The GordonâÂÂLoeb model is an economic model that analyzes the optimal level of investment in information security.
The benefits of investing in cybersecurity stem from reducing the costs associated with cyber breaches. The Gordon-Loeb model provides a framework for determining how much to invest in cybersecurity, using a cost-benefit approach.
The model includes the following key components:
Gordon and Loeb demonstrated that the optimal level of security investment, , does not exceed 37% of the expected loss from a breach. Specifically, .
The model was first introduced by Lawrence A. Gordon and Martin P. Loeb in a 2002 paper published in ACM Transactions on Information and System Security, titled "The Economics of Information Security Investment". It was reprinted in the 2004 book Economics of Information Security. Both authors are professors at the University of Maryland's Robert H. Smith School of Business.
The model is widely regarded as one of the leading analytical tools in cybersecurity economics. It has been extensively referenced in academic and industry literature. It has also been tested in various contexts by researchers such as Marc Lelarge and Yuliy Baryshnikov.
The model has also been covered by mainstream media, including The Wall Street Journal and The Financial Times.
Subsequent research has critiqued the model's assumptions, suggesting that some security breach functions may require fixing no less than the expected loss, challenging the universality of the factor. Alternative formulations even propose that some loss functions may justify investment at the full estimated loss.