http://dx.doi.org/10.13089/JKIISC.2017.27.4.855

Information Security Investment Model and Level in Incomplete Information  

Lee, Yong-pil (Korea Internet & Security Agency)
Abstract
Gordon & Loeb [1] suggested that an enterprise's optimal level of information security investment is the point at which the marginal benefit (MB) of the investment equals its marginal cost (MC). However, many companies that suffer information security incidents are not aware that they are experiencing them and cannot measure how much they are affected. In this paper, I propose a model of information security investment decision making under incomplete information by modifying the Gordon & Loeb [1] model, and I compare the resulting differences in investment level. Under incomplete information, the expected return from information security investment tends to be lower than that of the actual information security investment, and the level of investment is also lower. This shows that if a third party such as the government provides accurate information, such as the incidence rate of information security accidents and the amount of damages, companies can expand their investment in information security.
Keywords
Information Security Investment; Incomplete Information
Citations & Related Records
Times Cited By KSCI: 1
1 Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Zhou, L. "Increasing cybersecurity investments in private sector firms," Journal of Cybersecurity, vol. 1, no. 1, pp. 3-17, Nov. 2015.
2 Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Zhou, L. "The impact of information sharing on cybersecurity underinvestment: a real options perspective," Journal of Accounting and Public Policy, vol. 34, no. 5, pp. 509-519, Sep. 2015.
3 Gordon, L. A., Loeb, M. P., and Lucyshyn, W. "Sharing information on computer systems security: an economic analysis," Journal of Accounting and Public Policy, vol. 22, no. 6, pp. 461-485, Nov. 2003.
4 Gal-Or, E. and Ghose, A. "The economic incentives for sharing security information," Information Systems Research, vol. 16, no. 2, pp. 186-208, June 2005.
5 Shin, Soojung, Innovation with Security, Elcompany, Apr. 2013.
6 Kong, H.K., Jun, H.J., and Kim, T.S., "A study on information security investment by the analytic hierarchy process," Journal of Information Technology Applications & Management, 15(1), pp. 139-152, Mar. 2008.
7 Kong, Hee-Kyung and Kim, Tae-sung. "Research trends on information security investment effect," Korea Institute of Information Security and Cryptology, 17(4), pp. 26-33, Aug. 2007.
8 Gordon, L. A., Loeb, M. P., and Zhou, L. "Investing in cybersecurity: insights from the Gordon-Loeb model," Journal of Computer Security, vol. 7, no. 2, pp. 49-59, Mar. 2016.
9 Kisa, https://www.kisa.or.kr/notice/notice_View.jsp?cPage=1&mode=view&p_No=4&b_No=4&d_No=1756&ST=T&SV=공시
10 Symantec, https://www.symantec.com/content/en/us/about/media/pdfs/2012-state-of-information-global.en-us.pdf
11 Akamai, https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/akamai-q1-2016-state-of-the-internet-security-report.pdf
12 Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Zhou, L. "Externalities and the magnitude of cyber security underinvestment by private sector firms: a modification of the Gordon-Loeb model," Journal of Information Security, vol. 6, no. 1, pp. 24-30, Jan. 2015.
13 KISIA, http://www.kisia.or.kr/new_kisia/bbs/board.php?bo_table=s6_board3&wr_id=28
14 UK, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432412/bis-15-302-information_security_breaches_survey_2015-full-report.pdf
15 Kisa, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432412/bis-15-302-information_security_breaches_survey_2015-full-report.pdf
16 Gordon, L. A., and Loeb, M. P. "The economics of information security investment," ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 4, pp. 438-457, Nov. 2002.