Gordon–Loeb Model
   HOME

TheInfoList



Click Here for Items Related To - Gordon–Loeb Model
OR:
Gordon–Loeb Model on:   [Wikipedia]   [Google]   [Amazon]

The Gordon–Loeb model is a mathematical
economic model In economics, a model is a theoretical construct representing economic processes by a set of variables and a set of logical and/or quantitative relationships between them. The economic model is a simplified, often mathematical, framework desi ...
analyzing the optimal investment level in
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthori ...
. The primary benefits from cybersecurity investments result from the cost savings associated with cyber breaches that are prevented due to the investment. However, as with any investment, it is important to compare the benefits to the costs when deciding how to invest. The Gordon-Loeb model provides a valuable framework for deriving, on a cost-benefit basis, the appropriate amount to invest in cybersecurity related activities. The basic components of the Gordon-Loeb model are as follows: # Data (information) sets of organizations that are vulnerable to cyber-attacks. This vulnerability, denoted as (), represents the probability that a breach to a specific information set will occur under current conditions. # If an information set is breached, the value of the information set represents the potential loss (i.e., the cost of the breach) and can be expressed as a monetary value, denoted as . Thus, is the expected loss from a cyber breach prior to an investment in additional cybersecurity activities. # An investment in cybersecurity, denoted as , will reduce based on the productivity of the cybersecurity investment. The productivity of investment is what the Gordon-Loeb model refers to as the security breach probability function. Gordon and Loeb were able to show that, for two broad classes of security breach probability functions, the optimal level of investment in information security, , would not exceed roughly 37% of the expected loss from a security breach. More specifically: . The Gordon–Loeb Model was first published by
Lawrence A. Gordon Lawrence A. Gordon is the EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland’s Robert H. Smith School of Business. He is also an Affiliate Professor in the University of Maryland Institute for Ad ...
and Martin P. Loeb in their 2002 paper, in ''ACM Transactions on Information and System Security'', entitled "The Economics of Information Security Investment" The paper was reprinted in the 2004 book ''Economics of Information Security''. Gordon and Loeb are both professors at the
University of Maryland The University of Maryland, College Park (University of Maryland, UMD, or simply Maryland) is a public university, public Land-grant university, land-grant research university in College Park, Maryland. Founded in 1856, UMD is the Flagship un ...
's
Robert H. Smith School of Business The Robert H. Smith School of Business (Smith School) is the business school at the University of Maryland, College Park, a public research university in College Park, Maryland. The school was named after alumnus Robert H. Smith (Accounting '50) ...
. The Gordon–Loeb Model is one of the most well-accepted analytical models for the economics of cyber security. The model has been widely referenced in the academic and practitioner literature. The model has also been empirically tested in several different settings. Research by mathematicians Marc Lelarge and Yuliy Baryshnikov generalized the results of the Gordon–Loeb Model. The Gordon–Loeb model has been featured in the popular press, such as ''
The Wall Street Journal ''The Wall Street Journal'' is an American business-focused, international daily newspaper based in New York City, with international editions also available in Chinese and Japanese. The ''Journal'', along with its Asian editions, is published ...
'' and ''
The Financial Times The ''Financial Times'' (''FT'') is a British daily newspaper printed in broadsheet and published digitally that focuses on business and economic current affairs. Based in London, England, the paper is owned by a Japanese holding company, Nikke ...
''. However, following research showed that even within the initial assumptions of the model, some security breach probability functions should be fixed with no less than the expected loss, contradicting the hypothesis that the factor was universal. Furthermore, by using another mathematization of Gordon-Loeb requirements (more precisely, that the second derivative of the loss function does not need to be continuous), one can create loss functions whose optimal fixing costs 100% of the estimated loss.


See also

* Genuine progress indicator (External links)


References

{{DEFAULTSORT:Gordon-Loeb model Data security Mathematical economics