Information and Cyber Security Expenditures and Investments

Click Back to Lawrence A. Gordon's HomePage
Gordon, L. A. and M. P. Loeb, "Budgeting Process for Information Security Expenditures," Communications of the ACM, January 2006.  This paper provides empirical evidence concerning the way organizations budget for information security expenditures.  The findings from this study indicate that economic concepts, such as net present value (NPV) and cost-benefit analysis, are beginning to gain acceptance among senior information security managers in budgeting for information security expenditures.

Gordon, L. A., M. P. Loeb and W. Lucyshyn, "Information Security Expenditures and Real Options: A Wait-and-See Approach," Computer Security Journal, Vol. 19, No. 2, 2003.  Empirical evidence suggests that security breaches are an important driver of actual expenditures on information security activities.  Although this wait-and-see approach toward information security expenditures may seem unwise on the surface, there is a rational economic explanation for such an approach under the appropriate conditions.  Indeed, as shown in this paper, this approach toward information security expenditures may be consistent with the real option (in particular, the deferment option) view of capital budgeting.

Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, November 2002.  This paper presents an economic model that characterizes the optimal monetary investment to protect a given set of information. It is shown that, for a given potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set's vulnerability. Protecting highly vulnerable information sets may be inordinately expensive, and a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. Moreover, the paper shows that the amount the firm should spend to protect information sets should generally be only a small fraction of the expected

Gordon, L. A. and M. P. Loeb, "Return on Information Security Investments: Myths vs. Reality," Strategic Finance, November 2002. Although measures of return on investment have gained increased attention as a financial tool to evaluate information security projects, conceptual and practical problems of these measures have been largely ignored.  This paper highlights several of these problems. The paper shows that the common accounting measure of return on investment is different from the economic measure of return on investment, and that the accounting measure is inappropriate for both the ex ante and ex post evaluation of information security projects. The paper also recommends focusing on selecting a profit maximizing level of information security investment as opposed to the investment level that maximizes a measure of return on investment.
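The two results summarized in the preceding entries, the optimal investment level from the ACM TISSEC model and the difference between a profit-maximizing investment and one that maximizes a return-on-investment ratio, can be reproduced with a short computation. The Python below is an added worked example, not code from the papers or from this site. The two security-breach probability function classes and the first-order condition are the ones in the TISSEC paper; the loss size L, the parameter alpha and the grid of vulnerabilities are constructed values chosen here for illustration, with money in millions of dollars.

```python
"""Worked example of the Gordon-Loeb (2002) investment model, and of why
maximizing a return-on-investment ratio is not the same as maximizing profit.

Added illustration, not code from the papers or from this site. The two
breach-probability function classes and the first-order condition follow the
TISSEC paper; L, alpha and the vulnerability grid are constructed values
(money in $ millions).
"""
import math

E_INVERSE = 1.0 / math.e   # the paper's upper bound on z*/(vL), about 0.37


def breach_prob_class1(z, v, alpha=1.0, beta=1.0):
    """Class I: S(z, v) = v / (alpha*z + 1)**beta, alpha > 0, beta >= 1."""
    return v / (alpha * z + 1.0) ** beta


def breach_prob_class2(z, v, alpha=1.0):
    """Class II: S(z, v) = v ** (alpha*z + 1), alpha > 0."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, loss, breach_prob):
    """Expected net benefit of investing z: [v - S(z, v)] * L - z."""
    return (v - breach_prob(z, v)) * loss - z


def roi(z, v, loss, breach_prob):
    """Return-on-investment ratio: net benefit per dollar invested (z > 0)."""
    return enbis(z, v, loss, breach_prob) / z


def optimal_z_class1(v, loss, alpha=1.0, beta=1.0):
    """z* solving -S_z(z, v) * L = 1 for class I; 0 when even the first
    dollar does not pay, i.e. alpha*beta*v*L < 1."""
    z = ((alpha * beta * v * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def optimal_z_class2(v, loss, alpha=1.0):
    """z* for class II. Solving -alpha*ln(v)*v**(alpha*z+1)*L = 1 gives
    z* = [ln(alpha*L*u)/u - 1]/alpha with u = -ln(v). It is 0 for small v
    (little worth protecting) and again as v -> 1 (S barely moves with z),
    so z* is not monotone in v: midrange vulnerabilities get the money."""
    if v <= 0.0 or v >= 1.0:
        return 0.0
    u = -math.log(v)
    z = (math.log(alpha * loss * u) / u - 1.0) / alpha
    return max(z, 0.0)


def optimal_z_numeric(v, loss, breach_prob, z_max, steps=20000):
    """Grid search for the ENBIS maximizer, to cross-check the closed forms."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, breach_prob)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, loss, breach_prob)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def investment_profile(optimal_z, loss, vulnerabilities, **params):
    """Rows of (v, z*, z*/(v*L)) over a grid of vulnerabilities (v > 0)."""
    rows = []
    for v in vulnerabilities:
        z = optimal_z(v, loss, **params)
        rows.append((v, z, z / (v * loss)))
    return rows


def max_fraction_of_expected_loss(rows):
    """Largest share of expected loss vL spent on protection in the profile."""
    return max(frac for _, _, frac in rows)


if __name__ == "__main__":
    loss = 10.0                                # L: $10M potential loss (constructed)
    grid = [i / 20 for i in range(1, 20)]      # v = 0.05 ... 0.95
    print("class II: v, z*, z*/(vL)")
    for v, z, frac in investment_profile(optimal_z_class2, loss, grid, alpha=1.0):
        print(f"{v:5.2f}  {z:6.3f}  {frac:5.3f}")
    # Profit-maximizing level vs. the level that looks best on an ROI ratio:
    # ROI falls as z grows, so chasing it stops well short of z*.
    v = 0.5
    z_star = optimal_z_class2(v, loss)
    for z in (z_star / 4, z_star / 2, z_star):
        print(f"z={z:5.3f}  ENBIS={enbis(z, v, loss, breach_prob_class2):6.3f}"
              f"  ROI={roi(z, v, loss, breach_prob_class2):6.2f}")
```

Running the script prints the class II profile for a constructed $10M loss: z* is zero below roughly v = 0.03, rises to its peak near v = 0.76, and drops back to zero above roughly v = 0.89, while z*/(vL) never exceeds 1/e. The last three lines show that a quarter of z* has a higher ROI ratio than z* itself but a lower expected net benefit, which is the point of the Strategic Finance paper's recommendation.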

For more on Managing Cybersecurity Resources, see:
