
The economics of information security investment

Published: 01 November 2002

Abstract

This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.

Reviews

Melissa C. Stange

A practical approach is presented in this paper for determining the investment requirements necessary for information protection. The model used is explained in detail throughout the 18 pages of the paper. Gordon and Loeb's detailed approach, which includes textual explanations, formulas, graphics, and proofs, is excellent for clarifying the subject matter. The authors even take the extra step of including a discussion of which areas their research model does not address. These areas include perverse economic incentives affecting investment, dynamic issues, and game theoretic aspects. The paper is clearly written. It is organized into four sections, which easily flow from one to the next. The authors present analyses for a broad class of security breach probability functions; optimal security spending is presented as an increasing function of vulnerability level. The paper also provides a strong conceptual foundation in explaining why current research has fallen short in this area; the focus of research in information security has mainly been on technical issues. This useful and thought provoking model paper will not only be interesting to technical security professionals, but will also provide excellent reading for anyone faced with the task of developing a budget for information security. The most interesting thing I found in the paper was the fact that the model showed that management should be concentrating on midrange vulnerabilities, instead of on the high end. This is very important to current practice, in that most security teams do concentrate on the high end. Gordon and Loeb make a good recommendation to security teams, suggesting that all information be split into security breach vulnerability sets (low, middle, and high), and the sets then be defended moderately, instead of devoting all resources to one set. I recommend this paper highly to students, researchers, and information managers. Online Computing Reviews Service

Roxanne B. Everetts

Gordon and Loeb report on a model that they have developed to evaluate how much information security is needed to protect data assets, and to determine the optimal investment, given the value of the assets and their vulnerability. The authors argue that contrary to current best practices (which dictate that the more value attached to an asset, the greater the investment needed to protect it), the optimal information security investment does not always increase proportionately to increases in vulnerability; there is a point at which it is not in the best interest of a firm to make increasingly larger investments in information security. Gordon and Loeb’s findings indicate that investments in information security should not exceed 37 percent of the expected loss in the event of a breach. This finding offers an economic model for information security investment decisions. The authors observe correctly that the field of information security is currently drawing a great deal of attention. However, the focus of much of current research is on technical issues (how to make systems harder to breach), or on behavior (how to make people interact with systems in a manner that does not increase their vulnerabilities). There is little written to assist with determining the optimal level of investment, to help organizations determine how much it should cost to protect their information. The paper presents the authors’ model in scholarly fashion, and provides excellent dialogue to walk the reader through the proofs and propositions they have developed to support it. The arguments are well presented and clearly documented. Gordon and Loeb clearly identify the limitations of their research and the assumptions made in constructing their initial model. The references cited are mostly current, and reflect a wide range of inquiry into the field. The length of the paper is appropriate for the material presented. 
In layman’s terms, what Gordon and Loeb are arguing is that the law of diminishing returns applies to information security. It is not acceptable to continue to believe that if you throw endless amounts of money at a problem, you will have a solution. It is long past time that our field accepted this reality, and changed its focus accordingly. This work represents forward-looking thinking. It should be recognized as a valuable contribution to current research in the information security field. Online Computing Reviews Service

Lee Imrey

Gordon and Loeb's paper is well timed. As businesses suffer from the economic uncertainties of the 21st century, management is looking for ways to contain costs while continuing to meet fiduciary responsibilities. This requires companies to spend "enough" to protect their information assets, but no more than that. Unfortunately, we lack clear guidance on how much is "enough." Many auditing and vulnerability assessment teams approach information security from a technical perspective, and perform a "binary analysis" of security measures: "Do you have a firewall or not?" "Are you running a host-based IDS or not?" This approach generates a compendium of vulnerabilities, sometimes includes suggested countermeasures, but ultimately fails to address the business perspective, which must balance expected risk with cost of mitigation. In some cases, the most effective business decision may be to accept a risk, rather than mitigate it. Gordon and Loeb recognize this gap between the business perspective and the technical viewpoint, and have made a creditable first step to bridge it. Through applying the techniques of economic analysis to information security investment, they bring quantitative precision to what has been a more qualitative process of risk management. According to their mathematical analysis, optimal investments in information security rise with the vulnerability of information, but in some cases reach a point of diminishing return. This is intuitively known to all who have worked in the industry for any period of time, but Gordon and Loeb's paper provides definitive support for this view, which may be more effective in business impact analyses than intuition, however justified.
The authors recognize that the model they use represents a simplification for most businesses, perhaps even an over-simplification, but correctly state that their work represents a starting point for further research into more complex models of information security investment, and into means to determine the optimal allocation of resources. Overall, I recommend this paper to those whose job requires budgeting for the protection of information. Online Computing Reviews Service

Published In

ACM Transactions on Information and System Security, Volume 5, Issue 4
November 2002
174 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/581271

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 November 2002
Published in TISSEC Volume 5, Issue 4

Author Tag

  1. Optimal security investment

Qualifiers

  • Article

Article Metrics

  • Downloads (last 12 months): 517
  • Downloads (last 6 weeks): 62
Reflects downloads up to 01 Nov 2024

Cited By

  • (2025) Dealing with uncertainty in cybersecurity decision support. Computers & Security 148, 104153. DOI: 10.1016/j.cose.2024.104153. Online publication date: Jan-2025
  • (2024) The Influence of Governmental Support on Cyber-Security Adoption and Performance. International Journal of Business Data Communications and Networking 19(1), 1-16. DOI: 10.4018/IJBDCN.341264. Online publication date: 9-Apr-2024
  • (2024) Development of cyber security assessment tool for financial institutions. DOI: 10.20334/2024-023-M. Online publication date: 2024
  • (2024) More than malware: unmasking the hidden risk of cybersecurity regulations. International Cybersecurity Law Review 5(1), 169-212. DOI: 10.1365/s43439-024-00111-7. Online publication date: 2-Feb-2024
  • (2024) Cyber Insurance and Post-Breach Services: A Normative Analysis. Service Science. DOI: 10.1287/serv.2021.0120. Online publication date: 19-Mar-2024
  • (2024) When Nash Meets Stackelberg. Management Science 70(10), 7308-7324. DOI: 10.1287/mnsc.2022.03418. Online publication date: 1-Oct-2024
  • (2024) A Model of Information Security and Competition. Marketing Science. DOI: 10.1287/mksc.2023.0513. Online publication date: 29-Oct-2024
  • (2024) Dynamics of Shared Security in the Cloud. Information Systems Research. DOI: 10.1287/isre.2023.0256. Online publication date: 29-Jul-2024
  • (2024) Exploring Behavioural Strategies in Cyberinsurance Adoption. Proceedings of the European Conference on Cognitive Ergonomics 2024, 1-6. DOI: 10.1145/3673805.3673816. Online publication date: 8-Oct-2024
  • (2024) On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and Goals. Proceedings of the 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability, 45-52. DOI: 10.1145/3643662.3643954. Online publication date: 15-Apr-2024
