The security of information is a fundamental concern to organizations operating in the modern digital economy. There are technical, behavioral, and organizational aspects related to this concern. There are also economic aspects of information security.
One important economic aspect of information security revolves around deriving the right amount an organization should invest in protecting information. Organizations also need to determine the most appropriate way to allocate such an investment. Both of these aspects of information security are addressed by Gordon and Loeb in a paper entitled "The Economics of Information Security Investment." This paper considers investments in information security activities based on a mathematical model (often referred to in the literature as the Gordon-Loeb Model) that considers a broad group of information security breach functions.
The focus of the Gordon-Loeb Model is to present an economic framework that characterizes the optimal level of investment to protect a given set of information. The Model shows that the amount a firm should spend to protect information should generally be only a small fraction of the expected loss. More specifically, the Model shows that it is generally uneconomical to invest in information security activities (including cybersecurity related activities) more than 37 percent of the expected loss that would occur from a security breach. The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set's vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
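The following Python script is an added worked example; it is not part of the original page and is not code from Gordon and Loeb. It assumes the two illustrative breach-probability function classes from the 2002 paper, which the page does not reproduce (Class I, S(z,v) = v/(αz+1)^β, and Class II, S(z,v) = v^(αz+1)), together with a constructed loss figure L = 10,000 in arbitrary monetary units and illustrative parameters α = 0.001 and β = 1. It maximizes the expected net benefit (v - S(z,v))·L - z in closed form, cross-checks the answer by brute-force search, and reports the optimal investment as a share of the expected loss vL. Every share stays at or below 1/e ≈ 0.368, which is the "37 percent" figure quoted above, and for Class II the optimal investment rises with v and then falls back to zero as the vulnerability approaches 1, which is the non-monotonicity the paragraph describes.

```python
import math

# Added example (not from the page). Breach-probability functions assumed from
# Gordon & Loeb (2002), which the page cites but does not reproduce:
#   v : vulnerability, the probability of a breach with zero investment (0 < v < 1)
#   z : monetary investment in information security
#   L : monetary loss suffered if a breach occurs
#   S(z, v) : probability of a breach after investing z (S(0, v) = v)
# ALPHA and BETA are illustrative productivity parameters, not values from the page.
ALPHA = 0.001
BETA = 1.0
ONE_OVER_E = 1.0 / math.e   # the bound the page rounds to "37 percent"


def breach_class1(z, v, alpha=ALPHA, beta=BETA):
    """Class I breach function: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def breach_class2(z, v, alpha=ALPHA):
    """Class II breach function: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, L, S):
    """Expected net benefit of investing z: reduction in expected loss minus the cost."""
    return (v - S(z, v)) * L - z


def optimal_class1(v, L, alpha=ALPHA, beta=BETA):
    """Closed-form maximiser of enbis for Class I, from the first-order condition -dS/dz = 1/L."""
    root = (alpha * beta * v * L) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def optimal_class2(v, L, alpha=ALPHA):
    """Closed-form maximiser for Class II; zero when the first unit invested does not pay back."""
    ln_v = math.log(v)                      # negative, since 0 < v < 1
    arg = -1.0 / (v * alpha * L * ln_v)     # >= 1 means the marginal benefit at z = 0 is below 1
    if arg >= 1.0:
        return 0.0
    return math.log(arg) / (alpha * ln_v)


def optimal_by_search(v, L, S, z_max, step=0.1):
    """Brute-force maximiser of enbis over a grid; used only to cross-check the closed forms."""
    best_z, best_val = 0.0, enbis(0.0, v, L, S)
    for i in range(1, int(z_max / step) + 1):
        z = i * step
        val = enbis(z, v, L, S)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def investment_share(v, L, z_star):
    """Optimal investment expressed as a fraction of the expected loss v*L."""
    return z_star / (v * L)


def within_gordon_loeb_bound(v, L, z_star, tol=1e-9):
    """True when z* does not exceed (1/e) * v * L, the model's upper bound."""
    return z_star <= ONE_OVER_E * v * L + tol


def investment_table(L, vulnerabilities):
    """Optimal investment and its share of expected loss for both classes, per vulnerability level."""
    rows = []
    for v in vulnerabilities:
        z1, z2 = optimal_class1(v, L), optimal_class2(v, L)
        rows.append((v, z1, investment_share(v, L, z1), z2, investment_share(v, L, z2)))
    return rows


if __name__ == "__main__":
    L = 10_000  # constructed loss figure in arbitrary monetary units
    print("   v     z*_I   share_I    z*_II  share_II")
    for v, z1, s1, z2, s2 in investment_table(L, (0.1, 0.3, 0.5, 0.7, 0.8, 0.9)):
        print(f"{v:5.2f} {z1:8.1f} {s1:9.3f} {z2:8.1f} {s2:9.3f}")
    print(f"upper bound 1/e = {ONE_OVER_E:.4f}")
```

With these constructed parameters the Class II optimum is positive at v = 0.5 and larger at v = 0.8, but drops to zero at v = 0.9: the most vulnerable information set receives no investment because the first unit spent no longer earns back its cost. That is the point the paragraph makes about medium-vulnerability sets, and the printed shares show the 1/e ceiling from the other direction.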
The Gordon-Loeb Model has been widely referenced in the academic and practitioner literature. The model was also featured in an article by the author in a special report published by The Wall Street Journal on September 26, 2011. The Model has also been empirically tested in several different settings. For example, based on actual data from e-local governments in Japan, Tanaka et al. (2005, Journal of Accounting and Public Policy) provide support for the Model's economic framework concerning the relation between the optimal level of security investment and the vulnerability of the information set.
For more information on specific details of the Gordon-Loeb Model see: Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, November 2002, pp. 438-457.
Individuals interested in applying the Model, or just learning more about the Model, should contact Larry Gordon at: lgordon@rhsmith.umd.edu.