessarily connected to the Internet. Newly connected systems can come under attack by malicious persons and/or organizations in...
A Fuzzy Behavioral Portfolio Model Based on Text Sentiment Analysis
A Fuzzy Behavioral Portfolio Model (FBPM) is proposed for security investment with insufficient market information and uncertain emotional influence on investment return and risk. Based on general behavioral portfolio theory, a trapezoidal fuzzy number is employed to characterize investment return and risk. Text emotion analysis based on emotional lexicons is introduced to obtain the market inv...
Towards Side-Effects-free Database Penetration Testing
Penetration testing is one of the most traditional and widely used techniques to detect security flaws in systems by conducting simulated attacks against the target systems. Organizations can develop a tool based on this technique to assess their own security systems or use third-party software. However, besides its advantages in exploring real security vulnerabilities without false results, this t...