JIS Vol.7 No.2, March 2016
Cybersecurity Investment Guidance: Extensions of the Gordon and Loeb Model
Abstract: Extensions of the Gordon-Loeb [1] and the Gordon-Loeb-Lucyshyn-Zhou [2] models are presented based on mathematical equivalency with a generalized homeland security model. The extensions include limitations on changes in the probability of attack, simultaneous effects on probability and loss, diversion of attack, and shared non-information defenses. Legal cases are then investigated to assess approximate magnitudes of external effects and the extent they are internalized by the legal system.
Cite this paper: Farrow, S. and Szanton, J. (2016) Cybersecurity Investment Guidance: Extensions of the Gordon and Loeb Model. Journal of Information Security, 7, 15-28. doi: 10.4236/jis.2016.72002.
References

[1]   Gordon, L. and Loeb, M. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457.
http://dx.doi.org/10.1145/581271.581274

[2]   Gordon, L., Loeb, M., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 4-30.
http://dx.doi.org/10.4236/jis.2015.61003

[3]   Farrow, S. (2007) The Economics of Homeland Security Expenditures: Foundational Expected Cost-Effectiveness Approaches. Contemporary Economic Policy, 25, 14-26.
http://dx.doi.org/10.1111/j.1465-7287.2006.00029.x

[4]   Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349.
http://dx.doi.org/10.1007/s10796-006-9011-6

[5]   Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb’s 1/e Rule. Proceedings of the 11th Workshop on the Economics of Information Security (WEIS), Berlin, 25-26 June 2012.

[6]   Gordon, L., Loeb, M. and Lucyshyn, W. (2003) Sharing Information on Computer Systems Security: An Economic Analysis. Journal of Accounting and Public Policy, 22, 461-485.
http://dx.doi.org/10.1016/j.jaccpubpol.2003.09.001

[7]   Gordon, L. and Loeb, M. (2011) You May Be Fighting the Wrong Security Battles. Wall Street Journal, September 26.

[8]   Kunreuther, H. and Heal, G. (2003) Interdependent Security. Journal of Risk and Uncertainty, 26, 231-249.
http://dx.doi.org/10.1023/A:1024119208153

[9]   Willemson, J. (2010) Extending the Gordon and Loeb Model for Information Security Investment. 2010 International Conference on Availability, Reliability and Security, Krakow, 15-18 February 2010, 258-261.
http://dx.doi.org/10.1109/ARES.2010.37

[10]   Bagnoli, M. and Bergstrom, T. (2005) Log-Concave Probability and Its Applications. Economic Theory, 26, 445-469.
http://dx.doi.org/10.1007/s00199-004-0514-4

[11]   Cohen, M.A. (2000) Measuring the Costs and Benefits of Crime and Justice. In: Duffee, D., Ed., Measurement and Analysis of Crime and Justice, Criminal Justice 2000, Vol. 4, National Institute of Justice, Washington DC, 263-316.
http://www.ncjrs.org/criminal_justice2000/vol_4/04f.pdf

[12]   Heartland Payment Systems, Inc., Customer Data Security Breach Litigation (2012) 851 F. Supp. 2d 1040 (S.D. Tex.).

[13]   Graves, J., Acquisti, A. and Christin, N. (2014) Should Payment Card Issuers Reissue Cards in Response to a Data Breach? WEIS: Workshop on the Economics of Information Security, Pennsylvania State University, State College, 23-24 June 2014.
http://www.econinfosec.org/archive/weis2014/papers/GravesAcquistiChristin-WEIS2014.pdf

[14]   Crosman, P. (2014) How Much Do Data Breaches Cost? Two Studies Attempt a Tally. American Banker.
http://www.americanbanker.com/issues/179_176/how-much-do-data-breaches-cost-two-studies-attempt-a-tally-1069893-1.html

[15]   Silver-Greenberg, J. and Schwartz, N. (2012) MasterCard and Visa Investigate Data Breach. The New York Times, 31 March 2012.
http://www.nytimes.com/2012/03/31/business/mastercard-and-visa-look-into-possible-attack.html?_r=0

[16]   Clapper v. Amnesty International (2013) 133 S. Ct. 1138.

[17]   Lujan v. Defenders of Wildlife (1992) 504 U.S. 555, 560-61.

[18]   Zappos.com, Inc., Customer Data Sec. Breach Litig. (2015) No. 3:12-cv-00325-RCJ-VPC (D. Nev.).

[19]   Willett, B. (2015) Employees Can’t Sue Hospital for Negligence, Breach of Contract, After Personal Data Breach. Reed Smith Technology Law Dispatch, 12 June 2015.

[20]   The Huntington National Bank v. Kokoska, et al. (2011) Docket No. 1:11-cv-00063 (N.D. W. Va. Apr 25).

[21]   Schmidt, M. and Sanger, D. (2014) 5 in China Army Face U.S. Charges of Cyberattacks. The New York Times, 19 May 2014.
http://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html

[22]   Andrijcic, E. and Horowitz, B. (2006) A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property. Risk Analysis, 26, 907-923.
http://dx.doi.org/10.1111/j.1539-6924.2006.00787.x

[23]   Critical Infrastructures Protection Act (2001) 42 U.S.C. § 5195c(e).

[24]   Miller, C. (2009) Russia Confirms Involvement with Estonia DDOS Attacks. SC Magazine, 12 March 2009.
http://www.scmagazine.com/russia-confirms-involvement-with-estonia-ddos-attacks/article/128737/

[25]   Tanner, J. (2007) Estonia Moves Soviet Statue to Cemetery. The Associated Press, 30 April 2007.
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/30/AR2007043000478.html

[26]   Hollis, D. (2011) Cyberwar Case Study: Georgia 2008. Small Wars Journal, 6 January 2011.
http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf

[27]   Markoff, J. (2008) Before the Gunfire, Cyberattacks. The New York Times, 13 August 2008.
http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0

[28]   Keizer, G. (2010) Estonia Blamed Russia for Backing 2007 Cyberattacks, Says Leaked Cable. Computer World, 9 December 2010.
http://www.computerworld.com/article/2511704/vertical-it/estonia-blamed-russia-for-backing-2007-cyberattacks--says-leaked-cable.html

[29]   Landler, M. and Markoff, J. (2007) Digital Fears Emerge After Data Siege in Estonia. The New York Times, 29 May 2007.
http://www.nytimes.com/2007/05/29/technology/29estonia.html?pagewanted=all

[30]   Richards, J. (2009) Denial-of-Service: The Estonian Cyberwar and Its Implications for US National Security. International Affairs Review, 18.
http://www.iar-gwu.org/node/65

[31]   Hobemagi, T. (2010) Price of Cyberattacks to Hansabank: 10 Million Euros. Baltic Business News, 12 August 2010.
http://balticbusinessnews.com/article/2010/12/08/Price-of-cyberattacks-to-Hansabank-10-million-euros

[32]   Herzog, S. (2011) Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security, 4, 49-60.
http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1105&context=jss
http://dx.doi.org/10.5038/1944-0472.4.2.3
[33]   Crawford, J. (2014) The US Government Thinks China Could Take Down the Power Grid. CNN.com, 21 November 2014.
http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/

[34]   Lloyd’s of London (2015) Business Blackout: The Insurance Implications of a Cyber Attack on the US Power Grid. Lloyd’s Emerging Risk Report-2015.
https://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/2015/business%20blackout/business%20blackout20150708.pdf

[35]   Liptak, A. (2003) The Blackout of 2003: Lawsuits; Plaintiffs to Face Hurdles Proving Liability. The New York Times, 15 August 2003.
http://www.nytimes.com/2003/08/15/us/the-blackout-of-2003-lawsuits-plaintiffs-to-face-hurdles-proving-liability.html

[36]   Garrison v. Pac. Nw. Bell (1980) 608 P.2d 1206, 1211.

[37]   Food Pageant, Inc. v. Consol. Edison Co. (1981) 429 N.E.2d 738, 740.

[38]   Singer Co., Link Simulation Sys. Div. v. Baltimore Gas & Elec. Co. (1989) 558 A.2d 419, 428.

[39]   Frankel, A. (2012) Can Customers Sue Power Companies for Outages? Yes, But It’s Hard to Win. Reuters.com, 9 November 2012.
http://blogs.reuters.com/alison-frankel/2012/11/09/can-customers-sue-power-companies-for-outages-yes-but-its-hard-to-win/

[40]   Zhang, Z. (2013) Cybersecurity Policy for the Electricity Sector: The First Step to Protecting Our Critical Infrastructure from Cyber Threats. Boston University Journal of Science and Technology Law, 19, 319-366.

[41]   Wei, L., Debaise, C. and Bray, C. (2003) Blackout Exposes Power Companies to Potential Lawsuits. Dow Jones Newswires New York, 18 August 2003.
http://www.oandb.com/blackoutexposes.html

[42]   Venable LLP (2014) The SAFETY Act: Providing Critical Liability Protections for Cyber and Physical Security Efforts.
https://www.venable.com/files/Publication/6c0b031e-c2c5-4029-9ac7-13cb1d8c0d07/Presentation/PublicationAttachment/e81d24a3-fc57-4ece-8e1f-179418baf994/The_SAFETY_Act_Providing_Critical_Liability_Protections_for_Cyber_and_Physical_Securi.pdf

[43]   Eeckhoudt, L., Gollier, C. and Schlesinger, H. (2005) Economic and Financial Decisions under Risk. Princeton University Press, Princeton.

[44]   Huang, C.D., Hu, Q. and Behara, R.S. (2008) An Economic Analysis of the Optimal Information Security Investment in the Case of a Risk-Averse Firm. International Journal of Production Economics, 114, 793-804.
http://dx.doi.org/10.1016/j.ijpe.2008.04.002

[45]   Cook, P. and Graham, D. (1977) The Demand for Insurance and Protection: A Case of Irreplaceable Commodities. Quarterly Journal of Economics, 92, 143-156.
http://dx.doi.org/10.2307/1883142

[46]   Lucas, D. (2014) Rebutting Arrow and Lind: Why Governments Should Use Market Rates for Discounting. Journal of Natural Resources Policy Research, 6, 85-91.
http://dx.doi.org/10.1080/19390459.2013.874106

[47]   Stewart, M., Ellingwood, B. and Mueller, J. (2011) Homeland Security: A Case Study in Risk Aversion for Public Decision Making. International Journal of Risk Assessment and Management, 15, 367-386.
http://dx.doi.org/10.1504/IJRAM.2011.043690

[48]   Stewart, M. and Mueller, J. (2013) Aviation Security, Risk Assessment, and Risk Aversion for Public Decisionmaking. Journal of Policy Analysis and Management, 32, 615-633.
http://dx.doi.org/10.1002/pam.21704

[49]   Farrow, S. and Scott, M. (2013) Comparing Multi-State Expected Damages, Option Price and Cumulative Prospect Measures for Valuing Flood Protection. Water Resources Research, 49, 2638-2648.
http://dx.doi.org/10.1002/wrcr.20217
