Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nat...

Received: 1 November 2008 Revised: 27 July 2009 Accepted: 27 July 2009 Online publication date: 7 January 2010 Abstract Although multinationals operate under cross-border jurisdictions, the relevance of interstate security relations to international business has received little attention. Despite the impressive accumulation of knowledge in international business and international relations, the...

Hosts (or nodes) in the Internet often face epidemic risks such as virus and worms attack. Despite the awareness of these risks and the availability of anti-virus software, investment in security protection is still scare, hence, epidemic risk is still prevalent. Deciding whether to invest in security protection is an inter-dependent process: security investment decision made by one node can af...

The information security experts are finding it challenging to timely response the emerging threats. The rapid changing of security landscape and dependency on the agile software and system development projects make it challenging to address these threats in a real time. This could create potential risks to the overall business continuity. Furthermore, critical human factors, cost and investmen...

As with all aspects of business and the economy, information security is an economic function. Security can be modeled as a maintenance or insurance cost as a relative function but never in absolute terms. As such, security can be seen as a cost function that leads to the prevention of loss, but not one that can create gains (or profit). With the role of a capital investment to provide a return...

In this paper, we propose an evolutionary game model to analyze the investment decision making process in the cyber offender-defender interaction and provide a quantified approach for defender to calculate the safety threshold to avoid the occurrence of offender-leading game. Then we use simulation as a workbench to discuss the adjustment of each parameter to the security investment threshold. ...

The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative ri...

quantitative and model-based prediction of security in the architecture design stage facilitates early detection of design faults hence reducing modification costs in subsequent stages of software life cycle. however, an important question arises with respect to the accuracy of input parameters. in practice, security parameters can rarely be estimated accurately due to the lack of sufficient kn...