From the model, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the expected value of the loss resulting from a cyber/information security breach). More specifically, the model shows that it is generally uneconomical to invest more than 37 percent of the expected loss from a security breach in information security activities (including cybersecurity or computer security related activities). The Gordon–Loeb model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase as the information set's vulnerability increases. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities directed at improving the security of information sets with a medium level of vulnerability.
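As an added worked example (not part of the original article or the authors' own code), the following computes the optimal investment z* for the two security-breach-probability function families used in the Gordon–Loeb paper (class I: S(z, v) = v/(αz + 1)^β; class II: S(z, v) = v^(αz + 1)) and checks both claims above: the spend stays at or below 1/e ≈ 37% of the expected loss vL, and for class II it rises and then falls as v grows. The loss L and the parameters α and β are constructed values.

```python
import math

# Gordon-Loeb setup: an information set with potential loss L, vulnerability v
# (probability a breach succeeds with no extra investment) and a breach
# probability function S(z, v) that falls as the investment z grows.
# Expected net benefit of investing z:  ENBIS(z) = (v - S(z, v)) * L - z.

def s_class1(z, v, alpha, beta):
    """Class I family from the paper: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1) ** beta

def s_class2(z, v, alpha):
    """Class II family from the paper: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1)

def enbis(z, v, loss, s):
    """Expected net benefit; s(z, v) is the breach probability function."""
    return (v - s(z, v)) * loss - z

def optimal_class1(v, loss, alpha, beta):
    """Solve the first-order condition -dS/dz * L = 1 in closed form;
    0 when even the first unit of investment does not pay for itself."""
    return max(0.0, ((v * loss * alpha * beta) ** (1 / (beta + 1)) - 1) / alpha)

def optimal_class2(v, loss, alpha):
    """Closed-form optimum for class II; undefined outside 0 < v < 1."""
    if v <= 0 or v >= 1:
        return 0.0
    ln_v = math.log(v)
    return max(0.0, (math.log(-1 / (alpha * loss * ln_v)) / ln_v - 1) / alpha)

def numeric_optimum(v, loss, s, z_max, steps=20000):
    """Brute-force cross-check of the closed forms: scan z on a grid."""
    grid = (z_max * i / steps for i in range(steps + 1))
    return max(grid, key=lambda z: enbis(z, v, loss, s))

def fraction_of_expected_loss(z_opt, v, loss):
    """Share of the expected loss v*L spent at the optimum (<= 1/e)."""
    return z_opt / (v * loss)

if __name__ == "__main__":
    L, ALPHA, BETA = 1_000_000.0, 1e-5, 1.0  # constructed parameters
    for v in (0.1, 0.3, 0.5, 0.7, 0.8, 0.9):
        z1 = optimal_class1(v, L, ALPHA, BETA)
        z2 = optimal_class2(v, L, ALPHA)
        print(f"v={v:.1f}  class I z*={z1:>10,.0f}"
              f" ({fraction_of_expected_loss(z1, v, L):.3f} of vL)"
              f"  class II z*={z2:>10,.0f}"
              f" ({fraction_of_expected_loss(z2, v, L):.3f} of vL)")
```

With these parameters the class II optimum is zero for v = 0.9 (the breach probability barely responds to investment), which is the non-monotonic behaviour the paragraph describes.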
The Gordon–Loeb model was first published by Lawrence A. Gordon and Martin P. Loeb in their 2002 paper "The Economics of Information Security Investment" in ACM Transactions on Information and System Security. The paper was reprinted in the 2004 book Economics of Information Security. Gordon and Loeb are both professors at the University of Maryland's Robert H. Smith School of Business.
The Gordon–Loeb model is one of the most widely accepted analytical models in the "economics of cyber/information security" literature. The model has been widely referenced in the academic and practitioner literature and has also been empirically tested in several different settings. Research by the mathematicians Marc Lelarge and Yuliy Baryshnikov generalized the results of the Gordon–Loeb model.
- Gordon, Lawrence; Martin Loeb (November 2002). "The Economics of Information Security Investment". ACM Transactions on Information and System Security. 5 (4): 438–457. doi:10.1145/581271.581274.
- Kanta Matsuura (23 April 2008). "Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model" (PDF). Retrieved 30 October 2014.
- "On the Gordon&Loeb Model for Information Security Investment". CiteSeerX, citeseerx.ist.psu.edu. Retrieved 30 October 2014.
- "IEEE Xplore Abstract - Extending the Gordon and Loeb Model for Information Security Investment". ieeexplore.ieee.org. Retrieved 30 October 2014.
- Johnson, E. (2009). Managing Information Risk and the Economics of Security. Springer-Verlag. p. 99. ISBN 9780387097626. Retrieved 30 October 2014.
- "The Gordon-Loeb Investment Model Generalized: Time Dependent Multiple Threats and Breach Losses over an Investment Period". BibSonomy, bibsonomy.org. Retrieved 30 October 2014.
- Xiaomeng Su (15 June 2006). "An Overview of Economic Approaches to Information Security Management" (PDF). Retrieved 30 October 2014.
- Rainer Böhme (29 August 2010). "Security Metrics and Security Investment Models" (PDF). International Computer Science Institute, Berkeley, California. Retrieved 30 October 2014.
- "An economic model of investment in information security - HKUST Institutional Repository". repository.ust.hk. Retrieved 30 October 2014.
- "最適投資モデルに基づくセキュアシステム設計と事例研究" [Secure system design based on an optimal investment model, with case studies]. CiNii, ci.nii.ac.jp. Retrieved 30 October 2014.
- Lelarge, Marc (December 2012). "Coordination in Network Security Games: A Monotone Comparative Statics Approach". IEEE Journal on Selected Areas in Communications. 30 (11): 2210–2219. doi:10.1109/jsac.2012.121213. Retrieved 13 May 2014.
- Baryshnikov, Yuliy (24 February 2012). "IT Security Investment and Gordon-Loeb's 1/e Rule" (PDF). Retrieved 30 October 2014.
- Gordon, Lawrence; Martin Loeb (26 September 2011). "You May Be Fighting the Wrong Security Battles". The Wall Street Journal. Retrieved 9 May 2014.
- Palin, Adam (30 May 2013). "Maryland professors weigh up cyber risks". Financial Times. Retrieved 9 May 2014.
- A 3-minute video giving a non-mathematical overview of the model: https://www.youtube.com/watch?v=cd8dT0FuqQ4.