Lawrence A. Gordon, Ernst & Young Alumni Professor of Managerial Accounting, and Martin Loeb, professor of accounting and information assurance and Deloitte & Touche Faculty Fellow, are pioneers in the economics and financial management of cybersecurity resources. A brief overview of recent key research is now being made available to Chinese scholars through a translation on Gordon's Web site. It is the pair's first foray to directly connect their counterparts in China with the results of their research. "I am hoping that these translations will make this research more accessible to Chinese-speaking academicians and practitioners," says Gordon.
Gordon and Loeb started applying economic concepts such as cost-benefit analysis to cybersecurity issues back in 1998. At the time, some skeptics accused them of advocating voodoo economics in large part due to the uncertainty that permeates the process of evaluating information security activities. Yet, as Loeb points out, risk and uncertainty are too often a convenient excuse for avoiding careful economic analysis and just following the herd. Today these skeptics have largely disappeared, and the interactions of economics and cybersecurity are being more intensively scrutinized by both scholars and by business leaders eager to maximize the value of their information security investments.
Information is a very valuable asset in today's world. "In a company it's not just the information of private individuals which is being protected, it is the details of ongoing mergers, or product development information," says Gordon. Companies need to protect this asset, which means they need to understand how to most efficiently allocate their organization's resources to information security.
Gordon and Loeb developed a model to present an economic framework that characterizes the optimal level of investment to protect a given set of information. The Gordon-Loeb Model shows that the amount a firm should spend to protect information should generally be only a small fraction of the expected loss. The model shows that it rarely pays to invest more than 37 percent of the expected loss that would occur from a security breach. Furthermore, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set's vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
This research has been increasingly in demand as the credibility of this new field of research grows. Gordon and Loeb's paper entitled "The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities" was recently listed on SSRN's Top 10 download list for "ERN Public Policy Centers Research Papers." SSRN, the Social Sciences Research Network, is the online research database that the Smith School uses to catalog its working papers.