Cyber-Security Investment in the Context of Disruptive Technologies: Extension of the Gordon-Loeb Model

Cyber-security breaches inflict significant costs on organizations, so building an information-systems defense capability through cyber-security investment is a prerequisite. How to determine the optimal amount to invest in cyber-security has been widely investigated in the literature, and in this respect the Gordon-Loeb model and its extensions have received wide acceptance. However, such models predominantly rely on restrictive assumptions that are not suited to analyzing the dynamic aspects of cyber-security investment. Yet understanding these dynamic aspects is key to studying cyber-security investment in a fast-paced and continuously evolving technological landscape. We propose an extension of the Gordon-Loeb model that considers multiple periods and relaxes the assumption of a continuous security-breach probability function. These theoretical adaptations make it possible to capture dynamic aspects of cyber-security investment such as the advent of a disruptive technology and its investment consequences. The proposed extension leaves room for a hypothetical decrease in the optimal level of cyber-security investment due to a potential technological shift. While we believe our framework should be generalizable across the cyber-security milieu, we illustrate our approach in the context of critical-infrastructure protection, where reductions in the security costs related to risk events are of paramount importance because potential losses reach unaffordable proportions. Moreover, although some technologies are considered disruptive, and thus promising, for critical-infrastructure protection, their effects on cyber-security investment have received little discussion.
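The following Python script is an added illustration and not code from the paper; the paper's own formulation of the extension is not reproduced on this page. It sets up the classic Gordon-Loeb (2002) model, in which a firm with vulnerability v and potential loss L chooses an investment z to maximize the expected net benefit ENBIS(z) = (v - S(z, v)) L - z, using the class-I breach probability function S_I(z, v) = v / (alpha z + 1)^beta. A disruptive technology is then modelled, as an assumption for the example, as a fixed adoption cost that cuts the vulnerability to gamma v, so that S(z) becomes a discontinuous lower envelope of the two options; periods are treated as independent decisions and the technology exists only from a given period onward (also assumptions). All parameter values are constructed for illustration.

```python
"""Gordon-Loeb model with a discontinuous breach-probability function and a
multi-period horizon.  Added example; the threshold model of a disruptive
technology and the period-by-period treatment are assumptions, not the
paper's formulation."""
import math


def breach_prob_class1(z, v, alpha, beta=1.0):
    """Gordon-Loeb class-I breach probability S_I(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def optimal_investment_class1(v, L, alpha, beta=1.0):
    """Closed-form z* maximising ENBIS(z) = (v - S_I(z, v)) * L - z.
    First-order condition: v*alpha*beta*L / (alpha*z + 1)**(beta+1) = 1,
    so alpha*z + 1 = (v*alpha*beta*L)**(1/(beta+1)); clamp at zero when the
    marginal benefit at z = 0 is already below one."""
    root = (v * alpha * beta * L) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def gordon_loeb_bound(v, L):
    """The Gordon-Loeb 1/e rule: z* never exceeds v*L/e for the class-I function."""
    return v * L / math.e


def enbis(z, S, L, v):
    """Expected net benefit of investing z under breach function S."""
    return (v - S(z)) * L - z


def make_breach_prob(v, alpha, beta, tech=None):
    """Return S(z).  Without `tech`: the classic continuous class-I curve.
    With tech = (cost, gamma), an assumption for this example: paying the fixed
    adoption cost buys a technology that cuts vulnerability to gamma*v, and the
    remaining z - cost is spent on the same class-I curve.  S is the lower
    envelope of the two options and jumps at z = cost."""
    def S(z):
        legacy = breach_prob_class1(z, v, alpha, beta)
        if tech is None or z < tech[0]:
            return legacy
        cost, gamma = tech
        adopted = breach_prob_class1(z - cost, gamma * v, alpha, beta)
        return min(legacy, adopted)
    return S


def optimal_investment_with_tech(v, L, alpha, beta, tech):
    """Optimum over the discontinuous S: the global maximum of the envelope is
    the better of the two branch optima, each of which has a closed form."""
    S = make_breach_prob(v, alpha, beta, tech)
    cost, gamma = tech
    z_legacy = optimal_investment_class1(v, L, alpha, beta)
    z_adopt = cost + optimal_investment_class1(gamma * v, L, alpha, beta)
    return max((z_legacy, z_adopt), key=lambda z: enbis(z, S, L, v))


def investment_path(v, L, alpha, beta, tech, periods, available_from):
    """Multi-period extension (assumption: independent periods).  The
    technology is available only from period `available_from` onward."""
    path = []
    for t in range(periods):
        if t < available_from:
            path.append(optimal_investment_class1(v, L, alpha, beta))
        else:
            path.append(optimal_investment_with_tech(v, L, alpha, beta, tech))
    return path


def grid_optimum(S, L, v, z_max, step):
    """Brute-force check of the closed forms over a grid of z values."""
    best_z, best_val = 0.0, enbis(0.0, S, L, v)
    z = step
    while z <= z_max:
        val = enbis(z, S, L, v)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


if __name__ == "__main__":
    # Constructed parameters: v = 0.6, L = 1e6, alpha = 1e-5, beta = 1,
    # adoption cost 50,000 halving the vulnerability, available from period 2.
    V, LOSS, ALPHA, BETA, TECH = 0.6, 1e6, 1e-5, 1.0, (50_000.0, 0.5)
    for t, z in enumerate(investment_path(V, LOSS, ALPHA, BETA, TECH, 4, 2)):
        print(f"period {t}: z* = {z:,.0f}  (1/e bound {gordon_loeb_bound(V, LOSS):,.0f})")
```

With these numbers the optimal investment is about 144,949 per period before the technology exists and about 123,205 once it does, which is the kind of decrease in the optimal level that the abstract describes: the jump in S(z) at the adoption cost makes a smaller total outlay dominate. The `grid_optimum` helper is there so the reader can confirm that the closed forms, not the grid, are doing the work.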
