Cyber risk is a significant concern for all types of businesses. The consequences of a cyber attack can be quite severe. Investing in security to mitigate the impact of such risks is a crucial task, both in terms of the frequency and the severity of cyber incidents. In this paper, we propose a practical application of the Gordon and Loeb model, thereby suggesting a methodology to estimate risk exposure and reconsidering some investment evaluation metrics. Our findings strongly support the claim that maximizing the expected net benefit of an investment solely at the optimal level is not sufficient for sound decision-making. On the contrary, incorporating metrics that evaluate the benefit in relation to risk and consider worst-case scenarios offers deeper insights.
Citation: Maria Francesca Carfora, Albina Orlando. Application of the Gordon Loeb model to security investment metrics: a proposal[J]. Data Science in Finance and Economics, 2024, 4(4): 601-614. doi: 10.3934/DSFE.2024025
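The abstract's central claim is that the investment level which maximises expected net benefit says nothing about the dispersion of losses. The following added example (not code from the paper or its authors) makes that concrete with the standard Gordon-Loeb class I breach function from Gordon and Loeb (2002), S(z, v) = v / (αz + 1)^β, and the closed-form maximiser of ENBIS that follows from it. The two loss scenarios, the parameter values (v = 0.5, α = 0.01, β = 1) and the discrete value-at-risk used as the "worst-case" metric are constructed assumptions for illustration; the paper's own risk-adjusted metrics are not reproduced here.

```python
import math


def breach_probability(z, v, alpha=0.01, beta=1.0):
    """Gordon-Loeb class I breach function S(z, v) = v / (alpha*z + 1)^beta.

    v is the breach probability with no investment, z the investment in the
    same money units as the loss; alpha > 0 and beta >= 1 are productivity
    parameters (the defaults here are illustrative assumptions).
    """
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, loss, alpha=0.01, beta=1.0):
    """Expected net benefit of information security: (v - S(z, v)) * L - z."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha=0.01, beta=1.0):
    """Closed-form maximiser of ENBIS for the class I function.

    Setting dENBIS/dz = 0 gives (alpha*z + 1)^(beta+1) = L*v*alpha*beta;
    a negative root means no positive investment pays for itself.
    """
    z = ((loss * v * alpha * beta) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def gordon_loeb_bound(v, loss):
    """Gordon & Loeb (2002): the optimal investment never exceeds vL/e."""
    return v * loss / math.e


def expected_loss(scenarios):
    """Scenarios are (probability, loss) pairs whose probabilities sum to 1."""
    return sum(p * l for p, l in scenarios)


def value_at_risk(scenarios, confidence):
    """Smallest loss whose cumulative probability reaches the confidence level
    (a discrete VaR; a simple stand-in for a worst-case metric)."""
    cumulative = 0.0
    for p, l in sorted(scenarios, key=lambda s: s[1]):
        cumulative += p
        if cumulative >= confidence - 1e-12:
            return l
    return max(l for _, l in scenarios)


def compare_scenarios(v, scenario_a, scenario_b, confidence=0.995,
                      alpha=0.01, beta=1.0):
    """Equal expected loss gives the same ENBIS-optimal z, whatever the tail."""
    l_a, l_b = expected_loss(scenario_a), expected_loss(scenario_b)
    return {
        "expected_loss": (l_a, l_b),
        "optimal_investment": (optimal_investment(v, l_a, alpha, beta),
                               optimal_investment(v, l_b, alpha, beta)),
        "var": (value_at_risk(scenario_a, confidence),
                value_at_risk(scenario_b, confidence)),
    }


# Constructed inputs (not taken from the paper); amounts in thousands.
V = 0.5
SCENARIO_A = [(0.90, 500.0), (0.10, 5500.0)]    # E[L] = 1000, moderate tail
SCENARIO_B = [(0.99, 900.0), (0.01, 10900.0)]   # E[L] = 1000, heavier tail

if __name__ == "__main__":
    z_star = optimal_investment(V, 1000.0)
    print(f"z* = {z_star:.2f}, ENBIS(z*) = {enbis(z_star, V, 1000.0):.2f}, "
          f"bound vL/e = {gordon_loeb_bound(V, 1000.0):.2f}")
    print(compare_scenarios(V, SCENARIO_A, SCENARIO_B))
```

Running it shows the same z* (about 123.6, below the vL/e bound of about 183.9) for both scenarios, while the 99.5% VaR is 5500 in one and 10900 in the other: a decision rule that stops at the ENBIS maximum cannot tell the two apart, which is the gap the abstract's risk-relative and worst-case metrics are meant to close.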