
Information Segmentation and Investing in Cybersecurity

DOI: 10.4236/jis.2021.121006, PP. 115-136

Keywords: Cybersecurity Investments, Information Segmentation, Economics of Information Security


Abstract:

This paper provides an analysis of how the benefits of information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. An analytical model based on the framework of the Gordon-Loeb Model ([1]) is presented that provides a set of sufficient conditions for information segmentation to lower the total investments in cybersecurity and the expected loss from cybersecurity breaches. A numerical example illustrating the insights gained from the model is also presented.

References

[1]  Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457.
https://doi.org/10.1145/581271.581274
[2]  Dosal, E. (2019) What Are the Benefits of Network Segmentation?
https://www.compuquip.com/blog/4-security-benefits-of-network-segmentation
[3]  TrustNet (2020) Network Segmentation: Security Benefits and Best Practices.
https://www.trustnetinc.com/network-segmentation/
[4]  Velimirovic, A. (2020) 7 Network Segmentation Security Best Practices.
https://phoenixnap.com/blog/network-segmentation-security
[5]  Wang, S. (2017) Optimal Level and Allocation of Cybersecurity Spending: Model and Formula.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3010029
https://doi.org/10.2139/ssrn.3010029
[6]  Xu, L., Li, Y.H. and Fu, J. (2019) Cybersecurity Investment Allocation for a Multi-Branch Firm: Modeling and Optimization. Mathematics, 7, 587.
https://doi.org/10.3390/math7070587
[7]  Bodin, L.D., Gordon, L.A. and Loeb, M.P. (2005) Evaluating Information Security Investments Using the Analytic Hierarchy Process. Communications of the ACM, 48, 78-83.
https://doi.org/10.1145/1042091.1042094
[8]  Smeraldi, F. and Malacaria, P. (2014) How to Spend It: Optimal Investment for Cyber Security. Proceedings of the 1st International Workshop on Agents and CyberSecurity, Paris, May 2014, Article No. 8.
https://doi.org/10.1145/2602945.2602952
[9]  Zhuo, Y.R. and Solak, S. (2014) Measuring and Optimizing Cybersecurity Investments: A Quantitative Portfolio Approach. IIE Annual Conference. Proceedings, Institute of Industrial and Systems Engineers, Peachtree Corners.
[10]  Gordon, L.A., Loeb, M.P. and Sohail, T. (2003) A Framework for Using Insurance for Cyber-Risk Management. Communications of the ACM, 46, 81-85.
https://doi.org/10.1145/636772.636774
[11]  Böhme, R. and Schwartz, G. (2010) Modeling Cyber-Insurance: Towards a Unifying Framework.
https://www.econinfosec.org/archive/weis2010/papers/session5/weis2010_boehme.pdf
[12]  Herath, H. and Herath, T. (2011) Copula-Based Actuarial Model for Pricing Cyber-Insurance Policies. Insurance Markets and Companies: Analyses and Actuarial Computations, 2, 7-20.
[13]  Marotta, A., Martinelli, F., Nanni, S., Orlando, A. and Yautsiukhin, A. (2017) Cyber-Insurance Survey. Computer Science Review, 24, 35-61.
https://doi.org/10.1016/j.cosrev.2017.01.001
[14]  U.S. Department of Homeland Security (2012) Cybersecurity Insurance Workshop Readout Report. National Protection and Programs Directorate, Washington DC.
https://www.cisa.gov/sites/default/files/publications/November%202012%20Cybersecurity%20Insurance%20Workshop.pdf
[15]  Bodin, L.D., Gordon, L.A., Loeb, M.P. and Wang, A. (2018) Cybersecurity Insurance and Risk-Sharing. Journal of Accounting and Public Policy, 37, 527-544.
https://doi.org/10.1016/j.jaccpubpol.2018.10.004
[16]  Hoo, K.S. (2002) How Much Is Enough? A Risk Management Approach to Computer Security. Workshop on the Economics of Information Security.
http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/06.doc
[17]  Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004) A Model for Evaluating IT Security Investments. Communications of the ACM, 47, 87-92.
https://doi.org/10.1145/1005817.1005828
[18]  Tanaka, H., Matsuura, K. and Sudoh, O. (2005) Vulnerability and Information Security Investment: An Empirical Analysis of E-Local Government in Japan. Journal of Accounting and Public Policy, 24, 37-59.
https://doi.org/10.1016/j.jaccpubpol.2004.12.003
[19]  Hausken, K. (2006) Income, Interdependence, and Substitution Effects Affecting Incentives for Security Investment. Journal of Accounting and Public Policy, 25, 629-665.
https://doi.org/10.1016/j.jaccpubpol.2006.09.001
[20]  Huang, C.D., Hu, Q. and Behara, R.S. (2008) An Economic Analysis of the Optimal Information Security Investment in the Case of a Risk-Averse Firm. International Journal of Production Economics, 114, 793-804.
https://doi.org/10.1016/j.ijpe.2008.04.002
[21]  Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2014) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30.
http://dx.doi.org/10.4236/jis.2015.61003
[22]  Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective. Journal of Accounting and Public Policy, 34, 509-519.
https://doi.org/10.1016/j.jaccpubpol.2015.05.001
[23]  Fielder, A., Panaousis, E., Malacaria, P., Hankin, C. and Smeraldi, F. (2016) Decision Support Approaches for Cyber Security Investment. Decision Support Systems, 86, 13-23.
https://doi.org/10.1016/j.dss.2016.02.012
[24]  Gordon, L.A., Loeb, M.P. and Zhou, L. (2016) Investing in Cybersecurity: Insights from the Gordon-Loeb Model. Journal of Information Security, 7, 49-59.
http://dx.doi.org/10.4236/jis.2016.72004
[25]  Gordon, L.A., Loeb, M.P. and Zhou, L. (2020) Integrating Cost-Benefit Analysis into the NIST Cybersecurity Framework via the Gordon-Loeb Model. Journal of Cybersecurity, 6, tyaa005.
https://doi.org/10.1093/cybsec/tyaa005
[26]  Fanelli, B., Pessanha, R., Gwiazdowski, A., Chng-Castor, A. and Auger, G. (2017) 2017 State of Cyber Security among Small Businesses in North America, 1-24.
https://www.bbb.org/globalassets/shared/media/state-of-cybersecurity/updates/cybersecurity_final-lowres.pdf
[27]  Haapamäki, E. and Sihvonen, J. (2019) Cybersecurity in Accounting Research. Managerial Auditing Journal, 34, 808-834.
https://doi.org/10.1108/MAJ-09-2018-2004
[28]  Schechter, S.E. and Smith, M.D. (2003) How Much Security Is Enough to Stop A Thief? International Conference on Financial Cryptography, Guadeloupe, 27-30 January 2003, 122-137.
https://doi.org/10.1007/978-3-540-45126-6_9
[29]  National Institute of Standards and Technology (2018) National Institute of Standards and Technology. Version 1.1.
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
[30]  European Union (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC.
http://data.europa.eu/eli/reg/2016/679/oj
