
Cybersecurity Investment Guidance: Extensions of the Gordon and Loeb Model

DOI: 10.4236/jis.2016.72002, PP. 15-28

Keywords: Cybersecurity, Investment, Externality, Log-Convexity, Law


Abstract:

Extensions of the Gordon-Loeb [1] and the Gordon-Loeb-Lucyshyn-Zhou [2] models are presented based on mathematical equivalency with a generalized homeland security model. The extensions include limitations on changes in the probability of attack, simultaneous effects on probability and loss, diversion of attack, and shared non-information defenses. Legal cases are then investigated to assess approximate magnitudes of external effects and the extent they are internalized by the legal system.
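As an added worked example (not code from the paper or its authors), the following script implements the base Gordon-Loeb model [1] that the extensions above build on: the class-I breach probability function S(z, v) = v / (αz + 1)^β, the expected net benefit ENBIS(z) = [v − S(z, v)]·L − z, its closed-form maximiser, a numeric cross-check that works for any convex decreasing breach function, and the 1/e rule discussed in [1] and [5]. The paper's own extensions (capped changes in attack probability, joint probability/loss effects, diversion, shared defenses) are not implemented; the parameter values v, L, α and β are constructed for illustration.

```python
"""Worked example of the Gordon-Loeb (2002) optimal security investment.

Added illustration only; it implements the original model of reference [1]
with the class-I breach function and checks the 1/e rule ([1], [5]).
All numeric inputs below are assumptions chosen for illustration.
"""
import math


def breach_prob_class1(z, v, alpha=1e-4, beta=1.0):
    """Class-I breach probability S(z, v) = v / (alpha*z + 1)**beta.

    v           : baseline vulnerability (breach probability at zero spend)
    z           : security investment, in the same currency as the loss L
    alpha, beta : productivity of security spend (alpha > 0, beta >= 1)
    """
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, loss, breach_prob):
    """Expected net benefit of information security:
    ENBIS(z) = [v - S(z, v)] * L - z."""
    return (v - breach_prob(z, v)) * loss - z


def optimal_investment_closed_form(v, loss, alpha=1e-4, beta=1.0):
    """Class-I first-order condition: (alpha*z + 1)**(beta+1) = v*L*alpha*beta.

    Returns 0 when the marginal benefit of the first unit of spend is below
    its cost (v*L*alpha*beta <= 1), i.e. no investment is rational.
    """
    k = v * loss * alpha * beta
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def optimal_investment_numeric(v, loss, breach_prob, iters=200):
    """Ternary search of the concave ENBIS(z) on [0, v*L].

    Works for any convex, decreasing breach-probability function, so it can
    be used to cross-check variants beyond class I. Spending more than the
    expected loss v*L can never pay, which bounds the search interval.
    """
    lo, hi = 0.0, v * loss
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3.0
        m2 = hi - (hi - lo) / 3.0
        if enbis(m1, v, loss, breach_prob) < enbis(m2, v, loss, breach_prob):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2.0


def one_over_e_bound(v, loss):
    """Gordon-Loeb 1/e rule: the optimal spend never exceeds v*L/e."""
    return v * loss / math.e


def summarize(v, loss, alpha=1e-4, beta=1.0):
    """Return the optimum by both methods, the 1/e bound and residual risk."""
    def s(z, vv):
        return breach_prob_class1(z, vv, alpha, beta)

    z_cf = optimal_investment_closed_form(v, loss, alpha, beta)
    z_num = optimal_investment_numeric(v, loss, s)
    bound = one_over_e_bound(v, loss)
    return {
        "z_closed_form": z_cf,
        "z_numeric": z_num,
        "bound_vL_over_e": bound,
        "within_bound": z_cf <= bound,
        "residual_breach_prob": s(z_cf, v),
        "enbis_at_optimum": enbis(z_cf, v, loss, s),
    }


if __name__ == "__main__":
    # Constructed inputs: 60 % baseline vulnerability, 100 000 potential loss.
    for key, val in summarize(0.6, 100_000).items():
        print(f"{key:>22}: {val}")
```

With v = 0.6, L = 100 000, α = 10⁻⁴ and β = 1 the optimum is about 14 495, well under the 1/e bound of roughly 22 073, and the residual breach probability falls from 0.6 to about 0.245. The numeric search exists so that a different breach function (for instance the alternatives studied in [4]) can be substituted without re-deriving the first-order condition.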

References

[1]  Gordon, L. and Loeb, M. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457.
http://dx.doi.org/10.1145/581271.581274
[2]  Gordon, L., Loeb, M., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 4-30.
http://dx.doi.org/10.4236/jis.2015.61003
[3]  Farrow, S. (2007) The Economics of Homeland Security Expenditures: Foundational Expected Cost-Effectiveness Approaches. Contemporary Economic Policy, 25, 14-26.
http://dx.doi.org/10.1111/j.1465-7287.2006.00029.x
[4]  Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349.
http://dx.doi.org/10.1007/s10796-006-9011-6
[5]  Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb’s 1/e Rule. Proceedings of the 11th Workshop on the Economics of Information Security (WEIS), Berlin, 25-26 June 2012.
[6]  Gordon, L., Loeb, M. and Lucyshyn, W. (2003) Sharing Information on Computer Systems Security: An Economic Analysis. Journal of Accounting and Public Policy, 22, 461-485.
http://dx.doi.org/10.1016/j.jaccpubpol.2003.09.001
[7]  Gordon, L. and Loeb, M. (2011) You May Be Fighting the Wrong Security Battles. Wall Street Journal, September 26.
[8]  Kunreuther, H. and Heal, G. (2003) Interdependent Security. Journal of Risk and Uncertainty, 26, 231-249.
http://dx.doi.org/10.1023/A:1024119208153
[9]  Willemson, J. (2010) Extending the Gordon and Loeb Model for Information Security Investment. 2010 International Conference on Availability, Reliability and Security, Krakow, 15-18 February 2010, 258-261.
http://dx.doi.org/10.1109/ARES.2010.37
[10]  Bagnoli, M. and Bergstrom, T. (2005) Log-Concave Probability and Its Applications. Economic Theory, 26, 445-469.
http://dx.doi.org/10.1007/s00199-004-0514-4
[11]  Cohen, M.A. (2000) Measuring the Costs and Benefits of Crime and Justice. In: Duffee, D., Ed., Measurement and Analysis of Crime and Justice, Criminal Justice 2000, Vol. 4, National Institute of Justice, Washington DC, 263-316.
http://www.ncjrs.org/criminal_justice2000/vol_4/04f.pdf
[12]  Heartland Payment Systems, Inc., Customer Data Security Breach Litigation (2012) 851 F. Supp. 2d 1040 (S.D. Tex.).
[13]  Graves, J., Acquisti, A. and Christin, N. (2014) Should Payment Card Issuers Reissue Cards in Response to a Data Breach? WEIS: Workshop on the Economics of Information Security, Pennsylvania State University, State College, 23-24 June 2014.
http://www.econinfosec.org/archive/weis2014/papers/GravesAcquistiChristin-WEIS2014.pdf
[14]  Crosman, P. (2014) How Much Do Data Breaches Cost? Two Studies Attempt a Tally. American Banker.
http://www.americanbanker.com/issues/179_176/how-much-do-data-breaches-cost-two-studies-attempt-a-tally-1069893-1.html
[15]  Silver-Greenberg, J. and Schwartz, N. (2012) MasterCard and Visa Investigate Data Breach. The New York Times, 31 March 2012.
http://www.nytimes.com/2012/03/31/business/mastercard-and-visa-look-into-possible-attack.html?_r=0
[16]  Clapper v. Amnesty International (2013) 133 S. Ct. 1138.
[17]  Lujan v. Defenders of Wildlife (1992) 504 U.S. 555, 560-61.
[18]  Zappos.com, Inc., Customer Data Security Breach Litigation (2015) No. 3:12-cv-00325-RCJ-VPC (D. Nev.).
[19]  Willett, B. (2015) Employees Can’t Sue Hospital for Negligence, Breach of Contract, After Personal Data Breach. Reed Smith Technology Law Dispatch, 12 June 2015.
[20]  The Huntington National Bank v. Kokoska, et al. (2011) Docket No. 1:11-cv-00063 (N.D. W. Va. Apr 25).
[21]  Schmidt, M. and Sanger, D. (2014) 5 in China Army Face U.S. Charges of Cyberattacks. The New York Times, 19 May 2014.
http://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html
[22]  Andrijcic, E. and Horowitz, B. (2006) A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property. Risk Analysis, 26, 907-923.
http://dx.doi.org/10.1111/j.1539-6924.2006.00787.x
[23]  Critical Infrastructures Protection Act (2001) 42 U.S.C. § 5195c(e).
[24]  Miller, C. (2009) Russia Confirms Involvement with Estonia DDOS Attacks. SC Magazine, 12 March 2009.
http://www.scmagazine.com/russia-confirms-involvement-with-estonia-ddos-attacks/article/128737/
[25]  Tanner, J. (2007) Estonia Moves Soviet Statue to Cemetery. The Associated Press, 30 April 2007.
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/30/AR2007043000478.html
[26]  Hollis, D. (2011) Cyberwar Case Study: Georgia 2008. Small Wars Journal, 6 January 2011.
http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf
[27]  Markoff, J. (2008) Before the Gunfire, Cyberattacks. The New York Times, 13 August 2008.
http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0
[28]  Keizer, G. (2010) Estonia Blamed Russia for Backing 2007 Cyberattacks, Says Leaked Cable. Computer World, 9 December 2010.
http://www.computerworld.com/article/2511704/vertical-it/estonia-blamed-russia-for-backing-2007-cyberattacks--says-leaked-cable.html
[29]  Landler, M. and Markoff, J. (2007) Digital Fears Emerge After Data Siege in Estonia. The New York Times, 29 May 2007.
http://www.nytimes.com/2007/05/29/technology/29estonia.html?pagewanted=all
[30]  Richards, J. (2009) Denial-of-Service: The Estonian Cyberwar and Its Implications for US National Security. International Affairs Review, 18.
http://www.iar-gwu.org/node/65
[31]  Hobemagi, T. (2010) Price of Cyberattacks to Hansabank: 10 Million Euros. Baltic Business News, 12 August 2010.
http://balticbusinessnews.com/article/2010/12/08/Price-of-cyberattacks-to-Hansabank-10-million-euros
[32]  Herzog, S. (2011) Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security, 4, 49-60.
http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1105&context=jss
http://dx.doi.org/10.5038/1944-0472.4.2.3
[33]  Crawford, J. (2014) The US Government Thinks China Could Take Down the Power Grid. CNN.com, 21 November 2014.
http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/
[34]  Lloyd’s of London (2015) Business Blackout: The Insurance Implications of a Cyber Attack on the US Power Grid. Lloyd’s Emerging Risk Report-2015.
https://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/2015/business%20blackout/business%20blackout20150708.pdf
[35]  Liptak, A. (2003) The Blackout of 2003: Lawsuits; Plaintiffs to Face Hurdles Proving Liability. The New York Times, 15 August 2003.
http://www.nytimes.com/2003/08/15/us/the-blackout-of-2003-lawsuits-plaintiffs-to-face-hurdles-proving-liability.html
[36]  Garrison v. Pac. Nw. Bell (1980) 608 P.2d 1206, 1211.
[37]  Food Pageant, Inc. v. Consol. Edison Co. (1981) 429 N.E.2d 738, 740.
[38]  Singer Co., Link Simulation Sys. Div. v. Baltimore Gas & Elec. Co. (1989) 558 A.2d 419, 428.
[39]  Frankel, A. (2012) Can Customers Sue Power Companies for Outages? Yes, But It’s Hard to Win. Reuters.com, 9 November 2012.
http://blogs.reuters.com/alison-frankel/2012/11/09/can-customers-sue-power-companies-for-outages-yes-but-its-hard-to-win/
[40]  Zhang, Z. (2013) Cybersecurity Policy for the Electricity Sector: The First Step to Protecting Our Critical Infrastructure from Cyber Threats. Boston University Journal of Science and Technology Law, 19, 319-366.
[41]  Wei, L., Debaise, C. and Bray, C. (2003) Blackout Exposes Power Companies to Potential Lawsuits. Dow Jones Newswires New York, 18 August 2003.
http://www.oandb.com/blackoutexposes.html
[42]  Venable LLP (2014) The SAFETY Act: Providing Critical Liability Protections for Cyber and Physical Security Efforts.
https://www.venable.com/files/Publication/6c0b031e-c2c5-4029-9ac7-13cb1d8c0d07/Presentation/PublicationAttachment/e81d24a3-fc57-4ece-8e1f-179418baf994/The_SAFETY_Act_Providing_Critical_Liability_Protections_for_Cyber_and_Physical_Securi.pdf
[43]  Eeckhoudt, L., Gollier, C. and Schlesinger, H. (2005) Economic and Financial Decisions under Risk. Princeton University Press, Princeton.
[44]  Huang, C.D., Hu, Q. and Behara, R.S. (2008) An Economic Analysis of the Optimal Information Security Investment in the Case of a Risk-Averse Firm. International Journal of Production Economics, 114, 793-804.
http://dx.doi.org/10.1016/j.ijpe.2008.04.002
[45]  Cook, P. and Graham, D. (1977) The Demand for Insurance and Protection: A Case of Irreplaceable Commodities. Quarterly Journal of Economics, 92, 143-156.
http://dx.doi.org/10.2307/1883142
[46]  Lucas, D. (2014) Rebutting Arrow and Lind: Why Governments Should Use Market Rates for Discounting. Journal of Natural Resources Policy Research, 6, 85-91.
http://dx.doi.org/10.1080/19390459.2013.874106
[47]  Stewart, M., Ellingwood, B. and Mueller, J. (2011) Homeland Security: A Case Study in Risk Aversion for Public Decision Making. International Journal of Risk Assessment and Management, 15, 367-386.
http://dx.doi.org/10.1504/IJRAM.2011.043690
[48]  Stewart, M. and Mueller, J. (2013) Aviation Security, Risk Assessment, and Risk Aversion for Public Decisionmaking. Journal of Policy Analysis and Management, 32, 615-633.
http://dx.doi.org/10.1002/pam.21704
[49]  Farrow, S. and Scott, M. (2013) Comparing Multi-State Expected Damages, Option Price and Cumulative Prospect Measures for Valuing Flood Protection. Water Resources Research, 49, 2638-2648.
http://dx.doi.org/10.1002/wrcr.20217
