Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management

Baldwin, Adrian; Casassa Mont, Marco; Pym, David; Shiu, Simon
HP Laboratories
Keyword(s): security analytics, identity management, economics

Abstract: Identity and Access Management (IAM) is a key issue for systems security managers such as CISOs. More specifically, it is a difficult problem to understand how different investments in people, process, and technology affect the intended security outcomes. We position this problem within the framework of optimal control models in macroeconomics, and use a process model to understand the dynamics of the utility of possible trade-offs between investment, access, and security incidents (breaches). A utility function is used to express the security manager's IAM preferences, and the functional behaviour of its components is described via a process model. Executing our process model as Monte Carlo simulations, we illustrate the behaviour of the utility function for varying levels of investment and threat, and so provide the beginnings of a decision-support tool for systems security managers.

Additional Publication Information: Presented in Trust Economics Workshop, London, June 2009