INVESTING IN CYBERSECURITY:

INVESTING IN CYBERSECURITY: Insights from the Gordon-Loeb Model Lawrence A. Gordon EY Alumni Professor of Managerial Accounting & Information Assurance Affiliate Professor in University of Maryland Institute for Advanced Computer Studies The Robert H. Smith School of Business http://scholar.rhsmith.umd.edu/lgordon April 2015 1

Basic Facts Cybersecurity Breaches are Growing at an Alarming Rate 100% Security Is Not Possible Large Share of Infrastructure Assets Owned by Private Sector Corporations Investments in Cybersecurity Involve Resource Allocation Decisions (i.e., Cost-Benefit Decisions or Making the Business Case) Cybersecurity Strategy is a National Policy Priority -- Economics is Key Component of this Strategy* 2 *See Report by OECD (2012)

Costs of Cybersecurity Breaches to Corporations Explicit Costs (e.g., Detecting and Correcting Breaches) Implicit Costs (e.g., Reputation Effect, Potential Liability) Impact of Breaches on Corporations Breaches Impact Annual Earnings of Corporations Large % of Breaches Do Not Have a Significant Impact on Stock Market Returns of Firms* -- but Some Do! Firms Have Strengthened Remediation Strategies (Important Part of Cybersecurity Risk Management) Stockholders Have Become Tolerant of Breaches 3 *See Appendix A for Methodology.

Why Are Cybersecurity Investments So Difficult to Justify? They are primarily Cost Savings Projects rather than Revenue Generating Projects (and Among the Most Difficult Cost Savings Projects to Justify) Their Benefits and Risks are Impossible to Measure Precisely (Wait-and-See approach is often Rational from an Economics perspective due to Deferment Option) Externalities are Important, but Hard to Justify on a Cost-Benefit basis 4

Figure 1: Benefits and Cost of an Investment in Cyber/Information Security* vl $ Cost of Investment Expected Benefits of Investment=(v-S[z,v])L Benefits are Increasing at a Decreasing Rate v = Vulnerability/Threat L = Potential Loss vl = Expected Loss z = Level of Investment 100% Security is Not Possible 5 45 0 z* Level of investment in information security vl *Adapted from Gordon and Loeb, 2002a (see Appendix B). z

Results of Gordon-Loeb Model* Key Components of Optimal Amount to Invest: Potential Losses (Cost Savings) Vulnerabilities/Threats Productivity of Investments Optimal Level of Cybersecurity Investments Does Not Always Increase with Level of Vulnerability Firms should Generally Invest 37% of Expected Loss (i.e., Invest, but Invest Wisely) *Economic models should be viewed as a complement to, not as a substitute for, sound business judgment! 6

How Can Organizations Use the Gordon-Loeb Model?* *Adapted from Gordon and Loeb, 2011 (Wall Street Journal) Step 1. Estimate the Potential Loss (L) from a Security Breach for each Set of Information (Info. Segmentation is Important). Step 2. Estimate the Likelihood that an Information Set will be Breached, by examining its Vulnerability/Threat (v) to Attack. Step 3. Create a Grid with all the Possible Combinations of the First Two Steps, from Low Value, Low Vulnerability/Threat to High Value, High Vulnerability/Threat. Step 4. Focus Spending where it Should Reap the Largest Net Benefits Based on Productivity of Investments. 7

Figure 2: Potential Loss from Information Security Breach Value of Information Sets (in $M)* Low Medium High Vulnerability/Threat** Low Medium High 10 20 30 40 50 60 70 80 90 100 10% 1 2 3 4 5 6 7 8 9 10 20% 2 4 6 8 10 12 14 16 18 20 30% 3 6 9 12 15 18 21 24 27 30 40% 4 8 12 16 20 24 28 32 36 40 50% 5 10 15 20 25 30 35 40 45 50 60% 6 12 18 24 30 36 42 48 54 60 70% 7 14 21 28 35 42 49 56 63 70 80% 8 16 24 32 40 48 56 64 72 80 90% 9 18 27 36 45 54 63 72 81 90 100% 10 20 30 40 50 60 70 80 90 100 8 *Value of Information = Potential Loss (L) ** Vulnerability/Threat = v Low: vl <30 Medium: 69 VL 30 High: vl 70

PRODUCTIVITY OF INVESTMENTS IN CYBERSECURITY (Example 1) z S(z,Low v ) S' S(z,Mediun v) S' S(z,High v) S' 1 0.500 0.500 0.250 0.750 0.125 0.875 2 0.333 0.167 0.111 0.139 0.037 0.088 3 0.250 0.083 0.063 0.049 0.016 0.021 4 0.200 0.050 0.040 0.023 0.008 0.008 5 0.167 0.033 0.028 0.012 0.005 0.003 6 0.143 0.024 0.020 0.007 0.003 0.002 Low Prodcutivity = v/(1+z) for Low Vulnerability/Threat Medium Productivity = v/(1+z)² for Medium Vulnerability/Threat High Productivity = v/(1+z)³ for High Vulnerability/Threat Follow the Yellow Brick Road 9

Figure 3: Cost Savings from 1st $M Investments Value of Information Sets (in $M) Low Medium High Vulnerability/Threat Low Medium High 10 20 30 40 50 60 70 80 90 100 10% 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50 5.00 20% 1.00 2.00 3.00 4.00 5.00 6.00 7.00 8.00 9.00 10.00 30% 1.50 3.00 4.50 6.00 7.50 9.00 10.50 12.00 13.50 15.00 40% 3.00 6.00 9.00 12.00 15.00 18.00 21.00 24.00 27.00 30.00 50% 3.75 7.50 11.25 15.00 18.75 22.50 26.25 30.00 33.75 37.50 60% 4.50 9.00 13.50 18.00 22.50 27.00 31.50 36.00 40.50 45.00 70% 5.25 10.50 15.75 21.00 26.25 31.50 36.75 42.00 47.25 52.50 80% 7.00 14.00 21.00 28.00 35.00 42.00 49.00 56.00 63.00 70.00 90% 7.88 15.75 23.63 31.50 39.38 47.25 55.13 63.00 70.88 78.75 100% 8.75 17.50 26.25 35.00 43.75 52.50 61.25 70.00 78.75 87.50 10

Figure 4: Incremental Cost Savings from 2nd $M Investments Value of Information Sets (in $M) Low Medium High Vulnerability/Threat Low Medium High 10 20 30 40 50 60 70 80 90 100 10% 0.17 0.33 0.50 0.67 0.83 1.00 1.17 1.33 1.50 1.67 20% 0.33 0.67 1.00 1.33 1.67 2.00 2.33 2.67 3.00 3.33 30% 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50 5.00 40% 0.56 1.11 1.67 2.22 2.78 3.33 3.89 4.44 5.00 5.56 50% 0.69 1.39 2.08 2.78 3.47 4.17 4.86 5.56 6.25 6.94 60% 0.83 1.67 2.50 3.33 4.17 5.00 5.83 6.67 7.50 8.33 70% 0.97 1.94 2.92 3.89 4.86 5.83 6.81 7.78 8.75 9.72 80% 0.70 1.41 2.11 2.81 3.52 4.22 4.93 5.63 6.33 7.04 90% 0.79 1.58 2.38 3.17 3.96 4.75 5.54 6.33 7.13 7.92 100% 0.88 1.76 2.64 3.52 4.40 5.28 6.16 7.04 7.92 8.80 11

Figure 5: Incremental Cost Savings from 3rd $M Investments Value of Information Sets Low Medium High Vulnerability/Threat Low Medium High 10 20 30 40 50 60 70 80 90 100 10% 0.08 0.17 0.25 0.33 0.42 0.50 0.58 0.67 0.75 0.83 20% 0.17 0.33 0.50 0.67 0.83 1.00 1.17 1.33 1.50 1.67 30% 0.25 0.50 0.75 1.00 1.25 1.50 1.75 2.00 2.25 2.50 40% 0.19 0.39 0.58 0.78 0.97 1.17 1.36 1.56 1.75 1.94 50% 0.24 0.49 0.73 0.97 1.22 1.46 1.70 1.94 2.19 2.43 60% 0.29 0.58 0.88 1.17 1.46 1.75 2.04 2.33 2.63 2.92 70% 0.34 0.68 1.02 1.36 1.70 2.04 2.38 2.72 3.06 3.40 80% 0.17 0.34 0.51 0.69 0.86 1.03 1.20 1.37 1.54 1.71 90% 0.19 0.39 0.58 0.77 0.96 1.16 1.35 1.54 1.73 1.93 100% 0.21 0.43 0.64 0.86 1.07 1.28 1.50 1.71 1.93 2.14 12

Figure 6: Incremental Cost Savings from 4th $M Investments Value of Information Sets (in $M) Low Medium High VulnerabilityThreat Low Medium High 10 20 30 40 50 60 70 80 90 100 10% 0.05 0.10 0.15 0.20 0.25 0.30 0.35 0.40 0.45 0.50 20% 0.10 0.20 0.30 0.40 0.50 0.60 0.70 0.80 0.90 1.00 30% 0.15 0.30 0.45 0.60 0.75 0.90 1.05 1.20 1.35 1.50 40% 0.09 0.18 0.27 0.36 0.45 0.54 0.63 0.72 0.81 0.90 50% 0.11 0.23 0.34 0.45 0.56 0.68 0.79 0.90 1.01 1.13 60% 0.14 0.27 0.41 0.54 0.68 0.81 0.95 1.08 1.22 1.35 70% 0.16 0.32 0.47 0.63 0.79 0.95 1.10 1.26 1.42 1.58 80% 0.06 0.12 0.18 0.24 0.31 0.37 0.43 0.49 0.55 0.61 90% 0.07 0.14 0.21 0.27 0.34 0.41 0.48 0.55 0.62 0.69 100% 0.08 0.15 0.23 0.31 0.38 0.46 0.53 0.61 0.69 0.76 13

Figure 7: Investment Amounts (Example 1) Value of Information Sets (in $M) Low Medium High VulnerabilityThreat Low Medium High 10 20 30 40 50 60 70 80 90 100 10% <1M 1M <2M <2M <2M 2M <3M <3M <3M <3M 20% 1M <2M 2M <3M <3M 3M <4M <4M <4M 4M 30% <2M 2M <3M 3M <4M <4M >4M >4M >4M >4M 40% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 50% <2M <3M <3M <3M <4M <4M <4M <4M >4M >4M 60% <2M <3M <3M <4M <4M <4M <4M >4M >4M >4M 70% <2M <3M <4M <4M <4M <4M >4M >4M >4M >4M 80% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 90% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 100% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 14

PRODUCTIVITY OF INVESTMENTS IN CYBERSECURITY (Example 2) z S(z,Low v) S' S(z,High V) S' 1 0.500 0.500 0.125 0.875 2 0.333 0.167 0.037 0.088 3 0.250 0.083 0.016 0.021 4 0.200 0.050 0.008 0.008 5 0.167 0.033 0.005 0.003 6 0.143 0.024 0.003 0.002 Low Prodcutivity = v/(1+z) for v = 10%, 20%, 30%, 40% and 50% High Productivity = v/(1+z)³ for v = 60%, 70%, 80%, 90% and 100% 15

Figure 7: Investment Amounts (Example 2) Value of Information Sets (in $M) Low Medium High Vulnerability/Threat Low High 10 20 30 40 50 60 70 80 90 100 10% <1M 1M <2M <2M <2M 2M <3M <3M <3M <3M 20% 1M <2M 2M <3M <3M 3M <4M <4M <4M 4M 30% <2M 2M <3M 3M <4M <4M >4M >4M >4M >4M 40% <2M <3M 3M <4M 4M >4M >4M >4M >4M >4M 50% <2M <3M <4M 4M >4M >4M >4M >4M >4M >4M 60% <2M <3M <3M <3M <3M <3M <3M <4M <4M <4M 70% <2M <3M <3M <3M <3M <3M <4M <4M <4M <4M 80% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 90% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 100% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 16

PRODUCTIVITY OF INVESTMENTS IN CYBERSECURITY (Example 3) z S(z, Lev1) S' S(z, Lev2) s' S(z, Lev3) s' S(z, Lev4) s' S(z, Lev5) s' 1 0.500 0.500 0.354 0.646 0.250 0.750 0.177 0.823 0.125 0.875 2 0.333 0.167 0.192 0.161 0.111 0.139 0.064 0.113 0.037 0.088 3 0.250 0.083 0.125 0.067 0.063 0.049 0.031 0.033 0.016 0.021 4 0.200 0.050 0.089 0.036 0.040 0.023 0.018 0.013 0.008 0.008 5 0.167 0.033 0.068 0.021 0.028 0.012 0.011 0.007 0.005 0.003 6 0.143 0.024 0.054 0.014 0.020 0.007 0.008 0.004 0.003 0.002 Productivity Lev1 = v/(1+z) for v = 10, 20% Productivity Lev2 = v/(1+z)^1.5 for v = 30, 40% Productivity Lev3 = v/(1+z)^2 for v = 50, 60% Productivity Lev4 = v/(1+z)^2.5 for v = 70, 80% Productivity Lev5 = v/(1+z)^3 for v = 90, 100% 17

Figure 7: Investment Amounts (Example 3) Value of Information Sets (in $M) Low Medium High Vulnerabilities/Threats v5 v4 v3 v2 v1 10 20 30 40 50 60 70 80 90 100 10% <1M 1M <2M <2M <2M 2M <3M <3M <3M <3M 20% 1M <2M 2M <3M <3M 3M <4M <4M <4M 4M 30% <2M <2M <3M <3M <4M <4M <4M <4M <4M >4M 40% <2M <3M <3M <4M <4M <4M 4M >4M >4M >4M 50% <2M <3M <3M <3M <4M <4M <4M <4M >4M >4M 60% <2M <3M <3M <4M <4M <4M <4M >4M >4M >4M 70% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 80% <2M <3M <3M <4M <4M <4M <4M <4M <4M >4M 90% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 100% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 18

Concluding Comments I. Cybersecurity Investments Are Hard To Justify They are Cost Savings, Not Revenue Generating, Projects You Can t See Savings Most Breaches Do Not Have Significant Effect on Stock Prices II. Invest, but Invest Wisely Conduct Cost-Benefit Analysis (Making the Business Case) On Average, Invest 37% of Expected Loss per Info. Set Wait-n-See Approach is Rational from Economics Perspective Key Factors for each Information Set: (a) Potential Loss, (b) Vulnerability/Threat, (c) Productivity of Investment Gather Data & Conduct Analyses on Above Factors III. Optimal Level of Investment Does Not Always Increase With The Level of Vulnerability/Threat Best Payoff Often Comes from Mid-level Vulnerability/Threat 19

SELECTED REFERENCES Gordon, L.A. and M.P. Loeb. 2011, You May Be Fighting the Wrong Security Battles: How IT executives can determine the right amount to spend and where to spend it, The Wall Street Journal, September 26, 2011. Gordon, L.A. and M.P. Loeb. 2006. MANAGING CYBERSECURITY RESOURCES: A Cost-Benefit Analysis (McGraw-Hill). Gordon, L.A. and M.P. Loeb. 2006. Information Security Budgeting Process: An Empirical Study, Communications of the ACM / Gordon, L.A., M.P. Loeb. 2006. Economic Aspects of Information Security: An Emerging Field of Research, Information System Frontiers. Gordon, L.A. and M.P. Loeb. 2002a. The Economics of Information Security Investment, ACM Transactions on Information and System Security. Gordon, L.A. and M.P. Loeb. 2002b. Return on Information Security Investments: Myths vs. Reality, Strategic Finance. Gordon, L.A., M.P. Loeb, and W. Lucyshyn. 2014. Cybersecurity Investments in the Private Sector: The Role of Governments, Georgetown Journal of International Affairs. Gordon, L.A., M.P. Loeb, and W. Lucyshyn. 2003. Sharing Information on Computer Systems Security: An Economic Analysis, Journal of Accounting and Public Policy. Gordon, L.A., M.P. Loeb, and W. Lucyshyn. 2003. Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal. Gordon, L.A., M.P Loeb, W. Lucyshyn, and R. Richardson. 2004. CSI/FBI Computer Crime and Security Survey, Computer Security Journal. Gordon, L.A., M.P. Loeb, W. Lucyshyn, and L. Zhou. Forthcoming. The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective, Journal of Accounting and Public Policy. Gordon, L.A., M.P. Loeb, W. Lucyshyn, and L. Zhou. 2015. Externalities and the Magnitude of Cybersecurity Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model, Journal of Information Security. Gordon, L.A., M.P. Loeb and T. Sohail. 2010. Market Value of Voluntary Disclosures Concerning Information Security, MIS Quarterly. Gordon, L.A., M.P. Loeb, and T. Sohail. 2003. A Framework for Using Insurance for Cyber-Risk Management, Communications of the ACM. Gordon, L.A., M.P. Loeb, T. Sohail. C-Y Tseng and L. Zhou. 2008. Cybersecurity Capital Allocation and Management Control Systems, European Accounting Review. Gordon, L.A., M.P. Loeb, and L. Zhou. 2011. The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs? Journal of Computer Security. Lelarge, M. 2012. Coordination in network security games: A monotone comparative statics approach. Selected Areas in Communications, IEEE Journal on Selected Areas in Communications. 20 OECD (Organization for Economic Cooperation and Development). 2012. Cybersecurity Policy Making at a Turning Point.

Appendix A: Research Methodology for Studying Cybersecurity Breaches One-factor Model (Basic CAPM) Abnormal Returns: R it AR RF = a + b ( RM RF ) + ε it = t i i RF ) [ aˆ + bˆ ( RM ( Rit t i i t t t t it RF )] Cumulative Abnormal Returns: CAR i t 2 = t= t 1 AR it, Average CAR across Firms: 1 N CARi N i = 1 CAR = R it : firm s return, RF t : risk-free rate, RM t : market s return b i ; the CAPM market model s slope parameter (i.e., the systematic risk of the return for firm i, relative to the return of the entire market place, and often call the firm s beta) 21

Appendix B: Optimal Amount to Invest in Cybersecurity (Gordon-Loeb Model)* Expected benefits of an investment in information security, denoted as EBIS, are equal to the reduction in the firm's expected loss attributable to the extra security. EBIS(z) = [v- S(z,v)] L [1] EBIS is written above as a function of z, since the investment in information security is the firm s only decision variable (v and L are parameters of the information set). The expected net benefits from an investment in information security, denoted ENBIS, equal EBIS less the cost of the investment, or: ENBIS(z) = [v -S(z,v)]L -z [2] Maximizing [2] is equivalent to minimizing: S(z,v)L +z [3] Interior maximum z*>0 is characterized by the first-order condition for maximizing [2] (or minimizing [3]) : -S z (z *,v)l =1 [4] 22 *Adapted from Gordon and Loeb, 2002a.