Professor Larry Gordon of the University of Maryland discusses the Gordon-Loeb Cybersecurity Investment Model in this interview with ActiveCyber. Learn how economics, cyber, and mathematics came together at the genesis of this model and how to use it to guide your cyber investment strategy.

I was delighted when Professor Gordon invited me to lunch early this month to discuss the model and its impact on cyber economics. The Gordon-Loeb Model for Cybersecurity Investment has stood out as the golden rule-of-thumb metric for organizations contemplating how much to invest in cybersecurity protections since its inception in 2002. Besides learning that we both share a love for opera, I heard Professor Gordon trace the path of the model from its genesis to today, along with how it has impacted related research in the field. Discover how the Gordon-Loeb Model works and how it can guide your organization’s cyber investment strategy in the interview that follows.

Spotlight on Larry Gordon, Professor and Researcher, University of Maryland College Park

» Title: EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland’s RH Smith School of Business and Affiliate Professor in the University of Maryland Institute for Advanced Computer Studies
» Email: lgordon@rhsmith.umd.edu
» Website: http://scholar.rhsmith.umd.edu/lgordon/home

Read his bio below.


March 14, 2016

Chris Daly, ActiveCyber: As a Professor in the School of Business and given your background in accounting and economics, what led to your interest in developing this model in cybersecurity investment?

Professor Larry Gordon, University of Maryland: In the spring of 1999, my colleague (Martin Loeb) and I were discussing the fact that cybersecurity investments were competing for the same resources as other potential investments within an organization. Thus, during the summer of 1999 we conducted a literature search to see if there were any rigorous economic models developed specifically to address the issues associated with determining the appropriate amount for an organization to invest in cybersecurity related activities. To our surprise, no such model existed at that time and this is what led us to develop such a model. The model we developed was published in ACM Transactions on Information and System Security in 2002, and shortly thereafter the model was being referred to as the Gordon-Loeb Model for Cybersecurity (or Information Security) Investments.

ActiveCyber: Could you provide an explanation of the model and the types of conclusions that a user can derive from it?

Gordon: The model is a mathematical economic model that derives the optimal investment level in cybersecurity. A basic concept underlying the model is that benefits from cybersecurity investments should exceed the costs of cybersecurity activities. Based on the model, it is shown that the amount a firm spends to protect information should generally be only a small fraction of the expected loss resulting from an information security (cybersecurity) breach. More specifically, the model shows that it is generally uneconomical to invest in information security activities more than 37 percent (37%) of the expected loss that would occur from a security breach. The model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. A visual explanation of the model is provided in the three-minute video at the following YouTube site:

https://www.youtube.com/watch?v=cd8dT0FuqQ4&feature=youtu.be

ActiveCyber: Can you suggest an approach or set of steps to how the model should be used?

Gordon: In applying the model to an actual organization, there are four basic steps to follow. Step 1: Segment the organization’s information into appropriate categories (what we call information sets) and then estimate the value of the various sets of information. In other words, estimate the value of the segmented information you are trying to protect. Step 2: Estimate the probability that a particular information set will experience a cybersecurity breach. Step 3: Develop a matrix that shows the information value for each information set and the associated probability that the particular information set will experience a cybersecurity breach. This step is essentially combining steps 1 and 2 in terms of a visual matrix (or grid). Step 4: Allocate the dollars invested in cybersecurity to those activities that will be most productive in reducing the expected losses from a cybersecurity breach. In following the fourth step, keep in mind that the benefits from additional investments increase at a decreasing rate.
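As an added worked example (not code from the interview or from the Gordon-Loeb papers), the Python below implements the "class II" breach probability function from the 2002 model, S(z, v) = v^(αz+1), computes the optimal spend for each information set in the four-step procedure above, and checks the 1/e (about 37%) ceiling and the non-monotonic dependence on vulnerability described earlier. The productivity parameter alpha and the three information sets are assumed/constructed values, not figures from the interview.

```python
import math

# Class II breach probability function from the 2002 Gordon-Loeb model:
# z = dollars invested, v = vulnerability (breach probability with no spend),
# lam = loss if a breach occurs, alpha = assumed productivity parameter.
def breach_prob(z, v, alpha):
    """Probability of a breach after investing z dollars."""
    return v ** (alpha * z + 1)

def enbis(z, v, lam, alpha):
    """Expected net benefit of investing z: avoided expected loss minus cost."""
    return (v - breach_prob(z, v, alpha)) * lam - z

def optimal_investment(v, lam, alpha):
    """z* maximising enbis(); from the first-order condition
    alpha*lam*(-ln v)*v**(alpha*z+1) = 1, clipped at 0 if no spend pays off."""
    if v <= 0.0 or v >= 1.0:
        return 0.0
    w = -math.log(v)  # w > 0 for 0 < v < 1
    z = (math.log(alpha * lam * w) / w - 1.0) / alpha
    return max(z, 0.0)

def investment_plan(info_sets, alpha):
    """Steps 1-4: rows are (name, value at risk, breach probability); returns
    expected loss, optimal spend, spend as a share of expected loss, and
    whether the spend respects the 1/e (~37%) ceiling."""
    plan = []
    for name, lam, v in info_sets:
        expected_loss = v * lam
        z = optimal_investment(v, lam, alpha)
        plan.append({
            "set": name,
            "expected_loss": expected_loss,
            "invest": round(z, 2),
            "share_of_loss": z / expected_loss if expected_loss else 0.0,
            "within_cap": z <= expected_loss / math.e + 1e-9,
        })
    return plan

# Constructed sample information sets: (name, loss if breached, vulnerability).
SAMPLE_SETS = [
    ("customer PII database", 1_000_000, 0.5),
    ("payroll records", 500_000, 0.3),
    ("public marketing site", 200_000, 0.9),
]
ALPHA = 1e-5  # assumed: each dollar adds 1e-5 to the exponent of v

if __name__ == "__main__":
    for row in investment_plan(SAMPLE_SETS, ALPHA):
        print(row)
    # Optimal spend is not monotonic in v: it rises, then drops to zero.
    for v in (0.1, 0.5, 0.7, 0.9):
        print(v, round(optimal_investment(v, 1_000_000, ALPHA)))
```

The highly vulnerable marketing site gets zero optimal spend because, under this function, a dollar there buys too little reduction in breach probability to repay itself.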

ActiveCyber: Experience has shown that the costs of a breach are generally proportional to the “dwell time” that an attacker has within the compromised environment. Dwell time allows an attacker to find new hosts in the target environment to exploit and to create more damage. How does the model accommodate this factor?

Gordon: Our model does not address this issue, although it could provide the basis for an extension to our model.

ActiveCyber: New adaptive approaches to security call for investment in threat information sharing to forecast or predict new attacks and fortify defenses to prevent attacks that may leverage new vulnerabilities. Do these new adaptive approaches affect the model’s assumptions or conclusions?

Gordon: Yes, in terms of the probability of experiencing a cybersecurity breach and the recovery process associated with an actual breach. For example, information sharing is an important vehicle for reducing the probability of experiencing a cybersecurity breach and for speeding up the recovery process associated with addressing actual breaches.

ActiveCyber: What has been the industry response to the model?

Gordon: Numerous organizations have expressed a strong interest in using the model as a framework for deriving their level of cybersecurity spending. The three-minute video referred to in the answer to question 2 above is intended to help facilitate the actual use of the model by organizations.

ActiveCyber: Have you been able to validate the model empirically?

Gordon: We have been able to validate the model via a simple simulation. Validating the model in an actual organization is problematic because it is based on expected values, which means you need a large number of repeated trials to truly validate it.

ActiveCyber: Have there been any proposed modifications to the model?

Gordon: Yes. In an article published in the Journal of Information Security (2015), by Gordon, Loeb, Lucyshyn and Zhou, we extended the model to include externalities. The title of the paper is “Externalities and the Magnitude of the Gordon-Loeb Model.”

ActiveCyber: Have you performed any related research since the model was initially published?

Gordon: Yes. Since the model was published, we have addressed such related issues as: (1) the impact of information sharing on a firm’s level of cybersecurity, (2) real options associated with deferring investments in cybersecurity activities, (3) deriving the economic cost of cybersecurity breaches via the impact of such breaches on stock market returns, and (4) determining the impact of government incentives on cybersecurity investments by private sector firms. In fact, we have published approximately 25 articles, and one book, on issues related to cybersecurity economics (i.e., economic aspects of cybersecurity) since the initial publication of the Gordon-Loeb Model for Cybersecurity Investments.

ActiveCyber: One of the focus areas of recent research has been the development of “cyber DRGs” or diagnostic related groups similar to how Medicare uses DRGs to maintain a balance between the costs of health care and the quality of treatment outcomes. What are your thoughts regarding how to distinguish good investments from bad in cybersecurity?

Gordon: Although we have not done any work on this specific issue, I believe it is a great idea for a research project. In fact, my guess is that the right team of researchers would be able to put together a very competitive research proposal on this topic.


If you didn’t check out the YouTube link listed in the interview yet, I recommend you bookmark it because it provides a great overview of the Gordon-Loeb Model. It looks to me as if my quest for a cyber ROI formula has found a solid point of reference for helping to make decisions about cyber investments. Thanks to Professor Gordon (and Professor Loeb) for leading this work; ActiveCyber looks forward to future revisions to the Model and related research as cyber economics continues to evolve.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.

About Larry Gordon

Dr. Lawrence A. Gordon is the EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland’s RH Smith School of Business, and Affiliate Professor in the University of Maryland Institute for Advanced Computer Studies. His Ph.D. is in Managerial Economics from Rensselaer Polytechnic Institute. He is the author of over 100 articles that have been published in various academic and practitioner journals, as well as the author or coauthor of several books. Dr. Gordon is considered to be one of the pioneers in the field of cybersecurity economics. In addition to the Smith School of Business, Dr. Gordon’s research on cybersecurity has been supported by the U.S. National Security Agency and the U.S. Department of Homeland Security. He is also the Editor-in-Chief of the Journal of Accounting and Public Policy and serves on the editorial boards of several other academic journals. In 2007, Dr. Gordon was invited to provide Congressional Testimony concerning his research on cybersecurity economics before the Subcommittee of the U.S. House Committee on Homeland Security. Dr. Gordon is also a frequent speaker at various universities and professional meetings, and has been a consultant to several major organizations.