I was mostly interested in works explaining how to show value derived from security operations. (Remember, value is mainly or exclusively cost avoidance.) I am really interested in knowing how much it costs to maintain and defend an information infrastructure versus what it costs to exploit it. I found the following to be previous work in related areas.
- Optimally Securing Enterprise Information Systems and Assets by Vineet Kumar, Rahul Telang, Tridas Mukhopadhyay, Carnegie Mellon University
- Assessing the Value of Investments in Network Security Operations: A Systems Analytics Approach by Jonathan Griffin, Brian Monahan, David Pym, Mike Wonham, and Mike Yearworth, HP Laboratories
- Understanding and Influencing Attackers' Decisions: Implications for Security Investment Strategies by Marco Cremonini and Dmitri Nizovtsev
- Private Sector Cyber Security Investment: An Empirical Analysis by Brent R. Rowe and Michael P. Gallaher
- Evaluating Information Security Investments from Attackers Perspective: the Return-On-Attack (ROA) by Marco Cremonini and Patrizia Martini
You may also remember my review of Managing Cyber-Security Resources: A Cost-Benefit Analysis. It is good background reading.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.