The economics of information security investment

Published: 01 November 2002

Abstract

This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.
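The model the abstract describes, worked through as an added example (this code is not from the paper or from the ACM page). It implements the two classes of security-breach probability functions that Gordon and Loeb analyse, S^I(z, v) = v/(αz+1)^β and S^II(z, v) = v^(αz+1), the expected net benefit ENBIS(z) = [v − S(z, v)]·L − z, and the optimal investment z* from each class's first-order condition, then checks the closed forms against a brute-force search. The closed forms and the 1/e bound are the paper's results; the loss L, the shape parameters α and β, the vulnerability grid and the numeric check are constructed here for illustration.

```python
"""
Gordon-Loeb model, as an added worked example (not code from the paper).
Symbols follow the paper: v is the vulnerability (probability of a breach
with no extra investment), L the potential loss, z the investment,
S(z, v) the breach probability after investing z, and
ENBIS(z) = [v - S(z, v)] * L - z the expected net benefit of that spend.
alpha, beta and every dollar figure below are constructed for illustration.
"""
import math


def s_class1(z, v, alpha=1e-5, beta=1.0):
    """Class I breach-probability function: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1) ** beta


def s_class2(z, v, alpha=1e-5):
    """Class II breach-probability function: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1)


def enbis(z, v, L, s):
    """Expected net benefit: expected loss avoided minus the amount spent."""
    return (v - s(z, v)) * L - z


def z_star_class1(v, L, alpha=1e-5, beta=1.0):
    """Optimal investment for class I, from the first-order condition
    v*L*alpha*beta*(alpha*z + 1)**-(beta + 1) = 1, clamped at zero."""
    z = ((v * L * alpha * beta) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def z_star_class2(v, L, alpha=1e-5):
    """Optimal investment for class II, from the first-order condition
    alpha*L*ln(1/v)*v**(alpha*z + 1) = 1, clamped at zero."""
    if not 0.0 < v < 1.0:
        return 0.0
    k = alpha * L * math.log(1.0 / v)
    z = (math.log(k) / math.log(1.0 / v) - 1.0) / alpha
    return max(z, 0.0)


def z_star_numeric(v, L, s, steps=10000):
    """Brute-force maximiser of ENBIS over z in [0, v*L], used to check the
    closed forms above.  Spending more than the expected loss v*L can never pay."""
    z_max = v * L
    best_z, best = 0.0, enbis(0.0, v, L, s)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, L, s)
        if val > best:
            best_z, best = z, val
    return best_z


def spend_fraction(z, v, L):
    """Share of the expected loss v*L that the investment z represents.
    The paper shows the optimal share never exceeds 1/e (about 36.8%)."""
    return z / (v * L)


def sweep(L, vs, z_star):
    """Optimal investment at each vulnerability level, to see how z* moves with v."""
    return [(v, round(z_star(v, L))) for v in vs]


if __name__ == "__main__":
    L = 1_000_000  # constructed potential loss
    vs = [0.01, 0.1, 0.3, 0.5, 0.75, 0.9, 0.99]
    print("class I  :", sweep(L, vs, z_star_class1))  # z* rises with v
    print("class II :", sweep(L, vs, z_star_class2))  # z* peaks at mid-range v, zero at the ends
    for v in vs:
        z = z_star_class2(v, L)
        print(f"v={v:.2f}  z*={z:>10.0f}  share of vL={spend_fraction(z, v, L):.3f}")
```

Running the sweep with these constructed parameters shows both points the abstract makes: under class I the optimal spend rises monotonically with vulnerability, but under class II it is zero for very low and very high v (the highly vulnerable set is too expensive to protect) and largest in the middle of the range, and in no case does z* exceed v·L/e.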



        Reviews

        Melissa C. Stange

        A practical approach is presented in this paper for determining the investment requirements necessary for information protection. The model used is explained in detail throughout the 18 pages of the paper. Gordon and Loeb's detailed approach, which includes textual explanations, formulas, graphics, and proofs, is excellent for clarifying the subject matter. The authors even take the extra step of including a discussion of which areas their research model does not address. These areas include perverse economic incentives affecting investment, dynamic issues, and game theoretic aspects. The paper is clearly written. It is organized into four sections, which easily flow from one to the next. The authors present analyses for a broad class of security breach probability functions; optimal security spending is presented as an increasing function of vulnerability level. The paper also provides a strong conceptual foundation in explaining why current research has fallen short in this area; the focus of research in information security has mainly been on technical issues. This useful and thought-provoking model paper will not only be interesting to technical security professionals, but will also provide excellent reading for anyone faced with the task of developing a budget for information security. The most interesting thing I found in the paper was the fact that the model showed that management should be concentrating on midrange vulnerabilities, instead of on the high end. This is very important to current practice, in that most security teams do concentrate on the high end. Gordon and Loeb make a good recommendation to security teams, suggesting that all information be split into security breach vulnerability sets (low, middle, and high), and the sets then be defended moderately, instead of devoting all resources to one set. I recommend this paper highly to students, researchers, and information managers. Online Computing Reviews Service

        Roxanne B. Everetts

        Gordon and Loeb report on a model that they have developed to evaluate how much information security is needed to protect data assets, and to determine the optimal investment, given the value of the assets and their vulnerability. The authors argue that contrary to current best practices (which dictate that the more value attached to an asset, the greater the investment needed to protect it), the optimal information security investment does not always increase proportionately to increases in vulnerability; there is a point at which it is not in the best interest of a firm to make increasingly larger investments in information security. Gordon and Loeb’s findings indicate that investments in information security should not exceed 37 percent of the expected loss in the event of a breach. This finding offers an economic model for information security investment decisions. The authors observe correctly that the field of information security is currently drawing a great deal of attention. However, the focus of much of current research is on technical issues (how to make systems harder to breach), or on behavior (how to make people interact with systems in a manner that does not increase their vulnerabilities). There is little written to assist with determining the optimal level of investment, to help organizations determine how much it should cost to protect their information. The paper presents the authors’ model in scholarly fashion, and provides excellent dialogue to walk the reader through the proofs and propositions they have developed to support it. The arguments are well presented and clearly documented. Gordon and Loeb clearly identify the limitations of their research and the assumptions made in constructing their initial model. The references cited are mostly current, and reflect a wide range of inquiry into the field. The length of the paper is appropriate for the material presented. 
        In layman’s terms, what Gordon and Loeb are arguing is that the law of diminishing returns applies to information security. It is not acceptable to continue to believe that if you throw endless amounts of money at a problem, you will have a solution. It is long past time that our field accepted this reality, and changed its focus accordingly. This work represents forward-looking thinking. It should be recognized as a valuable contribution to current research in the information security field. Online Computing Reviews Service

        Lee Imrey

        Gordon and Loeb's paper is well timed. As businesses suffer from the economic uncertainties of the 21st century, management is looking for ways to contain costs while continuing to meet fiduciary responsibilities. This requires companies to spend "enough" to protect their information assets, but no more than that. Unfortunately, we lack clear guidance on how much is "enough." Many auditing and vulnerability assessment teams approach information security from a technical perspective, and perform a "binary analysis" of security measures: "Do you have a firewall or not?" "Are you running a host-based IDS or not?" This approach generates a compendium of vulnerabilities, sometimes includes suggested countermeasures, but ultimately fails to address the business perspective, which must balance expected risk with cost of mitigation. In some cases, the most effective business decision may be to accept a risk, rather than mitigate it. Gordon and Loeb recognize this gap between the business perspective and the technical viewpoint, and have made a creditable first step to bridge it. Through applying the techniques of economic analysis to information security investment, they bring quantitative precision to what has been a more qualitative process of risk management. According to their mathematical analysis, optimal investments in information security rise with the vulnerability of information, but in some cases reach a point of diminishing return. This is intuitively known to all who have worked in the industry for any period of time, but Gordon and Loeb's paper provides definitive support for this view, which may be more effective in business impact analyses than intuition, however justified.
        The authors recognize that the model they use represents a simplification for most businesses, perhaps even an over-simplification, but correctly state that their work represents a starting point for further research into more complex models of information security investment, and into means to determine the optimal allocation of resources. Overall, I recommend this paper to those whose job requires budgeting for the protection of information. Online Computing Reviews Service


        Published in

          ACM Transactions on Information and System Security, Volume 5, Issue 4 (November 2002), 174 pages
          ISSN: 1094-9224, EISSN: 1557-7406
          DOI: 10.1145/581271

          Copyright © 2002 ACM

          Publisher: Association for Computing Machinery, New York, NY, United States
