fbpx
Wikipedia

Gordon–Loeb model

January 01, 1970

The Gordon–Loeb model is a mathematical economic model analyzing the optimal investment level in information security.

Ideal level of investment in company computer security, given decreasing incremental returns

The primary benefits from cybersecurity investments result from the cost savings associated with cyber breaches that are prevented due to the investment. However, as with any investment, it is important to compare the benefits to the costs when deciding how to invest.[1] The Gordon-Loeb model provides a valuable framework for deriving, on a cost-benefit basis, the appropriate amount to invest in cybersecurity related activities.

The basic components of the Gordon-Loeb model are as follows:

  1. Data (information) sets of organizations that are vulnerable to cyber-attacks. This vulnerability, denoted as v (0 ≤ v ≤ 1), represents the probability that a breach to a specific information set will occur under current conditions.
  2. If an information set is breached, the value of the information set represents the potential loss (i.e., the cost of the breach) and can be expressed as a monetary value, denoted as L. Thus, vL is the expected loss from a cyber breach prior to an investment in additional cybersecurity activities.
  3. An investment in cybersecurity, denoted as z, will reduce v based on the productivity of the cybersecurity investment. The productivity of investment is what the Gordon-Loeb model refers to as the security breach probability function.

Gordon and Loeb were able to show that, for two broad classes of security breach probability functions, the optimal level of investment in information security, z*, would not exceed roughly 37% of the expected loss from a security breach. More specifically: z* (v) ≤ (1/e) vL.

Example:

Suppose an estimated data value of €1,000,000, with an attack probability of 15%, and an 80% chance that an attack would be successful.

In this case, the potential loss is given by the product €1,000,000  ×  0.15  ×  0.8 = €120,000.

According to Gordon and Loeb, the company's investment in security should not exceed €120,000  ×  0.37 = €44,000.

The Gordon–Loeb Model was first published by Lawrence A. Gordon and Martin P. Loeb in their 2002 paper, in ACM Transactions on Information and System Security, entitled "The Economics of Information Security Investment"[2] The paper was reprinted in the 2004 book Economics of Information Security.[3] Gordon and Loeb are both professors at the University of Maryland's Robert H. Smith School of Business.

The Gordon–Loeb Model is one of the most well-accepted analytical models for the economics of cyber security.[1] The model has been widely referenced in the academic and practitioner literature.[4][5][6][7][8][9][10][11][12][13] The model has also been empirically tested in several different settings. Research by mathematicians Marc Lelarge[14] and Yuliy Baryshnikov[15] generalized the results of the Gordon–Loeb Model.

The Gordon–Loeb model has been featured in the popular press, such as The Wall Street Journal[16] and The Financial Times.[17]

However, following research showed that even within the initial assumptions of the model, some security breach probability functions should be fixed with no less than 1/2 the expected loss, contradicting the hypothesis that the 1/e factor was universal. Furthermore, by using another mathematization of Gordon-Loeb requirements (more precisely, that the second derivative of the loss function does not need to be continuous), one can create loss functions whose optimal fixing costs 100% of the estimated loss.[18]

See also edit

References edit

  1. ^ a b Kianpour, Mazaher; Kowalski, Stewart; Øverby, Harald (2021). "Systematically Understanding Cybersecurity Economics: A Survey". Sustainability. 13 (24): 13677. doi:10.3390/su132413677. hdl:11250/2978306.
  2. ^ Gordon, Lawrence A.; Loeb, Martin P. (November 2002). "The Economics of Information Security Investment". ACM Transactions on Information and System Security. 5 (4): 438–457. doi:10.1145/581271.581274. S2CID 1500788.
  3. ^ Gordon, Lawrence A.; Loeb, Martin P. (2004). "Economics of Information Security Investment". In Camp, L. Jean; Lewis, Stephen (eds.). Economics of Information Security. Advances in Information Security. Vol. 12. Boston, MA: Springer. doi:10.1007/1-4020-8090-5_9. ISBN 978-1-4020-8089-0.
  4. ^ Kianpour, Mazaher; Raza, Shahid (2024). "More than malware: unmasking the hidden risk of cybersecurity regulations". International Cybersecurity Law Review. 5: 169–212. doi:10.1365/s43439-024-00111-7. hdl:11250/3116767.
  5. ^ Matsuura, Kanta (23 April 2008). "Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model" (PDF). Retrieved 30 October 2014.
  6. ^ Willemson, Jan (2006). "On the Gordon & Loeb Model for Information Security Investment" (PDF).
  7. ^ Willemson, Jan (2010). "Extending the Gordon and Loeb Model for Information Security Investment". 2010 International Conference on Availability, Reliability and Security. pp. 258–261. doi:10.1109/ARES.2010.37. ISBN 978-1-4244-5879-0. S2CID 11526162.
  8. ^ Johnson, E. (2009). Managing Information Risk and the Economics of Security. Springer. p. 99. ISBN 9780387097626. Retrieved 30 October 2014.
  9. ^ . BibSonomy. Archived from the original on 17 May 2014. Retrieved 30 October 2014.
  10. ^ Su, Xiaomeng (15 June 2006). "An Overview of Economic Approaches to Information Security Management" (PDF). Retrieved 30 October 2014.
  11. ^ Böhme, Rainer (29 August 2010). (PDF). International Computer Science Institute, Berkeley, California. Archived from the original (PDF) on 17 May 2014. Retrieved 30 October 2014.
  12. ^ Ye, Ruyi (2014). "An economic model of investment in information security". repository.ust.hk. HKUST Institutional Repository. Retrieved 30 October 2014.
  13. ^ Kuramitsu, Kimio (21 July 2005). "A Case Study of Gordon-Loop Model on Optimal Security Investments" 最適投資モデルに基づくセキュアシステム設計と事例研究 [Secure System Design Based on Optimal Investment Model and Case Study]. 電子情報通信学会技術研究報告 = Ieice Technical Report: 信学技報 (in Japanese). 105 (193). CiNii: 243–248. ISSN 0913-5685. Retrieved 30 October 2014.
  14. ^ Lelarge, Marc (December 2012). . IEEE Journal on Selected Areas in Communications. 30 (11): 2210–9. arXiv:1208.3994. Bibcode:2012arXiv1208.3994L. doi:10.1109/jsac.2012.121213. S2CID 672650. Archived from the original on 14 May 2014. Retrieved 13 May 2014.
  15. ^ Baryshnikov, Yuliy (24 February 2012). "IT Security Investment and Gordon-Loeb's 1/e Rule" (PDF). Retrieved 30 October 2014.
  16. ^ Gordon, Lawrence A.; Loeb, Martin P. (26 September 2011). "You May Be Fighting the Wrong Security Battles". The Wall Street Journal. Retrieved 9 May 2014.
  17. ^ Palin, Adam (30 May 2013). "Maryland professors weigh up cyber risks". Financial Times. Retrieved 9 May 2014.
  18. ^ Willemson, Jan (2006). "On the Gordon&Loeb Model for Information Security Investment". WEIS.

January 01, 1970
gordon, loeb, model, mathematical, economic, model, analyzing, optimal, investment, level, information, security, ideal, level, investment, company, computer, security, given, decreasing, incremental, returns, primary, benefits, from, cybersecurity, investment. The Gordon Loeb model is a mathematical economic model analyzing the optimal investment level in information security Ideal level of investment in company computer security given decreasing incremental returns The primary benefits from cybersecurity investments result from the cost savings associated with cyber breaches that are prevented due to the investment However as with any investment it is important to compare the benefits to the costs when deciding how to invest 1 The Gordon Loeb model provides a valuable framework for deriving on a cost benefit basis the appropriate amount to invest in cybersecurity related activities The basic components of the Gordon Loeb model are as follows Data information sets of organizations that are vulnerable to cyber attacks This vulnerability denoted as v 0 v 1 represents the probability that a breach to a specific information set will occur under current conditions If an information set is breached the value of the information set represents the potential loss i e the cost of the breach and can be expressed as a monetary value denoted as L Thus vL is the expected loss from a cyber breach prior to an investment in additional cybersecurity activities An investment in cybersecurity denoted as z will reduce v based on the productivity of the cybersecurity investment The productivity of investment is what the Gordon Loeb model refers to as the security breach probability function Gordon and Loeb were able to show that for two broad classes of security breach probability functions the optimal level of investment in information security z would not exceed roughly 37 of the expected loss from a security breach More specifically z v 1 e vL Example Suppose an estimated data value of 1 000 000 with an attack probability of 15 and an 80 chance that an attack would be successful In this case the potential loss is given by the product 1 000 000 0 15 0 8 120 000 According to Gordon and Loeb the company s investment in security should not exceed 120 000 0 37 44 000 The Gordon Loeb Model was first published by Lawrence A Gordon and Martin P Loeb in their 2002 paper in ACM Transactions on Information and System Security entitled The Economics of Information Security Investment 2 The paper was reprinted in the 2004 book Economics of Information Security 3 Gordon and Loeb are both professors at the University of Maryland s Robert H Smith School of Business The Gordon Loeb Model is one of the most well accepted analytical models for the economics of cyber security 1 The model has been widely referenced in the academic and practitioner literature 4 5 6 7 8 9 10 11 12 13 The model has also been empirically tested in several different settings Research by mathematicians Marc Lelarge 14 and Yuliy Baryshnikov 15 generalized the results of the Gordon Loeb Model The Gordon Loeb model has been featured in the popular press such as The Wall Street Journal 16 and The Financial Times 17 However following research showed that even within the initial assumptions of the model some security breach probability functions should be fixed with no less than 1 2 the expected loss contradicting the hypothesis that the 1 e factor was universal Furthermore by using another mathematization of Gordon Loeb requirements more precisely that the second derivative of the loss function does not need to be continuous one can create loss functions whose optimal fixing costs 100 of the estimated loss 18 See also editGenuine progress indicator External links References edit a b Kianpour Mazaher Kowalski Stewart Overby Harald 2021 Systematically Understanding Cybersecurity Economics A Survey Sustainability 13 24 13677 doi 10 3390 su132413677 hdl 11250 2978306 Gordon Lawrence A Loeb Martin P November 2002 The Economics of Information Security Investment ACM Transactions on Information and System Security 5 4 438 457 doi 10 1145 581271 581274 S2CID 1500788 Gordon Lawrence A Loeb Martin P 2004 Economics of Information Security Investment In Camp L Jean Lewis Stephen eds Economics of Information Security Advances in Information Security Vol 12 Boston MA Springer doi 10 1007 1 4020 8090 5 9 ISBN 978 1 4020 8089 0 Kianpour Mazaher Raza Shahid 2024 More than malware unmasking the hidden risk of cybersecurity regulations International Cybersecurity Law Review 5 169 212 doi 10 1365 s43439 024 00111 7 hdl 11250 3116767 Matsuura Kanta 23 April 2008 Productivity Space of Information Security in an Extension of the Gordon Loeb s Investment Model PDF Retrieved 30 October 2014 Willemson Jan 2006 On the Gordon amp Loeb Model for Information Security Investment PDF Willemson Jan 2010 Extending the Gordon and Loeb Model for Information Security Investment 2010 International Conference on Availability Reliability and Security pp 258 261 doi 10 1109 ARES 2010 37 ISBN 978 1 4244 5879 0 S2CID 11526162 Johnson E 2009 Managing Information Risk and the Economics of Security Springer p 99 ISBN 9780387097626 Retrieved 30 October 2014 The Gordon Loeb Investment Model Generalized Time Dependent Multiple Threats and Breach Losses over an Investment Period BibSonomy Archived from the original on 17 May 2014 Retrieved 30 October 2014 Su Xiaomeng 15 June 2006 An Overview of Economic Approaches to Information Security Management PDF Retrieved 30 October 2014 Bohme Rainer 29 August 2010 Security Metrics and Security Investment Models PDF International Computer Science Institute Berkeley California Archived from the original PDF on 17 May 2014 Retrieved 30 October 2014 Ye Ruyi 2014 An economic model of investment in information security repository ust hk HKUST Institutional Repository Retrieved 30 October 2014 Kuramitsu Kimio 21 July 2005 A Case Study of Gordon Loop Model on Optimal Security Investments 最適投資モデルに基づくセキュアシステム設計と事例研究 Secure System Design Based on Optimal Investment Model and Case Study 電子情報通信学会技術研究報告 Ieice Technical Report 信学技報 in Japanese 105 193 CiNii 243 248 ISSN 0913 5685 Retrieved 30 October 2014 Lelarge Marc December 2012 Coordination in Network Security Games A Monotone Comparative Statics Approach IEEE Journal on Selected Areas in Communications 30 11 2210 9 arXiv 1208 3994 Bibcode 2012arXiv1208 3994L doi 10 1109 jsac 2012 121213 S2CID 672650 Archived from the original on 14 May 2014 Retrieved 13 May 2014 Baryshnikov Yuliy 24 February 2012 IT Security Investment and Gordon Loeb s 1 e Rule PDF Retrieved 30 October 2014 Gordon Lawrence A Loeb Martin P 26 September 2011 You May Be Fighting the Wrong Security Battles The Wall Street Journal Retrieved 9 May 2014 Palin Adam 30 May 2013 Maryland professors weigh up cyber risks Financial Times Retrieved 9 May 2014 Willemson Jan 2006 On the Gordon amp Loeb Model for Information Security Investment WEIS Retrieved from https en wikipedia org w index php title Gordon Loeb model amp oldid 1218997687, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.