Gordon–Loeb model

{{Short description|Method for optimizing information security investments}}

File:Gordon-Loeb.png

The Gordon–Loeb model is an economic model that analyzes the optimal level of investment in information security.

The benefits of investing in cybersecurity stem from reducing the costs associated with cyber breaches. The Gordon-Loeb model provides a framework for determining how much to invest in cybersecurity, using a cost-benefit approach.

The model includes the following key components:

  • Organizational data vulnerable to cyber-attacks, with vulnerability denoted by {{mvar|v}} ({{math|0 ≤ v ≤ 1}}), representing the probability of a breach occurring under current conditions.
  • The potential loss from a breach, represented by {{mvar|L}}, which can be expressed in monetary terms. The expected loss is calculated as {{math|vL}} before additional cybersecurity investments.
  • Investment in cybersecurity, denoted as {{mvar|z}}, reduces {{mvar|v}} according to the security breach probability function, which describes how effective the security measures are at lowering the probability of a breach.

Gordon and Loeb demonstrated that the optimal level of security investment, {{mvar|z*}}, does not exceed 37% of the expected loss from a breach. Specifically, {{math|z* (v) ≤ (1/e) vL}}.

Overview

{{quote frame| Example:

Consider a data value of {{math|€1,000,000}}, with an attack probability of {{math|15%}} and an {{math|80%}} chance of a successful breach. The potential loss is {{math|€1,000,000 {{times}} 0.15 {{times}} 0.8 {{=}} €120,000}}. Based on the Gordon-Loeb model, the company’s security investment should not exceed {{math|€120,000 {{times}} 0.37 {{=}} €44,000}}.}}
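As an added illustration (not code from the original article or from Gordon and Loeb), the following Python puts the components listed above and the boxed example together. It uses the class-I security breach probability function {{math|S(z, v) {{=}} v / (αz + 1)<sup>β</sup>}} from the 2002 paper, derives the optimal investment {{mvar|z*}} from the first-order condition, cross-checks it with a brute-force scan, and verifies that {{mvar|z*}} never exceeds {{math|(1/e) vL}}. The productivity parameters {{math|α {{=}} β {{=}} 1}} and the function names are assumptions chosen for this example.

```python
import math

# Added example, not part of the Gordon-Loeb article. The class-I breach
# probability function S(z, v) = v / (alpha*z + 1)**beta is the one given in
# Gordon & Loeb (2002); the parameter values used below are assumptions.

E = math.e


def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Probability of a breach after investing z, given baseline vulnerability v."""
    if not 0.0 <= v <= 1.0:
        raise ValueError("v must lie in [0, 1]")
    if z < 0:
        raise ValueError("investment z cannot be negative")
    return v / (alpha * z + 1.0) ** beta


def expected_loss(v, L):
    """Expected loss vL before any additional security investment."""
    return v * L


def enbis(z, v, L, alpha=1.0, beta=1.0):
    """Expected net benefit of information security: loss avoided minus the cost z."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def optimal_investment(v, L, alpha=1.0, beta=1.0):
    """Closed-form z* for the class-I function.

    First-order condition  -dS/dz * L = 1:
        alpha*beta*v*L / (alpha*z + 1)**(beta + 1) = 1
    so  z* = ((alpha*beta*v*L)**(1/(beta+1)) - 1) / alpha,
    clipped at zero when the first unit of investment already costs more than it saves.
    """
    root = (alpha * beta * v * L) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def investment_cap(v, L):
    """Gordon-Loeb bound: z* never exceeds (1/e) * vL, roughly 37% of expected loss."""
    return expected_loss(v, L) / E


def numeric_optimum(v, L, alpha=1.0, beta=1.0, step=1.0):
    """Brute-force cross-check: scan z from 0 up to vL and keep the best ENBIS."""
    best_z, best_val = 0.0, enbis(0.0, v, L, alpha, beta)
    limit = expected_loss(v, L)
    z = step
    while z <= limit:
        val = enbis(z, v, L, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def worked_example():
    """The article's box: 1,000,000 at risk, 15% attack chance, 80% success rate."""
    L = 1_000_000.0
    v = 0.15 * 0.8  # combined probability of a successful breach, 0.12
    return {
        "expected_loss": expected_loss(v, L),  # vL = 120,000
        "cap": investment_cap(v, L),           # (1/e) vL, about 44,146
        "z_star": optimal_investment(v, L),    # class-I optimum with alpha = beta = 1
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value:,.2f}")
```

With {{math|α {{=}} β {{=}} 1}} the class-I optimum for the boxed example is only a few hundred euros, far below the {{math|(1/e) vL}} ceiling; the bound is an upper limit on what any breach function in the model can justify, not a recommended spend. Varying {{mvar|α}} shows why the ceiling is never reached for this class: with {{math|β {{=}} 1}} the largest possible {{mvar|z*}} over all {{mvar|α}} is {{math|vL/4}}.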

The model was first introduced by Lawrence A. Gordon and Martin P. Loeb in a 2002 paper published in ACM Transactions on Information and System Security, titled "The Economics of Information Security Investment".{{Cite journal|first1=Lawrence A. |last1=Gordon|author-link1=Lawrence A. Gordon|first2=Martin P. |last2=Loeb |author-link2=Martin P. Loeb|journal=ACM Transactions on Information and System Security|volume=5|issue=4| pages=438–457|doi=10.1145/581271.581274|title= The Economics of Information Security Investment|s2cid=1500788|url=http://tissec.acm.org/|date=November 2002|url-access=subscription}} It was reprinted in the 2004 book Economics of Information Security.{{cite book |first1=Lawrence A. |last1=Gordon|author-link1=Lawrence A. Gordon|first2=Martin P. |last2=Loeb |author-link2=Martin P. Loeb|chapter=Economics of Information Security Investment |chapter-url=https://link.springer.com/chapter/10.1007/1-4020-8090-5_9|doi=10.1007/1-4020-8090-5_9| date=2004 |url=https://www.springer.com/computer/theoretical+computer+science/book/978-1-4020-8089-0 |isbn=978-1-4020-8089-0 |editor-first1=L. Jean |editor-last1=Camp |editor-first2=Stephen |editor-last2=Lewis |publisher=Springer|location=Boston, MA|series=Advances in Information Security|volume=12 |title=Economics of Information Security }} Both authors are professors at the University of Maryland's Robert H. Smith School of Business.

The model is widely regarded as one of the leading analytical tools in cybersecurity economics.{{cite journal |last1=Kianpour |first1=Mazaher |last2=Kowalski |first2=Stewart |last3=Øverby |first3=Harald |date=2021 |title=Systematically Understanding Cybersecurity Economics: A Survey |journal=Sustainability |volume=13 |issue=24 |page=13677 |doi=10.3390/su132413677 |doi-access=free |hdl-access=free |hdl=11250/2978306}} It has been extensively referenced in academic and industry literature.{{cite journal |last1=Kianpour |first1=Mazaher |last2=Raza |first2=Shahid |date=2024 |title= More than malware: unmasking the hidden risk of cybersecurity regulations|journal= International Cybersecurity Law Review |volume= 5 |pages=169–212 |doi= 10.1365/s43439-024-00111-7|doi-access=free |hdl=11250/3116767 |hdl-access=free }}{{cite web |url=http://weis2008.econinfosec.org/papers/Matsuura.pdf|archive-url=https://web.archive.org/web/20080908081316/http://weis2008.econinfosec.org/papers/Matsuura.pdf|url-status=dead|archive-date=September 8, 2008|date=23 April 2008 |title=Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model |first=Kanta |last=Matsuura |accessdate=30 October 2014}}{{cite web |last=Willemson |first=Jan |date=2006 |title=On the Gordon & Loeb Model for Information Security Investment |url=https://www.econinfosec.org/archive/weis2006/docs/12.pdf}} It has also been tested in various contexts by researchers such as Marc Lelarge{{cite journal|last=Lelarge|first=Marc|title=Coordination in Network Security Games: A Monotone Comparative Statics Approach|journal=IEEE Journal on Selected Areas in Communications|date=December 2012|volume=30|issue=11|pages=2210–9|url=http://www.techrepublic.com/resource-library/whitepapers/coordination-in-network-security-games-a-monotone-comparative-statics-approach/|accessdate=13 May 2014|doi=10.1109/jsac.2012.121213|arxiv=1208.3994|bibcode=2012arXiv1208.3994L|s2cid=672650|archive-date=14 May 2014|archive-url=https://web.archive.org/web/20140514062653/http://www.techrepublic.com/resource-library/whitepapers/coordination-in-network-security-games-a-monotone-comparative-statics-approach/|url-status=dead}} and Yuliy Baryshnikov.{{cite web|url=http://weis2012.econinfosec.org/papers/Baryshnikov_WEIS2012.pdf|date=24 February 2012|title=IT Security Investment and Gordon-Loeb's 1/e Rule |first=Yuliy |last=Baryshnikov|accessdate=30 October 2014}}

The model has also been covered by mainstream media, including The Wall Street Journal{{cite news |first1=Lawrence A. |last1=Gordon|author-link1=Lawrence A. Gordon|first2=Martin P. |last2=Loeb |author-link2=Martin P. Loeb |title=You May Be Fighting the Wrong Security Battles|url=https://www.wsj.com/news/articles/SB10001424053111904900904576554762089179984 |accessdate=9 May 2014|newspaper=The Wall Street Journal|date=26 September 2011 |url-access=subscription}} and The Financial Times.{{cite news|last=Palin|first=Adam|title=Maryland professors weigh up cyber risks |url=http://www.ft.com/intl/cms/s/2/606e0e5a-b345-11e2-b5a5-00144feabdc0.html |accessdate=9 May 2014 |newspaper=Financial Times|date=30 May 2013}}

Subsequent research has critiqued the model's assumptions, showing that for some security breach probability functions the optimal investment may be no less than {{math|1/2}} of the expected loss, which challenges the universality of the {{math|1/e}} factor. Alternative formulations even propose that some loss functions may justify investment up to the full estimated loss.{{cite journal |last1=Willemson |first1=Jan |title=On the Gordon&Loeb Model for Information Security Investment |journal=WEIS |date=2006 |url=https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=802aeb6fd4cf033b8ecb25b970fbb58394d32466}}

See also

References

{{Reflist}}

{{DEFAULTSORT:Gordon-Loeb model}}

Category:Data security

Category:Mathematical economics