The economics of information security investment

Gordon, Lawrence A.; Loeb, Martin P.

doi:10.1145/581271.581274

articleACM Transactions on Information and System SecurityNov 1, 2002Closed access

The economics of information security investment

LALawrence A. Gordon MPMartin P. Loeb

University of Maryland, College Park

Indexed incrossref

Abstract

This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm…

Citation impact

1,286

total citations

FWCI: 34.03
Percentile: 100%
References: 35

Citations per year

Authors

2

Topics & keywords

Topics

Keywords

Vulnerability (computing)
Information security
Investment (military)
Computer science
Computer security
Set (abstract data type)
Information security management
Focus (optics)

No related works found for this paper.

Funding

LS
London School of Economics and Political Science