The Economics of Information Security Investment. Gordon, L. A. & Loeb, M. P. ACM Trans. Inf. Syst. Secur., 5(4):438–457, November 2002. Place: New York, NY, USA. Publisher: Association for Computing Machinery.
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.
@article{gordon_economics_2002,
	title = {The {Economics} of {Information} {Security} {Investment}},
	volume = {5},
	issn = {1094-9224},
	url = {https://doi.org/10.1145/581271.581274},
	doi = {10.1145/581271.581274},
	abstract = {This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.},
	number = {4},
	journal = {ACM Trans. Inf. Syst. Secur.},
	author = {Gordon, Lawrence A. and Loeb, Martin P.},
	month = nov,
	year = {2002},
	note = {Place: New York, NY, USA
Publisher: Association for Computing Machinery},
	keywords = {Optimal security investment},
	pages = {438--457},
}
