ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
The economics of information security investment
Full text PdfPdf (461 KB)
Source ACM Transactions on Information and System Security (TISSEC) archive
Volume 5 ,  Issue 4  (November 2002) table of contents
Pages: 438 - 457  
Year of Publication: 2002
ISSN:1094-9224
Authors
Lawrence A. Gordon  University of Maryland, College Park, MD
Martin P. Loeb  University of Maryland, College Park, MD
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 174,   Downloads (12 Months): 1366,   Citation Count: 29
Additional Information:

abstract   references   cited by   index terms   reviews   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/581271.581274
What is a DOI?

ABSTRACT

This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Anderson, J. 1972. Computer security technology planning study. U.S. Air Force Electronic Systems Division Tech. Rep. (Oct.), 73--51.
 
2
R. Anderson, Why Information Security is Hard-An Economic Perspective, Proceedings of the 17th Annual Computer Security Applications Conference, p.358, December 10-14, 2001
3
Stefan Axelsson, The base-rate fallacy and the difficulty of intrusion detection, ACM Transactions on Information and System Security (TISSEC), v.3 n.3, p.186-205, Aug. 2000  [doi>10.1145/357830.357849]
 
4
Buzzard, K. 1999. Computer security---What should you spend your money on. Comput. Sec. 18, 4, 322--334.
 
5
Thomas E. Daniels , Eugene H. Spafford, Identification of host audit data to detect attacks on low-level IP vulnerabilities, Journal of Computer Security, v.7 n.1, p.3-35, Sept. 1999
 
6
Dorothy E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, v.13 n.2, p.222-232, Feb. 1987  [doi>10.1109/TSE.1987.232894]
7
Dorothy E. Denning , Dennis K. Branstad, A taxonomy for key escrow encryption systems, Communications of the ACM, v.39 n.3, p.34-40, March 1996  [doi>10.1145/227234.227239]
 
8
Finne, T. 1998. A conceptual framework for information security management. Comput. Sec. 17, 4, 303--307.
9
Deborah Frincke, Balancing cooperation and risk in intrusion detection, ACM Transactions on Information and System Security (TISSEC), v.3 n.1, p.1-29, Feb. 2000  [doi>10.1145/353323.353324]
10
Lawrence A. Gordon , Martin P. Loeb, Using information security as a response to competitor analysis systems, Communications of the ACM, v.44 n.9, p.70-75, Sept. 2001  [doi>10.1145/383694.383709]
 
11
Jim Hann , Ron Weber, Information systems planning: a model and empirical tests, Management Science, v.42 n.7, p.1043-1064, July 1996  [doi>10.1287/mnsc.42.7.1043]
 
12
Hoo, K. 2000. How much is enough? A risk-management approach to computer security. Consortium for Research on Information Security Policy (CRISP) Working Paper. Stanford University, Stanford, Calif., June.
 
13
Jajodia, S. and Millen, J.. 1993. Editors' preface. J. Comput. Sec. 2, 2/3, 85.
 
14
Jones, A. 1997. Penetration testing and system audit. Comput. Sec. 16, 595--602.
 
15
KPMG. 2000. Information Security Survey 2000. http://www.kpmg.co.uk/services/audit/pubs/ISS (Apr.), 1--4
 
16
Larsen, A. 1999. Global security survey: Virus attack. InformationWeek.Com. http://www.informationweek.com/743/security.htm.
 
17
Littlewood, B., Broclehurst, S., Fenton, N., Mellor, P., Page, S., Wright, D., Dobson, J., Mcdermid, J., and Gollman, D. 1993. Towards operational measures of security. J. Comput. Sec. 2, 2, 211--229.
 
18
Loch, K. D., Carr, H. H., and Warkentin, M. E. 1992. Threats to information systems: Today's reality, yesterday's understanding. MIS Quart. 17, 2, 173--186.
 
19
Luotonen, O. 1993. Risk management and insurances. Painatuskeskus Oy. Helsinki, Finland.
 
20
Lee McKnight , Richard Solomon , Joseph Reagle , David Carver , Clark Johnson , Branko Gerovac , David Gingold, Information security for Internet commerce, Internet economics, MIT Press, Cambridge, MA, 1997
 
21
Catherine Meadows, A cost-based framework for analysis of denial of service in networks, Journal of Computer Security, v.9 n.1-2, p.143-164, Jan. 1,2001
 
22
Millen, J. 1992. A resource allocation model for denial of service. In Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif., pp. 137--147.
 
23
Krishnamurty Muralidhar , Dinesh Batra , Peeter J. Kirs, Accessibility, security, and accuracy in statistical databases: the case for the multiplicative fixed data perturbation approach, Management Science, v.41 n.9, p.1549-1564, Sept. 1995  [doi>10.1287/mnsc.41.9.1549]
 
24
NIST (National Institute of Standards and Technology). 1995. An Introduction to Computer Security: The NIST Handbook. (Special Publication 800-12).
25
Sylvia Osborn , Ravi Sandhu , Qamar Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.2, p.85-106, May 2000  [doi>10.1145/354876.354878]
 
26
Peyravian, M., Roginsky, A., and Zunic, N. 1999. Hash-based encryption. Comput. Sec. 18, 4, 345--350.
 
27
Charles P. Pfleeger, Security in computing, Prentice-Hall, Inc., Upper Saddle River, NJ, 1996
 
28
Power, R. 2001. 2001 CSI/FBI computer crime and security survey. Comput. Sec. J. 17, 2 (Spring), 29--51.
29
Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999  [doi>10.1145/300830.300839]
 
30
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
 
31
Schneier, B. 1996. Applied Cryptography (2nd ed.), Wiley. New York.
32
Gustavus J. Simmons, Cryptanalysis and protocol failures, Communications of the ACM, v.37 n.11, p.56-65, Nov. 1994  [doi>10.1145/188280.188298]
 
33
Straub, D. W. 1990. Effective IS security: An empirical study. Inf. Syst. Res. 1, 3, 255--276.
 
34
Detmar W. Straub , Richard J. Welke, Coping with systems risk: security planning models for management decision making, MIS Quarterly, v.22 n.4, p.441-469, Dec. 1998  [doi>10.2307/249551]
 
35
Varian, H. R. 1997. How to build an economic model in your spare time. Part of a collection titled Passion and Craft: Economists at Work, ed. Michael Szenberg, University of Michigan Press, available at http://www.sims.berkeley.edu/∼hal/Papers/how.pdf.
 
36
Giovanni Vigna , Richard A. Kemmerer, NetSTAT: a network-based intrusion detection system, Journal of Computer Security, v.7 n.1, p.37-71, Sept. 1999
 
37
Wiseman, S. 1986. A secure capability computer system. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif, pp. 86--94.

CITED BY  29
Huseyin Cavusoglu , Birendra Mishra , Srinivasan Raghunathan, A model for evaluating IT security investments, Communications of the ACM, v.47 n.7, p.87-92, July 2004
Katherine Campbell , Lawrence A. Gordon , Martin P. Loeb , Lei Zhou, The economic cost of publicly announced information security breaches: empirical evidence from the stock market, Journal of Computer Security, v.11 n.3, p.431-448, 1 March 2003
Gus Rodewald, Aligning information security investments with a firm's risk tolerance, Proceedings of the 2nd annual conference on Information security curriculum development, September 23-24, 2005, Kennesaw, Georgia
Lawrence D. Bodin , Lawrence A. Gordon , Martin P. Loeb, Evaluating information security investments using the analytic hierarchy process, Communications of the ACM, v.48 n.2, p.78-83, February 2005
Lawrence A. Gordon , Martin P. Loeb, Budgeting process for information security expenditures, Communications of the ACM, v.49 n.1, p.121-125, January 2006
James Aspnes , Kevin Chang , Aleksandr Yampolskiy, Inoculation strategies for victims of viruses and the sum-of-squares partition problem, Proceedings of the sixteenth annual ACM-SIAM symposium on Discrete algorithms, January 23-25, 2005, Vancouver, British Columbia
Rok Bojanc , Borka Jerman-Blaič, Towards a standard approach for quantifying an ICT security investment, Computer Standards & Interfaces, v.30 n.4, p.216-222, May, 2008
Wade H. Baker , Loren Paul Rees , Peter S. Tippett, Necessary measures: metric-driven information security risk assessment and decision making, Communications of the ACM, v.50 n.10, p.101-106, October 2007
James Aspnes , Kevin Chang , Aleksandr Yampolskiy, Inoculation strategies for victims of viruses and the sum-of-squares partition problem, Journal of Computer and System Sciences, v.72 n.6, p.1077-1093, September 2006
Francis K. Andoh-Baidoo , Kweku-Muata Osei-Bryson, Exploring the characteristics of Internet security breaches that impact the market value of breached firms, Expert Systems with Applications: An International Journal, v.32 n.3, p.703-725, April, 2007
Errol A. Blake, The management of access controls/biometrics in organizations, Proceedings of the 3rd annual conference on Information security curriculum development, September 22-23, 2006, Kennesaw, Georgia
Wei T. Yue , Metin Çakanyıldırım , Young U. Ryu , Dengpan Liu, Network externalities, layered protection and IT security risk management, Decision Support Systems, v.44 n.1, p.1-16, November, 2007
Shalom N. Rosenfeld , Ioana Rus , Michel Cukier, Archetypal behavior in computer security, Journal of Systems and Software, v.80 n.10, p.1594-1606, October, 2007
Lawrence A. Gordon , Martin P. Loeb, Economic aspects of information security: An emerging field of research, Information Systems Frontiers, v.8 n.5, p.335-337, December 2006
Kjell Hausken, Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability, Information Systems Frontiers, v.8 n.5, p.338-349, December 2006
Ashish Arora , Anand Nandkumar , Rahul Telang, Does information security attack frequency increase with vulnerability disclosure? An empirical analysis, Information Systems Frontiers, v.8 n.5, p.350-362, December 2006
J. C. Poindexter , Julia B. Earp , David L. Baumer, An experimental economics approach toward quantifying online privacy choices, Information Systems Frontiers, v.8 n.5, p.363-374, December 2006
Ram Kumar , Sungjune Park , Chandrasekar Subramaniam, Understanding the Value of Countermeasure Portfolios in Information Systems Security, Journal of Management Information Systems, v.25 n.2, p.241-280, Number 2 / Fall 2008
Jeffrey L. Duffany, Optimal resource allocation for securing an enterprise information infrastructure, Proceedings of the 4th international IFIP/ACM Latin American conference on Networking, October 10-11, 2007, San José, Costa Rica
Jens Grossklags , Nicolas Christin , John Chuang, Security and insurance management in networks with heterogeneous agents, Proceedings of the 9th ACM conference on Electronic commerce, July 08-12, 2008, Chicago, Il, USA
Jens Grossklags , Nicolas Christin , John Chuang, Secure or insure?: a game-theoretic analysis of information security games, Proceeding of the 17th international conference on World Wide Web, April 21-25, 2008, Beijing, China
Shu-Chuan Chao , Kuanchin Chen , Chien-Hua Lin, Capturing industry experience for an effective information security assessment, International Journal of Information Systems and Change Management, v.1 n.4, p.421-438, January 2006
Lawrence D. Bodin , Lawrence A. Gordon , Martin P. Loeb, Information security and risk management, Communications of the ACM, v.51 n.4, p.64-68, April 2008
Huaqiang Wei , Jim Alves-Foss , Terrence Soule , Hugh Pforsich , Du Zhang , Deborah Frincke, A Layered Decision Model for cost-effective system security, International Journal of Information and Computer Security, v.2 n.3, p.297-324, October 2008
Xia Zhao , Fang Fang , Andrew B. Whinston, An economic mechanism for better Internet security, Decision Support Systems, v.45 n.4, p.811-821, November, 2008
William R. Conkling , J. A. Drew Hamilton, Jr., The importance of information security spending: an economic approach, Proceedings of the 2008 Spring simulation multiconference, April 14-17, 2008, Ottawa, Canada
Huseyin Cavusoglu , Srinivasan Raghunathan , Wei Yue, Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment, Journal of Management Information Systems, v.25 n.2, p.281-304, Number 2 / Fall 2008
Sam Ransbotham , Sabyasachi Mitra, Choice and Chance: A Conceptual Model of Paths to Information Security Compromise, Information Systems Research, v.20 n.1, p.121-139, March 2009
Hemantha Herath , Tejaswini Herath, Investments in Information Security: A Real Options Perspective with Bayesian Postaudit, Journal of Management Information Systems, v.25 n.3, p.337-375, Number 3 / Winter 2008-9

INDEX TERMS

Primary Classification:
  H. Information Systems
  H.1 MODELS AND PRINCIPLES
      H.1.1 Systems and Information Theory
          Subjects: Value of information

Additional Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.0 General
          Subjects: Economics
      K.6.5 Security and Protection (D.4.6, K.4.2)


General Terms:
Economics, Security


Keywords:
Optimal security investment


REVIEWS

"Lee Imrey : Reviewer"

Gordon and Loeb's paper is well timed. As businesses suffer from the economic uncertainties of the 21st century, management is looking for ways to contain costs while continuing to meet fiduciary responsibilities. This requires companies to spend   more...


"Melissa C. Stange : Reviewer"

A practical approach is presented in this paper for determining the investment requirements necessary for information protection. The model used is explained in detail throughout the 18 pages of the paper. Gordon and Loeb's detailed approach, whic  more...


"Roxanne B. Everetts : Reviewer"

Gordon and Loeb report on a model that they have developed to evaluate how much information security is needed to protect data assets, and to determine the optimal investment, given the value of the assets and their vulnerability. The authors argu  more...

Collaborative Colleagues:
Lawrence A. Gordon: colleagues
Martin P. Loeb: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player