Martin P. Loeb

  • University of Maryland, College Park

About

70 Publications
76,163 Reads
8,487 Citations


Publications (70)
Article
The primary objective of the current study is to analytically examine the economic benefits an organization can obtain by receiving and processing cyber threat intelligence (CTI) shared by the US government. Our results show that the benefits from receiving CTI are closely associated with the difference between the threat level indicated by the CTI...
Article
The National Institute for Standards and Technology (NIST) Cybersecurity Framework has rapidly become a widely accepted approach to facilitating cybersecurity risk management within organizations. An insightful aspect of the NIST Cybersecurity Framework is its explicit recognition that the activities associated with managing cybersecurity risk are...
Article
In today's interconnected digital world, cybersecurity risks and resulting breaches are a fundamental concern to organizations and public policy setters. Accounting firms, as well as other firms providing risk advisory services, are concerned about their clients’ potential and actual breaches. Organizations cannot, however, eliminate all cybersecur...
Article
Given the importance of cybersecurity to the survival of an organization, a fundamental economics based question that must be addressed by all organizations is: How much should be invested in cybersecurity related activities? Gordon and Loeb [1] presented a model to address this question, and that model has received a significant amount of attentio...
Article
The primary objective of this article is to develop an economics-based analytical framework for assessing the impact of government incentives/regulations designed to offset the tendency to under-invest in cybersecurity related activities by private sector firms. The analysis provided in the article shows that the potential for government incentives...
Article
Maintaining adequate cybersecurity is crucial for a firm to maintain the integrity of its external and internal financial reports, as well as to protect the firm’s strategic proprietary information. This paper demonstrates how information sharing could encourage firms to take a more proactive, as compared to a reactive, approach toward cybersecurit...
Article
Cyber security breaches inflict costs to consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and governme...
Article
By analyzing a panel data set of over 1300 observations covering 124 countries, for the period from 1996 through 2009, this paper tests the basic argument that the adoption of International Foreign Reporting Standards (IFRSs) by a country results in increased foreign direct investment (FDI) inflows. Analysis of the data using an ordinary least squa...
Article
By analyzing evidence of stock returns using a sophisticated market model over a long period and over two distinct and naturally arising sub-periods, this study helps resolve conflicting evidence from previous studies concerning the effect of information security breaches on market returns of firms. This study has three major findings. First, the i...
Article
Information security is a fundamental concern for corporations operating in today's digital economy. The number of firms disclosing items concerning their information security on reports filed with the U.S. Securities and Exchange Commission (SEC) has increased in recent years. A question then arises as to whether or not there is value to the volun...
Article
This paper investigates whether entrepreneurs manipulate earnings in the periods prior to taking their firms public through the choice of accounting conventions. The preponderance of evidence, using powerful accrual tests that were able to detect earnings management in other contexts, indicates little, if any, manipulation. To the extent that there...
Article
This paper considers an intrafirm resource allocation model with a single principal and n agents. Each agent represents a division manager who uses a centrally provided input together with other inputs, including effort, to produce and sell final products. The principal represents an owner who is responsible for providing an input to the divisions....
Article
In recent years, a paradigm shift has occurred regarding the way organizations view risk management. Instead of looking at risk management from a silo-based perspective, the trend is to take a holistic view of risk management. This holistic approach toward managing an organization's risk is commonly referred to as enterprise risk management (ERM)....
Article
The design and use of management control systems can play a key role in dealing with cybersecurity issues that have arisen in tandem with the emergence of the Internet. Efficient management control systems will reduce a firm's likelihood of suffering significant losses from cybersecurity breaches. Drawing on and extending the extant agency-based ca...
Article
Some measures that consider various aspects of information security risk and propose a methodology that allows decision makers to combine them into a single composite metric, the perceived composite risk (PCR) are discussed. The Analytic Hierarchy Process (AHP) is recommended to determine the weighting factors needed to combine risk measures into t...
Article
The evolution of some of the key issues related to capital budgeting makes it clear that informational impediments is a fundamental theme that has dominated much of the capital budgeting literature over the last sixty years. This chapter reviews the literature espousing this theme in the context of the following three specific, albeit related, issu...
Article
This paper empirically examines the impact of the Sarbanes-Oxley Act (SOX) of 2002 on the voluntary disclosure of information security activities by corporations. The empirical evidence provided clearly indicates that SOX is having a positive impact on such disclosure. These findings provide strong indirect evidence that corporate information secur...
Article
Famed economist, Joseph A. Schumpeter's notion of creative destruction has created an impact on the computer and cyber security breaches. Schumpeter's notion of creative destruction refers to the general idea that, in a capitalist society, entrepreneurs confront problems, such as computer security breaches, in a creative manner that ultimately lead...
Article
This paper chronicles the development of economics of information security as an academic area of research. It also describes the contributions of the papers in the special section of this issue devoted to the topic.
Article
An empirical study to examine the way corporations make decisions regarding information security expenditures is conducted. The study assessed whether firms approach the budgeting process for information security expenditures in a rational economic manner, based on cost-benefit analysis. Empirical evidence shows that cost-benefit analysis is a sound...
Article
In today's information-based economy, organizations must avoid costly information security breaches. Unfortunately, organizations cannot make all of their information 100% secure all of the time. There are economic, as well as technical, impediments that prevent perfect information security. Accordingly, organizations usually prepare an annual fixe...
Article
Survey of computer security practitioners.
Article
This study examines the economic effect of information security breaches reported in newspapers on publicly traded US corporations. We find limited evidence of an overall negative stock market reaction to public announcements of information security breaches. However, further investigation reveals that the nature of the breach affects this result....
Article
This paper examines the deferment option explanation for why information security breaches are so prevalent. Our examination will focus on security breaches within major U.S. corporations and will include some empirical evidence to support our discussion. As will be seen, the evidence presented supports the argument that the ubiquitous nature of se...
Article
Various aspects related to the use of recently developed cyber-risk insurance policies aimed at providing coverage against losses from internet related breaches in information security are discussed. A generic framework for using cyber-risk insurance for helping to manage information security risk is described. The framework is based on the entire...
Article
The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accoun...
Article
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its inv...
Article
Information security (IS) breaches are a growing concern. In fact, 90% of the respondents in a recent survey of private and public organizations conducted by the Computer Security Institute and the FBI had detected security breaches in the previous year. To protect the confidentiality, integrity, and availability of information, while also assuring...
Article
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its inv...
Article
Competitor Analysis Systems (CAS) seems to be entering an era of almost unlimited vistas due to the information age. In fact, nearly every organization is both a CAS predator and CAS prey in today's IT environment. In today's information environment, a logical competitive response to having the firm become a part of the CAS of a rival firm is infor...
Article
The Computer Security Institute has started a joint survey on Computer Crime and Security Survey with San Francisco Federal Bureau of Investigation's Computer Intrusion Squad. The survey is in its 11th year and is the longest-running continuous survey in the information security field. The 2006 survey addresses the issues considered in earlier CSI/...
Article
Many have predicted that if the millennium bug crashes computers, the economic repercussions will be negative and severe. But those companies that have made their systems Y2K-compliant have realized many positive side effects that have made them more competitive and perform better.
Article
Cost-plus procurement contracts are widely used by the government. Although prior studies have recognized that payment ceilings are a common element in cost-plus procurement contracts, these studies have not examined the endogenous determination or the welfare effects of such ceilings. In this paper, a simple agency model is used to examine the opt...
Article
This paper presents a two-period model of the audit market. In the first period, all auditors have symmetric information and adopt identical bidding strategies. In the process of performing the audit, the incumbent auditor learns the actual costs, thereby becoming informationally advantaged in the second period. In the model presented, unlike earli...
Article
We consider a monopolist selling one product to a commercial market and a related, but distinct, product to the government. In the absence of sales to the government, the usual welfare loss associated with too little quantity being sold at too high a price arises. Using an agency model, the welfare consequences of using a cost-plus contract for pro...
Article
This paper focuses on the optimality of a purchaser using ex-post costs in compensating a supplier in the context of sole source procurement. Traditional agency work has shown that, under certain conditions, it may be optimal for an agent to be held responsible for uncontrollable outcomes. In this paper, limiting conditions are examined under which...
Article
Recent research has refined the notion that a manager's evaluation should be based only on controllable measures of performance. Introducing an explicit measure of non-controllable performance into the evaluation has been shown to reduce agency problems by allowing compensation to have a lesser dependence on non-controllable performance. While the...
Article
The question of how, or even whether, indirect costs should be allocated for pricing decisions has been controversial and unresolved. This paper takes a step toward answering this question by examining the special case of a firm that must incur incremental fixed costs to complete any or all of the several projects for which it is submitting simulta...
Article
Conventional wisdom related to capital budgeting suggests that providing a project sponsor with an improved cash flow forecasting system should lead to higher firm value. Recent agency theoretic work related to the value of an information system makes such wisdom suspect. However, such work has implicitly assumed that, where communication between t...
Article
Firms that supply goods to the government often produce these goods in conjunction with other goods, incurring joint or common production costs. When the government uses costs as a basis for contracting with such firms, questions of cost allocation naturally arise. This paper presents, in the context of a bidding model, conditions under which a fix...
Article
The question of why firms allocate costs for internal reporting has been brought to the forefront of accounting research. This cost allocation literature focuses on finding settings in which cost allocations arise as a part of optimal contracting, under conditions of asymmetric information and divergence of preferences. This paper presents a settin...
Article
Considered in this paper is the problem of intrafirm resource allocation. Two incentive schemes, the Groves scheme and profit sharing, have been presented in the literature as ways of dealing with this problem under conditions of asymmetric information. In the absence of effort aversion by division managers, it has been shown that truth-telling for...
Article
This paper examines the problems of coordinating and controlling divisions of a large firm. Divisions are typically interdependent and the corporate headquarters plays an important role in coordinating such decisions as pricing, allocation of funds to the divisions, and determining the level of corporate-wide research and development. One important...
Article
A new institutional arrangement for regulating utilities is suggested that minimizes the costs of natural monopolies. A mixture of regulation and franchising, the plan draws on the advantages of each and eliminates many of the problems. The proposal allows utilities to set their own price on the basis of demand and marginal-cost projections. Subsid...
Article
The study attempts to shed additional light on the issue of the costs and benefits of using the mean-variance criterion as opposed to stochastic dominance criteria for investment decisions. Relevant probabilities which facilitate measurement of these costs and benefits are identified. The mean-variance criterion is shown to be useful to some extent...
Article
The informational incentive properties of a scheme proposed by Ronen to ensure efficient allocations in the presence of interfirm externalities are examined. While sending accurate information is a noncooperative (Nash) equilibrium in the game defined by Ronen's scheme, it is not the only such equilibrium. Others such that all firms are better off...
Article
Considered in this paper is a mechanism to coordinate the decision to provide a public input to a group of firms designed to overcome the ‘free rider’ problem. The coordinating agent relies on information communicated by the firms and it is shown that the mechanism provides an incentive for each firm to send truthful information so that an optimal...
Article
A model is developed which demonstrates that control systems for investments in information security have a positive net economic impact on an organization. This positive effect is an increasing function of the degree of asymmetric information (related to moral hazard and adverse selection) between Chief Security Officers and Chief Financial Office...
