Computing Reviews
The economics of information security investment
Gordon L., Loeb M. ACM Transactions on Information and System Security 5(4): 438-457, 2002. Type: Article
Date Reviewed: Jan 3 2003

Gordon and Loeb report on a model they have developed to evaluate how much information security is needed to protect data assets, and to determine the optimal investment given the value of the assets and their vulnerability. The authors argue that, contrary to current best practice (which dictates that the more value is attached to an asset, the greater the investment needed to protect it), the optimal information security investment does not always increase proportionately with increases in vulnerability; there is a point beyond which it is not in a firm's best interest to make ever larger investments in information security. Gordon and Loeb’s findings indicate that investments in information security should not exceed 37 percent of the expected loss in the event of a breach. This finding offers an economic model for information security investment decisions.
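The 37 percent figure is the 1/e bound from the paper. The following is an added example, not code from the review or from Gordon and Loeb; it assumes one of the paper's two example families of breach-probability functions, S(z, v) = v / (alpha*z + 1)**beta (z is the security spend, v the vulnerability, i.e. the breach probability with no investment, and the alpha and beta parameters are assumed here), maximises the expected net benefit of the investment in closed form and by brute force, and then sweeps the vulnerability to show the optimum never exceeds 1/e of the expected loss v*L.

```python
import math

def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Assumed class-I breach-probability function S(z, v) = v / (alpha*z + 1)**beta:
    spending z lowers the breach probability from v, with diminishing returns."""
    return v / (alpha * z + 1.0) ** beta

def enbis(z, v, loss, alpha=1.0, beta=1.0):
    """Expected net benefit of information security: the reduction in expected
    loss bought by spending z, minus the spend itself."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z

def optimal_investment(v, loss, alpha=1.0, beta=1.0):
    """Closed-form maximiser of enbis() for the assumed family.
    d/dz enbis = v*loss*alpha*beta*(alpha*z+1)**(-beta-1) - 1 = 0 gives
    alpha*z + 1 = (v*loss*alpha*beta)**(1/(beta+1)). enbis is concave in z,
    so this stationary point is the maximum; a negative root means the
    expected loss is too small to justify spending anything."""
    root = (v * loss * alpha * beta) ** (1.0 / (beta + 1.0))
    return max((root - 1.0) / alpha, 0.0)

def grid_search_investment(v, loss, alpha=1.0, beta=1.0, step=0.01):
    """Brute-force cross-check of the closed form: scan z from 0 up to the
    expected loss v*loss (spending more than that can never pay off)."""
    best_z, best_val, z = 0.0, enbis(0.0, v, loss, alpha, beta), 0.0
    while z <= v * loss:
        val = enbis(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z

def investment_fraction(v, loss, alpha=1.0, beta=1.0):
    """Optimal investment expressed as a fraction of the expected loss v*loss."""
    return optimal_investment(v, loss, alpha, beta) / (v * loss)

def max_fraction_over_vulnerabilities(loss, alpha=1.0, beta=1.0, steps=1000):
    """Sweep v over (0, 1] and report the largest fraction of expected loss the
    optimum ever reaches; the paper's bound says this never exceeds 1/e."""
    return max(investment_fraction(i / steps, loss, alpha, beta)
               for i in range(1, steps + 1))

if __name__ == "__main__":
    for beta in (1.0, 2.0, 10.0):
        frac = max_fraction_over_vulnerabilities(1000.0, beta=beta)
        print(f"beta={beta}: max z*/(vL) = {frac:.4f}  (1/e = {1 / math.e:.4f})")
```

Larger beta values push the worst-case fraction upward toward, but never past, 1/e, which is the diminishing-returns point the review describes.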

The authors observe correctly that the field of information security is currently drawing a great deal of attention. However, much current research focuses on technical issues (how to make systems harder to breach) or on behavior (how to make people interact with systems in a manner that does not increase their vulnerabilities). Little has been written to assist with determining the optimal level of investment, to help organizations decide how much it should cost to protect their information.

The paper presents the authors’ model in scholarly fashion, and provides excellent dialogue to walk the reader through the proofs and propositions they have developed to support it. The arguments are well presented and clearly documented. Gordon and Loeb clearly identify the limitations of their research and the assumptions made in constructing their initial model. The references cited are mostly current, and reflect a wide range of inquiry into the field. The length of the paper is appropriate for the material presented.

In layman’s terms, what Gordon and Loeb are arguing is that the law of diminishing returns applies to information security. It is not acceptable to continue to believe that if you throw endless amounts of money at a problem, you will have a solution. It is long past time that our field accepted this reality, and changed its focus accordingly. This work represents forward-looking thinking. It should be recognized as a valuable contribution to current research in the information security field.

Reviewer: Dr. Roxanne B. Everetts Review #: CR126815 (0303-0287)
Value of Information (H.1.1 ... )
Economics (K.6.0 ... )
Security and Protection (K.6.5 )
Reproduction in whole or in part without permission is prohibited. Copyright 1999-2024 ThinkLoud®