The Economics of Information Security Investment

  • Chapter
Economics of Information Security

Part of the book series: Advances in Information Security ((ADIS,volume 12))

Copyright information

© 2004 Springer Science + Business Media, Inc.

About this chapter

Cite this chapter

Gordon, L.A., Loeb, M.P. (2004). The Economics of Information Security Investment. In: Camp, L.J., Lewis, S. (eds) Economics of Information Security. Advances in Information Security, vol 12. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8090-5_9

  • DOI: https://doi.org/10.1007/1-4020-8090-5_9

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4020-8089-0

  • Online ISBN: 978-1-4020-8090-6

  • eBook Packages: Springer Book Archive