Cite this paper
Gordon, L., Loeb, M., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. doi: 10.4236/jis.2015.61003.