Martin P. Loeb
Deloitte & Touche Faculty Fellow
Van Munching Hall 3351
Robert H. Smith School of Business
The University of Maryland
College Park, MD 20742, USA
Phone: (301) 405-2209



Managing Cybersecurity Resources: A Cost-Benefit Analysis



Information security is an appropriate response to rivals' development of competitor analysis systems. This paper provides a framework for using information security in such a fashion. The paper also provides a five-step approach toward allocating information security funds in an effort to protect a firm from becoming a meaningful part of the competition's competitor analysis system.

This paper presents an economic model that characterizes the optimal monetary investment to protect a given set of information. It is shown that, for a given potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set¡¦s vulnerability. Protecting highly vulnerable information sets may be inordinately expensive, and a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. Moreover, the paper shows that the amount the firm should spend to protect information sets should generally be only a small fraction of the expected

Insurance companies, designing new policies to deal with the cyber risks of information breaches, have had to address issues related to pricing, adverse selection, and moral hazard. While these issues are common to all forms of insurance, this paper examines the unique aspects associated with cyber risk and presents a framework for using insurance as a tool for helping to manage information security risk. This framework is based on the risk management process and includes a four-step cyber risk insurance decision plan.

  • Campbell, Katherine, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou, ¡§The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,¡¨ Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.

This study examines the economic effect of information security breaches on the stock market value of corporations. This approach takes into account the indirect costs, as well as the direct costs, to the firm. The analysis shows that cyber security breaches in which confidential private information is compromised (e.g., the release of customer credit card numbers, bank account numbers, or medical records to unauthorized parties) have a significant negative effect on the stock market value of the attacked firm. However, security breaches not related to confidentiality (e.g., a temporary shut down of a corporate website) involve costs that are transitory and are unlikely to significantly affect shareholder value. Thus, market participants appear to discriminate across types of breaches and economically rational investment strategies should focus on protecting the firms¡¦ most valuable information assets.

The U.S. federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. This paper presents a model to examine the welfare economic implications of this movement. It is shown that, since information sharing lowers the cost of each firm attaining any given level of information security, there are potential benefits for individual firms and society at large from sharing. However, it is also shown that in the absence of appropriate economic incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information).

  • Gordon, Lawrence A. and Martin P. Loeb, ¡§Expenditures on Competitor Analysis and Information Security: A Management Accounting Perspective,¡¨ Chapter in Management Accounting in the Digital Economy (Oxford University Press), A. Bhimini (ed), 2003, pp. 95-111.

An underlying premise for both expenditures on competitor analysis and expenditures on information security is that information is an economic good with strategic value. In this paper, a game theoretic model of a market shared by two rivals is presented and analyzed in order to shed light on how expenditures on competitor analysis affect, and are affected by, expenditures on information security. The paper also discusses the importance of these information economy based issues for management accounting.

  • Gordon, Lawrence A., Martin P. Loeb, and William Lucyshyn, ¡§Information Security Expenditures and Real Options: A Wait-and-See Approach,¡¨ Computer Security Journal, Vol 19, No. 2, 2003, pp. 1-7.

Empirical evidence suggests that security breaches are an important driver of actual expenditures on information security activities. Although this wait-and-see approach toward information security expenditures may seem unwise on the surface, there is a rational economic explanation for such an approach under the appropriate conditions. Indeed, as shown in this paper, this approach toward information security expenditures may be consistent with the real option (in particular, the deferment option) view of capital budgeting.

The Analytic Hierarchy Process (AHP) is a tool for analyzing multi-criteria decision problems involving quantitative and qualitative criteria. This paper shows how a Chief Information Security Officer can apply the AHP to determine the best way to spend a limited information security budget and to make a case to the organization's Chief Financial Officer for an increase in funds to further enhance the organization's information security.

This paper provides empirical evidence concerning the way organizations budget for information security expenditures. The findings from this study indicate that economic concepts, such as NPV and cost-benefit analysis, are beginning to gain acceptance from senior information security managers in budgeting for information security expenditures.

This book provides a guide for managers dealing with the economic and financial aspects of information security. It is intended to be a valuable resource for information security managers and other IT personnel seeking to attain additional organizational recourses for information security. Topics covered include a general economic cost-benefit framework for managing cybersecurity resources and risk, assessing the actual costs of cybersecurity breaches, preparing a business case for securing information security funding, the uses of security audits, and the role of cybersecurity in national security. In addition to its use to information security managers, this book should also prove valuable to instructors and students in university courses covering financial and economic aspects of information security.

This paper empirically examines the impact of the Sarbanes-Oxley Act (SOX) of 2002 on the voluntary disclosure of information security activities by corporations. The empirical evidence provided clearly indicates that SOX is having a positive impact on such disclosure. These findings provide strong indirect evidence that corporate information security activities are receiving more focus since the passage of SOX than before SOX was enacted.

This paper chronicles the development of economics of information security as an academic area of research. It also describes the contributions of the papers in the special section of this issue devoted to the topic.

Risk has a variety of meaning in the context of information security. The objectives of this paper are to discuss three measures that capture different aspects of information security risk and to propose a methodology that allows decision-makers to combine these (or any) different risk measures into a single composite metric.

Drawing on and extending the extant agency-based capital budgeting literature, this paper demonstrates the relevance of the study of management accounting controls to problems arising in the cybersecurity setting. The main finding is that firms can use an information security audit (which is an integral part of a management control system) along with adjustments to the compensation payments to the agent and the investment decision rules, to mitigate a Chief Information Security Officer¡¦s inherent empire building preferences. The paper also identifies additional research areas where management accountants with expertise in management control systems can contribute to the academic literature and practice surrounding cybersecurity issues.¡@

This paper provides strong evidence that disclosures concerning information security, in annual reports filed with the SEC are positively associated with the stock market value of the firms.¡@      


This paper shows that information security breaches have had significant impact on the stock market returns of firms. However, there has been significant downward shift in the impact of security breaches in the period following 9/11/2001 versus the impact in the pre-9/11/2011 sub-period.¡@