User:Zlccwiki/sandbox

The Gordon-Loeb /ˈgȯr-dən ˈlōb/ model is a mathematical model for analyzing the optimal level of investment in cybersecurity. From the model, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss. More specifically, the model shows that it is generally uneconomical to invest in information security activities (including cybersecurity-related activities) more than 37 percent of the expected loss that would result from a security breach. The Gordon-Loeb model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase as the information set's vulnerability increases. In other words, organizations may derive a higher return on their security spending by directing information security activities at information sets with a medium level of vulnerability.
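As an added worked example (not part of the sandbox text or the authors' own material), the following code implements the two classes of security breach probability functions from the 2002 paper, computes the closed-form optimal investment z* for each, and checks two of the results described above: z* never exceeds 1/e (about 37 percent) of the expected loss, and for the class II function z* peaks at a medium vulnerability and falls to zero as the vulnerability approaches 1. The parameter values (a loss of 1,000,000, alpha = 1e-5, beta = 1) are constructed for illustration.

```python
"""Gordon-Loeb optimal security investment for the paper's two classes of
security breach probability functions. Notation: lambda_ is the loss if a
breach occurs, v the vulnerability (breach probability with no investment),
z the investment, S(z, v) the breach probability after investing z."""
import math

def s_class1(z, v, alpha, beta):
    """Class I: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1) ** beta

def s_class2(z, v, alpha):
    """Class II: S(z, v) = v**(alpha*z + 1); S(z, 1) = 1, so v = 1 cannot be protected."""
    return v ** (alpha * z + 1)

def enbis(z, v, lambda_, s):
    """Expected net benefit of investing z: expected loss avoided minus the cost z."""
    return (v - s(z, v)) * lambda_ - z

def optimal_class1(v, lambda_, alpha, beta):
    """z* from the first-order condition -S_z(z*, v) * lambda_ = 1, clipped at 0."""
    k = alpha * beta * v * lambda_
    return max(0.0, (k ** (1.0 / (beta + 1)) - 1.0) / alpha)

def optimal_class2(v, lambda_, alpha):
    """Class II z*; with u = -ln v the FOC gives z* = (ln(alpha*lambda_*u)/u - 1)/alpha."""
    if v <= 0.0 or v >= 1.0:
        return 0.0  # nothing at risk, or no investment can change S
    u = -math.log(v)
    return max(0.0, (math.log(alpha * lambda_ * u) / u - 1.0) / alpha)

def investment_fraction(z_star, v, lambda_):
    """Optimal spend as a fraction of the expected loss v*lambda_ (paper: at most 1/e)."""
    return z_star / (v * lambda_)

def beats_grid(z_star, v, lambda_, s, z_max, steps=2000):
    """Brute-force check: no grid point in [0, z_max] has a higher ENBIS than z*."""
    best = enbis(z_star, v, lambda_, s)
    return all(enbis(z_max * i / steps, v, lambda_, s) <= best + 1e-6
               for i in range(steps + 1))

if __name__ == "__main__":
    # Constructed parameters: a 1,000,000 loss, alpha = 1e-5, beta = 1 (class I only).
    LAMBDA, ALPHA, BETA = 1_000_000.0, 1e-5, 1.0
    for v in (0.05, 0.25, 0.5, 0.75, 0.95):
        z1, z2 = optimal_class1(v, LAMBDA, ALPHA, BETA), optimal_class2(v, LAMBDA, ALPHA)
        print(f"v={v:.2f}  class I z*={z1:9.0f} ({investment_fraction(z1, v, LAMBDA):.3f} of vL)"
              f"  class II z*={z2:9.0f} ({investment_fraction(z2, v, LAMBDA):.3f} of vL)")
```

With these parameters the class I optimum rises steadily with v, while the class II optimum is largest near v = 0.75 and is zero at v = 0.95, which is the non-monotonic behaviour the paragraph describes.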

The Gordon-Loeb model was first published by Lawrence A. Gordon and Martin P. Loeb in their 2002 ACM Transactions on Information and System Security paper, "The Economics of Information Security Investment." The paper was reprinted in the 2004 book Economics of Information Security.

The Gordon-Loeb model has been widely referenced in the academic and practitioner literature. It has been featured in The Wall Street Journal and the Financial Times. The model has also been empirically tested in several different settings.