ACES Faculty Member Interviewed by ActiveCyber

news story image

Dr. Lawrence Gordon, ACES Professor of HACS208A, Accounting and Economic Aspects of Cybersecurity, was interviewed by Chris Daly, the founder of His interview about the Gordon-Loeb Model for Cybersecurity Investments, is available below.

Professor Larry Gordon of the University of Maryland Discusses the Gordon-Loeb Cybersecurity Investment Model in this interview with ActiveCyber. Learn how economics, cyber, and mathematics came together at the genesis of this model and how to use this model to guide your cyber investment strategy.

Chris Daly, ActiveCyber: As a Professor in the School of Business and given your background in accounting and economics, what led to your interest in developing this model in cybersecurity investment?

Professor Larry Gordon, University of Maryland: In the spring of 1999, my colleague (Martin Loeb) and I were discussing the fact that cybersecurity investments were competing for the same resources as other potential investments within an organization. Thus, during the summer of 1999 we conducted a literature search to see if there were any rigorous economic models developed specifically to address the issues associated with determining the appropriate amount for an organization to invest in cybersecurity related activities. To our surprise, no such model existed at that time and this is what led us to develop such a model. The model we developed was published in ACM Transactions on Information and System Security in 2002, and shortly thereafter the model was being referred to as the Gordon-Loeb Model for Cybersecurity (or Information Security) Investments.(link is external)

ActiveCyber: Could you provide an explanation of the model and the types of conclusions that a user can derive from it?

Gordon: The model is a mathematical economic model that derives the optimal investment level in cybersecurity. A basic concept underlying the model is that benefits from cybersecurity investments should exceed the costs of cybersecurity activities. Based on the model, it is shown that that the amount a firm spends to protect information should generally be only a small fraction of the expected loss resulting from an information security (cybersecurity) breach. More specifically, the model shows that it is generally uneconomical to invest in information security activities more than 37 percent (37%) of the expected loss that would occur from a security breach. The model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. A visual explanation of the model is provided in the three-minute video at the following YouTube site: is external).

View the full interview here(link is external)

Published August 4, 2016