[1] | Gordon, L. and Loeb, M. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457. http://dx.doi.org/10.1145/581271.581274
|
[2] | Gordon, L., Loeb, M., Lucyshyn and Zhou, L. (2015) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 4-30. http://dx.doi.org/10.4236/jis.2015.61003
|
[3] | Farrow, S. (2007) The Economics of Homeland Security Expenditures: Foundational Expected Cost-Effectiveness Approaches. Contemporary Economic Policy, 25, 14-26. http://dx.doi.org/10.1111/j.1465-7287.2006.00029.x
|
[4] | Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349. http://dx.doi.org/10.1007/s10796-006-9011-6
|
[5] | Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb’s 1/e Rule. Proceedings of the 11th Workshop on the Economics of Information Security (WEIS), Berlin, 25-26 June 2012.
|
[6] | Gordon, L., Loeb, M. and Lucyshyn, W. (2003) Sharing Information on Computer Systems Security: An Economic Analysis. Journal of Accounting and Public Policy, 22, 461-485. http://dx.doi.org/10.1016/j.jaccpubpol.2003.09.001
|
[7] | Gordon, L. and Loeb, M. (2011) You May Be Fighting the Wrong Security Battles. Wall Street Journal, September 26.
|
[8] | Kunreuther, H. and Heal, G. (2003) Interdependent Security. Journal of Risk and Uncertainty, 26, 231-249. http://dx.doi.org/10.1023/A:1024119208153
|
[9] | Willemson, J. (2010) Extending the Gordon and Loeb Model for Information Security Investment. 2010 International Conference on Availability, Reliability and Security, Krakow, 15-18 February 2010, 258-261. http://dx.doi.org/10.1109/ARES.2010.37
|
[10] | Bagnoli, M. and Bergstrom, T. (2005) Log-Concave Probability and Its Applications. Economic Theory, 26, 445-469. http://dx.doi.org/10.1007/s00199-004-0514-4
|
[11] | Cohen, M.A. (2000) Measuring the Costs and Benefits of Crime and Justice. In: Duffee, D., Ed., Measurement and Analysis of Crime and Justice, Criminal Justice 2000, Vol. 4, National Institute of Justice, Washington DC, 263-316. http://www.ncjrs.org/criminal_justice2000/vol_4/04f.pdf
|
[12] | Heartland Payment Systems, Inc., Customer Data Security Breach Litigation (2012) 851 F. Supp. 2d 1040 (S.D. Tex.).
|
[13] | Graves, J., Acquisti, A. and Christin, N. (2014) Should Payment Card Issuers Reissue Cards in Response to a Data Breach? WEIS: Workshop on the Economics of Information Security, Pennsylvania State University, State College, 23-24 June 2014. http://www.econinfosec.org/archive/weis2014/papers/GravesAcquistiChristin-WEIS2014.pdf
|
[14] | Crosman, P. (2014) How Much Do Data Breaches Cost? Two Studies Attempt a Tally. American Banker. http://www.americanbanker.com/issues/179_176/how-much-do-data-breaches-cost-two-studies-attempt-
a-tally-1069893-1.html
|
[15] | Silver-Greenberg, J. and Schwartz, N. (2012) MasterCard and Visa Investigate Data Breach. The New York Times, 31 March 2012. http://www.nytimes.com/2012/03/31/business/mastercard-and-visa-look-into-possible-attack.html?_r=0
|
[16] | Clapper v. Amnesty International (2013) 133 S. Ct. 1138.
|
[17] | Lujan v. Defenders of Wildlife (1992) 504 U.S. 555, 560-61.
|
[18] | Zappos.com, Inc., Customer Data Sec. Breach Litig. (2015). No. 3:12-cv-00325-RCJ-VPC, (D. Nev.).
|
[19] | Willett, B. (2015) Employees Can’t Sue Hospital for Negligence, Breach of Contract, After Personal Data Breach. Reed Smith Technology Law Dispatch, 12 June 2015.
|
[20] | The Huntington National Bank v. Kokoska, et al. (2011) Docket No. 1:11-cv-00063 (N.D. W. Va. Apr 25).
|
[21] | Schmidt, M. and Sanger, D. (2014) 5 in China Army Face U.S. Charges of Cyberattacks. The New York Times, 19 May 2014. http://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html
|
[22] | Andrijcic, E. and Horowitz, B. (2006) A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property. Risk Analysis, 26, 907-923. http://dx.doi.org/10.1111/j.1539-6924.2006.00787.x
|
[23] | Critical Infrastructures Protection Act (2001) 42 U.S.C. § 5195c(e).
|
[24] | Miller, C. (2009) Russia Confirms Involvement with Estonia DDOS Attacks. SC Magazine, 12 March 2009. http://www.scmagazine.com/russia-confirms-involvement-with-estonia-ddos-attacks/article/128737/
|
[25] | Tanner, J. (2007) Estonia Moves Soviet Statue to Cemetery. The Associated Press, 30 April 2007. http://www.washingtonpost.com/wp-dyn/content/article/2007/04/30/AR2007043000478.html
|
[26] | Hollis, D. (2011) Cyberware Case Study: Georgia 2008. Small Wars Journal, 6 January 2011. http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf
|
[27] | Markoff, J. (2008) Before the Gunfire, Cyberattacks. The New York Times, 13 August 2008. http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0
|
[28] | Keizer, G. (2010) Estonia Blamed Russia for Backing 2007 Cyberattacks, Says Leaked Cable. Computer World, 9 December 2010. http://www.computerworld.com/article/2511704/vertical-it/estonia-blamed-russia-for-backing-2007-cyberattacks
--says-leaked-cable.html
|
[29] | Landler, M. and Markoff, J. (2007) Digital Fears Emerge After Data Siege in Estonia. The New York Times, 29 May 2007. http://www.nytimes.com/2007/05/29/technology/29estonia.html?pagewanted=all
|
[30] | Richards, J. (2009) Denial-of-Service: The Estonian Cyberwar and Its Implications for US National Security. International Affairs Review, 18. http://www.iar-gwu.org/node/65
|
[31] | Hobemagi, T. (2010) Price of Cyberattacks to Hansabank: 10 Million Euros. Baltic Business News, 12 August 2010. http://balticbusinessnews.com/article/2010/12/08/Price-of-cyberattacks-to-Hansabank-10-million-euros
|
[32] | Herzog, S. (2011) Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security, 4, 49-60. http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1105&context=jss http://dx.doi.org/10.5038/1944-0472.4.2.3
|
[33] | Crawford, J. (2014) The US Government Thinks China Could Take Down the Power Grid. CNN.com, 21 November 2014. http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/
|
[34] | Lloyd’s of London (2015) Business Blackout: The Insurance Implications of a Cyber Attack on the US Power Grid. Lloyd’s Emerging Risk Report-2015. https://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/2015/business
%20blackout/business%20blackout20150708.pdf
|
[35] | Liptak, A. (2003) The Blackout of 2003: Lawsuits; Plaintiffs to Face Hurdles Proving Liability. The New York Times, 15 August 2003. http://www.nytimes.com/2003/08/15/us/the-blackout-of-2003-lawsuits-plaintiffs-to-face-hurdles-
proving-liability.html
|
[36] | Garrison v. Pac. Nw. Bell (1980) 608 P.2d 1206, 1211.
|
[37] | Food Pageant, Inc. v. Consol. Edison Co. (1981) 429 N.E.2d 738, 740.
|
[38] | Singer Co., Link Simulation Sys. Div. v. Baltimore Gas & Elec. Co. (1989) 558 A.2d 419, 428.
|
[39] | Frankel, A. (2012) Can Customers Sue Power Companies for Outages? Yes, But It’s Hard to Win. Reuters.com, 9 November 2012. http://blogs.reuters.com/alison-frankel/2012/11/09/can-customers-sue-power-companies-for-outages-yes -but-its-hard-to-win/
|
[40] | Zhang, Z. (2013) Cybersecurity Policy for the Electricity Sector: The First Step to Protecting Our Critical Infrastructure from Cyber Threats. Boston University Journal of Science and Technology Law, 19, 319-366.
|
[41] | Wei, L., Debaise, C. and Bray, C. (2003) Blackout Exposes Power Companies to Potential Lawsuits. Dow Jones Newswires New York, 18 August 2003. http://www.oandb.com/blackoutexposes.html
|
[42] | Venable LLP (2014) The SAFETY Act: Providing Critical Liability Protections for Cyber and Physical Security Efforts. https://www.venable.com/files/Publication/6c0b031e-c2c5-4029-9ac7-13cb1d8c0d07/Presentation/
PublicationAttachment/e81d24a3-fc57-4ece-8e1f-179418baf994/The_SAFETY_Act_Providing_
Critical_Liability_Protections_for_Cyber_and_Physical_Securi.pdf
|
[43] | Eeckhoudt, L., Gollier, C. and Schlesinger, H. (2005) Economic and Financial Decisions under Risk. Princeton University Press, Princeton.
|
[44] | Huang, C.D., Hu, Q. and Behara, R.S. (2008) An Economic Analysis of the Optimal Information Security Investment in the Case of a Risk-Averse Firm. International Journal of Production Economics, 114, 793-804. http://dx.doi.org/10.1016/j.ijpe.2008.04.002
|
[45] | Cook, P. and Graham, D. (1977) The Demand for Insurance and Protection: A Case of Irreplaceable Commodities. Quarterly Journal of Economics, 92, 143-156. http://dx.doi.org/10.2307/1883142
|
[46] | Lucas, D. (2014) Rebutting Arrow and Lind: Why Governments Should Use Market Rates for Discounting. Journal of Natural Resources Policy Research, 6, 85-91. http://dx.doi.org/10.1080/19390459.2013.874106
|
[47] | Stewart, M., Ellingwood, B. and Mueller, J. (2011) Homeland Security: A Case Study in Risk Aversion for Public Decision Making. International Journal of Risk Assessment and Management, 15, 367-386. http://dx.doi.org/10.1504/IJRAM.2011.043690
|
[48] | Stewart, M. and Mueller, J. (2013) Aviation Security, Risk Assessment, and Risk Aversion for Public Decisionmaking. Journal of Policy Analysis and Management, 32, 615-633. http://dx.doi.org/10.1002/pam.21704
|
[49] | Farrow, S. and Scott, M. (2013) Comparing Multi-State Expected Damages, Option Price and Cumulative Prospect Measures for Valuing Flood Protection. Water Resources Research, 49, 2638-2648. http://dx.doi.org/10.1002/wrcr.20217
|