Lawrence A. Gordon Directory Page

Lawrence A. Gordon


EY Alumni Professor of Managerial Accounting and Information Assurance

Ph.D., Managerial Economics, Rensselaer Polytechnic Institute

  • Accounting and Information Assurance
  • Contact

    4332F Van Munching Hall

    Dr. Lawrence A. Gordon is the EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland (UMD), Robert H. Smith School of Business. He is also an Affiliate Professor in UMD's Institute for Advanced Computer Studies, an Affiliate Researcher at the Maryland Cybersecurity Center, and a faculty member in the ACES (Advanced Cybersecurity Experience for Students) program offered by UMD's Honors College. Dr. Gordon earned his Ph.D. in Managerial Economics from Rensselaer Polytechnic Institute. An internationally known scholar in the areas of managerial accounting and cybersecurity economics, Dr. Gordon's research focuses on such issues as economic aspects of cybersecurity, corporate performance measures, cost management systems, and capital investments. He is the author (or coauthor) of over 100 articles, published in such journals as Science, The Accounting Review, ACM Transactions on Information and System Security, Journal of Financial and Quantitative Analysis, Journal of Computer Security, Journal of Cybersecurity, Accounting Organizations and Society, Journal of Accounting and Public Policy, MIS Quarterly, Communications of the ACM, Decision Sciences, Omega, Journal of Business Finance and Accounting, Journal of Information Security, European Accounting Review, Accounting and Business Research, Managerial and Decision Economics, and Management Accounting Research. In two different studies, Dr. Gordon was cited as being among the world's most influential/productive accounting researchers. He also is the author (or coauthor) of several books including Managerial Accounting: Concepts and Empirical Evidence, Managing Cybersecurity Resources: A Cost-Benefit Analysis, and Capital Budgeting: A Decision Support System Approach. He was the Editor-in-Chief (2001-2018) and Co-Editor (1982-2001) of the Journal of Accounting and Public Policy. He is currently on the Editorial Board of several journals.
Prior to joining the University of Maryland, Dr. Gordon was a faculty member at McGill University and the University of Kansas. He also served as a Visiting Scholar at Columbia University while on sabbatical from the University of Maryland.

    Dr. Gordon is considered one of the pioneers in the field of cybersecurity economics (i.e., applying economic principles to cybersecurity-related issues). His current research emphasizes the importance of "accounting and economic aspects of cybersecurity" within an interconnected digital economy. He is the coauthor of the Gordon-Loeb Model, which provides an economic framework for deriving an organization's optimal level of cybersecurity investments.* This Model, which is the most widely referenced economics model for deriving the optimal amount to invest in cybersecurity activities, has been featured in the popular press (e.g., The Wall Street Journal). In 2017, the Council of Better Business Bureaus recommended the Gordon-Loeb Model as a guide to help small businesses in North America make cybersecurity investment decisions. A three-minute video describing the Model in non-mathematical terms can be found at: https://www.youtube.com/watch?v=cd8dT0FuqQ4. His work related to cybersecurity economics has received substantial external support from major government agencies. He is currently the PI on a $189K Research Award from the U.S. National Security Agency and a Co-PI on a $5M Grant from the U.S. National Science Foundation. He was previously the PI on a $667K Research Award from the U.S. Department of Homeland Security and a Co-PI on a $965K Research Award from the U.S. National Security Agency. In October 2007, Dr. Gordon was invited to provide Congressional Testimony concerning his research on cybersecurity economics before a Subcommittee of the U.S. House Committee on Homeland Security. Dr. Gordon's co-authored paper, "Increasing Cybersecurity Investments in the Private Sector," was one of three papers selected for recognition in the National Security Agency's 2016 Annual Best Scientific Cybersecurity Paper Competition.

    Dr. Gordon has received numerous research and teaching awards, as well as several service-related awards. He has also been an invited speaker at numerous universities around the world, including Harvard University, Columbia University, Carnegie Mellon University, University of Toronto, London Business School, London School of Economics and Political Science, McGill University, The University of Western Ontario, the University of Manchester, IE Business School, The University of Tokyo, Queen's University, and the University of California-Berkeley. In addition, he has been an invited speaker (often as the Keynote speaker) at numerous professional (i.e., non-academic) meetings. He also has served as a consultant to several private (e.g., IBM) and public (e.g., U.S. GAO) organizations. In 2016, Dr. Gordon was appointed by UMD's Provost and Senior VP to the Advisory Board of the Maryland Global Initiative on Cybersecurity (MaGIC).

    Dr. Gordon's Ph.D. students (i.e., students for whom he has served as the Chair or Co-Chair of their dissertation) have had an initial placement as an Assistant Professor at the Business Schools of such universities as Northwestern University, University of Southern California, Purdue University, Rensselaer Polytechnic Institute, IE Business School, McGill University, National Taiwan University, College of William & Mary, University of Hong Kong, and Michigan State University. His former M.B.A. students frequently contact him to discuss issues confronting their organizations. Dr. Gordon also is an active member of various professional organizations, a contributor to the popular press, and served as the President of the University of Maryland Faculty/Staff Club for over a decade.

    *The Gordon-Loeb Model was originally published in: Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, (November 2002), pp. 438-457.

    Gordon, L.A. and A. Wilford, "An Analysis of Multiple Consecutive Years of Material Weaknesses in Internal Control," The Accounting Review, November 2012, Vol. 87, No. 6, pp. 2027-2060.

    Gordon, L.A., M. P. Loeb, "The Impact of IFRS Adoption on Foreign Direct Investment," Journal of Accounting and Public Policy, Vol. 31, No. 4, 2012, pp. 374-398.

    Gordon, L.A., M. P. Loeb, and L. Zhou, "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?" Journal of Computer Security, 2011, Vol. 19, No. 1, pp. 33-56.

    Gordon, L. A., M. P. Loeb, and T. Sohail, "Market Value for Voluntary Disclosures Concerning Information Security," MIS Quarterly , 2010, Vol. 34, No. 3, pp. 567-594.

    Gordon, L. A., M. P. Loeb, and C-Y Tseng, “Enterprise Risk Management and Firm Performance: A Contingency Perspective,” Journal of Accounting and Public Policy , Vol. 28, No. 4, 2009, pp. 301-327.

    Gordon, L. A., M. P. Loeb, T. Sohail, C-Y Tseng, and L. Zhou, “Cybersecurity, Capital Allocations and Management Control Systems,” European Accounting Review , 2008, Vol. 17, issue 2, pp. 215-241.

    Bodin, L., L. A. Gordon and M. P. Loeb, "Information Security and Risk Management," Communications of the ACM, 2008, Vol. 51, issue 4, pp. 64-68.

    Gordon, L. A, M. P. Loeb and W. Lucyshyn, "Sharing Information on Computer  Systems Security: An Economic Analysis," Journal of Accounting and Public Policy, Vol. 22, No. 6 (2003), pp. 461-485.

    Boschen, J. F., A. I. Duru, L. A. Gordon and K. J. Smith, "Accounting and Stock Price Performance in Dynamic CEO Compensation Arrangements," The Accounting Review, (January 2003), pp. 143-168.

    Campbell, K., L. A. Gordon, M. P. Loeb and L. Zhou, "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," Journal of Computer Security, Vol. 11 (2003), pp. 431-448.

    Gordon, L. A., M. P. Loeb and T. Sohail, "A Framework for Using Insurance for Cyber Risk Management," Communications of the ACM, (March 2003), pp. 81-85.

    Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, (November 2002), pp. 438-457. (Reprinted in Economics of Information Security, 2004, Springer, Camp and Lewis, eds.)

    Gordon, L. A. and M. P. Loeb, "A Framework for Using Information Security as a Response to Competitor Analysis Systems," Communications of the ACM , (September 2001), pp. 70-75.

    Gordon, L. A. and M. P. Loeb, "Distinguishing Between Direct and Indirect Costs is Crucial for Internet-Based Companies," Management Accounting Quarterly, (Summer 2001), pp. 12-17.

    Gordon, L. A. and K. Smith, "Residual Income as a Performance Measure for Creating Firm Value," Finance India, (December 2001), pp. 1153-1172.

    Gordon, L. A. and K. Silvester, "Stock Market Reactions to Activity-Based Costing Adoptions," Journal of Accounting and Public Policy, Vol. 18, No. 3 (1999), pp. 229-251.

    Frey, K. and L. A. Gordon, "ABC, Strategy and business Unit Performance," International Journal of Applied Quality Management, Vol. 2, No. 1 (1999), pp. 1-23.

    Gordon, L. A., "Efficiency Derives Values," Finance India, (June 1998), pp. 369-373.

    Gordon, L. A. and M. Myers, "Tobin's q and Overinvestment," Applied Economic Letters, (January 1998), pp. 1-4.

    Gordon, L. A. and R. J. Iyengar, "Return on Investment and Corporate Capital Expenditures: Empirical Evidence," Journal of Accounting and Public Policy, Vol. 15, No. 4 (Winter 1996), pp. 305-325.

    Tsay, Y., F. Alt and L. A. Gordon, "The Market Reaction to Announced Deep Cuts in Capital Expenditures," Managerial and Decision Economics, Vol. 14, No. 1 (1993), pp. 1-14.

    Gordon, L. A. and K. Smith, "Postauditing Capital Expenditures and Firm Performance: The Role of Asymmetric Information," Accounting, Organizations and Society, Vol. 17, No. 8 (1992), pp. 741-757.

    Myers, M., L. A. Gordon and M. Hamer, "Postauditing Capital Assets and Firm performance: An Empirical Investigation," Managerial and Decision Economics, Vol. 12 (1991), pp. 317-327.

    Schick, A., L. A. Gordon and S. Haka, "Information Overload: A Temporal Approach," Accounting, Organizations and Society, Vol. 15, No. 3 (1990), pp. 199-220.

    Gordon, L. A., M. Loeb and A. Stark, "Capital Budgeting and the Value of Information," Management Accounting Research, Vol. 1., No. 1 (1990), pp. 21-35.

    Gordon, L. A., "Benefit-Cost Analysis and Resource Allocation Decisions," Accounting, Organizations and Society, Vol. 14, No. 3 (1989), pp. 247-258.

    Gordon, L. A. and A. Stark, "Accounting and Economic Rates of Return: A Note on Depreciation and Other Accruals," Journal of Business Finance and Accounting, Vol. 16, No. 3 (1989), pp. 425-432.

    Gordon, L. A. and M. Hamer, "Rates of Return and Cash Flow Profiles: An Extension," The Accounting Review (July, 1988), pp. 514-521.

    Gordon, L. A., M. Kleiner and R. Natarajan, "Federal Capital Expenditures and Budget Deficits: Gross National Product and Labor Implications," Journal of Accounting and Public Policy, Vol. 5, No. 4 (1986), pp. 217-232.

    Haka, S., L. A. Gordon and G. E. Pinches, "Sophisticated Capital Budgeting Selection Techniques and Firm Performance," The Accounting Review (October, 1985), pp. 651-669. Reprinted in Emmanuel, Otley and Merchant's Readings in Accounting for Management Control (Chapman & Hall), 1992.

    Gordon, L. A., S. Haka and A. Schick, "Strategies for Information Systems Implementations: The Case of Zero Based Budgeting," Accounting, Organizations and Society, Vol. 9, No. 2 (1984), pp. 111-123.

    Gordon, L. A. and V. K. Narayanan, "Management Accounting Systems, Perceived Environmental Uncertainty, and Organization Structure: An Empirical Investigation," Accounting, Organizations and Society, Vol. 9, No. 1 (1984), pp. 33-47.

    Larcker, D., L. A. Gordon and G. Pinches, "Testing for Market Efficiency: A Comparison of the Cumulative Average Residual Methodology and Intervention Analysis," Journal of Financial and Quantitative Analysis (June 1980), pp. 267-287.

    Falk, H. and L. A. Gordon, "Business Combination Decisions: A U.S./Canada Study," Decision Sciences (October, 1979), pp. 607-617.

    Gordon, L. A., D. Larcker and F. D. Tuggle, "Strategic Decision Processes and the Design of Accounting Information Systems: Conceptual Linkages," Accounting, Organizations and Society, Vol. 3, Nos. 3/4 (1978), pp. 203-213.

    Falk, H. and L. A. Gordon, "Assessing Industry Risk by Ratio Analysis: Validation," The Accounting Review (January, 1978), pp. 216-227.

    Dobrovolsky, S. P., L. A. Gordon and T. Pray, "Corporate Dividends, Taxes, and the Economy: A Simulation Experiment," Applied Economics, Vol. 9, No. 2 (1977), pp. 93-108.

    Gordon, L. A. and D. Miller, "A Contingency Framework for the Design of Accounting Information Systems," Accounting, Organizations and Society, Vol. 1, No. 1 (1976), pp. 59-69. Reprinted in Anton, Firmin, and Grove's 3rd ed. of Contemporary Issues in Cost and Managerial Accounting, Houghton-Mifflin Co., 1978; and Emmanuel, Otley and Merchant's Readings in Accounting for Management Control (Chapman & Hall), 1992.

    Miller, D. and L. A. Gordon, "Conceptual Levels and the Design of Accounting Information Systems," Decision Sciences (April, 1975), pp. 259-269.

    Gordon, L. A., "Allocating Service Departments' Costs: Methodology and Case Study," Accounting and Business Research (Winter, 1974), pp. 3-8.

    Gordon, L. A., "Accounting Rate of Return vs. the Economic Rate of Return," Journal of Business Finance and Accounting (Autumn, 1974), pp. 343-356. Reprinted in Organizational Performance Measurement, edited by D. Warwick, published by the Department of Accounting and Financial Management, The University of New England, Armidale, N.S.W., 1979.

    Gordon, L. A., "Differential Rate of Return Method for Reporting Holding Gains Earned by Fixed Assets," Accounting and Business Research (Summer, 1973), pp. 228-234.

    Gordon, L. A. and H. Cook, Jr., "Absorption Costing and Fixed Factors of Production," The Accounting Review (January, 1973), pp. 128-129.

    Gordon, L. A., "Comment on the Value of R2 in Regression Analysis," The Accounting Review (April, 1972), pp. 356-367.

    Dr. Gordon is a frequent contributor to the popular press on timely business and economic issues. His writings have appeared in such places as the Wall Street Journal, USA Today, Financial Times, Business Week, The Washington Post, Washington Business Journal, Bloomberg Personal Finance, Information Week and The Baltimore Sun. For example, in a series of short pieces near the end of the century, Dr. Gordon (with Dr. Martin Loeb) rebuked the Y2K (i.e., Millennium Bug) doomsayers. Recently, Dr. Gordon has written several pieces concerning "cybersecurity economics." In this latter regard, the Gordon-Loeb Model has been featured in the Wall Street Journal and the Financial Times.

    The security of information is a fundamental concern to organizations operating in the modern digital economy.  There are technical, behavioral, and organizational aspects related to this concern.  There are also economic aspects of information security.  

    One important economic aspect of information security revolves around deriving the right amount an organization should invest in protecting information.  Organizations also need to determine the most appropriate way to allocate such an investment.  Both of these aspects of information security are addressed by Gordon and Loeb in a paper entitled "The Economics of Information Security Investment."  This paper considers investments in information security activities based on a mathematical model (often referred to in the literature as the Gordon-Loeb Model) that considers a broad group of information security breach functions.

    The focus of the  Gordon-Loeb Model is to present an economic framework that characterizes the optimal level of investment to protect a given set of information.*  Based on the Gordon-Loeb Model, it is shown that the amount a firm should spend to protect information should generally be only a small fraction of the expected loss. More specifically, the Model shows that it is generally uneconomical to invest in information security activities (including cybersecurity related activities) more than 37 percent of the expected loss that would occur from a security breach.  The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability.  In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.    

    The Gordon-Loeb Model has been widely referenced in the academic and practitioner literature. This Model has been featured in The Wall Street Journal and the Financial Times. The Model has also been empirically tested in several different settings. For example, based on actual data from e-local governments in Japan, Tanaka et al. (2005, Journal of Accounting and Public Policy) provide support for the Model's economic framework concerning the relation between the optimal level of security investment and the vulnerability of the information set.

    For more information on specific details of the Gordon-Loeb Model see: Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, November 2002, pp. 438-457. Individuals interested in applying the Model, or just learning more about the Model, should contact Larry Gordon at: lgordon@rhsmith.umd.edu.

    *Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, (November 2002), pp. 438-457.

    Information security breaches in organizations are common in the modern digital economy. What is uncommon, though, is the approach being taken by a new breed of researchers who are applying economic concepts to cyber security problems (i.e., cybersecurity economics) in the hope of ultimately preventing (or at least reducing) their occurrence. This new research agenda has important implications for organizations around the world. Drs. Lawrence A. Gordon and Martin P. Loeb, along with other colleagues at the University of Maryland, are among the leading proponents of this new research agenda. An Annotated Bibliography of some of the main articles resulting from their research follows.

    Annotated Bibliography
     

    • Gordon, L.A., M.P. Loeb, and L. Zhou, “The Impact of Information Security Breaches: Has there been a Downward Shift?,” Journal of Computer Security , 2011, Vol. 19, No.1. This paper shows that information security breaches have had a significant impact on the stock market returns of firms. However, there has been a significant downward shift in the impact of security breaches in the sub-period following 9/11/2001 versus the impact in the pre-9/11/2001 sub-period.
    • Gordon, L.A., M.P. Loeb and T. Sohail, “Market Value of Voluntary Disclosures Concerning Information Security,” MIS Quarterly, 2010, Vol. 34, No. 3. This paper provides strong evidence that voluntary disclosures concerning information security, in annual reports filed with the SEC, are positively associated with the stock market value of firms.
    • Gordon, L. A., M. P. Loeb, T. Sohail, C-Y Tseng, and L. Zhou, “Cybersecurity, Capital Allocations and Management Control Systems,” European Accounting Review , Vol. 17, No. 2, 2008. This paper shows that firms can use an information security audit (which is part of a management control system), along with compensation payments to the agent and the investment decision rules, to mitigate a Chief Information Security Officer’s inherent empire building preferences.
    • Bodin, L., L.A. Gordon and M.P. Loeb, “Information Security and Risk Management,” Communications of the ACM , Vol. 51, No. 4, 2008. The objectives of this paper are to discuss three measures that capture different aspects of information security risk and to propose a methodology that allows decision-makers to combine these (or any) different risk measures into a single composite metric. The proposed new metric is called the Perceived Composite Risk (PCR) .
    • Gordon, L.A., M. P. Loeb, W. Lucyshyn and T. Sohail, “The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities,” Journal of Accounting and Public Policy, Vol. 25, No. 5, 2006. This paper provides empirical evidence that the Sarbanes-Oxley Act (SOX) of 2002 has had a significant impact on the voluntary disclosure of information security activities of corporations. These findings suggest that SOX has increased the information security activities of these firms.
    • Gordon, L. A. and M. P. Loeb, “Budgeting Process for Information Security Expenditures,” Communications of the ACM, January 2006.  This paper provides empirical evidence concerning the way organizations budget for information security expenditures.  The findings indicate that economic concepts, such as NPV and cost-benefit analysis, are beginning to gain acceptance from senior information security managers.
    •  Bodin, L., L. A. Gordon and M. P. Loeb, “Evaluating Information Security Investments Using the Analytic Hierarchy Process,” Communications of the ACM, February 2005. The Analytic Hierarchy Process (AHP) is a tool for analyzing multi-criteria decision problems involving quantitative and qualitative criteria. This paper shows how a Chief Information Security Officer can apply the AHP to determine the best way to spend a limited information security budget and to make a case to the organization’s Chief Financial Officer for an increase in funds to further enhance the organization’s information security.
    • Gordon, L. A., M. P. Loeb and W. Lucyshyn, “Sharing Information on Computer Systems Security: An Economic Analysis,” Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003.  The U.S. federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. This paper presents a model to examine the welfare economic implications of this movement. It is shown that, since information sharing lowers the cost of each firm attaining any given level of information security, there are potential benefits for individual firms and society at large from sharing.  However, it is also shown that in the absence of appropriate economic incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information).
    • Campbell, K., L.A. Gordon, M. P. Loeb and L. Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal of Computer Security, Vol. 11, No. 3, 2003.  This study examines the economic effect of information security breaches on the stock market value of corporations. This approach takes into account the indirect costs, as well as the direct costs, to the firm.   The analysis shows that cyber security breaches in which confidential private information is compromised (e.g., the release of customer credit card numbers, bank account numbers, or medical records to unauthorized parties) have a significant negative effect on the stock market value of the attacked firm.  However, security breaches not related to confidentiality (e.g., a temporary shut down of a corporate website) involve costs that are transitory and are unlikely to significantly affect shareholder value.  Thus, market participants appear to discriminate across types of breaches and economically rational investment strategies should focus on protecting the firms’ most valuable information assets.
    • Gordon, L A., M. P. Loeb and W. Lucyshyn, “Information Security Expenditures and Real Options: A Wait-and-See Approach,” Computer Security Journal, Vol. 19, No. 2, 2003.  Empirical evidence suggests that security breaches are an important driver of actual expenditures on information security activities.  Although this wait-and-see approach toward information security expenditures may seem unwise on the surface, there is a rational economic explanation for such an approach under the appropriate conditions.  Indeed, as shown in this paper, this approach toward information security expenditures may be consistent with the real option (in particular, the deferment option) view of capital budgeting.
    • Gordon, L. A., M. P. Loeb and T. Sohail, “A Framework for Using Insurance for Cyber Risk Management,” Communications of the ACM, March 2003.  Insurance companies, designing new policies to deal with the cyber risks of information breaches, have had to address issues related to pricing, adverse selection, and moral hazard. While these issues are common to all forms of insurance, this paper examines the unique aspects associated with cyber risk and presents a framework for using insurance as a tool for helping to manage information security risk.  This framework is based on the risk management process and includes a four-step cyber risk insurance decision plan.
    • Gordon, L. A. and M. P. Loeb, “The Economics of Information Security Investment,” ACM Transactions on Information and System Security, November 2002.  This paper presents an economic model that characterizes the optimal monetary investment to protect a given set of information. It is shown that the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. Protecting highly vulnerable information sets may be inordinately expensive, and a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. Moreover, the paper shows that the amount the firm should spend to protect information sets should generally be only a small fraction of the expected loss.
    • Gordon, L. A. and M. P. Loeb, “Return on Information Security Investments: Myths vs. Reality,” Strategic Finance, November 2002. Although ROI measures have gained attention as a financial tool to evaluate information security projects, conceptual and practical problems of these measures have been largely ignored.  This paper highlights several of these problems. The paper shows that the common accounting measure of return on investment is different from the economic measure of return on investment, and that the accounting measure is inappropriate for both the ex ante and ex post evaluation of information security projects. The paper also recommends selecting a profit maximizing level of information security investment rather than the level that maximizes a measure of return on investment.
    • Gordon, L. A. and M. P. Loeb, “Economic Aspects of Information Security,” Tech Trends Notes, Fall 2001.  This paper provides an economic framework for looking at the allocation of resources to information security activities.  A major argument of this paper is that expenditures on information security need to be considered in cost-benefit terms, in a similar fashion to the way organizations allocate resources to other activities.
    • Gordon, L. A. and M. P. Loeb, “A Framework for Using Information Security as a Response to Competitor Analysis Systems,” Communications of the ACM, September 2001. This paper provides a framework for using information security as an appropriate response to rivals’ competitor analysis systems.  The paper also provides a five-step approach toward allocating information security funds in an effort to protect a firm from becoming a part of a rival’s competitor analysis system.
    • Gordon, L. A. and M. P. Loeb, “Expenditures on Competitor Analysis and Information Security: A Management Accounting Perspective,” in Management Accounting in the Digital Economy (Oxford University Press), A. Bhimani (ed.), 2003.  An underlying premise for both expenditures on competitor analysis and expenditures on information security is that information is an economic good with strategic value. In this paper, a game theoretic model of a market shared by two rivals is analyzed to shed light on how expenditures on competitor analysis affect, and are affected by, expenditures on information security. The paper also discusses the importance of these issues for management accounting.
    • Book: Gordon, L. A. and  M. P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Analysis (McGraw-Hill, Inc.), 2006. A fundamental argument throughout the book is that the proper use of economic concepts will allow organizations (in both the private and public sectors) to achieve a higher level of cybersecurity than otherwise possible.  This argument is developed by providing an economic framework for: (1) determining the appropriate amount to invest in cybersecurity, and (2) procedures for allocating such resources to particular cybersecurity activities. 

    Managing Cybersecurity Resources: A Cost-Benefit Analysis

    By Lawrence A. Gordon and Martin P. Loeb

    Cybersecurity breaches are a fact of life in today's interconnected world and the financial and business impact of unauthorized intrusions can be devastating. But how can you know if your firm is committing too much money, or not enough, to protect itself against such unseen hazards?

    Managing Cybersecurity Resources provides you with hands-on analysis and answers on this vital question. An invaluable resource for information security managers tasked with establishing cybersecurity initiatives as well as financial managers who must determine how much to allocate to such initiatives, this focused yet wide-ranging book details:

    • Models that quantify precisely how firms should decide on the right amount to spend on cybersecurity
    • Concepts and empirical evidence for assessing the real costs of cybersecurity breaches
    • Strategies for minimizing the impact of negative incidents on company valuation

    The Internet is one of the great innovations of the past century. As with all innovations, it presents its users with both unprecedented opportunities and unavoidable perils. Managing Cybersecurity Resources outlines a cost-benefit framework for protecting your organization against the invasion of its information network while leaving you with the resources you need to compete and grow. In essence, this book applies economic analysis to help solve problems associated with cybersecurity.  As such, the book falls under the domain of the emerging field of "cybersecurity economics."

    "Using economic considerations to drive cybersecurity investments is a relatively new phenomenon. It happened when it did in large measure due to the efforts of this book's authors. It's a great thing for security that they've distilled their work from the past several years into one straightforward, comprehensive discussion. As they say within its pages: 'the reality is that cybersecurity investments can, and should, be determined in a rational economic manner.' If you've got budgetary responsibilities for information security, you need to spend time with this book." - Robert Richardson, Editorial Director, Computer Security Institute

    Every day, your organization's information system is at risk of attack. And while many of these attacks are little more than harmless pranks, other more insidious assaults can wreak devastating economic and operational damages. Nobody questions that you must take tangible steps to protect the cybersecurity of your organization. Thus, the question becomes: What is such protection worth? How can you, with so many areas competing for your firm's limited resources, determine the optimal level of funding to adequately secure your information and computer systems? And, perhaps most important, how can you convince decision-makers as well as colleagues of the importance of maintaining this funding?

    Managing Cybersecurity Resources details guidelines for using sound and measurable principles of cost-benefit analysis, as a complement to gut instinct, to efficiently allocate and manage cybersecurity resources within your organization. Written by two globally acknowledged leaders in the increasingly critical area of cybersecurity, this comprehensive exploration presents:

    • Key issues that impact the management of cybersecurity resources
    • An economic framework for achieving sufficient cybersecurity protection
    • The role risk plays in allocating cybersecurity resources
    • A generic approach for making the business case for securing funding deemed necessary
    • The growing role of cybersecurity in protecting national security

    Gordon, L. A. and M. P. Loeb, "Budgeting Process for Information Security Expenditures," Communications of the ACM , January 2006.  This paper provides empirical evidence concerning the way organizations budget for information security expenditures.  The findings from this study indicate that economic concepts, such as NPV and cost-benefit analysis, are beginning to gain acceptance from senior information security managers in budgeting for information security expenditures.

    Gordon, L. A., M. P. Loeb and W. Lucyshyn, "Information Security Expenditures and Real Options: A Wait-and-See Approach," Computer Security Journal, Vol. 19, No. 2, 2003.  Empirical evidence suggests that security breaches are an important driver of actual expenditures on information security activities.  Although this wait-and-see approach toward information security expenditures may seem unwise on the surface, there is a rational economic explanation for such an approach under the appropriate conditions.  Indeed, as shown in this paper, this approach toward information security expenditures may be consistent with the real option (in particular, the deferment option) view of capital budgeting.

    Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, November 2002.  This paper presents an economic model that characterizes the optimal monetary investment to protect a given set of information. It is shown that, for a given potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. Protecting highly vulnerable information sets may be inordinately expensive, and a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. Moreover, the paper shows that the amount the firm should spend to protect information sets should generally be only a small fraction of the expected loss.

    Gordon, L. A. and M. P. Loeb, “Return on Information Security Investments: Myths vs. Reality,” Strategic Finance, November 2002. Although measures of return on investment have gained increased attention as a financial tool to evaluate information security projects, conceptual and practical problems of these measures have been largely ignored.  This paper highlights several of these problems. The paper shows that the common accounting measure of return on investment is different from the economic measure of return on investment, and that the accounting measure is inappropriate for both the ex ante and ex post evaluation of information security projects. The paper also recommends focusing on selecting a profit maximizing level of information security investment as opposed to the investment level that maximizes a measure of return on investment.

    Contingency theory suggests that an accounting information system should be designed in a flexible manner so as to consider the environment and organizational structure confronting an organization. Accounting information systems also need to adapt to the specific decisions being considered.  In other words, accounting information systems need to be designed within an adaptive framework.

    • The first paper to specifically focus on the contingency view of accounting information systems in the accounting literature was "A Contingency Framework for the Design of Accounting Information Systems," Accounting, Organizations and Society , Vol.1, No. 1, pp. 59-69 (1976), by Lawrence A. Gordon and Danny Miller.  This paper laid out the basic framework for considering accounting information systems from a contingency perspective.
    • In a later paper, by Lawrence A. Gordon and V.K. Narayanan entitled "Management Accounting Systems, Perceived Environmental Uncertainty and Organization Structure: An Empirical Investigation," published in Accounting, Organizations and Society , Vol. 9, No. 1, pp. 33-47 (1984), it was shown that environmental uncertainty is a fundamental driver for designing management accounting systems among successful organizations.  A key finding in this study was that, as decision makers perceive greater environmental uncertainty, they tend to seek more external, nonfinancial and ex ante  information in addition to internal, financial and ex post information.  This latter finding has been confirmed by several studies that followed the Gordon and Narayanan paper.

    The information revolution has not only introduced new technologies but has changed the way business is conducted.  Economic transactions increasingly take place via digital electronic activities focused primarily on the interconnectivity obtained via the Internet.  A critical part of this interconnectivity is the way organizations have integrated their accounting and financial management systems with Internet-based applications.  The importance of the Internet to private and public organizations is well known.

    As a result of the above-noted developments, cybersecurity has moved to center stage.  Indeed, cybersecurity (with its emphasis on information and computer security) has itself become a key issue for private and public organizations in the digital economy.  The public policy implications of cybersecurity are now being actively debated.  The activities of the U.S. Department of Homeland Security have certainly highlighted the importance of this debate.

    In order to help form and resolve the debate concerning the relations among financial information systems, cybersecurity, and public policy, the University of Maryland's Robert H. Smith School of Business, in cooperation with the Center for Public Policy and Private Enterprise (from Maryland’s School of Public Policy), initiated a Forum entitled Financial Information Systems and Cyber Security: A Public Policy Perspective. The first Forum was held in May 2004. This Forum encourages the exchange of ideas among researchers and executives who share a common interest in issues related to Financial Information Systems and Cybersecurity.  Coordinators for the Forum are Lawrence A. Gordon, Martin P. Loeb, and William Lucyshyn. The Tenth Forum will be held in January 2014.

    Cybersecurity Risk Management (CRM) is concerned with the process of managing (reducing) potentially harmful uncertain events due to the lack of effective cybersecurity.  The key methods for managing cybersecurity risk include, but are not limited to: (1) the efficient use of resources, (2) internal controls, (3) information sharing, (4) technical improvements, (5) behavioral/organizational improvements, and (6) cybersecurity insurance.

    In order to facilitate research related to Cybersecurity Risk Management, the CRM Research Group has been formed. This Research Group consists of a network of individuals who have a particular interest in working on research issues related to economic aspects of Cybersecurity Risk Management.  The CRM Research Group is committed to using the tools of economic analysis to better understand and improve cybersecurity.  Correspondence concerning the CRM Research Group should be sent to Dr. Lawrence A. Gordon.

    Capital investment is an issue of fundamental concern to economists and managerial accountants.  In essence, capital investment decisions are resource allocation decisions.  Managerial accountants are especially concerned with the way capital investment (often called capital budgeting) decisions are made and the role of accounting information in making such decisions.  In addition, managerial accountants are concerned with the way to measure the performance of such decisions.  Several papers addressing these, and related, issues are listed below.

    • Gordon, L. A., M. P. Loeb, T. Sohail, C-Y Tseng, and L. Zhou, “Cybersecurity, Capital Allocations and Management Control Systems,” European Accounting Review, Vol. 17, issue 2, pp. 215-241.
    • Gordon, L.A., M.P. Loeb, and C. Tseng, “Capital Budgeting and Informational Impediments: A Managerial Accounting Perspective.” Chapter in Contemporary Issues in Management Accounting, Oxford University Press, A. Bhimani (ed.), 2006, pp. 146-165.
    • Gordon, L. A. and M. P. Loeb, “Process For Deciding on Information Security Expenditures: Empirical Evidence,” Communications of the ACM (January 2006), pp. 121-125.
    • Bodin, L., L. A. Gordon and M. P. Loeb, “Evaluating Information Security Investments Using the Analytic Hierarchy Process,” Communications of the ACM (February 2005), pp. 78-83.
    • Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, (November 2002), pp. 438-457.  (Reprinted in Economics of Information Security, 2004, Springer, Camp and Lewis, eds.)
    • Gordon, L. A. and R. J. Iyengar, “Return on Investment and Corporate Capital Expenditures: Empirical Evidence,” Journal of Accounting and Public Policy, Vol. 15, No. 4 (Winter 1996), pp. 305-325.
    • Gordon, L. A., M. P. Loeb and M. Myers, “A Note on Postauditing and Firm Performance,” Managerial and Decision Economics, Vol. 15 (1994), pp. 177-181.
    • Fettus, S. and L. A. Gordon, “Federal Capital Investment Information: An Assessment of Public Law 98-501,” Journal of Accounting and Public Policy, Vol. 13, No. 4 (Winter 1994), pp. 283-303.
    • Gordon, L. A. and K. Smith, “Postauditing Capital Expenditures and Firm Performance: The Role of Asymmetric Information,” Accounting, Organizations and Society, Vol. 17, No. 8 (1992), pp. 741-757.
    • Myers, M., L. A. Gordon and M. Hamer, “Postauditing Capital Assets and Firm performance: An Empirical Investigation,” Managerial and Decision Economics, Vol. 12 (1991), pp. 317-327.
    • Gordon, L. A., M. Loeb, and A. Stark, “Capital Budgeting and the Value of Information,” Management Accounting Research, Vol. 1., No. 1 (1990), pp. 21-35.
    • Gordon, L. A., M. Kleiner and R. Natarajan, “Federal Capital Expenditures and Budget Deficits: Gross National Product and Labor Implications,” Journal of Accounting and Public Policy, Vol. 5, No. 4 (1986), pp. 217-232.
    • Haka, S., L. A. Gordon and G. E. Pinches, “Sophisticated Capital Budgeting Selection Techniques and Firm Performance,” The Accounting Review, (October, 1985), pp. 651-669. Reprinted in Emmanuel, Otley and Merchant’s Readings in Accounting for Management Control (Chapman & Hall), 1992.
    • Gordon, L. A., D. Larcker and F. D. Tuggle, “Informational Impediments to the Use of Sophisticated Capital Budgeting Models,” Omega, Vol. 7, No. 1 (1979), pp. 67-74.
    • Gordon, L.A. and G. Pinches, "Improving Capital Budgeting: A Decision Support System Approach" (Addison-Wesley Publishing Co.: Massachusetts, 1984).

    An issue of long-standing concern to academicians is the relation between accounting and economic measures of performance. The papers listed below are among the many papers written on this subject.

    Gordon, L. A., M. P. Loeb, and C-Y Tseng, "Enterprise Risk Management and Firm Performance: A Contingency Perspective," Journal of Accounting and Public Policy, Vol. 28, No. 4, 2009, pp. 301-327.

    Gordon, L. A. and K. Smith, "Residual Income as a Performance Measure for Creating Firm Value," Finance India, December 2001, pp. 1153-1172.

    Gordon, L. A. and M. Myers, "Tobin's q and Overinvestment," Applied Economic Letters, (January 1998), pp. 1-4.

    Gordon, L. A. and R. J. Iyengar, "Return on Investment and Corporate Capital Expenditures: Empirical Evidence," Journal of Accounting and Public Policy, Vol. 15, No. 4 (Winter 1996), pp. 305-325.

    Gordon, L. A. and A. Stark, "Accounting and Economic Rates of Return: A Note on Depreciation and Other Accruals," Journal of Business Finance and Accounting, Vol. 16, No. 3 (1989), pp. 425-432.

    Gordon, L. A. and M. Hamer, "Rates of Return and Cash Flow Profiles: An Extension," The Accounting Review, (July 1988), pp. 514-521.

    Gordon, L. A., "Further Thoughts on the Accounting Rate of Return vs. the Economic Rate of Return," Journal of Business Finance and Accounting, (Spring, 1977), pp. 133-134.

    Gordon, L. A., "Accounting Rate of Return vs. the Economic Rate of Return," Journal of Business Finance and Accounting, (Autumn, 1974), pp. 343-356. Reprinted in Organizational Performance Measurement, edited by D. Warwick, published by the Department of Accounting and Financial Management, The University of New England, Armidale, N.S.W., 1979.

    Gordon, L. A. and M. C. Findlay, "IRR Computation and the Multi-Asset Problem," Omega, (August 1974), pp. 557-561.

    Gordon, L. A., "Differential Rate of Return Method for Reporting Holding Gains Earned by Fixed Assets," Accounting and Business Research, (Summer, 1973), pp. 228-234.

    Course Description (3 credits / 4 credits with additional London Experience Option): Globalization is transforming the world of business. Indeed, it is essential that today's businesses recognize the importance and effect of globalization on their ability to be successful. Two of the key drivers of global business in an information-based economy are accounting and computers. This course discusses the role of these two drivers in facilitating global business activities, with a focus on the Internet as the link that connects accounting, computers and global business. Besides lectures from the course instructor, Dr. Lawrence A. Gordon, the course also includes guest presentations from senior business and government executives. In addition, the course includes one field trip to a global organization based in Washington, D.C. (e.g., International Monetary Fund). Students earn 3 credits for the regular course. By adding the London Experience Option (see below) to the course, students can earn a fourth credit. To earn the fourth credit, students are required to submit an acceptable paper describing their London Experience. This course is one of many Honors Seminars offered by the Honors College at the University of Maryland.

    London Experience Option: Students have the option (but are not required) to participate in the “London Experience,” a 4-day trip to London with Dr. Gordon over spring break that allows students to visit global financial institutions based in London and meet with executives from global companies! The Honors College will cover half of each student’s expenses related to the London Experience.

    Dr. Gordon’s consulting focus is on the following issues:

    (1) the relation between performance measures and firm value,

    (2) efficient allocation of information security investments,

    (3) the planning and control of capital investments, and

    (4) the design and use of cost management systems for managerial decision making.

    2012

    Gordon L, Loeb M, Lucyshyn W. Social Science Research Network Working Paper Series [Internet]. 2012. Publisher's Version

    Abstract

    This paper examines the deferment option explanation for why information security breaches are so prevalent. Our examination will focus on security breaches within major U.S. corporations and will include some empirical evidence to support our discussion. As will be seen, the evidence presented supports the argument that the ubiquitous nature of security breaches is due, at least in part, to the wait-and-see (i.e., deferment option) approach of many senior managers. This article will also show why such an approach is quite rational from an economics perspective.

    2007

    Gordon L, Loeb M, Lucyshyn W, Sohail T. Social Science Research Network Working Paper Series [Internet]. 2007. Publisher's Version

    Abstract

    This paper empirically examines the impact of the Sarbanes-Oxley Act (SOX) of 2002 on the voluntary disclosure of information security activities by corporations. The empirical evidence provided clearly indicates that SOX is having a positive impact on such disclosure. These findings provide strong indirect evidence that corporate information security activities are receiving more focus since the passage of SOX than before SOX was enacted.

    Gordon L, Loeb M, Lucyshyn W. Social Science Research Network Working Paper Series [Internet]. 2007. Publisher's Version

    Abstract

    The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accounting reports for decision-making, the issue of sharing information on computer systems security has direct relevance to accounting, as well as to public policy. This paper presents a model to examine the welfare economic implications of this movement. In the absence of information sharing, each firm independently sets its information security expenditures at a level where the marginal benefits equal the marginal costs. It is shown that when information is shared, each firm reduces the amount spent on information security activities. Nevertheless, information sharing can lead to an increased level of information security. The paper provides necessary and sufficient conditions for information sharing to lead to an increased (decreased) level of information security. The level of information security that would be optimal for a firm in the absence of information sharing can be attained by the firm at a lesser cost when computer security information is shared. Hence, sharing provides benefits to each firm and total welfare also increases. However, in the absence of appropriate incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information). This latter situation results in the underinvestment of information security. Thus, appropriate incentive mechanisms are necessary for increases in both firm-level profits and social welfare to be realized from information sharing arrangements.

    2005

    Brown N, Gordon L, Wermers R. Social Science Research Network Working Paper Series [Internet]. 2005. Publisher's Version

    Abstract

    This study documents evidence consistent with herding in voluntary disclosure decisions in the context of capital expenditure forecasts and investigates two possible reasons for this behavior. Theories of rational herds suggest that herding in disclosure decisions may be due to either (1) the influence of information reflected in peer firms' past disclosure decisions (informational herding), and/or (2) managers' concern for their reputations (reputational herding). Using duration analysis for repeated events, we examine the timing of capital expenditure forecasts for a broad sample of disclosing and non-disclosing firms. We predict and find that the propensity to release capital expenditure forecasts is positively associated with the proportion of prior disclosing firms within the same industry, thus, providing evidence of herding. We also find that this positive association is even higher for firms in highly concentrated industries and firms with low barriers to entry. This finding suggests that firms facing relatively high industry competition may have greater incentives to herd. To provide further evidence of the underlying sources of this behavior, we examine whether the tendency to herd varies with the information content and specificity of prior same-industry forecasts, and with the level of managerial reputation. Our findings show that managers are more likely to disclose their expenditure plans when prior peer forecasts signal a decrease in future capital spending and when prior peer forecasts are more precise. Furthermore, we find that less reputable managers exhibit greater tendencies to herd in their disclosure decisions. These findings indicate that informational and reputational factors are both significant sources of herding in voluntary disclosure decisions.

    Dr. Gordon's primary teaching interests include: managerial accounting, cost accounting, cybersecurity economics, and managerial economics. Over the years, he has designed and taught a variety of new courses at the University of Maryland, including “Financial Planning and Control Systems for Managers and Consultants,” “Accounting and Economic Aspects of Cybersecurity,” and “The Role of Managerial Accounting and Computers in Facilitating Global Business.” His approach toward subject matter is interdisciplinary and global in nature, and his mode of delivery utilizes a combination of lectures, short cases, empirical evidence, and information technology.

    News

    Maryland Smith Researchers Awarded NSA Funding for ‘Cost-Benefit Analysis of Information Sharing’

    The National Security Agency's Laboratory for Telecommunication Sciences (LTS) has awarded research funding for a project titled "Cost-…

    2020 Cybersecurity Forum: Maryland Smith Grad Gives Insight into Cyber-Securing America

    Among U.S. Army branches, Infantry, Special Forces and Corps of Engineers are household names. Perhaps “Cyber,” the newest branch, is…

    Annual Cybersecurity Forum Set for 10 a.m. Jan. 8

    With the University of Maryland's delayed opening due to inclement weather, the 16th annual Forum on Financial Information Systems and…


    Research

    In Accounting Research, a Move Toward the Inductive?

    How data analytics and machine learning are transforming accounting studies


    Insights

    10 COVID-Era Trends That Are Here To Stay

    From healthcare to banking, how our lives have changed

    How To Stay Ahead of Cyber Risk

    Effective Cybersecurity Requires an Interdisciplinary Approach
