• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.855-861
• /
• 2017

Gordon & Loeb[1] suggested that the optimal level of investment decision of an enterprise is the point that the marginal benefit(MB) of information security investment is equal to the marginal cost(MC). However, many companies suffering from information security incidents are not aware of the fact that they are experiencing information security accidents and can not measure how much they are affected. In this paper, I propose a model of information security investment decision making under the incomplete information situation by modifying the Gordon & Loeb[1] model and compare the differences in investment level. Under the incomplete information situation the expected return from the information security investment tends to be lower than that of actual information security investment, and the level of investment is also less. This shows that if a third party such as the government gives accurate information such as the rate of incidents of information security accidents and the amount of damages, companies can expand their investment in information security.

• The Journal of Society for e-Business Studies
• /
• v.20 no.2
• /
• pp.93-106
• /
• 2015

Providing trading partners with personal information to establish an e-commerce financial transaction is inevitable. Most e-commerce companies keep personal information and transaction data for user's convenience and develop additional services as their applications. However, keeping personal information increases the likelihood of identity theft causing direct or indirect damage while it may simplify repetitive financial transactions. This study introduces risk management methods based on quantitative and qualitative analysis including demand-supply curve model and Gordon & Loeb model to analyze the risks for security management. The empirical analysis with survey results from KISA (Korea Information Security Agency) shows that the root cause of different statistics of personal information leakage incidents according to core business of internet companies is the difference in their Loss Expectancy caused by them. Also we suggest disciplinary compensation and higher standard for personal information protection as a solution to prevent the variation of investment on it between individual companies.