Journal of Information Security, 2016, 7, 49-59
Published Online March 2016 in SciRes. http://www.scirp.org/journal/jis
How to cite this paper: Gordon, L.A., Loeb, M.P. and Zhou, L. (2016) Investing in Cybersecurity: Insights from the Gordon-
Loeb Model. Journal of Information Security, 7, 49-59. http://dx.doi.org/10.4236/jis.2016.72004
Investing in Cybersecurity: Insights from
the Gordon-Loeb Model
Lawrence A. Gordon, Martin P. Loeb, Lei Zhou
Robert H. Smith School of Business, University of Maryland, College Park, USA
Received 19 January 2016; accepted 20 March 2016; published 23 March 2016
Copyright © 2016 by authors and Scientific Research Publishing Inc.
This work is licensed under the Creative Commons Attribution International License (CC BY).
Given the importance of cybersecurity to the survival of an organization, a fundamental econom-
ics-based question that must be addressed by all organizations is: How much should be invested in
cybersecurity related activities? Gordon and Loeb  presented a model to address this question,
and that model has received a significant amount of attention in the academic and practitioner li-
terature. The primary objective of this paper is to discuss the Gordon-Loeb Model with a focus on
gaining insights for the model’s use in a practical setting.
Economics of Information Security, Cybersecurity Investment
Cybersecurity is a critical concern in today’s interconnected digital world.1 In fact, the major industrialized
countries throughout the world now consider having a cybersecurity strategy as a national policy priority (OECD,
2012). Private sector organizations are equally concerned about cybersecurity, especially in light of the recent
wave of high visibility corporate breaches.2
Given the importance of cybersecurity to the survival of an organization, a fundamental economics-based
question that must be addressed by all organizations is: How much should be invested in cybersecurity related
1For purposes of this paper, the term cybersecurity refers to “the protection of information that is accessed and transmitted via the Internet or
more generally, through any computer network” (, p. 10).
2For example, in the U.S., Target Corporation had a major cybersecurity breach in 2013 (see Target’s 10-
K Report for the fiscal year ending
February 1, 2014, filed with the U.S. Securities and Exchange Commission at:
Morgan Chase & Co. had a major cybersecurity
breach in 2014 (see JP Morgan Chase & Co.’s 8-K Report filed on October 2, 2014 with the U.S. Securities Exchange Commission at
L. A. Gordon et al.
activities? Since organizations have finite resources, answering the above question essentially involves a resource
allocation decision. As with all resource allocation decisions, a good starting place is to assess the costs and
benefits (i.e., conduct a cost-benefit analysis) associated with cybersecurity investments.3 That is, as long as the
expected incremental benefits exceed the expected incremental costs from additional cybersecurity investments,
an argument can be made for increasing additional cybersecurity investments. Mathematically speaking, the op-
timal level of cybersecurity investment for an organization is at the point where the expected marginal investment
costs equal the expected marginal benefits derived from the investment.4 Finding this optimal level of investment
in cybersecurity is, in essence, the Holy Grail that is at the heart of economic aspects of cybersecurity.
One approach for deriving an organization’s optimal level of cybersecurity investment, which has received a
significant amount of attention in the academic and practitioner literature, is referred to as the Gordon-Loeb Model
(hereafter as the GL Model).5,6 The primary objective of this paper is to discuss the GL Model, as well as some
extensions to the model, with a focus on gaining insights for utilizing the GL Model in a practical setting. In other
words, although the GL Model is based on a set of mathematical formulas, the focus of this paper is to show that
the intuition underlying the model’s key components, as well as the model’s findings, provide a useful framework
for guiding organizations in their quest for deriving the right level of cybersecurity investment.
The remainder of this paper will proceed as follows. In the next (second) section of the paper, we briefly review
the GL Model. The third section of the paper focuses on the general insights that can be gleaned from the model.
Based on these insights, the third section of the paper also provides a set of steps an organization could take to
derive its optimal (or at least an appropriate) level of cybersecurity investment. In the fourth section of the paper,
we provide a hypothetical example of how an organization can derive its cybersecurity investment level. The
example also illustrates how to allocate the investment to various information sets, based on the steps provided in
the third section of the paper. The fifth, and final, section of the paper provides some concluding comments, as
well as limitations of the GL Model and directions for future research.
2. The Gordon-Loeb Model
Following is a brief review of the GL Model. This review is based, in large part, on the original article . The
purpose of this review is to highlight the key components of the model, as well as the key findings from the model.
The emphasis will be placed on the intuition underlying the model’s key components and findings, rather than the
mathematics upon which the model is based. As such, this paper builds and expands upon . We refer readers
interested in delving more deeply into the mathematics of the model to the original article , as well as the fol-
low-up article .
The basic assumptions of the GL Model are as follows. First, information sets of organizations are vulnerable to
cyber-attacks. This vulnerability, denoted as v (0 ≤ v ≤ 1), represents the probability that a breach to a specific
information set will occur under current conditions.7 Second, if an information set is breached, the value of the
information set represents the potential loss (i.e., the cost of the breach) and can be expressed as a monetary value,
denoted as L. Thus, vL is equal to the expected loss prior to an investment in additional cybersecurity activities.8
The third assumption is that an investment in cybersecurity, denoted as z, will reduce v based on the productivity
of the cybersecurity investment. The GL Model defines s(z,v) as the security breach probability function. More to
Although a cost-benefit analysis is a good starting place with all resource allocation decisions, other considerations,
many of which cannot
also need to be considered when deciding on how much to spend on cybersecurity activities. More will be said about this
point in the final section of this paper.
4The primary benefits from cybersecurity investments are the cost savings associated with cybersecurity breaches that were prevented due t
investments. In some cases, however, cybersecurity investments could give an organization a competitive advantage that could generate a
ditional benefits (e.g., increased revenues).
5While there is a broad literature dealing with cybersecurity investment (e.g., -), the Gordon-
Loeb Model has been referred to as the
“gold standard” for deriving the amount an organization should invest on cybersecurity activities (e.g., see the Appendix A to ).
6In the original paper, the GL Model used the term information security
rather than cybersecurity. Given the role of the Internet in storing
and transmitting information in today’s interconnected digital economy,
for purposes of this paper the two terms are considered to be inter-
7Our notion of vas the probability
that a successful breach will occur incorporates the threat that an information set will experience a cyber-
security attacked, as well as the information set’s vulnerability to a cybersecurity breach. Gordon and Loeb , for expositional ease,
the threat probability constant so that v was interpreted as the probability of a breach for the given threat level.
8Although not explicitly stated in ,
the GL Model considers situations where some level of cybersecurity already exists within an organi-
zation and thus the concern is to derive the optimal amount of additional investment. Also,
note that measuring the actual loss from a cyber
breach is not straightforward. One method used in the cybersecurity economics literature is to measure the effect of the anno
uncement of a
cyber breach on the value of firm’s stock. See, for example, .
L. A. Gordon et al.
the point, s(z,v) specifies a function that considers the productivity of different levels of cybersecurity investments
and thus provides a revised measure of the probability of an information set’s vulnerability after some level of
investment in cybersecurity. The model also assumes that s(z,v) is twice continuous differentiable and strictly
convex, such that the benefits from increasing cybersecurity investments related to a specific information set are
increasing at a decreasing rate (i.e., there are positive, but diminishing, returns to additional investments in cy-
bersecurity), as shown in Figure 1. The model also assumes that, if some level of vulnerability exists for an in-
formation set, additional investments in cybersecurity can bring the probability of a cybersecurity breach arbi-
trarily close to zero, but not zero.
Given the assumption discussed above, the GL Model can be summarized in a set of equations published in 
(p. 444). These equations are provided below, where the price of a unit of investment, z, is equal to one. In these
equations, the expected benefits of an investment in information security are denoted as EBIS, and are equal to the
reduction in the firm’s expected loss attributable to the extra security, as shown in Equation (1) below:
( ) ( )
,EBIS z v S z v L= −
EBIS is written above as a function of z, since the investment in information security is the firm’s only decision
variable (v and L are given parameters for a given information set). The expected net benefits from an investment
in information security are denoted ENBIS, and equal EBIS less the cost of the investment, as shown in Equation
( ) ( )
,ENBIS z v S z v L z=−−
Maximizing Equation (2a) is equivalent to minimizing the expression shown in (2b) below:
,S zvL z+
The interior maximum at z* > 0, is characterized by the first-order condition for maximizing Equation (2a), and
is shown in Equation (3) below:
s z vL−=
From (3) above, it becomes clear that the optimal level of investment, z*, in cybersecurity takes place where the
expected marginal benefits from investing in cybersecurity is equal to the expected marginal cost of the invest-
ment.9 This optimal level of cybersecurity investment is illustrated in Figure 1, at the investment level of z*.
Gordon and Loeb  were able to show that, for two broad classes of security breach probability functions, the
optimal level would not exceed vL/e, or roughly 37% of the expected loss from a security breach, vL.10 Following
 (p. 451), this result is expressed as:
( ) ( )
1z v e vL<
Mathematicians Lelarge   and Baryshnikov  generalized the results of the GL Model to a large array
of security breach probability functions. When the assumptions given by Lelarge are violated, the papers of
Willemson  and Hausken  provide demonstration that the 37% rule does not always hold. Gordon et al. 
extended the GL Model to include externalities, which were not considered in the original model. The revised
formulation for the social optimal cybersecurity level considering externalities, denoted as zSC, is shown as the
inequality (5) below (see page 8 of ):
( ) ( )
SC E P P
z v e L L vL
where LP represents the private costs to an organization from a cybersecurity breach, LE represents the cost of
externalities to other organizations and individuals from the firm’s cybersecurity breach, and LSC represents the
total social costs from the firm’s cybersecurity breach (i.e., LSC = LP + LE).11
9It should be recalled that the price of a unit of z is equal to 1
. Furthermore, there are no fixed costs in the analysis, which means that that the
investment curve in Figure 1 is a 45-degree linear curve.
10Although the GL Model discussedL andz in terms of a single breach, the analysis would be the same if L andz
were considered in terms of
multiple breaches within a single time period without corrections after each breach (i.e
., ignoring the interdependencies among breaches
during the time period).
11Because the socially optimal level of investment is greater than the private optimal level of investment, additional incentiv
es are required
to motivate private firms to invest more. Gordon et al.  
look at ways in which private firms may be incentivized to increase their
L. A. Gordon et al.
Figure 1. Benefits and costs of an investment in cyber/information security.
3. Insights from the Gordon-Loeb Model
The GL Model provides important insights regarding the way organizations can derive the appropriate level of
cybersecurity investment and the best way to allocate this investment to various information sets. These insights
are most clearly seen in terms of the model’s key components and findings.
There are three key components underlying the way the model derives the optimal amount to invest in cyber-
security. The first component has to do with identifying and valuing an organization’s information sets. The value
of each set represents the potential loss if the information set were to experience a cybersecurity breach. Since
segmentation of information sets (via network segmentation) is an important part of cybersecurity, firms are likely
to have several sets of information to protect.12
Once the organization’s information sets are established and valued, the second component of the GL Model
has to do with estimating the vulnerability to a cybersecurity breach for each information set. That is, the organ-
ization should estimate the probability that an information set will experience a cybersecurity breach, for each
information set identified.
The third underlying component of the GL Model has to do with the way and investment in cybersecurity will
reduce an information set’s vulnerability to a cybersecurity breach (i.e., the productivity of a cybersecurity in-
vestment). Estimates of this investment productivity will likely vary for different information sets, depending on
the specific concerns surrounding a particular information set. In addition, as noted above, it is assumed that the
benefits from cybersecurity investments will increase at a decreasing rate. In fact, the finding from the GL Model
that firms should generally invest an amount that is less than, or at most equal to, roughly 37% of the expected loss
that could result from a cybersecurity breach to an information set is directly related to the assumption that the
benefits of cybersecurity investments increase at a decreasing rate. Furthermore, it is assumed that cybersecurity
investments are allocated to cybersecurity activities based on the declining marginal productivity of the invest-
Another finding from the GL Model is that the optimal level of cybersecurity investment does not always in-
crease with the level of vulnerability.13 For example, it may pay for a firm to spend more on protecting an in-
formation set that has a medium level of vulnerability than one with a high level of vulnerability. Again, this
general finding is linked to the productivity of incremental investments in cybersecurity.
The above discussion can be summarized in terms of four steps. These steps are provided below. In the next
section, an example based on these steps is provided.
12Each set would contain various pieces of information based on some logical grouping of the relevant information for an organization.
Tanaka et al.  empirically verify this finding.
L. A. Gordon et al.
Step 1: Estimate the Value, and thus the potential Loss (L), for each information set in the organization. This
step recognizes the fact that the value of the information sets that you wish to protect may differ. It also recognizes
the fact that segmentation of information sets is an important component of cybersecurity.
Step 2: Estimate the probability that an information set will be breached based on the information set’s vul-
nerability. This step explicitly considers the likelihood of a successful cyber-attack on each information set within
Step 3: Create a grid of all possible combinations of steps 1 and 2 above. The grid resulting from this step
should range from Low Value/Low Vulnerability to High Value/ High Vulnerability information sets. Each cell in
the grid represents the expected loss (L) without any additional investment in cybersecurity. The expected loss is,
in essence, the potential benefit (i.e., cost savings) from additional cybersecurity investments. The net benefit
(discussed in the previous section of this paper) would be the difference between the benefit and investment cost.
Step 4: Derive the level of cybersecurity investment by allocating funds to protect the information sets, subject
to the constraint that the incremental benefits from additional investments exceed (or are at least equal to) the
incremental costs of the investment. Assuming the investments in cybersecurity will have different levels of
productivity based on the levels of vulnerability associated with each information set, the optimal amount to invest
in different information sets will vary and not necessarily increase with increases in the vulnerability of an in-
formation set. Furthermore, it is assumed that cybersecurity investments are allocated to cybersecurity activities
based on the declining marginal productivity of the investments.
4. Example for Deriving the Investment Level
In this section we provide a hypothetical example of how to use the insights from the GL Model discussed in the
previous section of this paper. Our approach is to focus on the four steps of the GL Model that were discussed at
the end of the previous section of this paper.
The example is for the GLZ Corporation, a U.S. based manufacturing company that sells its products in several
different countries as well as throughout the U.S. The company, which manufactures household appliances, has
two manufacturing plants in the U.S. and one manufacturing plant in Canada.
The GLZ Company has 12,000 employees, of which 10,000 are located in the U.S. and another 1500 in Canada.
The remaining 500 employees are located in a variety of other countries (i.e., other than the U.S. or Canada) and
focus largely on sales related issues. The GLZ Company has patents for several of its products and has several key
business partners in the U.S., Canada, China, and throughout Europe. These business partners are from various
points throughout the entire supply chain, including firms that provide raw materials to the corporation and large
retail stores that sell its final products.
In an effort to protect its information from cybersecurity breaches, as well to minimize the impact of any cy-
bersecurity breaches that actually occur, the firm has been diligent in segmenting its databases (i.e., data seg-
mentation). For example, the firm has segmented its databases according to countries, business partners, customer
related information, employee information and market-based data. In addition, highly sensitive data (e.g., em-
ployee social security numbers) is separated from less sensitive data (e.g., employee names). In deriving the firm’s
overall level of spending, the firm has decided to follow the four steps suggested by the GL Model that were
outlined in the previous section of this paper. The firms’ approach to following these steps is provided below.
Step 1: For each separate database, what the company refers to as information set, the GLZ Corporation pro-
vides a rough estimate of the total monetary value in terms of the maximum potential loss (L) the firm would incur
if the information set were to experience a cybersecurity breach. Stated in terms of dollars, the firm decides on five
discrete categories of monetary value for purposes of grouping information sets. These five categories are $20
million, $40 million, $60 million, $80 million, and $100 million. Different information sets could have the same
monetary value. These dollar values represent the potential maximum cost of a cybersecurity breach and include
such things as the cost of detecting and correcting the cybersecurity breach. In addition, these dollar values include
the potential costs associated with lost revenues due to the negative reputation effects of a cybersecurity breach
and the potential costs associated with successful lawsuits filed against the firm as a result of the breach.
Step 2: The next step in GLZ Corporation’s decision process for deriving its cybersecurity spending is to assign
a vulnerability (v) score to each information set. For illustrative purposes, it is assumed that GLZ corporations
assign a vulnerability score of either 0.2, 0.4, 0.6 or 0.8 to each information set. Assigning an information set a
score of 0.2, 0.4, 0.6 or 0.8 means there is a 20%, 40%, 60% or 80% probability that the information set will incur
L. A. Gordon et al.
a cybersecurity breach. The fact that more than one information set has the same monetary value, or in essence the
same potential loss (L), does not mean that these sets will have the same probability of being breached. In fact, the
probability that an information set may experience a breach is largely the result of the anticipated threats con-
fronting the information set. In other words, the firm has decided that each level of potential loss (L) should be
further segmented into the four categories of vulnerabilities (v), thereby generating 20 distinct information sets
(i.e., five categories of information value, with each of these categories sub-divided into four categories of vul-
Step 3: The next step is for the firm to develop a grid that combines steps 1 and 2 above. This grid, which is
illustrated in Figure 2, contains the expected losses that the firm would incur due to a cybersecurity breach of a
particular information set. The cells in yellow in Figure 2 represent the medium level of expected losses (i.e., low:
vL < 30, medium: 69 ≥ vL ≥ 30, high: vL ≥ 70).
Step 4: The final step in the process of deciding on how much to spend on cybersecurity activities is to consider
the cost-benefit aspects of investing additional funds on each information set. Executing this step requires
knowledge of the potential expected loss from each information set, but it also requires knowledge of the expected
productivity derived from incremental cybersecurity investments. Using $1 million as our unit of investment in
cybersecurity activities, this step essentially comes down to asking the following question: How much costs will
our firm save, in terms of the reduction in the expected loss, by investing another $1 million on the information set
under consideration? If the firm expects to save more (less) than $1 million by making an additional $1 million
investment, it pays (does not pay) to make the additional investment from a strictly economics perspective. At a
cost savings of $1 million, for an additional $1 million cybersecurity investment, the firm would be indifferent
to investing the additional funds.
As noted above, knowledge concerning the productivity of additional investments is crucial to carrying out the
fourth step. Although there is no absolute procedure for obtaining this knowledge, we do know (or at least assume)
that rational economic decision makers will generally select investment opportunities in descending order. In
other words, they generally select investment opportunities that provide the largest benefits first and work their
way down to opportunities with smaller benefits. This approach will essentially result in a curve that exhibits
increasing benefits at a decreasing rate (as shown in Figure 1, and discussed the previous section of this paper).
Exactly how the benefits curve will look is, however, a function of the specifics productivity of the investment.
For purposes of completing the fourth step in our example, we assume that investments are generally more
productive where the vulnerabilities are greatest. This assumption is based on the general principle that “low
hanging fruit” are easiest to pick and therefore provide a higher return for a given level of effort. Accordingly, for
our three levels of vulnerabilities (i.e., the probability that a cybersecurity breach will occur), we assume that the
Figure 2. Expected loss from information security breach.
L. A. Gordon et al.
productivity of adding an additional $1 million dollars of investment (z) will reduce the vulnerabilities [i.e., s(v,z)]
from Equation (3) above by v/(1 + z) where v is 0.2, v/(1 + z)2 where v is 0.4 or 0.6, and v/(1 + z)3 where v is 0.8.
Figure 3 provides a summary of the reduction inv due to incremental investments of the 1st million, 2nd million, 3rd
million, and 4th million dollars for each level of v shown in that figure. Applying the results shown in Figure 3 to
Figure 2, we can derive Figures 4-7. The cells in yellow in Figures 4-7 represent the information sets where it is
still beneficial to make the next $1 million additional investment. Figure 8 illustrates the final amounts to invest to
all of the information sets. As shown in Figure 8, the maximum amount to invest in any information set is $4
million (the final cells in yellow). More to the point, for the cells showing that z is $1 million means that after
investing $1 million, the savings from the next $1 million investment would be less than the investment cost. A
similar interpretation would apply for the other cells shown in Figure 8 (i.e., where $2 million, $3 million, $4
million are invested, the savings from investing the next $1 million would be less than the investment cost). As
shown in Figure 8, the only information sets to receive a $4 million in investment in our hypothetical example
would be the information sets with a $100 million value (or potential loss, L) and a vulnerability (v) score of 20%
and 60%, and the information set with an $80 million value and a vulnerability score of 60%.
Figure 3. Productivity of investments in cybersecurity.
Figure 4. Cost savings from 1st million dollar investment.
L. A. Gordon et al.
Figure 5. Cost savings from 2nd million dollar investment.
Figure 6. Cost savings from 3rd million dollar investment.
Figure 7. Cost savings from 4th million dollar investment.
L. A. Gordon et al.
Figure 8. Investment amounts.
The actual GL Model is based on continuous investment functions, whereas our hypothetical example is based
on discrete investments of $1 million per unit of investment. Consequently, the investment level in our example
would only serve as an estimate of the mathematical optimum. In any case, comparing, the numbers in Figure 8
with 1/e times the numbers in Figure 2, cell by cell, the example is consistent with the GL rule that the optimum
investment is less than 37% of the expected loss.14
5. Concluding Comments
Today’s interconnected digital world has changed the way organizations, as well as people, operate and interact.
Indeed, we now live in a world that many describe as an on-demand economy (i.e., a marketplace that allows
consumer demands for goods and services to be immediately met via digital communication through various sorts
of electronic devices). This new kind of economy has created a business model that is characterized by large
quantities of information being instantaneously transmitted through cyberspace and stored in a variety of elec-
tronic devices.15 Although the interconnected digital world has resulted in many benefits to businesses, as well as
individuals, a downside of this new way of operating and interacting with one and other has been the rapid growth
of cybersecurity breaches. Unfortunately, no organization is immune to potential cybersecurity breaches. Accor-
dingly, organizations need to make investments in cybersecurity activities so as to protect themselves against the
negative effects of cybersecurity breaches. A fundamental question that must be asked, in this regard, is: How
much should be invested in cybersecurity related activities?
The primary objective of this paper has been to explain how the GL Model can be used by organizations to
answer the above question. More to the point, this paper has provided a conceptual explanation, accompanied by
an illustrative example, of how organizations can use the Gordon-Loeb Model to derive their appropriate level of
As shown in this paper, despite its mathematical underpinnings, the GL Model provides an intuitive framework
that lends itself to an easily understood set of steps for deriving an organization’s cybersecurity investment level.
These steps are: (1) to estimate the value, and thus the potential Loss (), for each information set in the organi-
zation; (2) to estimate the probability that an information set will be breached based on the information set’s
vulnerability; (3) to create a grid of all possible combinations of steps 1 and 2 above; and (4) to derive the level of
cybersecurity investment by allocating funds to protect the information sets, subject to the constraint that the in-
14The maximum to invest (in increments of one million) were shown in Figure 8
, for all cells with the exception of the two cells (row 4,
column 5) and (row 4, column 6). Although we did not carry out the example to the point where one would not wish to invest mo
re for those
information sets, one can easily carry out the example t
o verify that one would want to invest less 37% of the expected loss for those sets as
15The term cyberspace refers to the environment where digital communication, especially via the Internet and other computer networks,
16For a 3-minute-and-34 second YouTube video providing a succinct overview of the Gordon-Loeb Model, see:
L. A. Gordon et al.
cremental benefits from additional investments exceed (or are at least equal to) the incremental costs of the in-
Although not a panacea, the use of the intuitive framework provided by the GL Model can go a long way toward
improving the decision process concerning the way organizations should go about deriving the appropriate
amount to invest in cybersecurity activities. In other words, it provides a rational economic procedure for firms to
use in deciding on how much to spend on cybersecurity, in light of the cybersecurity risk confronting the firm.
As with the use of all approaches to making investment decisions, there are limitations to using the above noted
framework for deciding on the appropriate level of cybersecurity spending. The two most prominent of these li-
mitations are the imprecision associated with valuing the information sets the firm is trying to protect and esti-
mating the probability that a given information set will be breached. However, we believe that making rational,
systematic, estimates of these factors is preferred to some completely ad hoc approach to considering them in the
process of making cybersecurity investment decisions. Another limitation of the approach described in this paper
for deriving the cybersecurity investment level is the fact that it does not explicitly consider the qualitative aspects
of the decision. However, as noted in footnote 3 of this paper, we believe that using a cost-benefit approach (which
is essentially what the GL Model does) is a good starting place for cybersecurity investment decisions. Qualitative
concerns (e.g., the organizations overall strategy toward cybersecurity spending) should be considered before
making any final decisions regarding the appropriate level of spending on cybersecurity activities. In other words,
we strongly believe that economic models should be used as complement to, not as substitute for sound business
Future research could extend the analyses provided in this paper in several ways. For example, a simulation
varying the number of information sets, the values for each information set, and the probabilities associated with
potential breaches, could be conducted to assess the sensitivity of the resource allocation decision to these factors.
In addition, the quantitative analysis provided by the GL Model could be combined with qualitative techniques for
considering cybersecurity investment decisions. In this latter regard, the probabilities of potential cybersecurity
breaches used in step 2 from the GL Model could be derived via an AHP (Analytical Hierarchy Process) technique,
which allows for consideration of both quantitative and qualitative issues (see ).
 Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on In-
formation and System Security, 5, 438-457. http://dx.doi.org/10.1145/581271.581274
 Gordon, L.A. and Loeb, M.P. (2006) Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw-Hill, Inc.,
 Rue, R. and Pfleeger, S.L. (2009) Making the Best Use of Cybersecurity Economic Models. IEEE Security & Privacy,
7, 52-60. http://dx.doi.org/10.1109/MSP.2009.98
 Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004) A Model Evaluating IT Security Investments. Communications
of the ACM, 47, 87-92. http://dx.doi.org/10.1145/1005817.1005828
 Wang, J., Chaudhury, A. and Rao, H.R. (2008) Research Note—A Value-at-Risk Approach to Information Security
Investment. Information Systems Research, 19, 106-120. http://dx.doi.org/10.1287/isre.1070.0143
 AFCEA (Armed Forces Communications and Electronics Association) Cyber Committee Report (2013) The Econom-
ics of Cybersecurity: A Practical Framework for Cybersecurity Investment.
 Gordon, L.A. and Loeb, M.P. (2011) You May Be Fighting the Wrong Security Battles. The Wall Street Journal,
 Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cybersecurity Unde-
rinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6,
 Gordon, L.A., Loeb, M.P. and Zhou, L. (2011) The Impact of Information Security Breaches: Has There Been a
Downward Shift in Costs? Journal of Computer Security, 19, 33-56.
 Lelarge, M. (2012) Coordination in Network Security Games. In: Greenberg, A.G. and Sohraby, K., Eds., INFOCOM,
IEEE, 2856-2860. http://dx.doi.org/10.1109/infcom.2012.6195715
 Lelarge, M. (2012) Coordination in Network Security Games: A Monotone Comparative Statics Approach. Selected
Areas in Communications, IEE Journal, 30, 2210-2219. http://dx.doi.org/10.1109/JSAC.2012.121213
 Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb’s 1/e Rule. Workshop on Economics and Informa-
L. A. Gordon et al.
tion Security, Berlin. http://weis2012.econinfosec.org/papers
 Willemson, J. (2006) On the Gordon & Loeb Model for Information Security Investment. The Fifth Workshop on
Economics of Information Security (WEIS), University of Cambridge.
 Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach
Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349.
 Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) The Impact of Information Sharing on Cybersecurity
Underinvestment: A Real Options Perspective. Journal of Accounting and Public Policy, 34, 509-519.
 Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Increasing Cybersecurity Investments in Private Sector
Firms. Journal of Cybersecurity, 1, 3-17. http://dx.doi.org/10.1093/cybsec/tyv011
 Tanaka, H., Matsuura, K. and Sudoh, O. (2005) Vulnerability and Information Security Investment: An Empirical
Analysis of e-Local Government in Japan. Journal of Accounting and Public Policy, 24, 37-59.
 Bodin, L., Gordon, L.A. and Loeb, M.P. (2008) Information Security and Risk Management. Communications of the
ACM, 51, 64-68. http://dx.doi.org/10.1145/1330311.1330325