
Gordon–Loeb model

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 129.2.89.226 (talk) at 20:17, 16 March 2023. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Ideal level of investment in company computer security, given decreasing incremental returns

The Gordon–Loeb model is a mathematical economic model analyzing the optimal investment level in information security.

Investing to protect company data involves a cost that, unlike other investments, usually does not generate revenue. It does, however, serve to prevent additional costs. Thus, it is important to compare how expensive it is to protect a specific set of data with the potential loss in case that data is stolen, lost, damaged or corrupted. To use this model, the company must know three parameters:

  1. how much the data being protected is worth;
  2. the probability that an attack on the data will succeed, which combines the vulnerability of the data with the "threat" associated with a cyber attack;
  3. the productivity of additional investment in cybersecurity-related activities (what Gordon and Loeb called the security breach function).

Multiplying the first two parameters gives the expected loss from a successful cyber attack when nothing is invested in cybersecurity. Gordon and Loeb's original paper was reprinted in the 2004 book Economics of Information Security.[1] Gordon and Loeb are both professors at the University of Maryland's Robert H. Smith School of Business.
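The arithmetic above, carried one step further as an added example (it is not code from the article or from Gordon and Loeb). It assumes the "class I" security breach probability function S(z, v) = v / (αz + 1)^β from the original Gordon–Loeb paper, where z is the amount invested and α, β are productivity parameters; those parameters, the closed-form maximiser and the sample values are assumptions not stated on this page. The code computes the expected loss with zero investment (v × L), the investment z* that maximises expected net benefit, a brute-force cross-check, and a test of the 1/e rule cited in reference [12]:

```python
import math

# Assumed form (Gordon-Loeb "class I" breach function), not from this page:
#   S(z, v) = v / (alpha*z + 1)**beta


def expected_loss(v, L):
    """Expected loss with no security investment: vulnerability v (probability
    that a threat succeeds) times the loss L if the breach occurs."""
    return v * L


def breach_probability(z, v, alpha, beta):
    """Class I breach function. S(0, v) = v, and S falls toward 0 with
    decreasing returns as the investment z grows (alpha, beta > 0)."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, L, alpha, beta):
    """Expected net benefit of investing z: reduction in expected loss minus cost."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def optimal_investment(v, L, alpha, beta):
    """Closed-form maximiser of enbis for the class I function (assumption).
    First-order condition: v*L*alpha*beta*(alpha*z + 1)**-(beta + 1) = 1.
    If the marginal benefit at z = 0 is already below 1, invest nothing."""
    k = v * L * alpha * beta
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def optimal_investment_grid(v, L, alpha, beta, steps=100_000):
    """Brute-force cross-check of the closed form: scan z over [0, v*L]."""
    z_max = expected_loss(v, L)
    best_z, best_val = 0.0, enbis(0.0, v, L, alpha, beta)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, L, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def one_over_e_bound(v, L):
    """The '1/e rule': optimal spend never exceeds (1/e) of the expected loss."""
    return expected_loss(v, L) / math.e


def bound_holds_everywhere(v, L, alphas, betas):
    """Sweep productivity parameters and confirm z* <= v*L/e for each pair."""
    cap = one_over_e_bound(v, L)
    return all(optimal_investment(v, L, a, b) <= cap for a in alphas for b in betas)


if __name__ == "__main__":
    # Constructed sample: a data set worth L = 1000 (any currency unit),
    # vulnerability v = 0.5, productivity parameters alpha = 0.01, beta = 1.
    v, L, alpha, beta = 0.5, 1000.0, 0.01, 1.0
    z_star = optimal_investment(v, L, alpha, beta)
    print(f"expected loss with no investment: {expected_loss(v, L):.2f}")
    print(f"optimal investment z*: {z_star:.2f} (bound vL/e = {one_over_e_bound(v, L):.2f})")
    print(f"expected net benefit at z*: {enbis(z_star, v, L, alpha, beta):.2f}")
```

For the sample values the expected loss is 500, the optimal investment is about 123.6, well under the 1/e bound of about 183.9, and the grid search lands on the same point. The sweep in `bound_holds_everywhere` is the practitioner's sanity check: for this functional form the ratio z*/(vL) peaks at (β/(β+1))^(β+1), which approaches 1/e from below, so the bound is never crossed.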

The Gordon–Loeb model is one of the most widely accepted analytical models for the economics of cyber security. The model has been widely referenced in the academic and practitioner literature.[2][3][4][5][6][7][8][9][10] The model has also been empirically tested in several different settings. Research by mathematicians Marc Lelarge[11] and Yuliy Baryshnikov[12] generalized the results of the Gordon–Loeb model.

The Gordon–Loeb model has been featured in the popular press, such as The Wall Street Journal[13] and The Financial Times.[14]

References

  1. Camp, L. Jean; Lewis, Stephen, eds. (2004). Economics of Information Security. Kluwer. ISBN 978-1-4020-8089-0.
  2. Matsuura, Kanta (23 April 2008). "Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model" (PDF). Retrieved 30 October 2014.
  3. Willemson, Jan (2006). "On the Gordon & Loeb Model for Information Security Investment" (PDF).
  4. Willemson, Jan (2010). "Extending the Gordon and Loeb Model for Information Security Investment". 2010 International Conference on Availability, Reliability and Security. pp. 258–261. doi:10.1109/ARES.2010.37. ISBN 978-1-4244-5879-0. S2CID 11526162.
  5. Johnson, E. (2009). Managing Information Risk and the Economics of Security. Springer. p. 99. ISBN 9780387097626. Retrieved 30 October 2014.
  6. "The Gordon-Loeb Investment Model Generalized: Time Dependent Multiple Threats and Breach Losses over an Investment Period". BibSonomy. Archived from the original on 17 May 2014. Retrieved 30 October 2014.
  7. Su, Xiaomeng (15 June 2006). "An Overview of Economic Approaches to Information Security Management" (PDF). Retrieved 30 October 2014.
  8. Böhme, Rainer (29 August 2010). "Security Metrics and Security Investment Models" (PDF). International Computer Science Institute, Berkeley, California. Archived from the original (PDF) on 17 May 2014. Retrieved 30 October 2014.
  9. Ye, Ruyi (2014). "An economic model of investment in information security". repository.ust.hk. HKUST Institutional Repository. Retrieved 30 October 2014.
  10. Kuramitsu, Kimio (21 July 2005). "A Case Study of Gordon-Loop Model on Optimal Security Investments" 最適投資モデルに基づくセキュアシステム設計と事例研究 [Secure System Design Based on Optimal Investment Model and Case Study]. 電子情報通信学会技術研究報告 = IEICE Technical Report: 信学技報 (in Japanese). 105 (193). CiNii: 243–248. ISSN 0913-5685. Retrieved 30 October 2014.
  11. Lelarge, Marc (December 2012). "Coordination in Network Security Games: A Monotone Comparative Statics Approach". IEEE Journal on Selected Areas in Communications. 30 (11): 2210–9. arXiv:1208.3994. Bibcode:2012arXiv1208.3994L. doi:10.1109/jsac.2012.121213. S2CID 672650. Archived from the original on 14 May 2014. Retrieved 13 May 2014.
  12. Baryshnikov, Yuliy (24 February 2012). "IT Security Investment and Gordon-Loeb's 1/e Rule" (PDF). Retrieved 30 October 2014.
  13. Gordon, Lawrence; Loeb, Martin (26 September 2011). "You May Be Fighting the Wrong Security Battles". The Wall Street Journal. Retrieved 9 May 2014.
  14. Palin, Adam (30 May 2013). "Maryland professors weigh up cyber risks". Financial Times. Retrieved 9 May 2014.