Gordon and Loeb’s paper is well timed. As businesses suffer from the economic uncertainties of the 21st century, management is looking for ways to contain costs while continuing to meet fiduciary responsibilities. This requires companies to spend “enough” to protect their information assets, but no more than that. Unfortunately, we lack clear guidance on how much is “enough.”
Many auditing and vulnerability assessment teams approach information security from a technical perspective and perform a “binary analysis” of security measures: “Do you have a firewall or not?” “Are you running a host-based IDS or not?” This approach generates a compendium of vulnerabilities and sometimes includes suggested countermeasures, but it ultimately fails to address the business perspective, which must balance expected risk against the cost of mitigation. In some cases, the most effective business decision may be to accept a risk rather than mitigate it.
Gordon and Loeb recognize this gap between the business perspective and the technical viewpoint, and have made a creditable first step to bridge it. Through applying the techniques of economic analysis to information security investment, they bring quantitative precision to what has been a more qualitative process of risk management. According to their mathematical analysis, optimal investments in information security rise with the vulnerability of information, but in some cases reach a point of diminishing return. This is intuitively known to all who have worked in the industry for any period of time, but Gordon and Loeb’s paper provides definitive support for this view, which may be more effective in business impact analyses than intuition, however justified.
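The result summarized above (optimal spend rising with vulnerability, then hitting diminishing returns) can be made concrete with a small calculation. What follows is an added example, not code from the review or from Gordon and Loeb's paper. It assumes the two breach-probability functions Gordon and Loeb analyse, S_I(z, v) = v / (αz + 1)^β and S_II(z, v) = v^(αz + 1); this page does not reproduce them, so treat the functional forms, the parameter values (α, β, the loss L) and the vulnerability levels as assumptions chosen for illustration. z is the security investment, v the probability of breach with no investment, and L the loss if a breach occurs.

```python
"""Worked Gordon-Loeb style calculation (added example; assumptions noted inline).

Assumed breach-probability functions, in the two forms Gordon and Loeb analyse:
  S_I(z, v)  = v / (alpha*z + 1)**beta
  S_II(z, v) = v ** (alpha*z + 1)
z = security spend, v = vulnerability (breach probability at z=0), L = loss on breach.
"""
import math


def s_class1(z, v, alpha, beta):
    """Breach probability after investing z (class I form)."""
    return v / (alpha * z + 1.0) ** beta


def s_class2(z, v, alpha):
    """Breach probability after investing z (class II form)."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, loss, s_fn):
    """Expected net benefit of investment: expected-loss reduction minus the spend."""
    return (v - s_fn(z, v)) * loss - z


def optimal_class1(v, loss, alpha, beta):
    """Closed-form optimum for class I, from d(ENBIS)/dz = 0:
    v*alpha*beta*L / (alpha*z+1)**(beta+1) = 1  =>  alpha*z+1 = (v*alpha*beta*L)**(1/(beta+1)).
    """
    z = ((v * alpha * beta * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def optimal_class2(v, loss, alpha):
    """Closed-form optimum for class II; 0 when even the first dollar does not pay."""
    if v <= 0.0 or v >= 1.0:
        return 0.0
    # Marginal benefit of the first dollar is -L*alpha*ln(v)*v.
    if -loss * alpha * math.log(v) * v <= 1.0:
        return 0.0
    # Otherwise solve -L*alpha*ln(v)*v**(alpha*z+1) = 1 for z.
    z = (math.log(-1.0 / (alpha * loss * math.log(v))) / math.log(v) - 1.0) / alpha
    return max(z, 0.0)


def marginal_benefit_class1(z, v, loss, alpha, beta):
    """Extra expected-loss reduction per extra dollar at spend z (class I).
    This falls as z grows: the diminishing-return effect."""
    return v * alpha * beta * loss / (alpha * z + 1.0) ** (beta + 1.0)


def grid_optimum(v, loss, s_fn, z_max, steps=200_000):
    """Brute-force cross-check of the closed forms: best z on a grid over [0, z_max]."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, s_fn)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, loss, s_fn)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def investment_curve(loss, alpha, beta, vs):
    """Optimal spend at each vulnerability level, for both functional forms."""
    return [(v, optimal_class1(v, loss, alpha, beta), optimal_class2(v, loss, alpha))
            for v in vs]


if __name__ == "__main__":
    # Assumed parameters: a $1M loss, alpha scaled so z is in dollars, beta = 1.
    L, ALPHA, BETA = 1_000_000.0, 1e-5, 1.0
    for v, z1, z2 in investment_curve(L, ALPHA, BETA, [0.1, 0.25, 0.5, 0.75, 0.9, 0.99]):
        print(f"v={v:.2f}  class I z*={z1:>11,.0f} (share of v*L={z1 / (v * L):.3f})"
              f"  class II z*={z2:>11,.0f}")
```

Two things to notice when you run it: under class I the optimal spend rises with v but always stays a modest fraction of the expected loss v·L, and under class II the optimum rises and then drops to zero at high vulnerability, because each dollar buys almost no reduction in breach probability once v is near 1. That is the quantitative version of the reviewer's point that beyond some level, more spending is not the right business decision.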
The authors recognize that the model they use represents a simplification for most businesses, perhaps even an over-simplification, but correctly state that their work represents a starting point for further research into more complex models of information security investment, and into means to determine the optimal allocation of resources. Overall, I recommend this paper to those whose job requires budgeting for the protection of information.