Computing Reviews
The economics of information security investment
Gordon L., Loeb M. ACM Transactions on Information and System Security 5(4): 438-457, 2002. Type: Article
Date Reviewed: Mar 4 2003

Gordon and Loeb’s paper is well timed. As businesses suffer from the economic uncertainties of the 21st century, management is looking for ways to contain costs while continuing to meet fiduciary responsibilities. This requires companies to spend “enough” to protect their information assets, but no more than that. Unfortunately, we lack clear guidance on how much is “enough.”

Many auditing and vulnerability assessment teams approach information security from a technical perspective, and perform a “binary analysis” of security measures: “Do you have a firewall or not?” “Are you running a host-based IDS or not?” This approach generates a compendium of vulnerabilities, sometimes includes suggested countermeasures, but ultimately fails to address the business perspective, which must balance expected risk with cost of mitigation. In some cases, the most effective business decision may be to accept a risk, rather than mitigate it.

Gordon and Loeb recognize this gap between the business perspective and the technical viewpoint, and have made a creditable first step to bridge it. Through applying the techniques of economic analysis to information security investment, they bring quantitative precision to what has been a more qualitative process of risk management. According to their mathematical analysis, optimal investments in information security rise with the vulnerability of information, but in some cases reach a point of diminishing return. This is intuitively known to all who have worked in the industry for any period of time, but Gordon and Loeb’s paper provides definitive support for this view, which may be more effective in business impact analyses than intuition, however justified.

The authors recognize that the model they use represents a simplification for most businesses, perhaps even an over-simplification, but correctly state that their work represents a starting point for further research into more complex models of information security investment, and into means to determine the optimal allocation of resources. Overall, I recommend this paper to those whose job requires budgeting for the protection of information.

Reviewer:  Lee Imrey Review #: CR127001 (0306-0565)
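The review describes the paper's result only in words. As an added illustration, not part of the review or of Gordon and Loeb's own code, the following implements the paper's class I security breach probability function S(z, v) = v / (αz + 1)^β (the formula is taken from the paper itself, which the review does not reproduce) and solves for the investment z* that maximizes expected net benefit; the parameter values v, L, α and β used here are constructed for illustration.

```python
import math


def breach_prob(z, v, alpha=0.01, beta=1.0):
    """Gordon-Loeb class I breach probability after investing z to protect
    an asset with vulnerability v (alpha > 0, beta >= 1, from the paper)."""
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, loss, alpha=0.01, beta=1.0):
    """ENBIS(z): expected loss avoided by the investment, minus its cost."""
    return (v - breach_prob(z, v, alpha, beta)) * loss - z


def marginal_benefit(z, v, loss, alpha=0.01, beta=1.0):
    """Expected loss avoided per additional unit invested at level z.
    It falls monotonically in z, which is the 'diminishing return' the review
    mentions; investing beyond the point where it drops below 1 is wasteful."""
    return v * alpha * beta * loss / (alpha * z + 1.0) ** (beta + 1)


def optimal_investment(v, loss, alpha=0.01, beta=1.0):
    """Closed-form z* for class I from the first-order condition
    marginal_benefit(z*) = 1; clipped at zero when no investment pays."""
    z = ((v * alpha * beta * loss) ** (1.0 / (beta + 1)) - 1.0) / alpha
    return max(z, 0.0)


def one_over_e_bound(v, loss):
    """The paper's upper bound: z* never exceeds 1/e of the expected loss v*L."""
    return v * loss / math.e


if __name__ == "__main__":
    # Constructed scenario: 50% vulnerability, potential loss of 1000 units.
    v, loss = 0.5, 1000.0
    z_star = optimal_investment(v, loss)
    print(f"optimal investment z* = {z_star:.2f}")
    print(f"expected net benefit  = {expected_net_benefit(z_star, v, loss):.2f}")
    print(f"1/e bound (v*L/e)     = {one_over_e_bound(v, loss):.2f}")
```

Varying v shows the other half of the review's summary: for class I, z* rises with vulnerability while always staying under the 1/e bound.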
Classification: Value of Information (H.1.1); Economics (K.6.0); Security and Protection (K.6.5)