• Gordon, Lawrence A., Martin P. Loeb, and Tashfin Sohail, “A Framework for Using Insurance for Cyber Risk Management,” Communications of the ACM, March 2003, pp. 81-85.

Insurance companies, designing new policies to deal with the cyber risks of information breaches, have had to address issues related to pricing, adverse selection, and moral hazard. While these issues are common to all forms of insurance, this paper examines the unique aspects associated with cyber risk and presents a framework for using insurance as a tool for helping to manage information security risk. This framework is based on the risk management process and includes a four-step cyber risk insurance decision plan.

• Bodin, L.D., L.A. Gordon, and M.P. Loeb, “Information Security and Risk Management,” Communications of the ACM, (forthcoming).

Risk has a variety of meaning in the context of information security. The objectives of this paper are to discuss three measures that capture different aspects of information security risk and to propose a methodology that allows decision-makers to combine these (or any) different risk measures into a single composite metric.