Calibration of the Gordon-Loeb Models for the Probability of Security Breaches

Security breaches provoke increasingly high economic losses, requiring higher investment in security. The models by Gordon and Loeb are the most prominent tool employed to assess the impact of security investments on the probability of security breaches, but the estimation of their parameters remains an elusive issue. In this paper the impact of the investment productivity parameters in both Gordon-Loeb models is investigated, and a method is proposed for their estimation. The method employs a least-squares procedure and requires the amount of investment in security over a period and the corresponding observed losses due to security breaches.
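The calibration described in the abstract, as an added example that is not the paper's code: the two Gordon-Loeb breach-probability functions are fitted by least squares to a constructed series of (investment, observed loss) pairs. It assumes the vulnerability `v` and potential loss `lam` are known and uses a nested golden-section search as a stand-in for a general optimiser; the observation series and its perturbations are constructed for the example.

```python
"""Least-squares calibration of the Gordon-Loeb breach-probability models (added
example, not the paper's code).  Model I: S_I(z, v) = v / (alpha*z + 1)**beta;
model II: S_II(z, v) = v ** (alpha*z + 1); z = security investment, v =
vulnerability (breach probability at zero investment), alpha/beta = investment
productivity parameters; expected loss = lam * S(z, v).  Assumed: v and lam are
known and the squared-error surface is unimodal, so a nested golden-section
search (a stand-in for a general optimiser) reaches its minimum."""

def model_one(z, v, alpha, beta):          # Gordon-Loeb model I
    return v / (alpha * z + 1.0) ** beta

def model_two(z, v, alpha):                # Gordon-Loeb model II
    return v ** (alpha * z + 1.0)

def ssr(model, data, v, lam, params):
    """Sum of squared residuals between observed losses and lam * S(z, v)."""
    return sum((loss - lam * model(z, v, *params)) ** 2 for z, loss in data)

def golden_min(f, lo, hi, iters=80):
    """Golden-section search for the minimiser of a unimodal f on [lo, hi]."""
    g = (5 ** 0.5 - 1) / 2
    a, b = hi - g * (hi - lo), lo + g * (hi - lo)
    fa, fb = f(a), f(b)
    for _ in range(iters):
        if fa < fb:   # minimum lies in [lo, b]
            hi, b, fb = b, a, fa
            a, fa = hi - g * (hi - lo), f(hi - g * (hi - lo))
        else:         # minimum lies in [a, hi]
            lo, a, fa = a, b, fb
            b, fb = lo + g * (hi - lo), f(lo + g * (hi - lo))
    return (lo + hi) / 2

def calibrate_model_one(data, v, lam, alpha_range=(1e-4, 0.5), beta_range=(0.1, 5.0)):
    """Profile out beta (inner search) for each alpha (outer search)."""
    def best_beta(alpha):
        return golden_min(lambda b: ssr(model_one, data, v, lam, (alpha, b)), *beta_range)
    alpha = golden_min(lambda a: ssr(model_one, data, v, lam, (a, best_beta(a))), *alpha_range)
    return alpha, best_beta(alpha)

def calibrate_model_two(data, v, lam, alpha_range=(1e-4, 0.5)):
    return golden_min(lambda a: ssr(model_two, data, v, lam, (a,)), *alpha_range)

# Constructed observation series: one loss figure per investment level; the
# multiplicative perturbations stand in for measurement noise.
V, LAM = 0.6, 1000.0                      # vulnerability and potential loss, assumed known
Z_VALUES = [10.0 * k for k in range(12)]  # investment levels 0, 10, ..., 110 (constructed)
PERTURB = [0.0, 0.012, -0.008, 0.015, -0.011, 0.004, -0.013, 0.009, -0.006, 0.011, -0.004, 0.007]

def constructed_series(model, params, noisy=True):
    return [(z, LAM * model(z, V, *params) * (1.0 + (p if noisy else 0.0)))
            for z, p in zip(Z_VALUES, PERTURB)]

if __name__ == "__main__":
    print("model I  (alpha, beta):", calibrate_model_one(constructed_series(model_one, (0.02, 1.5)), V, LAM))
    print("model II alpha:", calibrate_model_two(constructed_series(model_two, (0.02,)), V, LAM))
```

On noise-free data both fits recover the generating parameters; on the perturbed series the fitted parameters have a residual sum of squares no larger than the generating ones, which is what the least-squares criterion demands.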
