Gordon-Loeb Model for Investing in Information Security

The security of information is a fundamental concern to organizations operating in the modern digital economy. There are technical, behavioral, and organizational aspects related to this concern. There are also economic aspects of information security. One important economic aspect of information security (including cybersecurity) revolves around deriving the right amount an organization should invest in protecting information. Organizations also need to determine the most appropriate way to allocate such an investment. Both of these aspects of information security are addressed by Drs. Lawrence A. Gordon and Martin P. Loeb, professors of accounting and information assurance at the University of Maryland's Robert H. Smith School of Business, in a paper entitled "The Economics of Information Security Investment." This paper considers investments in information security activities based on a mathematical model (often referred to as the Gordon-Loeb Model) that considers a broad group of information security breach functions.

The focus of the Gordon-Loeb Model is to present an economic framework that characterizes the optimal level of investment to protect a given set of information. Based on the Gordon-Loeb Model , it is shown that the amount a firm should spend to protect information should generally be only a small fraction of the expected loss. More specifically, the Gordon-Loeb Model shows that it is generally uneconomical to invest in information security activities (including cybersecurity related activities) more than 37 percent of the expected loss that would occur from a security breach. The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information sets vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.

The Gordon-Loeb Model has been widely referenced in the academic and practitioner literature and has also been empirically tested, and at least partially confirmed, in several different settings. For more information on specific details of the Gordon-Loeb Model see: Gordon, L. A. and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, November 2002, pp. 438-457. Individuals interested in applying, or just learning more about, the Gordon-Loeb Model should contact Larry Gordon at: lgordon@rhsmith.umd.edu.