I have just finished reading Gordon & Loeb's Managing Cybersecurity Resources: A Cost-Benefit Analysis and I highly recommend it for information security professionals seeking to learn more about the economics of information security.

The book goes into some good detail about using Average Loss Expectancy. The most interesting part for me was their discussion of their financial model. While disappointed that they felt the "mathematical approach to deriving the optimal investment level" was beyond the scope of the book, I thought the presented results were interesting:

First, it is generally uneconomical to invest in cybersecurity activities costing more than 37 percent of the expected loss. In fact, in most cases, an organization would want to invest an amount substantially below the 1/3 rule.
The authors state that this is the rule of diminishing returns at work. I wonder if other forces are at work too. For example, two-factor authentication has traditionally been very expensive. Now attacks against passwords are more prevalent and profitable, so the potential costs have increased, making it more likely that deploying two-factor authentication will fit in the 1/3 rule. At the same time, competition from start-ups like WiKID has helped reduce the cost of two-factor authentication. When we price our solution, we take into consideration the competition's pricing, but mainly what our target market is willing to pay, which may be 1/3 of the expected loss. Without more details of their model, it is hard to know which is the dog and which the tail.
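To see where the 37 percent figure comes from, here is a small worked example (added here, not code from the book or this post) using the "class I" breach-probability function from Gordon and Loeb's 2002 paper, S(z, v) = v / (alpha*z + 1)^beta, which the book review above does not reproduce; v is the information set's vulnerability, L the loss from a breach, z the investment, and alpha and beta are assumed, constructed parameters. It computes the investment that maximises expected net benefit and checks it against the 1/e ≈ 0.37 cap on v*L, the expected loss.

```python
import math

def breach_prob(z, v, alpha, beta):
    """Gordon-Loeb class I function: probability of breach after investing z.

    v is the vulnerability (breach probability with zero investment),
    alpha > 0 and beta >= 1 describe how productive security spending is.
    """
    return v / (alpha * z + 1) ** beta

def enbis(z, v, L, alpha, beta):
    """Expected net benefit of information security: expected loss avoided minus cost."""
    return (v - breach_prob(z, v, alpha, beta)) * L - z

def optimal_investment(v, L, alpha, beta):
    """Investment z* that maximises enbis, from the first-order condition.

    d/dz [(v - S(z,v)) L - z] = 0  gives  (alpha*z + 1)^(beta+1) = v*alpha*beta*L.
    If the marginal benefit at z = 0 is already below 1 monetary unit, invest nothing.
    """
    k = v * alpha * beta * L
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1)) - 1.0) / alpha

def investment_ratio(v, L, alpha, beta):
    """Optimal investment as a fraction of the expected loss v*L (the '1/3 rule' quantity)."""
    return optimal_investment(v, L, alpha, beta) / (v * L)

def max_ratio(v, L, alphas, betas):
    """Largest optimal-investment ratio over a grid of constructed parameter values."""
    return max(investment_ratio(v, L, a, b) for a in alphas for b in betas)

if __name__ == "__main__":
    # Constructed scenario: 50% vulnerability, $1M loss if breached, alpha=1e-5, beta=1.
    v, L, alpha, beta = 0.5, 1_000_000.0, 1e-5, 1
    z_star = optimal_investment(v, L, alpha, beta)
    print(f"expected loss v*L = {v * L:,.0f}")
    print(f"optimal investment z* = {z_star:,.0f} ({investment_ratio(v, L, alpha, beta):.1%} of v*L)")
    print(f"net benefit at z* = {enbis(z_star, v, L, alpha, beta):,.0f}")
    grid_max = max_ratio(v, L, [1e-6, 1e-5, 1e-4, 1e-3], [1, 2, 5, 10, 50])
    print(f"max ratio over grid = {grid_max:.3f}, cap 1/e = {1 / math.e:.3f}")
```

Sweeping alpha and beta more widely shows the ratio creeping toward, but never reaching, 1/e, which is the "substantially below the 1/3 rule" behaviour the book describes.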

The second result (an information set is that data which is being protected):

Even for information sets that have the same potential loss from a security breach and face the same threats, organizations should not always direct their cybersecurity investments toward those information sets having the greatest vulnerability.
This just means that some information sets are too costly to protect effectively, which makes sense, but seems to separate out protected data from the protection mechanism, which is hard to do. What data is your firewall protecting?

There is a lot more in the book that I hope to have time to go into, but I wouldn't count on it, so you might want to get it yourself ;).
