Negligence and sanctions in information security investments in a cloud environment


The Learned Hand rule, which compares security investments against the expected loss from data breaches, can be used as a simple tool to determine the negligence of the company holding the data. On the other hand, companies may have several incentives to distribute their data over a cloud. In order to analyze the conflict between the sanctioning behavior and the search for economic profit, we employ the well-known Gordon-Loeb models, as well as the more recent Huang-Behara models, for the relationship between investments and the probability of money loss due to malicious attacks. In this paper we determine the optimal amount of investment when data are distributed over a cloud and Hand's rule is applied. We find that the net benefit of investing in security shrinks as the number of repositories making up the cloud grows, until investing becomes unprofitable. An implication of our study is that, unless the cloud provider can guarantee a higher security investment productivity, the cloud solution provides a lower net benefit than the centralized one. By applying Hand's rule, we show that the company is held negligent for not investing only when it uses a centralized storage infrastructure or a cloud made of a limited number of repositories: Hand's rule sanctions the lack of security investments by cloud providers with a limited number of repositories.
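The following worked example is added here to illustrate the abstract's argument numerically; it is not code from the paper. It uses the class-I Gordon-Loeb breach function S(z, v) = v / (alpha*z + 1)^beta and assumes, as a simplification, that the data set and the security budget are split evenly over n identical repositories, each holding a 1/n share of the loss; the parameter values are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class GordonLoeb:
    """Class-I Gordon-Loeb model parameters (values are assumptions, not from the paper)."""
    v: float       # vulnerability: breach probability with no security investment
    L: float       # monetary loss if the whole data set is breached
    alpha: float   # investment productivity of the storage provider
    beta: float    # curvature exponent of the breach function

    def breach_prob(self, z: float) -> float:
        """Security breach probability after investing z in one repository."""
        return self.v / (self.alpha * z + 1) ** self.beta


def optimal_investment(m: GordonLoeb, n: int) -> float:
    """Total investment z* maximizing the net benefit over n equal repositories.

    With y = z/n per repository, the expected loss is n * S(y) * L/n = S(y) * L,
    so the net benefit is (v - S(y)) * L - n*y. Setting its derivative to zero gives
    (alpha*y + 1)^(beta+1) = v*alpha*beta*L/n; a negative root means "do not invest".
    """
    y = ((m.v * m.alpha * m.beta * m.L / n) ** (1.0 / (m.beta + 1)) - 1.0) / m.alpha
    return max(0.0, y) * n


def net_benefit(m: GordonLoeb, n: int, z_total: float) -> float:
    """Expected loss avoided by investing z_total, minus the investment itself."""
    return (m.v - m.breach_prob(z_total / n)) * m.L - z_total


def negligent_if_not_investing(m: GordonLoeb, n: int) -> bool:
    """Hand's rule: negligent when the burden of the optimal precaution (z*)
    is smaller than the expected loss that precaution avoids."""
    z = optimal_investment(m, n)
    if z <= 0.0:
        return False  # no profitable precaution exists, so no negligence for not investing
    avoided_loss = (m.v - m.breach_prob(z / n)) * m.L
    return z < avoided_loss


def sweep(m: GordonLoeb, sizes: list[int]) -> dict[int, tuple[float, float, bool]]:
    """(z*, net benefit at z*, negligent-if-not-investing) for each cloud size n."""
    return {n: (optimal_investment(m, n),
                net_benefit(m, n, optimal_investment(m, n)),
                negligent_if_not_investing(m, n)) for n in sizes}


if __name__ == "__main__":
    model = GordonLoeb(v=0.5, L=100.0, alpha=1.0, beta=1.0)  # constructed values
    for n, (z, nb, neg) in sweep(model, [1, 2, 10, 50, 100]).items():
        print(f"n={n:3d}  z*={z:6.2f}  net benefit={nb:6.2f}  negligent if not investing={neg}")
```

With these values the net benefit falls from about 36.9 for a single repository to 0 at n = 50, where the optimal investment is zero and Hand's rule no longer holds the company negligent for not investing.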

References

  1. Bartolini, C., El Kateb, D., Le Traon, Y., Hagen, D. (2015). Cloud providers viability: how to address it from an IT and legal perspective? In Economics of grids, clouds, systems, and services.

  2. Cooter, R., & Ulen, T. (2000). Law and economics. Boston: Addison-Wesley.

  3. D'Acquisto, G., Flamini, M., Naldi, M. (2012). Damage sharing may not be enough: an analysis of an ex-ante regulation policy for data breaches. In Trust, Privacy and Security in Digital Business - 9th International Conference, TrustBus 2012, Vienna, Austria, September 3-7, 2012. Proceedings (Vol. 7449, pp. 149–160). Springer.

  4. D'Acquisto, G., Flamini, M., Naldi, M. (2012). A game-theoretic formulation of security investment decisions under ex-ante regulation. In 27th IFIP International Information Security and Privacy Conference (Vol. 376). Springer.

  5. Drago, I., Bocchi, E., Mellia, M., Slatman, H., Pras, A. (2013). Benchmarking personal cloud storage. In Proceedings of the 2013 conference on internet measurement conference (pp. 205–212). ACM.

  6. Farkas, C., & Jajodia, S. (2002). The inference problem: a survey. ACM SIGKDD Explorations Newsletter, 4(2), 6–11.

  7. Gordon, L.A., & Loeb, M.P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457.

  8. Huang, C.D., & Behara, R.S. (2013). Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints. International Journal of Production Economics, 141(1), 255–268.

  9. Kim, K., Kang, S., Altmann, J. (2014). Cloud Goliath versus a federation of cloud Davids. In Economics of grids, clouds, systems, and services (pp. 55–66). Springer, Berlin.

  10. Markovits, R.S. (2004). Tort-related risk costs and the Hand formula for negligence. The University of Texas School of Law, Law and Economics Working Paper.

  11. Naldi, M. (2014). Balancing leasing and insurance costs to achieve total risk coverage in cloud storage multi-homing. In Altmann, J., Vanmechelen, K., Rana, O.F. (Eds.) Economics of Grids, Clouds, Systems, and Services - 11th International Conference, GECON 2014, Cardiff, UK, September 16-18, 2014. Revised Selected Papers (Vol. 8914, pp. 146–158). Springer.

  12. Naldi, M., Flamini, M., D'Acquisto, G. (2013). In Altmann, J., Vanmechelen, K., Rana, O.F. (Eds.) Economics of Grids, Clouds, Systems, and Services - 10th International Conference, GECON 2013, Zaragoza, Spain, September 18-20, 2013. Proceedings (pp. 268–279). Springer International Publishing.

  13. Naldi, M., Flamini, M., D'Acquisto, G. (2013). A revenue-based sanctioning procedure for data breaches. In The 7th International Conference on Network and System Security, NSS 2013. Madrid: Springer.

  14. Naldi, M., & Mastroeni, L. (2016). Economic decision criteria for the migration to cloud storage. European Journal of Information Systems, 25(1), 16–28.

  15. Petri, I., Diaz-Montes, J., Zou, M., Beach, T., Rana, O., Parashar, M. (2015). Market models for federated clouds. IEEE Transactions on Cloud Computing, 3(3), 398–410.

  16. Rong, C., Nguyen, S.T., Jaatun, M.G. (2013). Beyond lightning: a survey on security challenges in cloud computing. Computers & Electrical Engineering, 39(1), 47–54. Special issue on Recent Advanced Technologies and Theories for Grid and Cloud Computing and Bio-engineering.

  17. Rustad, M.L., & Koenig, T.H. (2007). Extending Learned Hand's negligence formula to information security breaches. I/S: A Journal on Law and Policy for the Information Society, 3(2), 236–270.

  18. Schneider, J.W. (2009). Preventing data breaches: alternative approaches to deter negligent handling of consumer data. Journal of Science & Technology Law, 15(2), 279–332. Boston University School of Law.

Author information

Corresponding author: Maurizio Naldi.

Responsible Editor: Jörn Altmann


Cite this article

Naldi, M., Flamini, M. & D’Acquisto, G. Negligence and sanctions in information security investments in a cloud environment. Electron Markets 28, 39–52 (2018).

Keywords

  • Security
  • Privacy
  • Investments
  • Cloud
  • Negligence
  • Hand’s rule

JEL Classification

  • D92
  • L86
  • L5