ArticlePDF Available

Investing in Cybersecurity: Insights from the Gordon-Loeb Model

Authors:

Abstract and Figures

Given the importance of cybersecurity to the survival of an organization, a fundamental economics based question that must be addressed by all organizations is: How much should be invested in cybersecurity related activities? Gordon and Loeb [1] presented a model to address this question, and that model has received a significant amount of attention in the academic and practitioner literature. The primary objective of this paper is to discuss the Gordon-Loeb Model with a focus on gaining insights for the model's use in a practical setting.
Content may be subject to copyright.
Journal of Information Security, 2016, 7, 49-59
Published Online March 2016 in SciRes. http://www.scirp.org/journal/jis
http://dx.doi.org/10.4236/jis.2016.72004
How to cite this paper: Gordon, L.A., Loeb, M.P. and Zhou, L. (2016) Investing in Cybersecurity: Insights from the Gordon-
Loeb Model. Journal of Information Security, 7, 49-59. http://dx.doi.org/10.4236/jis.2016.72004
Investing in Cybersecurity: Insights from
the Gordon-Loeb Model
Lawrence A. Gordon, Martin P. Loeb, Lei Zhou
Robert H. Smith School of Business, University of Maryland, College Park, USA
Received 19 January 2016; accepted 20 March 2016; published 23 March 2016
Copyright © 2016 by authors and Scientific Research Publishing Inc.
This work is licensed under the Creative Commons Attribution International License (CC BY).
http://creativecommons.org/licenses/by/4.0/
Abstract
Given the importance of cybersecurity to the survival of an organization, a fundamental econom-
ics-based question that must be addressed by all organizations is: How much should be invested in
cybersecurity related activities? Gordon and Loeb [1] presented a model to address this question,
and that model has received a significant amount of attention in the academic and practitioner li-
terature. The primary objective of this paper is to discuss the Gordon-Loeb Model with a focus on
gaining insights for the models use in a practical setting.
Keywords
Economics of Information Security, Cybersecurity Investment
1. Introduction
Cybersecurity is a critical concern in todays interconnected digital world.1 In fact, the major industrialized
countries throughout the world now consider having a cybersecurity strategy as a national policy priority (OECD,
2012). Private sector organizations are equally concerned about cybersecurity, especially in light of the recent
wave of high visibility corporate breaches.2
Given the importance of cybersecurity to the survival of an organization, a fundamental economics-based
question that must be addressed by all organizations is: How much should be invested in cybersecurity related
1For purposes of this paper, the term cybersecurity refers to “the protection of information that is accessed and transmitted via the Internet or
more generally, through any computer network” ([2], p. 10).
2For example, in the U.S., Target Corporation had a major cybersecurity breach in 2013 (see Targets 10-
K Report for the fiscal year ending
February 1, 2014, filed with the U.S. Securities and Exchange Commission at:
https://corporate.target.com/annual-reports/pdf-viewer-2013?cover=6725&parts=6727). JP
Morgan Chase & Co. had a major cybersecurity
breach in 2014 (see JP Morgan Chase & Co.s 8-K Report filed on October 2, 2014 with the U.S. Securities Exchange Commission at
https://www.sec.gov/Archives/edgar/data/19617/000119312514362173/d799478d8k.htm).
L. A. Gordon et al.
50
activities? Since organizations have finite resources, answering the above question essentially involves a resource
allocation decision. As with all resource allocation decisions, a good starting place is to assess the costs and
benefits (i.e., conduct a cost-benefit analysis) associated with cybersecurity investments.3 That is, as long as the
expected incremental benefits exceed the expected incremental costs from additional cybersecurity investments,
an argument can be made for increasing additional cybersecurity investments. Mathematically speaking, the op-
timal level of cybersecurity investment for an organization is at the point where the expected marginal investment
costs equal the expected marginal benefits derived from the investment.4 Finding this optimal level of investment
in cybersecurity is, in essence, the Holy Grail that is at the heart of economic aspects of cybersecurity.
One approach for deriving an organizations optimal level of cybersecurity investment, which has received a
significant amount of attention in the academic and practitioner literature, is referred to as the Gordon-Loeb Model
(hereafter as the GL Model).5,6 The primary objective of this paper is to discuss the GL Model, as well as some
extensions to the model, with a focus on gaining insights for utilizing the GL Model in a practical setting. In other
words, although the GL Model is based on a set of mathematical formulas, the focus of this paper is to show that
the intuition underlying the models key components, as well as the models findings, provide a useful framework
for guiding organizations in their quest for deriving the right level of cybersecurity investment.
The remainder of this paper will proceed as follows. In the next (second) section of the paper, we briefly review
the GL Model. The third section of the paper focuses on the general insights that can be gleaned from the model.
Based on these insights, the third section of the paper also provides a set of steps an organization could take to
derive its optimal (or at least an appropriate) level of cybersecurity investment. In the fourth section of the paper,
we provide a hypothetical example of how an organization can derive its cybersecurity investment level. The
example also illustrates how to allocate the investment to various information sets, based on the steps provided in
the third section of the paper. The fifth, and final, section of the paper provides some concluding comments, as
well as limitations of the GL Model and directions for future research.
2. The Gordon-Loeb Model
Following is a brief review of the GL Model. This review is based, in large part, on the original article [1]. The
purpose of this review is to highlight the key components of the model, as well as the key findings from the model.
The emphasis will be placed on the intuition underlying the models key components and findings, rather than the
mathematics upon which the model is based. As such, this paper builds and expands upon [7]. We refer readers
interested in delving more deeply into the mathematics of the model to the original article [1], as well as the fol-
low-up article [8].
The basic assumptions of the GL Model are as follows. First, information sets of organizations are vulnerable to
cyber-attacks. This vulnerability, denoted as v (0 v 1), represents the probability that a breach to a specific
information set will occur under current conditions.7 Second, if an information set is breached, the value of the
information set represents the potential loss (i.e., the cost of the breach) and can be expressed as a monetary value,
denoted as L. Thus, vL is equal to the expected loss prior to an investment in additional cybersecurity activities.8
The third assumption is that an investment in cybersecurity, denoted as z, will reduce v based on the productivity
of the cybersecurity investment. The GL Model defines s(z,v) as the security breach probability function. More to
3
Although a cost-benefit analysis is a good starting place with all resource allocation decisions, other considerations,
many of which cannot
be quantified,
also need to be considered when deciding on how much to spend on cybersecurity activities. More will be said about this
point in the final section of this paper.
4The primary benefits from cybersecurity investments are the cost savings associated with cybersecurity breaches that were prevented due t
o
investments. In some cases, however, cybersecurity investments could give an organization a competitive advantage that could generate a
d-
ditional benefits (e.g., increased revenues).
5While there is a broad literature dealing with cybersecurity investment (e.g., [3]-[5]), the Gordon-
Loeb Model has been referred to as the
“gold standard” for deriving the amount an organization should invest on cybersecurity activities (e.g., see the Appendix A to [6]).
6In the original paper, the GL Model used the term information security
rather than cybersecurity. Given the role of the Internet in storing
and transmitting information in todays interconnected digital economy,
for purposes of this paper the two terms are considered to be inter-
changeable.
7Our notion of vas the probability
that a successful breach will occur incorporates the threat that an information set will experience a cyber-
security attacked, as well as the information sets vulnerability to a cybersecurity breach. Gordon and Loeb [1], for expositional ease,
held
the threat probability constant so that v was interpreted as the probability of a breach for the given threat level.
8Although not explicitly stated in [1],
the GL Model considers situations where some level of cybersecurity already exists within an organi-
zation and thus the concern is to derive the optimal amount of additional investment. Also,
note that measuring the actual loss from a cyber
breach is not straightforward. One method used in the cybersecurity economics literature is to measure the effect of the anno
uncement of a
cyber breach on the value of firm’s stock. See, for example, [9].
L. A. Gordon et al.
51
the point, s(z,v) specifies a function that considers the productivity of different levels of cybersecurity investments
and thus provides a revised measure of the probability of an information sets vulnerability after some level of
investment in cybersecurity. The model also assumes that s(z,v) is twice continuous differentiable and strictly
convex, such that the benefits from increasing cybersecurity investments related to a specific information set are
increasing at a decreasing rate (i.e., there are positive, but diminishing, returns to additional investments in cy-
bersecurity), as shown in Figure 1. The model also assumes that, if some level of vulnerability exists for an in-
formation set, additional investments in cybersecurity can bring the probability of a cybersecurity breach arbi-
trarily close to zero, but not zero.
Given the assumption discussed above, the GL Model can be summarized in a set of equations published in [1]
(p. 444). These equations are provided below, where the price of a unit of investment, z, is equal to one. In these
equations, the expected benefits of an investment in information security are denoted as EBIS, and are equal to the
reduction in the firms expected loss attributable to the extra security, as shown in Equation (1) below:
( ) ( )
,EBIS z v S z v L= −


(1)
EBIS is written above as a function of z, since the investment in information security is the firms only decision
variable (v and L are given parameters for a given information set). The expected net benefits from an investment
in information security are denoted ENBIS, and equal EBIS less the cost of the investment, as shown in Equation
(2a) below:
( ) ( )
,ENBIS z v S z v L z=−−


. (2a)
Maximizing Equation (2a) is equivalent to minimizing the expression shown in (2b) below:
. (2b)
The interior maximum at z* > 0, is characterized by the first-order condition for maximizing Equation (2a), and
is shown in Equation (3) below:
( )
*
,1
z
s z vL−=
. (3)
From (3) above, it becomes clear that the optimal level of investment, z*, in cybersecurity takes place where the
expected marginal benefits from investing in cybersecurity is equal to the expected marginal cost of the invest-
ment.9 This optimal level of cybersecurity investment is illustrated in Figure 1, at the investment level of z*.
Gordon and Loeb [1] were able to show that, for two broad classes of security breach probability functions, the
optimal level would not exceed vL/e, or roughly 37% of the expected loss from a security breach, vL.10 Following
[1] (p. 451), this result is expressed as:
( ) ( )
*
1z v e vL<
. (4)
Mathematicians Lelarge [10] [11] and Baryshnikov [12] generalized the results of the GL Model to a large array
of security breach probability functions. When the assumptions given by Lelarge are violated, the papers of
Willemson [13] and Hausken [14] provide demonstration that the 37% rule does not always hold. Gordon et al. [8]
extended the GL Model to include externalities, which were not considered in the original model. The revised
formulation for the social optimal cybersecurity level considering externalities, denoted as zSC, is shown as the
inequality (5) below (see page 8 of [8]):
( ) ( )
( )
11
SC E P P
z v e L L vL

<+

(5)
where LP represents the private costs to an organization from a cybersecurity breach, LE represents the cost of
externalities to other organizations and individuals from the firms cybersecurity breach, and LSC represents the
total social costs from the firms cybersecurity breach (i.e., LSC = LP + LE).11
9It should be recalled that the price of a unit of z is equal to 1
. Furthermore, there are no fixed costs in the analysis, which means that that the
investment curve in Figure 1 is a 45-degree linear curve.
10Although the GL Model discussedL andz in terms of a single breach, the analysis would be the same if L andz
were considered in terms of
multiple breaches within a single time period without corrections after each breach (i.e
., ignoring the interdependencies among breaches
during the time period).
11Because the socially optimal level of investment is greater than the private optimal level of investment, additional incentiv
es are required
to motivate private firms to invest more. Gordon et al. [15] [16]
look at ways in which private firms may be incentivized to increase their
cybersecurity investments.
L. A. Gordon et al.
52
Figure 1. Benefits and costs of an investment in cyber/information security.
3. Insights from the Gordon-Loeb Model
The GL Model provides important insights regarding the way organizations can derive the appropriate level of
cybersecurity investment and the best way to allocate this investment to various information sets. These insights
are most clearly seen in terms of the models key components and findings.
There are three key components underlying the way the model derives the optimal amount to invest in cyber-
security. The first component has to do with identifying and valuing an organizations information sets. The value
of each set represents the potential loss if the information set were to experience a cybersecurity breach. Since
segmentation of information sets (via network segmentation) is an important part of cybersecurity, firms are likely
to have several sets of information to protect.12
Once the organizations information sets are established and valued, the second component of the GL Model
has to do with estimating the vulnerability to a cybersecurity breach for each information set. That is, the organ-
ization should estimate the probability that an information set will experience a cybersecurity breach, for each
information set identified.
The third underlying component of the GL Model has to do with the way and investment in cybersecurity will
reduce an information sets vulnerability to a cybersecurity breach (i.e., the productivity of a cybersecurity in-
vestment). Estimates of this investment productivity will likely vary for different information sets, depending on
the specific concerns surrounding a particular information set. In addition, as noted above, it is assumed that the
benefits from cybersecurity investments will increase at a decreasing rate. In fact, the finding from the GL Model
that firms should generally invest an amount that is less than, or at most equal to, roughly 37% of the expected loss
that could result from a cybersecurity breach to an information set is directly related to the assumption that the
benefits of cybersecurity investments increase at a decreasing rate. Furthermore, it is assumed that cybersecurity
investments are allocated to cybersecurity activities based on the declining marginal productivity of the invest-
ments.
Another finding from the GL Model is that the optimal level of cybersecurity investment does not always in-
crease with the level of vulnerability.13 For example, it may pay for a firm to spend more on protecting an in-
formation set that has a medium level of vulnerability than one with a high level of vulnerability. Again, this
general finding is linked to the productivity of incremental investments in cybersecurity.
The above discussion can be summarized in terms of four steps. These steps are provided below. In the next
section, an example based on these steps is provided.
12Each set would contain various pieces of information based on some logical grouping of the relevant information for an organization.
13
Tanaka et al. [17] empirically verify this finding.
L. A. Gordon et al.
53
Step 1: Estimate the Value, and thus the potential Loss (L), for each information set in the organization. This
step recognizes the fact that the value of the information sets that you wish to protect may differ. It also recognizes
the fact that segmentation of information sets is an important component of cybersecurity.
Step 2: Estimate the probability that an information set will be breached based on the information sets vul-
nerability. This step explicitly considers the likelihood of a successful cyber-attack on each information set within
the organization.
Step 3: Create a grid of all possible combinations of steps 1 and 2 above. The grid resulting from this step
should range from Low Value/Low Vulnerability to High Value/ High Vulnerability information sets. Each cell in
the grid represents the expected loss (L) without any additional investment in cybersecurity. The expected loss is,
in essence, the potential benefit (i.e., cost savings) from additional cybersecurity investments. The net benefit
(discussed in the previous section of this paper) would be the difference between the benefit and investment cost.
Step 4: Derive the level of cybersecurity investment by allocating funds to protect the information sets, subject
to the constraint that the incremental benefits from additional investments exceed (or are at least equal to) the
incremental costs of the investment. Assuming the investments in cybersecurity will have different levels of
productivity based on the levels of vulnerability associated with each information set, the optimal amount to invest
in different information sets will vary and not necessarily increase with increases in the vulnerability of an in-
formation set. Furthermore, it is assumed that cybersecurity investments are allocated to cybersecurity activities
based on the declining marginal productivity of the investments.
4. Example for Deriving the Investment Level
In this section we provide a hypothetical example of how to use the insights from the GL Model discussed in the
previous section of this paper. Our approach is to focus on the four steps of the GL Model that were discussed at
the end of the previous section of this paper.
The example is for the GLZ Corporation, a U.S. based manufacturing company that sells its products in several
different countries as well as throughout the U.S. The company, which manufactures household appliances, has
two manufacturing plants in the U.S. and one manufacturing plant in Canada.
The GLZ Company has 12,000 employees, of which 10,000 are located in the U.S. and another 1500 in Canada.
The remaining 500 employees are located in a variety of other countries (i.e., other than the U.S. or Canada) and
focus largely on sales related issues. The GLZ Company has patents for several of its products and has several key
business partners in the U.S., Canada, China, and throughout Europe. These business partners are from various
points throughout the entire supply chain, including firms that provide raw materials to the corporation and large
retail stores that sell its final products.
In an effort to protect its information from cybersecurity breaches, as well to minimize the impact of any cy-
bersecurity breaches that actually occur, the firm has been diligent in segmenting its databases (i.e., data seg-
mentation). For example, the firm has segmented its databases according to countries, business partners, customer
related information, employee information and market-based data. In addition, highly sensitive data (e.g., em-
ployee social security numbers) is separated from less sensitive data (e.g., employee names). In deriving the firms
overall level of spending, the firm has decided to follow the four steps suggested by the GL Model that were
outlined in the previous section of this paper. The firmsapproach to following these steps is provided below.
Step 1: For each separate database, what the company refers to as information set, the GLZ Corporation pro-
vides a rough estimate of the total monetary value in terms of the maximum potential loss (L) the firm would incur
if the information set were to experience a cybersecurity breach. Stated in terms of dollars, the firm decides on five
discrete categories of monetary value for purposes of grouping information sets. These five categories are $20
million, $40 million, $60 million, $80 million, and $100 million. Different information sets could have the same
monetary value. These dollar values represent the potential maximum cost of a cybersecurity breach and include
such things as the cost of detecting and correcting the cybersecurity breach. In addition, these dollar values include
the potential costs associated with lost revenues due to the negative reputation effects of a cybersecurity breach
and the potential costs associated with successful lawsuits filed against the firm as a result of the breach.
Step 2: The next step in GLZ Corporations decision process for deriving its cybersecurity spending is to assign
a vulnerability (v) score to each information set. For illustrative purposes, it is assumed that GLZ corporations
assign a vulnerability score of either 0.2, 0.4, 0.6 or 0.8 to each information set. Assigning an information set a
score of 0.2, 0.4, 0.6 or 0.8 means there is a 20%, 40%, 60% or 80% probability that the information set will incur
L. A. Gordon et al.
54
a cybersecurity breach. The fact that more than one information set has the same monetary value, or in essence the
same potential loss (L), does not mean that these sets will have the same probability of being breached. In fact, the
probability that an information set may experience a breach is largely the result of the anticipated threats con-
fronting the information set. In other words, the firm has decided that each level of potential loss (L) should be
further segmented into the four categories of vulnerabilities (v), thereby generating 20 distinct information sets
(i.e., five categories of information value, with each of these categories sub-divided into four categories of vul-
nerabilities).
Step 3: The next step is for the firm to develop a grid that combines steps 1 and 2 above. This grid, which is
illustrated in Figure 2, contains the expected losses that the firm would incur due to a cybersecurity breach of a
particular information set. The cells in yellow in Figure 2 represent the medium level of expected losses (i.e., low:
vL < 30, medium: 69 ≥ vL ≥ 30, high: vL ≥ 70).
Step 4: The final step in the process of deciding on how much to spend on cybersecurity activities is to consider
the cost-benefit aspects of investing additional funds on each information set. Executing this step requires
knowledge of the potential expected loss from each information set, but it also requires knowledge of the expected
productivity derived from incremental cybersecurity investments. Using $1 million as our unit of investment in
cybersecurity activities, this step essentially comes down to asking the following question: How much costs will
our firm save, in terms of the reduction in the expected loss, by investing another $1 million on the information set
under consideration? If the firm expects to save more (less) than $1 million by making an additional $1 million
investment, it pays (does not pay) to make the additional investment from a strictly economics perspective. At a
cost savings of $1 million, for an additional $1 million cybersecurity investment, the firm would be indifferent
to investing the additional funds.
As noted above, knowledge concerning the productivity of additional investments is crucial to carrying out the
fourth step. Although there is no absolute procedure for obtaining this knowledge, we do know (or at least assume)
that rational economic decision makers will generally select investment opportunities in descending order. In
other words, they generally select investment opportunities that provide the largest benefits first and work their
way down to opportunities with smaller benefits. This approach will essentially result in a curve that exhibits
increasing benefits at a decreasing rate (as shown in Figure 1, and discussed the previous section of this paper).
Exactly how the benefits curve will look is, however, a function of the specifics productivity of the investment.
For purposes of completing the fourth step in our example, we assume that investments are generally more
productive where the vulnerabilities are greatest. This assumption is based on the general principle that “low
hanging fruit” are easiest to pick and therefore provide a higher return for a given level of effort. Accordingly, for
our three levels of vulnerabilities (i.e., the probability that a cybersecurity breach will occur), we assume that the
Figure 2. Expected loss from information security breach.
L. A. Gordon et al.
55
productivity of adding an additional $1 million dollars of investment (z) will reduce the vulnerabilities [i.e., s(v,z)]
from Equation (3) above by v/(1 + z) where v is 0.2, v/(1 + z)2 where v is 0.4 or 0.6, and v/(1 + z)3 where v is 0.8.
Figure 3 provides a summary of the reduction inv due to incremental investments of the 1st million, 2nd million, 3rd
million, and 4th million dollars for each level of v shown in that figure. Applying the results shown in Figure 3 to
Figure 2, we can derive Figures 4-7. The cells in yellow in Figures 4-7 represent the information sets where it is
still beneficial to make the next $1 million additional investment. Figure 8 illustrates the final amounts to invest to
all of the information sets. As shown in Figure 8, the maximum amount to invest in any information set is $4
million (the final cells in yellow). More to the point, for the cells showing that z is $1 million means that after
investing $1 million, the savings from the next $1 million investment would be less than the investment cost. A
similar interpretation would apply for the other cells shown in Figure 8 (i.e., where $2 million, $3 million, $4
million are invested, the savings from investing the next $1 million would be less than the investment cost). As
shown in Figure 8, the only information sets to receive a $4 million in investment in our hypothetical example
would be the information sets with a $100 million value (or potential loss, L) and a vulnerability (v) score of 20%
and 60%, and the information set with an $80 million value and a vulnerability score of 60%.
Figure 3. Productivity of investments in cybersecurity.
Figure 4. Cost savings from 1st million dollar investment.
L. A. Gordon et al.
56
Figure 5. Cost savings from 2nd million dollar investment.
Figure 6. Cost savings from 3rd million dollar investment.
Figure 7. Cost savings from 4th million dollar investment.
L. A. Gordon et al.
57
Figure 8. Investment amounts.
The actual GL Model is based on continuous investment functions, whereas our hypothetical example is based
on discrete investments of $1 million per unit of investment. Consequently, the investment level in our example
would only serve as an estimate of the mathematical optimum. In any case, comparing, the numbers in Figure 8
with 1/e times the numbers in Figure 2, cell by cell, the example is consistent with the GL rule that the optimum
investment is less than 37% of the expected loss.14
5. Concluding Comments
Todays interconnected digital world has changed the way organizations, as well as people, operate and interact.
Indeed, we now live in a world that many describe as an on-demand economy (i.e., a marketplace that allows
consumer demands for goods and services to be immediately met via digital communication through various sorts
of electronic devices). This new kind of economy has created a business model that is characterized by large
quantities of information being instantaneously transmitted through cyberspace and stored in a variety of elec-
tronic devices.15 Although the interconnected digital world has resulted in many benefits to businesses, as well as
individuals, a downside of this new way of operating and interacting with one and other has been the rapid growth
of cybersecurity breaches. Unfortunately, no organization is immune to potential cybersecurity breaches. Accor-
dingly, organizations need to make investments in cybersecurity activities so as to protect themselves against the
negative effects of cybersecurity breaches. A fundamental question that must be asked, in this regard, is: How
much should be invested in cybersecurity related activities?
The primary objective of this paper has been to explain how the GL Model can be used by organizations to
answer the above question. More to the point, this paper has provided a conceptual explanation, accompanied by
an illustrative example, of how organizations can use the Gordon-Loeb Model to derive their appropriate level of
cybersecurity investment.16
As shown in this paper, despite its mathematical underpinnings, the GL Model provides an intuitive framework
that lends itself to an easily understood set of steps for deriving an organizations cybersecurity investment level.
These steps are: (1) to estimate the value, and thus the potential Loss (), for each information set in the organi-
zation; (2) to estimate the probability that an information set will be breached based on the information sets
vulnerability; (3) to create a grid of all possible combinations of steps 1 and 2 above; and (4) to derive the level of
cybersecurity investment by allocating funds to protect the information sets, subject to the constraint that the in-
14The maximum to invest (in increments of one million) were shown in Figure 8
, for all cells with the exception of the two cells (row 4,
column 5) and (row 4, column 6). Although we did not carry out the example to the point where one would not wish to invest mo
re for those
information sets, one can easily carry out the example t
o verify that one would want to invest less 37% of the expected loss for those sets as
well.
15The term cyberspace refers to the environment where digital communication, especially via the Internet and other computer networks,
takes place.
16For a 3-minute-and-34 second YouTube video providing a succinct overview of the Gordon-Loeb Model, see:
https://www.youtube.com/watch?v=cd8dT0FuqQ4.
L. A. Gordon et al.
58
cremental benefits from additional investments exceed (or are at least equal to) the incremental costs of the in-
vestment.
Although not a panacea, the use of the intuitive framework provided by the GL Model can go a long way toward
improving the decision process concerning the way organizations should go about deriving the appropriate
amount to invest in cybersecurity activities. In other words, it provides a rational economic procedure for firms to
use in deciding on how much to spend on cybersecurity, in light of the cybersecurity risk confronting the firm.
As with the use of all approaches to making investment decisions, there are limitations to using the above noted
framework for deciding on the appropriate level of cybersecurity spending. The two most prominent of these li-
mitations are the imprecision associated with valuing the information sets the firm is trying to protect and esti-
mating the probability that a given information set will be breached. However, we believe that making rational,
systematic, estimates of these factors is preferred to some completely ad hoc approach to considering them in the
process of making cybersecurity investment decisions. Another limitation of the approach described in this paper
for deriving the cybersecurity investment level is the fact that it does not explicitly consider the qualitative aspects
of the decision. However, as noted in footnote 3 of this paper, we believe that using a cost-benefit approach (which
is essentially what the GL Model does) is a good starting place for cybersecurity investment decisions. Qualitative
concerns (e.g., the organizations overall strategy toward cybersecurity spending) should be considered before
making any final decisions regarding the appropriate level of spending on cybersecurity activities. In other words,
we strongly believe that economic models should be used as complement to, not as substitute for sound business
judgment.
Future research could extend the analyses provided in this paper in several ways. For example, a simulation
varying the number of information sets, the values for each information set, and the probabilities associated with
potential breaches, could be conducted to assess the sensitivity of the resource allocation decision to these factors.
In addition, the quantitative analysis provided by the GL Model could be combined with qualitative techniques for
considering cybersecurity investment decisions. In this latter regard, the probabilities of potential cybersecurity
breaches used in step 2 from the GL Model could be derived via an AHP (Analytical Hierarchy Process) technique,
which allows for consideration of both quantitative and qualitative issues (see [18]).
References
[1] Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on In-
formation and System Security, 5, 438-457. http://dx.doi.org/10.1145/581271.581274
[2] Gordon, L.A. and Loeb, M.P. (2006) Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw-Hill, Inc.,
New York.
[3] Rue, R. and Pfleeger, S.L. (2009) Making the Best Use of Cybersecurity Economic Models. IEEE Security & Privacy,
7, 52-60. http://dx.doi.org/10.1109/MSP.2009.98
[4] Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004) A Model Evaluating IT Security Investments. Communications
of the ACM, 47, 87-92. http://dx.doi.org/10.1145/1005817.1005828
[5] Wang, J., Chaudhury, A. and Rao, H.R. (2008) Research NoteA Value-at-Risk Approach to Information Security
Investment. Information Systems Research, 19, 106-120. http://dx.doi.org/10.1287/isre.1070.0143
[6] AFCEA (Armed Forces Communications and Electronics Association) Cyber Committee Report (2013) The Econom-
ics of Cybersecurity: A Practical Framework for Cybersecurity Investment.
[7] Gordon, L.A. and Loeb, M.P. (2011) You May Be Fighting the Wrong Security Battles. The Wall Street Journal,
26September.
[8] Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cybersecurity Unde-
rinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6,
24-30. http://dx.doi.org/10.4236/jis.2015.61003
[9] Gordon, L.A., Loeb, M.P. and Zhou, L. (2011) The Impact of Information Security Breaches: Has There Been a
Downward Shift in Costs? Journal of Computer Security, 19, 33-56.
[10] Lelarge, M. (2012) Coordination in Network Security Games. In: Greenberg, A.G. and Sohraby, K., Eds., INFOCOM,
IEEE, 2856-2860. http://dx.doi.org/10.1109/infcom.2012.6195715
[11] Lelarge, M. (2012) Coordination in Network Security Games: A Monotone Comparative Statics Approach. Selected
Areas in Communications, IEE Journal, 30, 2210-2219. http://dx.doi.org/10.1109/JSAC.2012.121213
[12] Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb’s 1/e Rule. Workshop on Economics and Informa-
L. A. Gordon et al.
59
tion Security, Berlin. http://weis2012.econinfosec.org/papers
[13] Willemson, J. (2006) On the Gordon & Loeb Model for Information Security Investment. The Fifth Workshop on
Economics of Information Security (WEIS), University of Cambridge.
http://www.econinfosec.org/archive/weis2006/docs/12.pdf
[14] Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach
Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349.
http://dx.doi.org/10.1007/s10796-006-9011-6
[15] Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) The Impact of Information Sharing on Cybersecurity
Underinvestment: A Real Options Perspective. Journal of Accounting and Public Policy, 34, 509-519.
http://dx.doi.org/10.1016/j.jaccpubpol.2015.05.001
[16] Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Increasing Cybersecurity Investments in Private Sector
Firms. Journal of Cybersecurity, 1, 3-17. http://dx.doi.org/10.1093/cybsec/tyv011
[17] Tanaka, H., Matsuura, K. and Sudoh, O. (2005) Vulnerability and Information Security Investment: An Empirical
Analysis of e-Local Government in Japan. Journal of Accounting and Public Policy, 24, 37-59.
http://dx.doi.org/10.1016/j.jaccpubpol.2004.12.003
[18] Bodin, L., Gordon, L.A. and Loeb, M.P. (2008) Information Security and Risk Management. Communications of the
ACM, 51, 64-68. http://dx.doi.org/10.1145/1330311.1330325
... however, financial models for making a decision on information security investment cannot replace "sound business judgement" for those same decisions; those two approaches are complementary, rather than substitutes (Gordon et al., 2016). ...
... Benefits for the company. Although the literature does list various benefits of cybersecurity management (Acuna, 2016;Ahmad, Bosua, et al., 2014;Campbell et al., 2003;Cardenas et al., 2012;Ezingeard et al., 2007;Gordon et al., 2010Gordon et al., , 2015Gordon et al., , 2016Gordon & Loeb, 2002;Horne et al., 2017;Kwon & Johnson, 2014;McFadzean et al., 2007;Shi, 2013;Whitman, Yayla & Hu, 2011), only four studies were found that explore how cybersecurity supports sustainable competitive advantage (Ahmad, Bosua, et al., 2014;Horne et al., 2017;Shi, 2013;Yayla & Hu, 2011). The resourced-based view and dynamic capabilities theory seems to be the most appropriate for explaining this relationship, so this is one of the areas that are worth researching further. ...
... Although existing literature does suggest risk assessment as a method for determining which information is the most critical within a company, such method is often too complex to quickly determine on which information the company should focus (Ahmad, Bosua, et al., 2014;Ahmad, Maynard, et al., 2014;ISO/IEC 27001:2013Information Technology -Security Techniques -Information Security Management Systems -Requirements, 2013. (Bulgurcu et al., 2010) x (Campbell et al., 2003) x (Cardenas et al., 2012) x (Corallo et al., 2020) x x x x x x (Edwards, 2018) x x x x (Gomes et al., 2017) x x (Gordon et al., 2010) x x (Gordon et al., 2015) x (Gordon et al., 2016) x (Gordon & Loeb, 2002) x (Hong et al., 2003) x x (Horne et al., 2017) x Therefore, further research should be focused on models that would describe holistic cybersecurity management, how cybersecurity supports the competitive advantage of a company, for which types of companies cybersecurity is the most appropriate, for which types of information cybersecurity is the most appropriate, and how to balance security with innovation and knowledge sharing. ...
Thesis
Full-text available
Purpose The purpose of this paper is to help companies address the problem of ever-increasing cybersecurity investment that does not produce tangible business value. Consequently, this thesis aims to explore the elements needed for cybersecurity implementation and management in an organization, as well as to explore how cybersecurity can contribute to the competitive advantage of a company. Design/methodology/approach The impact of cybersecurity on competitive advantage was explored through a qualitative research study-a state-of-the-art literature review was conducted, as well as three rounds of semi-structured interviews with security officers, executives, consultants, and information technology (IT) managers from companies in 10 countries, from the aerospace, bioscience, chemical manufacturing, financial, food processing, IT, and security industries. Findings The analysis of the findings enabled the conceptualization of the Cybersecurity Competitive Advantage Model that explains two key points. First, to manage cybersecurity, a holistic approach to cybersecurity management is needed through a socio-technical system that balances strategic, organizational, risk & technology, and people aspects. Second, the main benefit from managing cybersecurity will be compliance with various requirements; however, compliance can be easily imitated by competitors because it is based on operational capabilities. By developing specific cybersecurity dynamic capabilities, companies can achieve strategic value that will be difficult to imitate, and thereby achieve sustainable competitive advantage. Research limitations/implications The research limitations relate to sampling, scope, and correctness of interviewee answers. Future research may focus on implications of cybersecurity for different industries and company sizes; influence of maturity, inter-company information sharing, and artificial intelligence on cybersecurity; the balance of innovation and cybersecurity; and the impact of cybersecurity on decision making. The proposed model helps explain to executives how to differentiate their company in a novel way, and how to retain that competitive advantage; security professionals can use the model to organize cybersecurity and communicate to their superiors more effectively. Originality/value For academic researchers, this thesis explains that socio-technical systems can be used for managing cybersecurity, that the creation of cybersecurity dynamic capabilities will create sustainable competitive advantage, and collocates the research within the topic of IT impact on competitiveness. For managers, this thesis advances a model that differs from existing literature, cybersecurity frameworks, and industry standards because it presents a method for avoiding technological bias and for achieving competitive advantage.
... The second must then be "What level of strategic information security resource investment is justifiable?" (Gordon et al., 2016). Combined, these questions help to set the stage for a company's entire information security strategy and help categorize businesses into three main groups based on their level of commitment to information security. ...
... The more secure an IT system, the easier it becomes for senior managers to trust that value is being derived from IT investments. The metrics should reflect that work is being done to improve the security of the system within the stipulated budget (Gordon et al., 2016). Improving the security of technological systems is often a long and expensive endeavor given the uncertainties surrounding the evolutions of threats and vulnerabilities and the interdependence of the Internet. ...
Article
Full-text available
As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners.
... The most established model to relate security investments and vulnerability reduction, which allows us to compute the optimal investment to be made in security, is due to Gordon and Loeb (GL) [20], who actually proposed two models, which we refer to as GL1 and GL2 in the following. The use of GL models in a practical setting has been investigated in [21,22]. A special form of the GL1 model was derived by [23] when attacks target a particular node (one-to-one attacks) (the equivalence of the two models was proven by [24]). ...
Article
Full-text available
In the context of growing vulnerabilities, cyber-risk management cannot rely on a one-off approach, instead calling for a continuous re-assessment of the risk and adaptation of risk management strategies. Under the mixed investment–insurance approach, where both risk mitigation and risk transfer are employed, the adaptation implies the re-computation of the optimal amount to invest in security over time. In this paper, we deal with the problem of computing the optimal balance between investment and insurance payments to achieve the minimum overall security expense when the vulnerability grows over time according to a logistic function, adopting a greedy approach, where strategy adaptation is carried out periodically at each investment epoch. We consider three liability degrees, from full liability to partial liability with deductibles. We find that insurance represents by far the dominant component in the mix and may be relied on as a single protection tool when the vulnerability is very low.
... However, this does not necessarily imply that the cyber risk manager should fully allocate capital for cybersecurity investment only. The well-known Gordon-Loeb model (see Gordon and Loeb (2002) and Gordon et al. (2016)) states that the marginal benefit, in terms of the reduction of reserve, decreases for each unit of cybersecurity investment. Therefore, as pointed out by Ruan (2019), if the total allocated capital is to be minimized, there will be a certain level of cybersecurity investment such that any additional investment allocation is not worthy for such small marginal return. ...
Preprint
Full-text available
Cyber risk is an omnipresent risk in the increasingly digitized world that is known to be difficult to quantify and assess. Despite the fact that cyber risk shows distinct characteristics from conventional risks, most existing models for cyber risk in the insurance literature have been purely based on frequency-severity analysis, which was developed for classical property and casualty risks. In contrast, the cybersecurity engineering literature employs different approaches, under which cyber incidents are viewed as threats or hacker attacks acting on a particular set of vulnerabilities. There appears a gap in cyber risk modeling between engineering and insurance literature. This paper presents a novel model to capture these unique dynamics of cyber risk known from engineering and to model loss distributions based on industry loss data and a particular company's cybersecurity profile. The analysis leads to a new tool for allocating resources of the company between cybersecurity investments and loss-absorbing reserves.
Chapter
Full-text available
The emergence of the Internet of Things (IoT) in healthcare has created a global upsurge of medical data as healthcare providers deploy numerous sensor devices providing medical services like patient monitoring, drug management, and online appointments and treatment in real time. However, the availability and security of massive data generated by these sensors devices from cyber-criminals become a concern for healthcare providers and patients. The chapter provides protection against distributed denial of service (DDoS), which is the most famous threat to cloud medical data availability. The work introduces a fog layer to provide additional services to the cloud network, where the medical resources like data centers reside. The fog layer serves as a packet filter for all received packets by computing the network delay, server response time, and comparing it with the cloud servers’ threshold value. If the network delay and the server response time are higher than the initial threshold value, the packet is considered suspicious. Captcha is sent to the packet source to avoid Bonet; otherwise, the packet is normal.
Chapter
Blockchain is a leading central concept, and it is gaining more attention in various businesses and various scenarios. It has been one of the superior technology that helps in decentralizing different areas of applications. Despite numerous uses of Blockchain, it is suffering from a severe concern generally resultant from security. Blockchain has a high potential developing trend, requiring more focus on privacy and security concerns for people. Data of the healthcare industry is both sensitive and also needs protection from theft or illegal modifications. Security, privacy, data integrity, and non-repudiation are essential features to be associated with healthcare data. Data stored in the distributed ledger of transactions with Blockchain technology is highly reliable and the data, once stored, is immutable. As healthcare data is sensitive, it is indispensable to have highly evolved systems for protecting data. At the same time, it is also essential to ensure that evidence-based research documents are not illegally modified and non-repudiation is guaranteed. In this work, the summary discusses the Blockchain security structure, and also the particular security threats and vulnerabilities are analyzed. Besides, the Blockchain-based security system and its issues are presenting in this work. Furthermore, in the Blockchain, the key technologies on privacy, trust, and security are presented. Moreover, this work provides open research challenges. It helps different stakeholders such as general users of medical data, academia, healthcare professionals, and healthcare units across the globe, given to the researchers on the privacy, trust, and security issues in Blockchain Technologies.
Article
We present an economic model for decisions on competing cyber-security and cyber-insurance investment based on the Gordon-Loeb model for investment in information security. We consider a one-period scenario in which a firm may invest in information security measures to reduce the probability of a breach, in cyber-insurance or in a combination of both. The optimal combination of investment and insurance under the assumptions of the Gordon-Loeb model is investigated via consideration of the costs and benefits of investment in security alongside purchasing insurance at an independent premium rate. Under both exponential (constant absolute risk aversion) and logarithmic (constant relative risk aversion) utility functions it is found that when the insurance premium is below a certain value, utility is maximised with insurance and security investment. These results suggest that cyber-insurance is a worthwhile undertaking provided it is not overly costly. We believe this model to be the first attempt to integrate the Gordon-Loeb model into a classical microeconomic analysis of insurance, particularly using the Gordon-Loeb security breach functions to determine the probability of an insurance claim. The model follows the tradition of the Gordon-Loeb model in being accessible to practitioners and decision makers in information security.
Article
Full-text available
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend at most a small fraction (1/e) of the expected loss due to a security breach.
Article
Full-text available
The primary objective of this article is to develop an economics-based analytical framework for assessing the impact of government incentives/regulations designed to offset the tendency to under-invest in cybersecurity related activities by private sector firms. The analysis provided in the article shows that the potential for government incentives/regulations to increase cybersecurity investments by private sector firms is dependent on the following two fundamental issues: (i) whether or not firms are utilizing the optimal mix of inputs to cybersecurity, and (ii) whether or not firms are able, and willing, to increase their investments in cybersecurity activities. The implications of these findings are also discussed in this article, as well as a formal analysis of these implications. In addition , this article provides a discussion of existing actions by the US federal government that should be more effectively utilized before, or at least in conjunction with, considering new government incentives/regulations for increasing cybersecurity investments by private sector firms.
Article
Full-text available
Cyber security breaches inflict costs to consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm’s social optimal investment in cyber security increases by no more than 37% of the expected externality loss.
Article
Full-text available
Malicious softwares or malwares for short have become a major security threat. While originating in criminal behavior, their impact are also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. In this paper, we focus on the question of incentive alignment for agents of a large network towards a better security. We start with an economic model for a single agent, that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested. Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards a better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy.
Article
Full-text available
An analysis of several representative cyber security economic models that shows many assumptions are the same across disparate models and far from realistic is presented. The five models share common categories of assumptions and inputs. the (Honeyman, Schwartz, and van Assche) HSA model explores the consequences of limited information and it assumes that information about the cause of system failures is too expensive for most users to obtain. HSA also shows how the result differs if the amounts are fixed by a social engineer trying to maximize total profit over all manufacturers. The (Clark and Konrad) CK model explores resource allocation for defending multiple fronts. The Cavusoglu, Mishra, and Raghunathan (CMR) differs from other models by treating as a variable the amount of human monitoring each security package requires.
Article
Maintaining adequate cybersecurity is crucial for a firm to maintain the integrity of its external and internal financial reports, as well as to protect the firm’s strategic proprietary information. This paper demonstrates how information sharing could encourage firms to take a more proactive, as compared to a reactive, approach toward cybersecurity investments. In particular, information sharing could reduce the tendency by firms to defer cybersecurity investments. The basic argument presented in this paper is grounded in the real options perspective of cybersecurity investments. More to the point, the value of an option to defer an investment in cybersecurity activities increases as the uncertainty associated with the investment increases. To the extent that information sharing reduces a firm’s uncertainty concerning a cybersecurity investment, it decreases the value of the deferment option associated with the investment. As a result of this decrease in the deferment option value, it may well make economic sense for the firm to make the cybersecurity investment sooner than otherwise would be the case.
Conference Paper
Malicious softwares or malwares for short have become a major security threat. While originating in criminal behavior, their impact are also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. An unexplored direction of this challenge consists in under- standing how to align the incentives of the agents of a large network towards a better security. This paper addresses this new line of research. We start with an economic model for a single agent, that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested. Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards a better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover if our conditions are not satisfied, incentives can be aligned towards a lower security leading to an equilibrium with a very high price of anarchy.
Article
The authors aim to verify the relation between vulnerability and information security investment. This relation is empirically analyzed using data on e-local governments in Japan. The results suggest that the decisions an economic entity makes concerning information security investment depend on vulnerability. Our research lends empirical support to prior economic research.