ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY
Information security breaches in organizations are common in the modern digital economy. What is uncommon, though, is the approach being taken by a new breed of researchers who are applying economic concepts to cyber security problems (i.e., cybersecurity economics) in the hope of ultimately preventing, or at least reducing, their occurrence. This new research agenda has important implications for organizations around the world. Drs. Lawrence A. Gordon and Martin P. Loeb, along with other colleagues at the University of Maryland, are among the leading proponents of this new research agenda. An annotated bibliography of some of the main articles resulting from their research follows.

Annotated Bibliography

Gordon, L.A., M.P. Loeb, and L. Zhou, “The Impact of Information Security Breaches: Has there been a Downward Shift?,” Journal of Computer Security, 2011, Vol. 19, No. 1, pp. 33-56. This paper shows that information security breaches have had a significant impact on the stock market returns of firms. However, there has been a significant downward shift in the impact of security breaches in the sub-period following 9/11/2001 versus the impact in the pre-9/11/2001 sub-period.

Gordon, L.A., M.P. Loeb and T. Sohail, “Market Value of Voluntary Disclosures Concerning Information Security,” MIS Quarterly, 2010, Vol. 34, No. 3, pp. 567-594. This paper provides strong evidence that voluntary disclosures concerning information security, in annual reports filed with the SEC, are positively associated with the stock market value of firms.

Gordon, L. A., M. P. Loeb, T. Sohail, C-Y Tseng, and L. Zhou, “Cybersecurity, Capital Allocations and Management Control Systems,” European Accounting Review, Vol. 17, No. 2, 2008. This paper shows that firms can use an information security audit (which is part of a management control system), along with compensation payments to the agent and the investment decision rules, to mitigate a Chief Information Security Officer’s inherent empire-building preferences.

Bodin, L., L.A. Gordon and M.P. Loeb, “Information Security and Risk Management,” Communications of the ACM, Vol. 51, No. 4, 2008. The objectives of this paper are to discuss three measures that capture different aspects of information security risk and to propose a methodology that allows decision-makers to combine these (or any) different risk measures into a single composite metric. The proposed new metric is called the Perceived Composite Risk (PCR).

Gordon, L.A., M. P. Loeb, W. Lucyshyn and T. Sohail, “The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities,” Journal of Accounting and Public Policy, Vol. 25, No. 5, 2006. This paper provides empirical evidence that the Sarbanes-Oxley Act (SOX) of 2002 has had a significant impact on the voluntary disclosure of information security activities of corporations. These findings suggest that SOX has increased the information security activities of these firms.

Gordon, L. A. and M. P. Loeb, “Budgeting Process for Information Security Expenditures,” Communications of the ACM, January 2006. This paper provides empirical evidence concerning the way organizations budget for information security expenditures. The findings indicate that economic concepts, such as net present value (NPV) and cost-benefit analysis, are beginning to gain acceptance from senior information security managers.

Bodin, L., L. A. Gordon and M. P. Loeb, “Evaluating Information Security Investments Using the Analytic Hierarchy Process,” Communications of the ACM, February 2005. The Analytic Hierarchy Process (AHP) is a tool for analyzing multi-criteria decision problems involving quantitative and qualitative criteria. This paper shows how a Chief Information Security Officer can apply the AHP to determine the best way to spend a limited information security budget and to make a case to the organization’s Chief Financial Officer for an increase in funds to further enhance the organization’s information security.
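The AHP computation behind the entry above, worked numerically as an added example (this is not code from the page or from Bodin, Gordon and Loeb). It derives priority weights from pairwise-comparison matrices by power iteration, rejects matrices whose judgements contradict each other (Saaty's consistency ratio above 0.10, using Saaty's standard random-index table), and combines criteria weights with per-criterion alternative scores into one ranking. The hierarchy (confidentiality, integrity and availability as criteria; an MFA rollout, patch automation and DDoS protection as the competing uses of the budget) and every pairwise judgement in it are constructed for illustration.

```python
"""Analytic Hierarchy Process for a security budget decision (added example).

Pairwise matrices use Saaty's 1-9 scale: a[i][j] says how much more important
(or preferable) item i is than item j, and a[j][i] = 1 / a[i][j]. Every
judgement below is a constructed illustration, not data from the paper.
"""

# Saaty's random consistency index for an n x n matrix (n = 1..9).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def priorities(matrix, tol=1e-12, max_iter=1000):
    """Principal eigenvector (normalised to sum 1) and principal eigenvalue
    of a pairwise-comparison matrix, found by power iteration."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(max_iter):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w_new = [x / total for x in aw]
        converged = max(abs(a - b) for a, b in zip(w_new, w)) < tol
        w = w_new
        if converged:
            break
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 0 for a perfectly
    consistent matrix, and by convention acceptable below about 0.10."""
    n = len(matrix)
    if n <= 2:
        return 0.0  # a 2x2 reciprocal matrix cannot be inconsistent
    _, lambda_max = priorities(matrix)
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


def ahp_scores(criteria_matrix, alternative_matrices, max_cr=0.10):
    """Overall score of each alternative: sum over criteria of
    (criterion weight) x (alternative's priority under that criterion).
    alternative_matrices[c] compares the alternatives under criterion c.
    Any matrix with CR > max_cr is refused rather than silently used."""
    for m in [criteria_matrix, *alternative_matrices]:
        cr = consistency_ratio(m)
        if cr > max_cr:
            raise ValueError(f"judgements too inconsistent to use (CR = {cr:.2f} > {max_cr})")
    crit_w, _ = priorities(criteria_matrix)
    alt_w = [priorities(m)[0] for m in alternative_matrices]
    n_alt = len(alternative_matrices[0])
    return [sum(crit_w[c] * alt_w[c][a] for c in range(len(crit_w)))
            for a in range(n_alt)]


if __name__ == "__main__":
    # Constructed judgements: criteria are confidentiality, integrity,
    # availability; alternatives are MFA rollout, patch automation, DDoS protection.
    criteria = [[1, 2, 3],
                [1 / 2, 1, 2],
                [1 / 3, 1 / 2, 1]]
    under_confidentiality = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
    under_integrity = [[1, 1 / 2, 3], [2, 1, 4], [1 / 3, 1 / 4, 1]]
    under_availability = [[1, 1 / 3, 1 / 5], [3, 1, 1 / 2], [5, 2, 1]]
    names = ["MFA rollout", "Patch automation", "DDoS protection"]

    for label, m in [("criteria", criteria), ("confidentiality", under_confidentiality),
                     ("integrity", under_integrity), ("availability", under_availability)]:
        print(f"{label:16s} CR = {consistency_ratio(m):.3f}")
    scores = ahp_scores(criteria, [under_confidentiality, under_integrity, under_availability])
    for name, s in sorted(zip(names, scores), key=lambda t: -t[1]):
        print(f"{name:18s} {s:.3f}")
```

The final scores sum to one, so they can be read directly as a proposed split of a fixed budget across the alternatives, and the per-matrix CR check is what keeps a set of circular judgements (A over B, B over C, C over A) from producing a confident-looking ranking.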

Gordon, L. A., M. P. Loeb and W. Lucyshyn, “Sharing Information on Computer Systems Security: An Economic Analysis,” Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003.  The U.S. federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. This paper presents a model to examine the welfare economic implications of this movement. It is shown that, since information sharing lowers the cost of each firm attaining any given level of information security, there are potential benefits for individual firms and society at large from sharing.  However, it is also shown that in the absence of appropriate economic incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information).

Campbell, K., L.A. Gordon, M. P. Loeb and L. Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal of Computer Security, Vol. 11, No. 3, 2003.  This study examines the economic effect of information security breaches on the stock market value of corporations. This approach takes into account the indirect costs, as well as the direct costs, to the firm.   The analysis shows that cyber security breaches in which confidential private information is compromised (e.g., the release of customer credit card numbers, bank account numbers, or medical records to unauthorized parties) have a significant negative effect on the stock market value of the attacked firm.  However, security breaches not related to confidentiality (e.g., a temporary shut down of a corporate website) involve costs that are transitory and are unlikely to significantly affect shareholder value.  Thus, market participants appear to discriminate across types of breaches and economically rational investment strategies should focus on protecting the firms’ most valuable information assets.

Gordon, L. A., M. P. Loeb and W. Lucyshyn, “Information Security Expenditures and Real Options: A Wait-and-See Approach,” Computer Security Journal, Vol. 19, No. 2, 2003. Empirical evidence suggests that security breaches are an important driver of actual expenditures on information security activities. Although this wait-and-see approach toward information security expenditures may seem unwise on the surface, there is a rational economic explanation for such an approach under the appropriate conditions. Indeed, as shown in this paper, this approach toward information security expenditures may be consistent with the real option (in particular, the deferment option) view of capital budgeting.

Gordon, L. A., M. P. Loeb and T. Sohail, “A Framework for Using Insurance for Cyber Risk Management,” Communications of the ACM, March 2003.  Insurance companies, designing new policies to deal with the cyber risks of information breaches, have had to address issues related to pricing, adverse selection, and moral hazard. While these issues are common to all forms of insurance, this paper examines the unique aspects associated with cyber risk and presents a framework for using insurance as a tool for helping to manage information security risk.  This framework is based on the risk management process and includes a four-step cyber risk insurance decision plan.

Gordon, L. A. and M. P. Loeb, “The Economics of Information Security Investment,” ACM Transactions on Information and System Security, November 2002. This paper presents an economic model that characterizes the optimal monetary investment to protect a given set of information. It is shown that the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. Protecting highly vulnerable information sets may be inordinately expensive, and a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. Moreover, the paper shows that the amount the firm should spend to protect an information set should generally be only a small fraction of the expected loss: for the two classes of security breach probability function analyzed in the paper, the optimal investment never exceeds 1/e (roughly 37%) of the expected loss from a breach.
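The investment model summarised above, worked numerically as an added example (this is not code from the page or from Gordon and Loeb). Notation follows the paper: v is the vulnerability of an information set (the probability it is breached with no extra investment), L the monetary loss if it is breached, z the amount spent, and S(z, v) the breach probability after spending z; the two breach-probability families below are the paper's class I and class II functions. The numeric values (L = 100, α = β = 1, the grid of v) are assumptions chosen for illustration.

```python
"""Gordon-Loeb (2002) security-investment model, worked numerically (added example).

v : vulnerability of the information set (breach probability at zero investment)
L : loss if the information set is breached
z : amount invested in protecting it
S : breach probability after investing z, S(z, v) <= v
The optimum z* maximises the expected net benefit (v - S(z, v)) * L - z.
Sample values (L = 100, alpha = beta = 1) are assumptions for illustration.
"""
import math


def breach_prob_class1(z, v, alpha=1.0, beta=1.0):
    """Class I: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def breach_prob_class2(z, v, alpha=1.0):
    """Class II: S(z, v) = v**(alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, loss, S):
    """Expected net benefit of information security: expected loss avoided minus spend."""
    return (v - S(z, v)) * loss - z


def optimal_investment(v, loss, S, steps=2000):
    """Maximise ENBIS over 0 <= z <= v*L: a coarse grid, then a fine grid around
    the best coarse point. v*L is the most any investment could ever save, so
    spending beyond it is never optimal; ENBIS is concave in z for both classes,
    so the refined grid lands on the true optimum."""
    lo, hi = 0.0, v * loss
    best = 0.0
    for _ in range(2):
        step = (hi - lo) / steps
        grid = [lo + i * step for i in range(steps + 1)]
        best = max(grid, key=lambda z: enbis(z, v, loss, S))
        lo, hi = max(0.0, best - step), min(v * loss, best + step)
    return best


def class1_closed_form(v, loss, alpha=1.0):
    """Analytic optimum for class I with beta = 1, from
    d/dz ENBIS = alpha*v*L / (alpha*z + 1)**2 - 1 = 0."""
    return max(0.0, (math.sqrt(alpha * v * loss) - 1.0) / alpha)


def investment_curve(S, loss, vulns):
    """Optimal spend at each vulnerability level, to show how z* moves with v."""
    return [(v, optimal_investment(v, loss, S)) for v in vulns]


if __name__ == "__main__":
    LOSS = 100.0  # assumed loss if the information set is breached
    for name, S in (("class I", breach_prob_class1), ("class II", breach_prob_class2)):
        print(name)
        for v, z in investment_curve(S, LOSS, [0.1, 0.3, 0.5, 0.7, 0.9, 0.99]):
            print(f"  v={v:.2f}  z*={z:6.2f}  z*/(vL)={z / (v * LOSS):.3f}"
                  f"  bound vL/e={v * LOSS / math.e:6.2f}")
```

With these assumed numbers the class I optimum rises steadily with v (about 2.2 at v = 0.1 up to about 9.0 at v = 0.99), but the class II optimum rises from about 1.4 at v = 0.1 to about 21 at v = 0.9 and then drops to zero at v = 0.99: at that vulnerability the first unit of spending no longer reduces the expected loss by more than it costs, which is the paper's point that the most vulnerable information sets are not automatically the ones worth protecting. In every case z* stays below vL/e.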

Gordon, L. A. and M. P. Loeb, “Return on Information Security Investments: Myths vs. Reality,” Strategic Finance, November 2002. Although ROI measures have gained attention as a financial tool to evaluate information security projects, conceptual and practical problems of these measures have been largely ignored.  This paper highlights several of these problems. The paper shows that the common accounting measure of return on investment is different from the economic measure of return on investment, and that the accounting measure is inappropriate for both the ex ante and ex post evaluation of information security projects. The paper also recommends selecting a profit maximizing level of information security investment rather than the level that maximizes a measure of return on investment.

Gordon, L. A. and M. P. Loeb, “Economic Aspects of Information Security,” Tech Trends Notes, Fall 2001.  This paper provides an economic framework for looking at the allocation of resources to information security activities.  A major argument of this paper is that expenditures on information security need to be considered in cost-benefit terms, in a similar fashion to the way organizations allocate resources to other activities.

Gordon, L. A. and M. P. Loeb, “A Framework for Using Information Security as a Response to Competitor Analysis Systems,” Communications of the ACM, September 2001. This paper provides a framework for using information security as an appropriate response to rivals’ competitor analysis systems.  The paper also provides a five-step approach toward allocating information security funds in an effort to protect a firm from becoming a part of a rival’s competitor analysis system.


Gordon, L. A. and M. P. Loeb, “Expenditures on Competitor Analysis and Information Security: A Management Accounting Perspective,” in Management Accounting in the Digital Economy (Oxford University Press), A. Bhimani (ed.), 2003.  An underlying premise for both expenditures on competitor analysis and expenditures on information security is that information is an economic good with strategic value. In this paper, a game theoretic model of a market shared by two rivals is analyzed to shed light on how expenditures on competitor analysis affect, and are affected by, expenditures on information security. The paper also discusses the importance of these issues for management accounting.


Book: Gordon, L. A. and  M. P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Analysis (McGraw-Hill, Inc.), 2006. A fundamental argument throughout the book is that the proper use of economic concepts will allow organizations (in both the private and public sectors) to achieve a higher level of cybersecurity than otherwise possible.  This argument is developed by providing an economic framework for: (1) determining the appropriate amount to invest in cybersecurity, and (2) procedures for allocating such resources to particular cybersecurity activities. 

For more on Managing Cybersecurity Resources, see: http://www.rhsmith.umd.edu/faculty/lgordon/cybersecuritybook.htm
