The Economics of Information Security Investment

  • Lawrence A. Gordon
  • Martin P. Loeb
Part of the Advances in Information Security book series (ADIS, volume 12)


Keywords: Information Security, Intrusion Detection System, Optimal Investment, Computer Security, Expected Loss





Copyright information

© Springer Science + Business Media, Inc. 2004

Authors and Affiliations

  • Lawrence A. Gordon, University of Maryland, USA
  • Martin P. Loeb, University of Maryland, USA
