JIS Vol.6 No.1, January 2015
Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model
ABSTRACT
Cyber security breaches inflict costs on consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm’s socially optimal investment in cyber security increases by no more than 37% of the expected externality loss.
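The abstract's 37% figure is the 1/e upper bound of the Gordon-Loeb model applied to the externality loss. The following is an added illustration, not code from the paper: it uses the class-I breach probability function S(z, v) = v/(αz+1)^β from Gordon and Loeb [1] (a modelling assumption here; the paper's own functional form is not on this page) and compares the firm's private optimum against the social optimum once the externality loss is added to the loss the firm already bears.

```python
import math

E_CONST = math.e  # the 1/e rule: optimal investment <= expected loss / e


def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Gordon-Loeb class-I security breach probability S(z, v) = v / (alpha*z + 1)**beta.

    z: money spent on security, v: vulnerability (breach probability at z = 0).
    """
    return v / (alpha * z + 1.0) ** beta


def optimal_investment(v, loss, alpha=1.0, beta=1.0):
    """Investment maximising expected net benefit (v - S(z, v)) * loss - z.

    Closed form from the first-order condition of the class-I function;
    clipped to zero when the marginal benefit of the first unit is below one.
    """
    k = v * alpha * beta * loss
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def max_investment_bound(v, loss):
    """Gordon-Loeb 1/e rule: the optimum never exceeds (1/e) of the expected loss v*loss."""
    return v * loss / E_CONST


def externality_analysis(v, private_loss, externality_loss, alpha=1.0, beta=1.0):
    """Private optimum (firm sees only its own loss) versus social optimum
    (loss to the firm plus the externality loss borne by others), with the
    corresponding 1/e ceilings.  The ceiling rises by exactly v*E/e, i.e.
    by 1/e ~ 37% of the expected externality loss v*E."""
    social_loss = private_loss + externality_loss
    z_private = optimal_investment(v, private_loss, alpha, beta)
    z_social = optimal_investment(v, social_loss, alpha, beta)
    bound_private = max_investment_bound(v, private_loss)
    bound_social = max_investment_bound(v, social_loss)
    return {
        "z_private": z_private,
        "z_social": z_social,
        "bound_private": bound_private,
        "bound_social": bound_social,
        "bound_increase": bound_social - bound_private,
        "expected_externality_loss": v * externality_loss,
    }


if __name__ == "__main__":
    # Constructed parameters (hypothetical): v=0.8, firm loss 10, externality loss 5.
    for name, value in externality_analysis(0.8, 10.0, 5.0).items():
        print(f"{name:>26}: {value:.4f}")
```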

Cite this paper
Gordon, L. , Loeb, M. , Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. doi: 10.4236/jis.2015.61003.
References
[1]   Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on Information System Security, 5, 438-457. http://dx.doi.org/10.1145/581271.581274

[2]   U.S. Department of Homeland Security (2013) Executive Order 13636: Improving Critical Infrastructure, Department of Homeland Security Integrated Task Force, Incentives Study. Washington DC.

[3]   Presidential Executive Order 13636 (2013) Improving Critical Infrastructure Cybersecurity. Federal Register, 78, 11739-11743. https://www.federalregister.gov/articles/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity

[4]   Presidential Policy Directive/PPD-21 (2013) Critical Infrastructure Security and Resilience. http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

[5]   Varian, H. (2004) System Reliability and Free Riding. In: Camp, L. and Lewis, S., Eds., Economics of Information Security, Springer US, 1-15. http://dx.doi.org/10.1007/1-4020-8090-5_1

[6]   Gordon, L.A., Loeb, M.P. and Lucyshyn, W. (2003) Sharing Information on Computer Systems Security: An Economic Analysis. Journal of Accounting and Public Policy, 22, 461-485. http://dx.doi.org/10.1016/j.jaccpubpol.2003.09.001

[7]   Kunreuther, H. and Heal, G. (2003) Interdependent Security. Journal of Risk and Uncertainty, 26, 231-249.

[8]   Lelarge, M. (2012) Coordination in Network Security Games: A Monotone Comparative Statics Approach. IEEE Journal on Selected Areas in Communications, 30, 2210-2219.

[9]   Treasury Department (2013) Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636. http://www.treasury.gov/press-center/Documents/Supporting Analysis Treasury Report to the President on Cybersecurity Incentives_FINAL.pdf

[10]   U.S. Department of Homeland Security (2013) Executive Order 13636: Improving Critical Infrastructure, Department of Homeland Security Integrated Task Force, Incentives Study Analytic Report. http://www.dhs.gov/sites/default/files/publications/dhs-eo13636-analytic-report-cybersecurity-incentives-study.pdf

[11]   Böhme, R. (2010) Security Metrics and Security Investment Models. In: Echizen, I., Kunihiro, N. and Sasaki, R., Eds., Advances in Information and Computer Security, Springer-Verlag, Berlin, Heidelberg, 10-24. http://dx.doi.org/10.1007/978-3-642-16825-3_2

[12]   Campbell, K., Gordon, L.A., Loeb, M.P. and Zhou, L. (2003) The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. Journal of Computer Security, 11, 431-448.

[13]   Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004) The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. International Journal of Electronic Commerce, 9, 69-104.

[14]   Gordon, L.A., Loeb, M.P. and Zhou, L. (2011) The Impact of Information Security Breaches: Has There Been a Downward Shift in Cost? Journal of Computer Security, 19, 33-56.

[15]   Gal-Or, E. and Ghose, A. (2005) The Economic Incentives for Sharing Security Information. Information Systems Research, 16, 186-208. http://dx.doi.org/10.1287/isre.1050.0053

[16]   Hausken, K. (2007) Information Sharing among Firms and Cyber Attacks. Journal of Accounting and Public Policy, 26, 639-688. http://dx.doi.org/10.1016/j.jaccpubpol.2007.10.001

[17]   Gansler, J.S. and Lucyshyn, W. (2005) Improving the Security of Financial Management Systems: What Are We to Do? Journal of Accounting and Public Policy, 24, 1-9. http://dx.doi.org/10.1016/j.jaccpubpol.2004.12.001

[18]   Gordon, L.A., Loeb, M.P. and Sohail, T. (2010) Market Value of Voluntary Disclosures Concerning Information Security. MIS Quarterly, 34, 567-594.

[19]   Willemson, J. (2006) On the Gordon & Loeb Model for Information Security Investment. The Fifth Workshop on the Economics of Information Security (WEIS), University of Cambridge, 26-28 June. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.60.9931&rep=rep1&type=pdf

[20]   Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb’s 1/e Rule. 2012 Workshop on the Economics of Information Security (WEIS), Berlin, 25-26 June. http://weis2012.econinfosec.org/papers/Baryshnikov_WEIS2012.pdf
