What Should You Pay to Protect Your Data? The Economics of Cyber Security

Research output: Contribution to non-peer-reviewed publication › Internet publication


A CISO’s primary duty is to protect their organisation’s data. The past year has seen an increase in the frequency of major cyber incidents, including evolving malware, DDoS, social engineering and supply-chain attacks. These events serve as a serious warning to organisations that cyber security investment is essential to protect their assets, regardless of their size.

If the organisation holds valuable data (for example, customer PII or sensitive commercial information), we would expect a range of controls to be in place, from employee training and risk management strategies to network monitoring, up-to-date firewalls and breach mitigation products. The difficult question is therefore: what is the ‘right’ amount to invest to protect a given data set? How do you know whether you are investing too much, or too little? Organisational leaders often have little to go on when deciding how much to spend on cyber security, and the decision needs to rest on more than intuition (which is, by definition, subjective).

Two academics at the University of Maryland, Lawrence Gordon and Martin Loeb, have developed an economic framework to help answer this question. Their model weighs the cost of an investment against the reduction in expected loss (the probability of a breach multiplied by the loss it would cause) that the investment buys. They found that the optimal amount of investment should be only a ‘small fraction’ of the expected monetary loss from a breach: under their model it never exceeds roughly 37% (1/e) of the expected loss. They also found that security spending has diminishing returns, so beyond a certain point each extra unit invested buys progressively less additional protection. Their model has become one of the most prominent frameworks within the economics of security investment.
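The following worked example, added here and not part of the original article, makes the Gordon-Loeb reasoning concrete. It uses the two ‘security breach probability’ function classes from Gordon and Loeb’s 2002 paper (class I: S1(z, v) = v / (αz + 1)^β; class II: S2(z, v) = v^(αz + 1)), where v is the vulnerability of the data set (the probability of a breach with no investment), L the loss if a breach occurs, z the amount invested, and α and β the productivity of the security spend. It computes the investment z* that maximises the expected net benefit (reduction in expected loss minus cost), cross-checks it against a brute-force search, and shows that z* stays below 1/e of the expected loss v·L. The parameter values (v = 0.5, L = 1,000,000, α = 1e-5, β = 1) are invented for illustration.

```python
"""Gordon-Loeb optimal security investment: added worked example.

Not code from the original article. Uses the two breach probability
function classes from Gordon & Loeb (2002):
    class I : S1(z, v) = v / (alpha*z + 1)**beta
    class II: S2(z, v) = v ** (alpha*z + 1)
v     = vulnerability: breach probability with no investment
L     = monetary loss if a breach occurs, so v*L is the expected loss
z     = amount invested in security
alpha, beta = productivity parameters of the security function (> 0)
All numeric parameter values below are invented for illustration.
"""
import math

ONE_OVER_E = 1.0 / math.e          # the ~37% bound quoted in the article


def s1(z, v, alpha, beta):
    """Class I breach probability after investing z."""
    return v / (alpha * z + 1.0) ** beta


def s2(z, v, alpha):
    """Class II breach probability after investing z."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, L, breach_prob):
    """Expected net benefit of information security: reduction in expected
    loss that the spend buys, minus the spend itself."""
    return (v - breach_prob(z)) * L - z


def optimal_class1(v, L, alpha, beta):
    """Closed-form optimum for class I, from d/dz ENBIS = 0:
    v*L*alpha*beta / (alpha*z + 1)**(beta + 1) = 1."""
    k = v * L * alpha * beta
    if k <= 1.0:                    # first unit of spend already not worth it
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def optimal_class2(v, L, alpha):
    """Closed-form optimum for class II, from d/dz ENBIS = 0:
    alpha*L*ln(1/v) * v**(alpha*z + 1) = 1."""
    target = 1.0 / (alpha * L * math.log(1.0 / v))   # breach prob at optimum
    if target >= v:                 # would need a higher prob than at z = 0
        return 0.0
    return (math.log(target) / math.log(v) - 1.0) / alpha


def grid_optimum(v, L, breach_prob, step=1000.0):
    """Brute-force cross-check. Spending more than the expected loss is
    never optimal, so search z in [0, v*L]."""
    best_z, best_val = 0.0, enbis(0.0, v, L, breach_prob)
    z = step
    while z <= v * L:
        val = enbis(z, v, L, breach_prob)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def investment_ratio(z_star, v, L):
    """Optimal investment as a fraction of the expected loss v*L."""
    return z_star / (v * L)


def max_ratio_over_sweep(v, L, alphas, betas):
    """Largest z*/(v*L) seen over a parameter sweep of both classes;
    Gordon & Loeb prove it never reaches 1/e."""
    ratios = [investment_ratio(optimal_class1(v, L, a, b), v, L)
              for a in alphas for b in betas]
    ratios += [investment_ratio(optimal_class2(v, L, a), v, L) for a in alphas]
    return max(ratios)


def worked_example(v=0.5, L=1_000_000.0, alpha=1e-5, beta=1.0):
    """Return (z1, z2, ratio1, ratio2) for the class I and class II optima."""
    z1 = optimal_class1(v, L, alpha, beta)
    z2 = optimal_class2(v, L, alpha)
    return z1, z2, investment_ratio(z1, v, L), investment_ratio(z2, v, L)


if __name__ == "__main__":
    v, L, alpha, beta = 0.5, 1_000_000.0, 1e-5, 1.0
    z1, z2, r1, r2 = worked_example(v, L, alpha, beta)
    g1 = grid_optimum(v, L, lambda z: s1(z, v, alpha, beta))
    g2 = grid_optimum(v, L, lambda z: s2(z, v, alpha))
    print(f"expected loss v*L = {v * L:,.0f}")
    print(f"class I : z* = {z1:,.0f} ({r1:.1%} of expected loss); grid = {g1:,.0f}")
    print(f"class II: z* = {z2:,.0f} ({r2:.1%} of expected loss); grid = {g2:,.0f}")
    sweep = max_ratio_over_sweep(v, L, [1e-6, 1e-5, 1e-4, 1e-3], [0.5, 1, 2, 5, 20])
    print(f"max ratio over sweep = {sweep:.3f}, 1/e bound = {ONE_OVER_E:.3f}")
```

With these invented parameters the class I optimum is about 123,600 (25% of the 500,000 expected loss) and the class II optimum about 179,300 (36%), both under the 1/e ceiling; the sweep shows the ceiling holds as the productivity parameters vary. The practical lesson is that the right spend is driven by expected loss and by how quickly extra spending stops reducing breach probability, not by the value of the data alone.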
Original language: English
Number of pages: 6
Volume: March 2018 edition
Specialist publication: Cyber World
Publication status: Published - 9 Mar 2018