Gordon–Loeb model
The Gordon–Loeb /ˈgȯr-dən ˈlōb/ Model is a mathematical economic model analyzing the optimal investment level in information security. Investing to protect company data involves a cost that, unlike other investments, usually does not generate profit; it does, however, serve to prevent additional costs. It is therefore important to compare how expensive it is to protect a specific set of data with the potential loss in case said data is stolen, lost, damaged or corrupted.

To apply this model, the company must know three parameters: how much the data is worth; how much the data is at risk; and the probability that an attack on the data will succeed. Gordon and Loeb call this last parameter vulnerability. The product of these parameters gives the expected monetary loss with no security investment.[1]

From the model it follows that the amount of money a company spends on protecting information should, in most cases, be only a small fraction of the predicted loss (that is, the expected value of the loss following a security breach). Specifically, the model shows that it is generally not worthwhile to invest in information security (including cybersecurity and computer security activities) amounts higher than 37% of the predicted loss.

The Gordon–Loeb model also shows that, for a given level of potential loss, the amount of resources to invest in protecting an information set does not always increase with the vulnerability of that set. Thus, companies can obtain greater economic returns by investing in cyber/information security activities aimed at increasing the security of data sets with a medium level of vulnerability. In other words, investment in safeguarding a company's data reduces vulnerability with diminishing incremental returns.

Example: suppose an estimated data value of 1.000.000 euros, an attack probability of 15%, and an 80% chance that an attack would be successful.
In this case, the potential loss is given by the product 1.000.000 euros x 0.15 x 0.8 = 120.000 euros. According to Gordon and Loeb, the company's investment in security should not exceed 120.000 euros x 0.37 = 44.000 euros.

The Gordon–Loeb Model was first published by Lawrence A. Gordon and Martin P. Loeb in their 2002 paper "The Economics of Information Security Investment", in ACM Transactions on Information and System Security.[2] The paper was reprinted in the 2004 book Economics of Information Security (https://www.springer.com/computer/theoretical+computer+science/book/978-1-4020-8089-0). Gordon and Loeb are both Professors at the University of Maryland's Robert H. Smith School of Business.

The Gordon–Loeb Model is one of the most widely accepted analytical models in the economics of cyber/information security literature, and it has been widely referenced in the academic and practitioner literature.[3][4][5][6][7][8][9][10][11] The model has also been empirically tested in several different settings. Research by mathematicians Marc Lelarge[12] and Yuliy Baryshnikov[13] generalized the results of the Gordon–Loeb Model. The Gordon–Loeb model has been featured in the popular press, such as The Wall Street Journal[14] and The Financial Times.[15][16]

References

1. Giuseppe D'Acquisto, Maurizio Naldi (2017). Big Data e Privacy by design. Giappichelli. ISBN 978-88-921-6264-8. https://books.google.com/books?id=Ig9EDgAAQBAJ
2. Gordon, Lawrence; Loeb, Martin (November 2002). "The Economics of Information Security Investment". ACM Transactions on Information and System Security 5 (4): 438–457. doi:10.1145/581271.581274
3. Kanta Matsuura (23 April 2008). "Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model". http://weis2008.econinfosec.org/papers/Matsuura.pdf. Retrieved 30 October 2014.
4. "On the Gordon&Loeb Model for Information Security Investment". CiteSeerX 10.1.1.60.9931.
5. "Extending the Gordon-Loeb Model for Information Security Investment". IEEE Xplore. http://ieeexplore.ieee.org/xpl/login.jsp?reload=true&tp=&arnumber=5438086&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5438086. Retrieved 30 October 2014.
6. Johnson, E. (2009). Managing Information Risk and the Economics of Security. Springer-Verlag. p. 99. ISBN 9780387097626. https://books.google.com/books?id=PHAaT9KjbmkC. Retrieved 30 October 2014.
7. "The Gordon-Loeb Investment Model Generalized: Time Dependent Multiple Threats and Breach Losses over an Investment Period". BibSonomy. http://www.bibsonomy.org/bibtex/79b784185a4be9d45abd80a74a1c294d. Retrieved 30 October 2014.
8. Xiaomeng Su (15 June 2006). "An Overview of Economic Approaches to Information Security Management". http://eprints.eemcs.utwente.nl/5693/01/00000177.pdf. Retrieved 30 October 2014.
9. Rainer Böhme (29 August 2010). "Security Metrics and Security Investment Models". International Computer Science Institute, Berkeley, California. http://www.wi1.uni-muenster.de/security/publications/Boehme2010_SecurityInvestment-IWSEC.pdf. Retrieved 30 October 2014.
10. "An economic model of investment in information security". HKUST Institutional Repository. http://repository.ust.hk/dspace/handle/1783.1/5020. Retrieved 30 October 2014.
11. "Secure system design and case studies based on an optimal investment model" (最適投資モデルに基づくセキュアシステム設計と事例研究). CiNii. http://ci.nii.ac.jp/naid/110003298595. Retrieved 30 October 2014.
12. Lelarge, Marc (December 2012). "Coordination in Network Security Games: A Monotone Comparative Statics Approach". IEEE Journal on Selected Areas in Communications 30 (11): 2210–2219. doi:10.1109/jsac.2012.121213. arXiv:1208.3994. http://www.techrepublic.com/resource-library/whitepapers/coordination-in-network-security-games-a-monotone-comparative-statics-approach/. Retrieved 13 May 2014.
13. Yuliy Baryshnikov (24 February 2012). "IT Security Investment and Gordon-Loeb's 1/e Rule". http://weis2012.econinfosec.org/papers/Baryshnikov_WEIS2012.pdf. Retrieved 30 October 2014.
14. Gordon, Lawrence; Loeb, Martin (26 September 2011). "You May Be Fighting the Wrong Security Battles". The Wall Street Journal. https://www.wsj.com/news/articles/SB10001424053111904900904576554762089179984. Retrieved 9 May 2014.
15. Palin, Adam (30 May 2013). "Maryland professors weigh up cyber risks". Financial Times. http://www.ft.com/intl/cms/s/2/606e0e5a-b345-11e2-b5a5-00144feabdc0.html. Retrieved 9 May 2014.
16. For a 3-minute video that provides a non-mathematical overview of the Model, see https://www.youtube.com/watch?v=cd8dT0FuqQ4.
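A worked implementation of the model, added here as an example and not part of the original entry: it reproduces the expected-loss product and the 37% cap from the example above, then finds the benefit-maximising investment under the two breach-probability functions given in the 2002 paper (Class I, v/(alpha*z+1)^beta, and Class II, v^(alpha*z+1)). The values of alpha and beta and the second data set used for the vulnerability sweep are assumptions chosen for illustration; the sweep goes beyond the entry's single example to show the rise-then-fall of optimal investment as vulnerability grows.

```python
# Added worked example of the Gordon-Loeb model; not code from the entry or its authors.
# Symbols follow the 2002 paper: L = loss if a breach occurs, t = threat probability,
# v = vulnerability (probability an attack succeeds), z = security investment.
# Investing z lowers the breach probability from v to S(z, v); s_class1 and s_class2
# are the paper's two functional forms, with alpha and beta chosen here for illustration.

def expected_loss(L, t, v):
    """Expected loss with no security investment: the product the entry describes."""
    return L * t * v

def investment_cap(L, t, v):
    """The entry's rule of thumb: never more than 37% (about 1/e) of the expected loss."""
    return 0.37 * expected_loss(L, t, v)

def s_class1(z, v, alpha=1e-5, beta=1.0):
    """Class I breach-probability function: v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta

def s_class2(z, v, alpha=1e-5):
    """Class II breach-probability function: v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1.0)

def net_benefit(z, L, t, v, s_func):
    """Expected net benefit of investing z: loss avoided minus the money spent."""
    return t * L * (v - s_func(z, v)) - z

def optimal_investment(L, t, v, s_func, step=1.0):
    """Grid search for the z that maximises net benefit.
    Spending more than the expected loss can never pay off, so the search stops there;
    a result of 0 means no investment is worthwhile at this vulnerability level."""
    best_z, best_benefit = 0.0, 0.0
    z, z_max = 0.0, expected_loss(L, t, v)
    while z <= z_max:
        benefit = net_benefit(z, L, t, v, s_func)
        if benefit > best_benefit:
            best_z, best_benefit = z, benefit
        z += step
    return best_z

def investment_by_vulnerability(L, t, vs, s_func, step=100.0):
    """Optimal investment per vulnerability level. With the Class II function it rises
    and then falls, which is the entry's point about medium-vulnerability data sets."""
    return {v: optimal_investment(L, t, v, s_func, step) for v in vs}

if __name__ == "__main__":
    # The entry's example: 1,000,000 euros at risk, 15% attack probability, 80% success.
    L, t, v = 1_000_000, 0.15, 0.8
    print("expected loss:", expected_loss(L, t, v), "cap:", investment_cap(L, t, v))
    print("optimal z, Class I:", optimal_investment(L, t, v, s_class1))
    print(investment_by_vulnerability(4_000_000, 0.25, [0.5, 0.8, 0.85, 0.9], s_class2))
```

With the entry's numbers the Class I optimum lands near 9,500 euros, well under the 37% cap; the Class II sweep (constructed data set) shows the optimum rising from v=0.5 to v=0.8 and then dropping to zero by v=0.9.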