Computing Reviews
The economics of information security investment
Gordon L., Loeb M. ACM Transactions on Information and System Security 5(4): 438-457, 2002. Type: Article
Date Reviewed: Sep 5 2003

A practical approach is presented in this paper for determining the investment requirements necessary for information protection. The model used is explained in detail throughout the 18 pages of the paper. Gordon and Loeb’s detailed approach, which includes textual explanations, formulas, graphics, and proofs, is excellent for clarifying the subject matter. The authors even take the extra step of including a discussion of which areas their research model does not address. These areas include perverse economic incentives affecting investment, dynamic issues, and game theoretic aspects.

The paper is clearly written. It is organized into four sections, which easily flow from one to the next. The authors present analyses for a broad class of security breach probability functions; optimal security spending is presented as an increasing function of vulnerability level. The paper also provides a strong conceptual foundation in explaining why current research has fallen short in this area; the focus of research in information security has mainly been on technical issues.

This useful and thought-provoking model paper will not only be interesting to technical security professionals, but will also provide excellent reading for anyone faced with the task of developing a budget for information security. The most interesting thing I found in the paper was the fact that the model showed that management should be concentrating on midrange vulnerabilities, instead of on the high end. This is very important to current practice, in that most security teams do concentrate on the high end. Gordon and Loeb make a good recommendation to security teams, suggesting that all information be split into security breach vulnerability sets (low, middle, and high), and the sets then be defended moderately, instead of devoting all resources to one set. I recommend this paper highly to students, researchers, and information managers.
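A numeric illustration of the midrange finding, added here and not part of the review or of Gordon and Loeb's paper: it assumes the two breach-probability families the paper analyses, S = v/(αz+1)^β and S = v^(αz+1), uses constructed parameter values (α = β = 1, loss L = 100), and maximises the expected net benefit (v − S)·L − z by grid search over the spend z for each vulnerability level v.

```python
"""Optimal security investment z* versus vulnerability v in a Gordon-Loeb style
model.  Both breach-probability families are assumed from the paper's two
function classes; alpha, beta and the loss L are constructed inputs."""
import math


def enbis(z, v, loss, breach_prob):
    """Expected net benefit of spending z: expected-loss reduction minus cost."""
    return (v - breach_prob(z, v)) * loss - v * 0 - z


def class_one(alpha=1.0, beta=1.0):
    """S(z, v) = v / (alpha*z + 1)^beta: spending has diminishing returns."""
    return lambda z, v: v / (alpha * z + 1.0) ** beta


def class_two(alpha=1.0):
    """S(z, v) = v^(alpha*z + 1): highly vulnerable sets are very costly to protect."""
    return lambda z, v: v ** (alpha * z + 1.0)


def optimal_investment(v, loss, breach_prob, step=0.01):
    """Grid-search z in [0, v*loss]; spending beyond the expected loss never pays."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, breach_prob)
    for i in range(1, int(v * loss / step) + 1):
        z = i * step
        val = enbis(z, v, loss, breach_prob)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def investment_profile(loss, breach_prob, levels):
    """Map each vulnerability level to its optimal spend."""
    return {v: optimal_investment(v, loss, breach_prob) for v in levels}


def one_over_e_bound(v, loss):
    """Gordon-Loeb upper bound: z* never exceeds (1/e) of the expected loss v*L."""
    return v * loss / math.e


if __name__ == "__main__":
    LOSS = 100.0  # constructed: loss if the information set is breached
    LEVELS = [0.25, 0.5, 0.75, 0.9, 0.98, 0.995]
    for name, fn in (("class I", class_one()), ("class II", class_two())):
        print(name)  # class II spend peaks at a midrange v, then drops to 0
        for v, z in investment_profile(LOSS, fn, LEVELS).items():
            print(f"  v={v:<6} z*={z:6.2f}  bound={one_over_e_bound(v, LOSS):6.2f}")
```

For the class I family z* rises monotonically with v; for the class II family it rises, peaks below the top of the range, and falls to zero at very high v, which is the midrange result the review highlights.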

Reviewer: Melissa C. Stange. Review #: CR128209 (0401-0077)
Categories: Value of Information (H.1.1); Economics (K.6.0); Security and Protection (K.6.5)
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®