Gordon, L. A. and M. P. Loeb, "Budgeting Process for Information
Communications of the ACM
, January 2006. This paper provides empirical evidence concerning the
way organizations budget for information security expenditures. The
findings from this study indicate that economic concepts, such as NPV
and cost-benefit analysis, are beginning to gain acceptance from
senior information security managers in budgeting for information
A., M. P. Loeb and W. Lucyshyn, "Information Security Expenditures and
Real Options: A Wait-and-See Approach,"
Computer Security Journal , Vol. 19,
No. 2, 2003. Empirical evidence suggests that security breaches are
an important driver of actual expenditures on information security
activities. Although this wait-and-see approach toward information
security expenditures may seem unwise on the surface, there is a
rational economic explanation for such an approach under the
appropriate conditions. Indeed, as shown in this paper, this approach
toward information security
expenditures may be consistent with the real option (in particular,
the deferment option) view of capital budgeting.
A. and M. P. Loeb, "The Economics Information Security Investment,"
ACM Transactions on Information and
System Security , November 2002.
This paper presents an economic model that characterizes the optimal
monetary investment to protect a given set of information. It is shown
that, for a given potential loss, the optimal amount to spend to
protect an information set does not always increase with increases in
the information set’s vulnerability. Protecting highly vulnerable
information sets may be inordinately expensive, and a firm may be
better off concentrating its efforts on information sets with midrange
vulnerabilities. Moreover, the paper shows that the amount the firm
should spend to protect information sets should generally be only a
small fraction of the expected
A. and M. P. Loeb, “Return on Information Security Investments: Myths
vs. Reality,” Strategic Finance
, November 2002. Although measures of return on investment have gained
increased attention as a financial tool to evaluate information
security projects, conceptual and practical problems of these measures
have been largely ignored. This paper highlights several of these
problems. The paper shows that the common accounting measure of return
on investment is different from the economic measure of return on
investment, and that the accounting measure is inappropriate for both
the ex ante and ex post evaluation of information security projects.
The paper also recommends focusing on selecting a profit maximizing
level of information security investment as opposed to the investment
level that maximizes a measure of return on investment.
For more on Managing
Cybersecurity Resources, see:
Click Back to
Lawrence A. Gordon's HomePage