Given the importance of cybersecurity to the survival of an organization,
a fundamental economics-based question that must be addressed by all
organizations is: How much should be invested in cybersecurity-related
activities? Gordon and Loeb [1] presented a model to address this question, and
that model has received a significant amount of attention in the academic and
practitioner literature. The primary objective of this paper is to discuss the
Gordon-Loeb Model with a focus on gaining insights for the model's use in a
practical setting.
References
[1] Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457. http://dx.doi.org/10.1145/581271.581274
[2] Gordon, L.A. and Loeb, M.P. (2006) Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw-Hill, Inc., New York.
[3] Rue, R. and Pfleeger, S.L. (2009) Making the Best Use of Cybersecurity Economic Models. IEEE Security & Privacy, 7, 52-60. http://dx.doi.org/10.1109/MSP.2009.98
[4] Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004) A Model Evaluating IT Security Investments. Communications of the ACM, 47, 87-92. http://dx.doi.org/10.1145/1005817.1005828
[5] Wang, J., Chaudhury, A. and Rao, H.R. (2008) Research Note: A Value-at-Risk Approach to Information Security Investment. Information Systems Research, 19, 106-120. http://dx.doi.org/10.1287/isre.1070.0143
[6] AFCEA (Armed Forces Communications and Electronics Association) Cyber Committee Report (2013) The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment.
[7] Gordon, L.A. and Loeb, M.P. (2011) You May Be Fighting the Wrong Security Battles. The Wall Street Journal, 26 September.
[8] Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cybersecurity Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. http://dx.doi.org/10.4236/jis.2015.61003
[9] Gordon, L.A., Loeb, M.P. and Zhou, L. (2011) The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs? Journal of Computer Security, 19, 33-56.
[10] Lelarge, M. (2012) Coordination in Network Security Games. In: Greenberg, A.G. and Sohraby, K., Eds., INFOCOM, IEEE, 2856-2860. http://dx.doi.org/10.1109/infcom.2012.6195715
[11] Lelarge, M. (2012) Coordination in Network Security Games: A Monotone Comparative Statics Approach. IEEE Journal on Selected Areas in Communications, 30, 2210-2219. http://dx.doi.org/10.1109/JSAC.2012.121213
[12] Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb's 1/e Rule. Workshop on Economics and Information Security, Berlin. http://weis2012.econinfosec.org/papers
[13] Willemson, J. (2006) On the Gordon & Loeb Model for Information Security Investment. The Fifth Workshop on Economics of Information Security (WEIS), University of Cambridge. http://www.econinfosec.org/archive/weis2006/docs/12.pdf
[14] Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349. http://dx.doi.org/10.1007/s10796-006-9011-6
[15] Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective. Journal of Accounting and Public Policy, 34, 509-519. http://dx.doi.org/10.1016/j.jaccpubpol.2015.05.001
[16] Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Increasing Cybersecurity Investments in Private Sector Firms. Journal of Cybersecurity, 1, 3-17. http://dx.doi.org/10.1093/cybsec/tyv011
[17] Tanaka, H., Matsuura, K. and Sudoh, O. (2005) Vulnerability and Information Security Investment: An Empirical Analysis of e-Local Government in Japan. Journal of Accounting and Public Policy, 24, 37-59. http://dx.doi.org/10.1016/j.jaccpubpol.2004.12.003
[18] Bodin, L., Gordon, L.A. and Loeb, M.P. (2008) Information Security and Risk Management. Communications of the ACM, 51, 64-68. http://dx.doi.org/10.1145/1330311.1330325