Gordon–Loeb model

Ideal level of investment in company computer security, given decreasing incremental returns

The Gordon–Loeb model is an economic model that analyzes the optimal level of investment in information security.

The benefits of investing in cybersecurity stem from reducing the costs associated with cyber breaches. The Gordon-Loeb model provides a framework for determining how much to invest in cybersecurity, using a cost-benefit approach.

The model includes the following key components:

• Organizational data vulnerable to cyber-attacks, with vulnerability denoted by v (0 ≤ v ≤ 1), representing the probability of a breach occurring under current conditions.

• The potential loss from a breach, represented by L, which can be expressed in monetary terms. The expected loss is calculated as vL before additional cybersecurity investments.

• Investment in cybersecurity, denoted as z, reduces v based on the effectiveness of the security measures, known as the security breach probability function.

Gordon and Loeb demonstrated that the optimal level of security investment, z*, does not exceed 37% of the expected loss from a breach. Specifically, z* (v) ≤ (1/e) vL.

Overview

Example: Consider a data value of €1,000,000, with an attack probability of 15% and an 80% chance of a successful breach. The potential loss is €1,000,000  ×  0.15  ×  0.8 = €120,000. Based on the Gordon-Loeb model, the company’s security investment should not exceed €120,000  ×  0.37 = €44,000.

The model was first introduced by Lawrence A. Gordon and Martin P. Loeb in a 2002 paper published in ACM Transactions on Information and System Security, titled "The Economics of Information Security Investment".^[1] It was reprinted in the 2004 book Economics of Information Security.^[2] Both authors are professors at the University of Maryland's Robert H. Smith School of Business.

The model is widely regarded as one of the leading analytical tools in cybersecurity economics.^[3] It has been extensively referenced in academic and industry literature.^[4][5][6] It has also been tested in various contexts by researchers such as Marc Lelarge^[7] and Yuliy Baryshnikov.^[8]

The model has also been covered by mainstream media, including The Wall Street Journal^[9] and The Financial Times.^[10]

Subsequent research has critiqued the model's assumptions, suggesting that some security breach functions may require fixing no less than 1/2 the expected loss, challenging the universality of the 1/e factor. Alternative formulations even propose that some loss functions may justify investment at the full estimated loss.^[11]

See also

• Genuine progress indicator

References

1. Gordon, Lawrence A.; Loeb, Martin P. (November 2002). "The Economics of Information Security Investment". ACM Transactions on Information and System Security. 5 (4): 438–457. doi:10.1145/581271.581274. S2CID 1500788.
2. Gordon, Lawrence A.; Loeb, Martin P. (2004). "Economics of Information Security Investment". In Camp, L. Jean; Lewis, Stephen (eds.). Economics of Information Security. Advances in Information Security. Vol. 12. Boston, MA: Springer. doi:10.1007/1-4020-8090-5_9. ISBN 978-1-4020-8089-0.
3. Kianpour, Mazaher; Kowalski, Stewart; Øverby, Harald (2021). "Systematically Understanding Cybersecurity Economics: A Survey". Sustainability. 13 (24): 13677. doi:10.3390/su132413677. hdl:11250/2978306.
4. Kianpour, Mazaher; Raza, Shahid (2024). "More than malware: unmasking the hidden risk of cybersecurity regulations". International Cybersecurity Law Review. 5: 169–212. doi:10.1365/s43439-024-00111-7. hdl:11250/3116767.
5. Matsuura, Kanta (23 April 2008). "Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model" (PDF). Retrieved 30 October 2014.
6. Willemson, Jan (2006). "On the Gordon & Loeb Model for Information Security Investment" (PDF).
7. Lelarge, Marc (December 2012). "Coordination in Network Security Games: A Monotone Comparative Statics Approach". IEEE Journal on Selected Areas in Communications. 30 (11): 2210–9. arXiv:1208.3994. Bibcode:2012arXiv1208.3994L. doi:10.1109/jsac.2012.121213. S2CID 672650. Archived from the original on 14 May 2014. Retrieved 13 May 2014.
8. Baryshnikov, Yuliy (24 February 2012). "IT Security Investment and Gordon-Loeb's 1/e Rule" (PDF). Retrieved 30 October 2014.
9. Gordon, Lawrence A.; Loeb, Martin P. (26 September 2011). "You May Be Fighting the Wrong Security Battles". The Wall Street Journal. Retrieved 9 May 2014.
10. Palin, Adam (30 May 2013). "Maryland professors weigh up cyber risks". Financial Times. Retrieved 9 May 2014.
11. Willemson, Jan (2006). "On the Gordon&Loeb Model for Information Security Investment". WEIS.