Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model

Cyber security breaches inflict costs on consumers and businesses. A breach may also shut down an entire critical infrastructure industry, putting a nation's whole economy and national defense at risk. Hence, cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm's socially optimal investment in cyber security increases by no more than 37% (i.e., 1/e, the ceiling of the Gordon-Loeb 1/e rule) of the expected externality loss.
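The following is an added worked example, not code from the paper, showing the mechanics behind the abstract's figure. It implements the Gordon-Loeb expected-net-benefit function ENBIS(z) = [v - S(z, v)]L - z with the two breach-probability function classes of Gordon and Loeb (2002), finds the firm's optimal investment z* numerically, and then re-solves with the loss replaced by L + E, where E is an assumed loss a breach imposes on third parties that a social planner would count and the firm would not. Each optimum is compared with its 1/e ceiling (z* <= vL/e, the Gordon-Loeb 1/e rule); the gap between the private and social ceilings is (1/e)vE, the 37% of the expected externality loss the abstract refers to. The function names (class1, class2, enbis, optimal_investment, compare), the golden-section solver, and all numeric values are this example's own assumptions.

```python
"""Gordon-Loeb investment model with an externality term (added worked example).

Assumptions, not from the paper's abstract: the two breach-probability
function classes are those of Gordon and Loeb (2002); the social planner is
modelled as maximising the firm's expected net benefit with the loss L
replaced by L + E, where E is the constructed loss a breach imposes on third
parties; every number below is constructed for illustration.
"""
import math

ONE_OVER_E = 1.0 / math.e   # ~0.368: the "1/e rule" ceiling on z* as a share of expected loss


def class1(alpha=1.0, beta=1.0):
    """Gordon-Loeb class I: S(z, v) = v / (alpha*z + 1)**beta."""
    return lambda z, v: v / (alpha * z + 1.0) ** beta


def class2(alpha=1.0):
    """Gordon-Loeb class II: S(z, v) = v ** (alpha*z + 1)."""
    return lambda z, v: v ** (alpha * z + 1.0)


def enbis(S, z, v, L):
    """Expected net benefit from investing z: (v - S(z, v)) * L - z."""
    return (v - S(z, v)) * L - z


def optimal_investment(S, v, L, tol=1e-9):
    """argmax of ENBIS over z in [0, v*L] by golden-section search.

    Both GL classes are convex and decreasing in z, so ENBIS is concave and
    unimodal; investing more than the expected loss v*L can never pay, which
    bounds the search interval.
    """
    lo, hi = 0.0, v * L
    g = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = hi - g * (hi - lo), lo + g * (hi - lo)
    fa, fb = enbis(S, a, v, L), enbis(S, b, v, L)
    while hi - lo > tol:
        if fa > fb:
            hi, b, fb = b, a, fa
            a = hi - g * (hi - lo)
            fa = enbis(S, a, v, L)
        else:
            lo, a, fa = a, b, fb
            b = lo + g * (hi - lo)
            fb = enbis(S, b, v, L)
    z = (lo + hi) / 2.0
    # Corner solution: if spending nothing is at least as good, invest nothing.
    return z if enbis(S, z, v, L) > enbis(S, 0.0, v, L) else 0.0


def class1_optimum(v, L, alpha=1.0, beta=1.0):
    """Closed-form solution of the class I first-order condition (cross-check)."""
    return max(((alpha * beta * v * L) ** (1.0 / (beta + 1.0)) - 1.0) / alpha, 0.0)


def class2_optimum(v, L, alpha=1.0):
    """Closed-form solution of the class II first-order condition (cross-check); needs 0 < v < 1."""
    w = -math.log(v)
    return max((math.log(alpha * L * w) / w - 1.0) / alpha, 0.0)


def compare(S, v, L, E):
    """Private optimum, social optimum (loss L + E), and each one's 1/e ceiling."""
    z_private = optimal_investment(S, v, L)
    z_social = optimal_investment(S, v, L + E)
    return {
        "z_private": z_private,
        "z_social": z_social,
        "ceiling_private": ONE_OVER_E * v * L,        # Gordon-Loeb: z* <= v*L/e
        "ceiling_social": ONE_OVER_E * v * (L + E),   # same rule with the externality counted
        "increase": z_social - z_private,
        "increase_share_of_vE": (z_social - z_private) / (v * E),
    }


if __name__ == "__main__":
    v, L, E = 0.5, 1000.0, 500.0   # constructed: vulnerability, private loss, third-party loss
    for name, S in (("class I", class1()), ("class II", class2())):
        r = compare(S, v, L, E)
        print(name, {k: round(x, 3) for k, x in r.items()})
```

For the constructed inputs the social optimum exceeds the private one by a few units on a private loss of 1000, far below the (1/e)vE = 92 gap between the two ceilings; the ceiling is a bound across all vulnerabilities v, so the actual increase for any given S and v is usually much smaller than 37% of the expected externality loss.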

[1] L. Zhou et al. The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. J. Comput. Secur., 2003.

[2] H. Kunreuther et al. Interdependent Security. 2003.

[3] L. A. Gordon et al. Sharing Information on Computer Systems Security: An Economic Analysis. 2003.

[4] A. Ghose et al. The Economic Incentives for Sharing Security Information. Inf. Syst. Res., 2004.

[5] L. A. Gordon et al. Market Value of Voluntary Disclosures Concerning Information Security. MIS Q., 2010.

[6] M. Lelarge. Coordination in Network Security Games: A Monotone Comparative Statics Approach. 2012.

[7] J. Willemson. On the Gordon & Loeb Model for Information Security Investment. WEIS, 2006.

[8] H. Cavusoglu et al. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. Int. J. Electron. Commer., 2004.

[9] H. R. Varian et al. System Reliability and Free Riding. Economics of Information Security, 2004.

[10] W. Lucyshyn et al. Improving the Security of Financial Management Systems: What Are We to Do? 2005.

[11] K. Hausken. Information Sharing Among Firms and Cyber Attacks. 2007.

[12] Y. Baryshnikov et al. IT Security Investment and Gordon-Loeb's 1/e Rule. WEIS, 2012.

[13] L. A. Gordon et al. The Economics of Information Security Investment. TSEC, 2002.

[14] L. Zhou et al. The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs? J. Comput. Secur., 2011.

[15] R. Böhme et al. Security Metrics and Security Investment Models. IWSEC, 2010.