Information Security Investment Model and Level in Incomplete Information

Vol. 27, No. 4, pp. 855-862, Aug. 2017
10.13089/JKIISC.2017.27.4.855, Full Text:
Keywords: Information Security Investment, Incomplete Information
Abstract

Gordon & Loeb[1] suggested that the optimal level of investment decision of an enterprise is the point that the marginal benefit(MB) of information security investment is equal to the marginal cost(MC). However, many companies suffering from information security incidents are not aware of the fact that they are experiencing information security accidents and can not measure how much they are affected. In this paper, I propose a model of information security investment decision making under the incomplete information situation by modifying the Gordon & Loeb[1] model and compare the differences in investment level. Under the incomplete information situation the expected return from the information security investment tends to be lower than that of actual information security investment, and the level of investment is also less. This shows that if a third party such as the government gives accurate information such as the rate of incidents of information security accidents and the amount of damages, companies can expand their investment in information security.

Statistics
Show / Hide Statistics

Statistics (Cumulative Counts from December 1st, 2017)
Multiple requests among the same browser session are counted as one view.
If you mouse over a chart, the values of data points will be shown.


Cite this article
[IEEE Style]
Y. Lee, "Information Security Investment Model and Level in Incomplete Information," Journal of The Korea Institute of Information Security and Cryptology, vol. 27, no. 4, pp. 855-862, 2017. DOI: 10.13089/JKIISC.2017.27.4.855.

[ACM Style]
Yong-pil Lee. 2017. Information Security Investment Model and Level in Incomplete Information. Journal of The Korea Institute of Information Security and Cryptology, 27, 4, (2017), 855-862. DOI: 10.13089/JKIISC.2017.27.4.855.