JIS Vol. 7 No. 2, March 2016
Investing in Cybersecurity: Insights from the Gordon-Loeb Model
Abstract: Given the importance of cybersecurity to the survival of an organization, a fundamental economics-based question that must be addressed by all organizations is: How much should be invested in cybersecurity related activities? Gordon and Loeb [1] presented a model to address this question, and that model has received a significant amount of attention in the academic and practitioner literature. The primary objective of this paper is to discuss the Gordon-Loeb Model with a focus on gaining insights for the model’s use in a practical setting.
Cite this paper: Gordon, L., Loeb, M. and Zhou, L. (2016) Investing in Cybersecurity: Insights from the Gordon-Loeb Model. Journal of Information Security, 7, 49-59. doi: 10.4236/jis.2016.72004.
References

[1]   Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457.
http://dx.doi.org/10.1145/581271.581274

[2]   Gordon, L.A. and Loeb, M.P. (2006) Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw-Hill, Inc., New York.

[3]   Rue, R. and Pfleeger, S.L. (2009) Making the Best Use of Cybersecurity Economic Models. IEEE Security & Privacy, 7, 52-60.
http://dx.doi.org/10.1109/MSP.2009.98

[4]   Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004) A Model Evaluating IT Security Investments. Communications of the ACM, 47, 87-92.
http://dx.doi.org/10.1145/1005817.1005828

[5]   Wang, J., Chaudhury, A. and Rao, H.R. (2008) Research Note—A Value-at-Risk Approach to Information Security Investment. Information Systems Research, 19, 106-120.
http://dx.doi.org/10.1287/isre.1070.0143

[6]   AFCEA (Armed Forces Communications and Electronics Association) Cyber Committee Report (2013) The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment.

[7]   Gordon, L.A. and Loeb, M.P. (2011) You May Be Fighting the Wrong Security Battles. The Wall Street Journal, 26 September.

[8]   Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cybersecurity Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30.
http://dx.doi.org/10.4236/jis.2015.61003

[9]   Gordon, L.A., Loeb, M.P. and Zhou, L. (2011) The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs? Journal of Computer Security, 19, 33-56.

[10]   Lelarge, M. (2012) Coordination in Network Security Games. In: Greenberg, A.G. and Sohraby, K., Eds., INFOCOM, IEEE, 2856-2860.
http://dx.doi.org/10.1109/infcom.2012.6195715

[11]   Lelarge, M. (2012) Coordination in Network Security Games: A Monotone Comparative Statics Approach. Selected Areas in Communications, IEEE Journal, 30, 2210-2219.
http://dx.doi.org/10.1109/JSAC.2012.121213

[12]   Baryshnikov, Y. (2012) IT Security Investment and Gordon-Loeb’s 1/e Rule. Workshop on Economics and Information Security, Berlin.
http://weis2012.econinfosec.org/papers

[13]   Willemson, J. (2006) On the Gordon & Loeb Model for Information Security Investment. The Fifth Workshop on Economics of Information Security (WEIS), University of Cambridge.
http://www.econinfosec.org/archive/weis2006/docs/12.pdf

[14]   Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349.
http://dx.doi.org/10.1007/s10796-006-9011-6

[15]   Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective. Journal of Accounting and Public Policy, 34, 509-519.
http://dx.doi.org/10.1016/j.jaccpubpol.2015.05.001

[16]   Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Increasing Cybersecurity Investments in Private Sector Firms. Journal of Cybersecurity, 1, 3-17.
http://dx.doi.org/10.1093/cybsec/tyv011

[17]   Tanaka, H., Matsuura, K. and Sudoh, O. (2005) Vulnerability and Information Security Investment: An Empirical Analysis of e-Local Government in Japan. Journal of Accounting and Public Policy, 24, 37-59.
http://dx.doi.org/10.1016/j.jaccpubpol.2004.12.003

[18]   Bodin, L., Gordon, L.A. and Loeb, M.P. (2008) Information Security and Risk Management. Communications of the ACM, 51, 64-68.
http://dx.doi.org/10.1145/1330311.1330325

 
 