Gordon-Loeb Model
The Gordon-Loeb /ˈgȯr-dən ˈlōb/ model is a mathematical economic model analyzing the optimal investment level in information security.
From the model, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the expected value of the loss resulting from a cyber/information security breach). More specifically, the model shows that it is generally uneconomical to invest in information security activities (including cybersecurity or computer security related activities) more than 37 percent of the expected loss that would occur from a security breach. The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
The Gordon-Loeb Model was first published by Lawrence A. Gordon and Martin P. Loeb in their 2002 paper, in ACM Transactions on Information and System Security, entitled "The Economics of Information Security Investment.[1]" The paper was reprinted in the 2004 book Economics of Information Security. Drs. Gordon and Loeb are both Professors at the University of Maryland's Robert H. Smith School of Business.
The Gordon-Loeb Model is one of the most well accepted analytical models in the "economics of cyber/information security" literature. The Model has been widely referenced in the academic and practitioner literature.[2][3][4][5][6][7][8][9][10] The Model has also been empirically tested in several different settings. Research by mathematicians Marc Lelarge[11] and Yuliy Baryshnikov[12] generalized the results of the Gordon-Loeb Model.
The Gordon-Loeb Model has been featured in the popular press, such as The Wall Street Journal[13] and The Financial Times.[14] For a 3-minute video that provides a non-mathematical overview of the Model, go to: https://www.youtube.com/watch?v=cd8dT0FuqQ4.
References
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
