Information security breaches in organizations are common in the modern
digital economy. What is uncommon though is the approach being taken by
a new breed of researchers who are applying economic concepts to cyber
security problems i.e., cybersecurity economics, in the hope of ultimately preventing (or at least
reducing) their occurrence. This new research agenda has important
implications for organizations around the world. Drs. Lawrence A.
Gordon and Martin P. Loeb, along with other colleagues at the University
of Maryland, are among the leading proponents of this new research
agenda. An Annotated Bibliography of some of the main articles
resulting from their research follows.
M.P. Loeb, and L. Zhou, “The Impact of Information Security
Breaches: Has there been a Downward Shift?,”
of Computer Security ,
Vol. 19, No.1.
shows that information security breaches have had a significant
impact on the stock market returns of firms. However, there has been
a significant downward shift in the impact of security breaches in
the sub-period following 9/11/2001 versus the impact in the
M.P. Loeb and T. Sohail, “Market Value of Voluntary Disclosures
Concerning Information Security,”
MIS Quarterly, 2010,
Vol. 34, No. 3.
provides strong evidence that voluntary disclosures concerning
information security, in annual reports filed with the SEC, are
positively associated with the stock market value of firms.
Gordon, L. A., M. P. Loeb, T. Sohail, C-Y Tseng, and L. Zhou,
“Cybersecurity, Capital Allocations and Management Control Systems,”
European Accounting Review
Vol. 17, No. 2, 2008. This paper shows that firms can use an
information security audit (which is part of a management control
system), along with compensation payments to the agent and the
investment decision rules, to mitigate a Chief Information Security
Officer’s inherent empire building preferences.
Bodin, L., L.A. Gordon and M.P. Loeb, “Information Security and Risk
Communications of the ACM
Vol. 51, No. 4, 2008. The objectives of this paper are to
discuss three measures that capture different aspects of information
security risk and to propose a methodology that allows
decision-makers to combine these (or any) different risk measures
into a single composite metric. The proposed new metric is called
the Perceived Composite Risk (PCR) .
Gordon, L.A., M.
P. Loeb , W. Lucyshyn and T. Sohail, “The Impact of the
Sarbanes-Oxley Act on the Corporate Disclosures of
Information Security Activities,” Journal of
Accounting and Public Policy, Vol. 25, No.5, 2006.
This paper provides empirical evidence
that the Sarbanes-Oxley Act (SOX) of 2002 has had a
significant impact on the voluntary disclosure of
information security activities of corporations.
These findings suggest that SOX has increased the
information security activities of these firms.
Gordon, L. A. and M. P. Loeb, “Budgeting Process for
Information Security Expenditures,” Communications of
the ACM, January 2006.
This paper provides empirical evidence concerning the
way organizations budget for information security
findings indicate that economic concepts, such as NPV and
cost-benefit analysis, are beginning to gain acceptance from
senior information security managers.
Bodin, L., L. A. Gordon and M. P. Loeb, “Evaluating
Information Security Investments Using the Analytic
Hierarchy Process,” Communications of the ACM,
February 2005. The Analytic Hierarchy Process (AHP) is a
tool for analyzing multi-criteria decision problems
involving quantitative and qualitative criteria. This paper
shows how a Chief Information Security Officer can apply the
AHP to determine the best way to spend a limited information
security budget and to make a case to the organization’s
Chief Financial Officer for an increase in funds to further
enhance the organization’s information security.
Gordon, L. A., M. P. Loeb and W. Lucyshyn, “Sharing
Information on Computer Systems Security: An Economic
Analysis,” Journal of Accounting and Public Policy,
Vol. 22, No. 6, 2003.
The U.S. federal government has fostered a movement toward
sharing information concerning computer security, with
particular emphasis on protecting critical infrastructure
assets that are largely owned by the private sector. This
paper presents a model to examine the welfare economic
implications of this movement. It is shown that, since
information sharing lowers the cost of each firm attaining
any given level of information security, there are potential
benefits for individual firms and society at large from
sharing. However, it
is also shown that in the absence of appropriate economic
incentive mechanisms, each firm will attempt to free ride on
the security expenditures of other firms (i.e., renege from
the sharing agreement and refuse to share information).
Campbell, K., L.A. Gordon, M. P. Loeb and L. Zhou, “The
Economic Cost of Publicly Announced Information Security
Breaches: Empirical Evidence from the Stock Market,”
Journal of Computer Security, Vol. 11, No. 3, 2003.
This study examines the economic effect of
information security breaches on the stock market value of
corporations. This approach takes into account the indirect
costs, as well as the direct costs, to the firm.
The analysis shows that cyber security breaches in
which confidential private information is compromised (e.g.,
the release of customer credit card numbers, bank account
numbers, or medical records to unauthorized parties) have a
significant negative effect on the stock market value of the
However, security breaches not related to confidentiality
(e.g., a temporary shut down of a corporate website) involve
costs that are transitory and are unlikely to significantly
affect shareholder value.
Thus, market participants appear to discriminate
across types of breaches and economically rational
investment strategies should focus on protecting the firms’
most valuable information assets.
Gordon, L A., M. P. Loeb and W. Lucyshyn, “Information
Security Expenditures and Real Options: A Wait-and-See
Approach,” Computer Security Journal, Vol. 19,
No. 2, 2003.
Empirical evidence suggests that security breaches are an
important driver of actual expenditures on information
Although this wait-and-see approach toward information
security expenditures may seem unwise on the surface, there
is a rational economic explanation for such an approach
under the appropriate conditions.
Indeed, as shown in this paper, this approach toward
information security expenditures may be consistent with the real
option (in particular, the deferment option) view of capital
Gordon, L. A., M. P. Loeb and T. Sohail, “A Framework for
Using Insurance for Cyber Risk Management,”
Communications of the ACM, March 2003.
Insurance companies, designing new policies to deal
with the cyber risks of information breaches, have had to
address issues related to pricing, adverse selection, and
moral hazard. While these issues are common to all forms of
insurance, this paper examines the unique aspects associated
with cyber risk and presents a framework for using insurance
as a tool for helping to manage information security risk.
This framework is based on the risk management
process and includes a four-step cyber risk insurance
Gordon, L. A. and M. P. Loeb, “The Economics of
Information Security Investment,” ACM Transactions on
Information and System Security, November 2002.
This paper presents an economic model that
characterizes the optimal monetary investment to protect a
given set of information. It is shown that the optimal
amount to spend to protect an information set does not
always increase with increases in the information set’s
vulnerability. Protecting highly vulnerable information sets
may be inordinately expensive, and a firm may be better off
concentrating its efforts on information sets with midrange
vulnerabilities. Moreover, the paper shows that the amount
the firm should spend to protect information sets should
generally be only a small fraction of the expected loss.
Gordon, L. A. and M. P. Loeb, “Return on Information
Security Investments: Myths vs. Reality,” Strategic
Finance, November 2002. Although ROI measures have
gained attention as a financial tool to evaluate information
security projects, conceptual and practical problems of
these measures have been largely ignored.
This paper highlights several of these problems. The
paper shows that the common accounting measure of return on
investment is different from the economic measure of return
on investment, and that the accounting measure is
inappropriate for both the ex ante and ex post evaluation of
information security projects. The paper also recommends
selecting a profit maximizing level of information security
investment rather than the level that maximizes a measure of
return on investment.
Gordon, L. A. and M. P. Loeb, “Economic Aspects of
Information Security,” Tech Trends Notes, Fall
2001. This paper
provides an economic framework for looking at the allocation
of resources to information security activities.
A major argument of this paper is that expenditures
on information security need to be considered in
cost-benefit terms, in a similar fashion to the way
organizations allocate resources to other activities.
Gordon, L. A. and M. P. Loeb, “A Framework for Using
Information Security as a Response to Competitor Analysis
Systems,” Communications of the ACM, September
2001. This paper provides a framework for using information
security as an appropriate response to rivals’ competitor
analysis systems. The
paper also provides a five-step approach toward allocating
information security funds in an effort to protect a firm
from becoming a part of a rival’s competitor analysis
Gordon, L. A. and M. P. Loeb, “Expenditures on Competitor
Analysis and Information Security: A Management Accounting
Perspective,” in Management Accounting in the Digital
Economy (Oxford University Press), A. Bhimani (ed.),
2003. An underlying
premise for both expenditures on competitor analysis and
expenditures on information security is that information is
an economic good with strategic value. In this paper, a game
theoretic model of a market shared by two rivals is analyzed
to shed light on how expenditures on competitor analysis
affect, and are affected by, expenditures on information
security. The paper also discusses the importance of these
issues for management accounting.
Book: Gordon, L. A. and
M. P. Loeb, Managing Cybersecurity Resources: A
Cost-Benefit Analysis (McGraw-Hill,
Inc.), 2006. A fundamental argument throughout the
book is that the proper use of economic concepts will allow
organizations (in both the private and public sectors) to
achieve a higher level of cybersecurity than otherwise
argument is developed by providing an economic framework
for: (1) determining the appropriate amount to invest in
cybersecurity, and (2) procedures for allocating such
resources to particular cybersecurity activities.
For more on Managing
Cybersecurity Resources, see:
Click Back to
Lawrence A. Gordon's HomePage