Extensions of the Gordon-Loeb [1] and the Gordon-Loeb-Lucyshyn-Zhou [2] models are presented based on mathematical equivalence with a generalized homeland security model. The extensions include limitations on changes in the probability of attack, simultaneous effects on probability and loss, diversion of attack, and shared non-information defenses. Legal cases are then investigated to assess the approximate magnitudes of external effects and the extent to which they are internalized by the legal system.
The most pressing cyberthreats once came from emailed viruses, but today's cyberattacks increasingly take the form of massive identity and intellectual property thefts and the potential for physical damage to critical infrastructure. As cyberattacks have proven to be increasingly disruptive to the economy, a growing body of scholarship examines how much firms should invest in protection and what the appropriate roles for governments are. Gordon and Loeb, GL [
GL and GLLZ investigate the implications of their model in some detail after first deriving the condition that the optimum (interior) investment is found where the incremental benefits of information security equal the incremental costs. As the optimal investment is shown to be increasing in damages (losses), including external damages increases the optimal level of investment. As with standard models of investment, an organization that only considers private losses in its optimization is correct if there are no external losses; but if external losses exist then optimum social expenditures increase. By investigating several functional forms for the security breach function, GL and later researchers showed that it is not uncommon for investments to have a maximum of about 37 percent of expected losses although this result is conditional on the specification.
This paper proceeds by investigating extensions to the GL and GLLZ models implied by a general investment model for homeland security expenditures. A review of legal cases involving cybersecurity breaches is then used to assess the implications of including external costs in the optimal investment model.
While GL and GLLZ examine how much an individual firm should invest in preventing a cyberattack, related work by Farrow [
A summary of the definitions for the general homeland security investment model based on Farrow [
Define:
e_i: organizational security expenditures on site i.
P(e_i): probability of an event. P'(e_i) < 0; P''(e_i) > 0, where P' is the partial derivative with respect to e_i and functions are assumed to be twice continuously differentiable. This assumes some behavior or reaction function on the part of the attacker such that expenditures could alter their choice of targets or the expenditures could lead to capture prior to an attack.
S(e_i): additional costs incurred as a result of the investment expenditure, whether for the expending organization or for third parties, such as time in security lines or changes in productivity which are not part of the budget constraint; expect S'(e_i) > 0.
C(e_i): social cost given that an event happens, C'(e_i) < 0; C''(e_i) > 0, which includes direct costs to the organization, C_D(e_i), and costs external to the organization (external costs), C_E(e_i). Note that the constrained expenditure amount e_i is always assumed to be obligated and spent whether or not an attack occurs. It is the social cost, C, that is conditional on the event occurring.
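The two claims above that a reader most wants to see worked through are the GL optimum condition (incremental benefit of security equals incremental cost), the "about 37 percent of expected losses" ceiling, and the statement that including external losses raises the optimal investment. The following is an added example, not code from the paper or from GL; it assumes the Class II security breach function S(z, v) = v^(αz + 1) from the original GL paper, where v is the vulnerability with no investment, z the investment and L the loss from a breach, and all numeric values (v = 0.6, L = 1,000,000, α = 1e-5, external loss 500,000) are constructed for illustration.

```python
import math

def breach_prob(z, v, alpha):
    """Class II security breach function (assumed form): S(z, v) = v^(alpha*z + 1).
    Equals v with no investment and falls toward 0 as z grows."""
    return v ** (alpha * z + 1)

def enbis(z, v, loss, alpha):
    """Expected net benefit of information security:
    expected loss avoided, (v - S(z, v)) * L, minus the outlay z."""
    return (v - breach_prob(z, v, alpha)) * loss - z

def optimal_investment(v, loss, alpha):
    """Interior optimum where marginal benefit equals marginal cost (1 per dollar).
    Solving alpha * L * (-ln v) * v^(alpha z + 1) = 1 for z; clipped at zero when no
    positive investment pays off."""
    neg_ln_v = -math.log(v)
    z = (math.log(alpha * loss * neg_ln_v) / neg_ln_v - 1.0) / alpha
    return max(0.0, z)

def optimal_investment_numeric(v, loss, alpha, step=10):
    """Brute-force check of the closed form on a grid from 0 to v*L (spending more
    than the expected loss can never pay). ENBIS is concave in z for this S, so the
    best grid point lies within one step of the true optimum."""
    best_z, best_val = 0, enbis(0, v, loss, alpha)
    for z in range(step, int(v * loss) + 1, step):
        val = enbis(z, v, loss, alpha)
        if val > best_val:
            best_z, best_val = z, val
    return float(best_z)

def fraction_of_expected_loss(v, loss, alpha):
    """Optimal investment as a fraction of the expected loss v*L; GL show this never
    exceeds 1/e (about 37 percent) for the breach functions they study."""
    return optimal_investment(v, loss, alpha) / (v * loss)

def private_vs_social(v, private_loss, external_loss, alpha):
    """Optimum when the firm counts only its own loss versus the social optimum that
    adds external loss L_E; the latter is larger because z* is increasing in L."""
    return (optimal_investment(v, private_loss, alpha),
            optimal_investment(v, private_loss + external_loss, alpha))

if __name__ == "__main__":
    v, L, alpha, L_E = 0.6, 1_000_000.0, 1e-5, 500_000.0   # constructed values
    z_star = optimal_investment(v, L, alpha)
    print(f"closed-form z* = {z_star:,.0f}, grid search = {optimal_investment_numeric(v, L, alpha):,.0f}")
    print(f"z* / (vL) = {fraction_of_expected_loss(v, L, alpha):.3f}  (1/e = {1/math.e:.3f})")
    z_priv, z_soc = private_vs_social(v, L, L_E, alpha)
    print(f"private optimum = {z_priv:,.0f}, social optimum with L_E = {z_soc:,.0f}")
```

With these values the firm's own optimum is just under the 1/e ceiling (about 219,000 against an expected loss of 600,000), and adding the external loss pushes the social optimum to roughly 299,000; the grid search agrees with the closed form to within its step size.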
The organization’s investment problem is stated as choosing the level of expenditure at each site (
Min
Subject to:
The unconstrained minimization form of the problem is that used by Baryshnikov [
GL and GLLZ do not consider a budget constraint, although they note that conflict between the Chief Information Officer and the Chief Executive Officer may affect the derivation of the optimal amount. In many instances, a budget constraint may be a more realistic decision context. In the budget constrained problem, a budget larger than the optimum expenditure yields the unconstrained solution (the constraint is not binding) while a binding constraint implies a shadow price affecting the expenditure allocation. At the same time, the parameterization in GL adds greater interpretation to the Farrow results.
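To make the budget-constrained case concrete, here is an added example (not from the paper or from Farrow) that allocates a fixed budget across several sites using the definitions above. It assumes P_i(e) = p_i·exp(-k_i·e), which satisfies P' < 0 and P'' > 0, a constant social cost C_i given an event, and S(e) = 0; the site parameters and budgets are constructed. Spending at each funded site is set where the marginal benefit, -P_i'(e)·C_i, equals 1 plus the shadow price of the budget; the shadow price is zero when the budget is not binding and is found by bisection otherwise.

```python
import math

# Constructed sites: (p0, k, C). P(e) = p0 * exp(-k e); C is the social cost given an event.
SITES = {
    "site_A": (0.30, 1e-4, 2_000_000.0),
    "site_B": (0.20, 2e-4,   500_000.0),
    "site_C": (0.05, 1e-4,   100_000.0),
}

def marginal_benefit(e, p0, k, cost):
    """-P'(e) * C: expected social cost avoided by the next dollar spent at this site."""
    return p0 * k * cost * math.exp(-k * e)

def site_spend(p0, k, cost, shadow_price):
    """Spend where marginal benefit equals 1 + shadow_price; zero if even the first
    dollar returns less than its cost (the corner solution)."""
    ratio = p0 * k * cost / (1.0 + shadow_price)
    return math.log(ratio) / k if ratio > 1.0 else 0.0

def allocate(sites, budget):
    """Return (allocation, shadow_price). Total spend falls as the shadow price rises,
    so bisection on the shadow price finds the value that exhausts a binding budget."""
    def total(lam):
        return sum(site_spend(*params, lam) for params in sites.values())
    if total(0.0) <= budget:          # constraint not binding: unconstrained solution
        lam = 0.0
    else:
        lo, hi = 0.0, 1.0
        while total(hi) > budget:     # bracket the shadow price
            hi *= 2.0
        for _ in range(200):
            mid = (lo + hi) / 2.0
            if total(mid) > budget:
                lo = mid
            else:
                hi = mid
        lam = hi
    return {name: site_spend(*params, lam) for name, params in sites.items()}, lam

def expected_social_cost(sites, alloc):
    """Sum over sites of spend plus expected cost given the event, e + P(e) * C."""
    return sum(alloc[n] + p0 * math.exp(-k * alloc[n]) * c for n, (p0, k, c) in sites.items())

if __name__ == "__main__":
    for budget in (100_000.0, 30_000.0):   # constructed: one slack budget, one binding
        alloc, lam = allocate(SITES, budget)
        print(f"budget {budget:,.0f}: shadow price {lam:.3f}, "
              f"expected social cost {expected_social_cost(SITES, alloc):,.0f}")
        for name, params in SITES.items():
            print(f"  {name}: spend {alloc[name]:,.0f}, "
                  f"marginal benefit {marginal_benefit(alloc[name], *params):.3f}")
```

With the slack budget the shadow price is zero and the two worthwhile sites are funded until their marginal benefit is exactly 1; with the 30,000 budget the shadow price is about 4.6 and funded sites are cut back until each returns 1 + 4.6 per dollar. Site C is never funded in either case, because even its first dollar returns only 0.5, which is the zero-investment case the paper describes.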
The notation changes and constraints to place the GL model in the Farrow notation are as below (
Farrow investigated several cases which can be considered extensions of the GL and GLLZ models. Security and investment concerns modeled by these extensions include:
1) Multiple sites with a budget constraint: The primary difference compared to GL and GLLZ is inclusion of the shadow price of the constraint. First order conditions require that the marginal (incremental) benefit of the investment equal the marginal cost at each site where the marginal cost takes into account the shadow price associated with the binding constraint. Further, marginal expected social costs avoided―the benefits―are to be equated across sites. Where such equality cannot occur, some sites have zero optimal investment. In application, GL appear to follow such an approach for multiple information sets [
2) Probability and consequence reductions: Investments may reduce not only the probability of an attack but the loss from the attack. When these impacts are separated, investments should occur until the incremental return per dollar invested is the same across the probability and consequence domains. Recent cybersecurity approaches echo this conclusion by extending cybersecurity beyond protecting access to actions designed to limit internal and external damage.
3) Attacker diversion: Investments in defense by one organization may divert attacker effort to another site. If larger firms are better protected than smaller firms, whether in the defense industry or elsewhere, the probability of attack may increase at less defended sites.
4) Continuous asymmetric focus or advanced persistent attack: Limitations on ability to defend a site or consequences of an attack may lead to optimal inequality of defense across sites and information sets as security may not be reducible to the level desired in the absence of such persistent attacks.
5) Shared filtering or defenses: The benefit of the investment includes the sum of benefits across all units to the extent that defensive activity reduces damages at other sites through positive external effects. This may occur for example if government or the private sector provides centralized hacker detection. The centralization
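Item 2 above, separating the effect of investment on the probability of an attack from its effect on the loss, is the one that changes the first-order condition most visibly: at the optimum the incremental return per dollar must be the same in the probability domain and in the consequence domain. The following added example (not from the paper or from Farrow) minimizes e_p + e_c + P(e_p)·C(e_c) with two investment budgets, assuming P(e_p) = p0·exp(-k_p·e_p) and C(e_c) = C_floor + (C_0 - C_floor)·exp(-k_c·e_c), where C_floor is the loss that no amount of damage limitation can remove; all parameter values are constructed. Because each term is convex in (e_p, e_c), alternating closed-form updates converge to the global optimum, where both marginal returns equal 1.

```python
import math

# Constructed parameters for the probability and consequence domains.
P0, K_P = 0.4, 1e-4                 # attack probability with no prevention spend; decay per dollar
C0, C_FLOOR, K_C = 2_000_000.0, 200_000.0, 5e-4   # loss with no mitigation; irreducible loss; decay

def prob(e_p):
    return P0 * math.exp(-K_P * e_p)

def cost(e_c):
    return C_FLOOR + (C0 - C_FLOOR) * math.exp(-K_C * e_c)

def expected_total_cost(e_p, e_c):
    """Outlays in both domains plus expected loss P(e_p) * C(e_c)."""
    return e_p + e_c + prob(e_p) * cost(e_c)

def marginal_returns(e_p, e_c):
    """Expected loss avoided per extra dollar in each domain:
    probability: -P'(e_p) * C(e_c); consequence: -P(e_p) * C'(e_c)."""
    return (K_P * prob(e_p) * cost(e_c),
            prob(e_p) * K_C * (C0 - C_FLOOR) * math.exp(-K_C * e_c))

def optimize(tol=1e-12, max_iter=1000):
    """Alternate closed-form best responses: each update sets that domain's marginal
    return to 1 given the other domain's spend, clipped at 0 at the corner."""
    e_p, e_c = 0.0, 0.0
    for _ in range(max_iter):
        new_p = max(0.0, math.log(K_P * P0 * cost(e_c)) / K_P)
        new_c = max(0.0, math.log(prob(new_p) * K_C * (C0 - C_FLOOR)) / K_C)
        if abs(new_p - e_p) < tol and abs(new_c - e_c) < tol:
            e_p, e_c = new_p, new_c
            break
        e_p, e_c = new_p, new_c
    return e_p, e_c

if __name__ == "__main__":
    e_p, e_c = optimize()
    r_p, r_c = marginal_returns(e_p, e_c)
    print(f"prevention spend {e_p:,.0f}, mitigation spend {e_c:,.0f}")
    print(f"marginal return per dollar: probability {r_p:.4f}, consequence {r_c:.4f}")
    print(f"expected total cost {expected_total_cost(e_p, e_c):,.0f} "
          f"vs {expected_total_cost(0, 0):,.0f} with no investment")
```

For these numbers the optimum spends about 23,000 on prevention and 7,200 on damage limitation, cutting the expected total cost from 800,000 to roughly 40,000; shifting a dollar from one domain to the other at that point raises expected cost, which is the equal-return condition the text states. Setting k_c much smaller shows the other case the text allows: mitigation never pays and all investment goes to prevention.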