^{1}

^{*}

^{1}

^{*}

^{1}

^{*}

This paper provides an analysis of how the benefits of information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. An analytical model based on the framework of the Gordon-Loeb Model ( [1] ) is presented that provides a set of sufficient conditions for information segmentation to lower the total investments in cybersecurity and the expected loss from cybersecurity breaches. A numerical example illustrating the insights gained from the model is also presented.

In today’s interconnected world of digital computer-based communication systems, a fundamental question confronting organizations is: How much should an organization invest in cybersecurity related activities?^{1} The answer to the above question is far from straightforward. Indeed, deriving the appropriate amount an organization should invest in cybersecurity is essentially a resource allocation decision that is best resolved in terms of cost-benefit analysis.

The primary objective of this paper is to provide an analysis of how information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. While many benefits of information segmentation have been well-documented (e.g., [^{2}

The remainder of this paper proceeds as follows. In the next (i.e., second) section of the paper we provide a brief review of the literature on cybersecurity investments.^{3} In the third section of the paper we provide a discussion of information segmentation, with an emphasis on the benefits of information segmentation in deriving the appropriate amount an organization should invest in cybersecurity related activities. The fourth section of the paper provides a model and example that illustrates the use of the Gordon-Loeb Model for deriving the appropriate amount to invest in cybersecurity related activities. The example is based on an organization that has segmented its information into three subsets of information. The fifth section of the paper provides some concluding comments and suggestions for future research.

Although cybersecurity is a fundamental concern for organizations, they cannot devote all of their resources to cybersecurity. Indeed, as with all resource allocation decisions, investments in (i.e., expenditures on) cybersecurity related activities need to be viewed in the context of cost-benefit analysis.^{4} That is, in addressing the fundamental question concerning the right amount to invest in cybersecurity, organizations need to consider the costs and benefits associated with such investments.

There is a large, and growing, body of literature addressing issues related to cybersecurity investments. The focus of this literature is, however, quite varied. For example, one stream of this literature focuses on the trade-offs among different combinations of security related expenditures (e.g., expenditures on such things as access controls, encryption, firewalls, employee training, intrusion prevention and detection systems, computer hardware, etc.). Generally speaking, this stream of literature is concerned with deciding on how to efficiently allocate the funds that have been budgeted for cybersecurity related activities. Papers by Bodin, Gordon and Loeb [

A second stream of literature addressing issues related to cybersecurity investments focuses on expenditures related to cybersecurity insurance as a way of transferring the risk associated with cybersecurity breaches. Of course, expenditures on cybersecurity insurance are indirectly investments in cybersecurity. Papers by Gordon, Loeb and Sohail [

A third stream of the literature addressing issues related to cybersecurity investments focuses on deriving the optimal amount an organization should invest in cybersecurity activities. This stream of literature implicitly assumes the investment in cybersecurity related activities will be allocated in the most efficient manner. Papers by Hoo [

All of the above noted streams of literature have a bearing on answering the question: How much should an organization invest in cybersecurity related activities? However, the papers addressing issues related to the optimal amount an organization should invest in cybersecurity are explicitly concerned with answering the above question. The most widely referenced economic model for deriving the optimal amount to invest in cybersecurity activities in the academic literature is the Gordon-Loeb Model [^{5} Most importantly for the purposes of this paper, the GL Model provides a general framework that can assist organizations during the process of making decisions concerning the derivation of the appropriate amount to spend on cybersecurity related activities. As noted by the U.S. Council of Better Business Bureaus, in its Report on the “2017 State of Cybersecurity Among Small Businesses in North America”:

Since the threat of cybersecurity is real, and action is important, a fundamental question organizations answer is: How much should they invest in cybersecurity? Gordon and Loeb developed a model based on cost-benefit analysis to help answer this question. Their framework provides a useful guide for organizations trying to find the right level of cybersecurity investment ( [

The general framework provided by the GL Model is based on three fundamental factors. These three factors are: 1) the value of the information being protected, which represents the potential loss from a cybersecurity breach and is denoted as L, 2) the probability that the information will suffer a cybersecurity breach, denoted as v ( 0 < v < 1 ),^{6} and 3) the productivity of the investment in cybersecurity activities, referred to as the security breach probability function and denoted as S ( z , v ) , where z represents the investment. Note that S ( 0 , v ) = v (i.e., v represents the probability of a breach when z = 0 ). Given the above, the expected loss before an additional investment in cybersecurity activities is equal to vL. The productivity function for an investment, S ( z , v ) , provides a revised measure of the probability that an information set will be breached after some level of investment in cybersecurity. The GL Model assumes that the benefits from increasing cybersecurity investments are derived from decreasing the expected loss, S ( z , v ) L , associated with a cybersecurity breach. The model also assumes that these benefits are increasing at a decreasing rate (i.e., there are positive, but diminishing, returns to increasing cybersecurity investments). In other words, increased investments in cybersecurity reduce S ( z , v ) , and in turn S ( z , v ) L (i.e., the expected loss), but this reduction in the expected loss occurs at a decreasing rate. A convenient feature of the GL Model is that it easily incorporates the information segmentation concept discussed above. The GL Model is summarized in a set of equations provided in the Appendix to this paper.

Firms often have several segmented computer networks and multiple segmented databases within a given network.^{7} Both network segmentation and database segmentation facilitate limiting the access of information to specific individuals. Database segmentation and network segmentation result in what we refer to as information segmentation (i.e., subsets of segmented information). Firewalls, access controls, encryption, and dedicated computers are among the ways to facilitate information segmentation. Network segmentation is also a useful mechanism for keeping some information disconnected from the Internet, which is a critical portal for cybersecurity breaches. Information segmentation could be based on a variety of factors, including business functions (e.g., accounting/finance, production, marketing), business subunits (including wholly-owned subsidiaries), customer characteristics, geographic location of sales and/or operations, government regulations, point of sales characteristics (e.g., retail store sales, e-commerce sales), secret formulas, etc.

The amount a firm should be willing to invest in cybersecurity-related activities to protect a specific information segment should be directly related to the potential benefits (i.e., potential reduction in the expected loss) resulting from the cybersecurity investment in the information segment. That is, decisions regarding the amount to invest in cybersecurity for a specific information segment should be based on a segment-specific cost-benefit analysis. Based on the GL Model, this means that the optimal amount ( z i * ) to invest in a specific information segment i depends on the value ( L i ) of the information contained in the i^{th} information segment, the vulnerability to cybersecurity breach of that information segment ( v i ), and the productivity of additional investments in cybersecurity for that information segment, S i ( z i , v i ) . Based on the assumption that additional investments in cybersecurity reduce the probability of incurring a cybersecurity breach, the benefits from such an additional investment can be derived by multiplying the reduction in the probability of breach times the potential benefits (i.e., [ v i − S i ( z i , v i ) ] L i ). To illustrate the above point, assume a firm has a cybersecurity breach to an information segment that contains sensitive customer information (e.g., credit card numbers, and/or social security numbers). Such a breach could result in a major loss to the firm due to its potential negative impact on future revenues and potential class-action lawsuits. A large investment in cybersecurity related activities to protect that information segment by reducing the probability of a breach to that information segment may be warranted. In contrast, a cybersecurity breach to a publicly available segment of information (e.g., a listing and description of government regulations used for compliance purposes) is unlikely to result in a major loss to a firm. In this latter case, a large investment in cybersecurity related activities to protect that information segment seems unjustified.

In addition to the fact that different segments of information within a given firm may have different values, the probability of a cybersecurity breach to different information segments would likely be an increasing function of the value of the information being protected. Generally speaking, the more valuable an information segment, the greater the amount of effort and dollars a hacker would be willing to spend on illegally obtaining such information. That is, hackers also conduct a cost-benefit analysis when targeting information to steal.^{8} Thus, there is a game-theoretic cost-benefit type of analysis going on between those protecting an information segment and those trying to illegally gain access to the same information segment. On the one hand, the owners of an information segment consider the cost-benefit aspects of protecting the information. On the other hand, potential hackers are considering the cost-benefit aspects of conducting a successful hack of the information.

Achieving 100% cybersecurity is essentially impossible from a technical perspective. Furthermore, from an economics perspective, an organization should stop investing in cybersecurity activities once the incremental costs from an incremental investment exceed the expected incremental benefits from such an investment. The expected incremental benefits from increasing cybersecurity investments are primarily derived from avoiding the costs (i.e., cost savings or what some call cost avoidance) associated with cybersecurity breaches. In other words, by avoiding a cybersecurity breach an organization saves the amount it would have lost due to the breach.^{9} The amount an organization would expect to lose from a cybersecurity breach is based on the value of the information being protected and the probability that a successful breach was to occur. Thus, the expected incremental benefits from an incremental investment in cybersecurity activities equal the expected loss from a cybersecurity breach that would be avoided as a result of the additional cybersecurity investment. Assuming that cybersecurity investments reduce the probability of a breach, these benefits would equal the reduction in the probability of a breach due to the investment multiplied by the value of the information being protected (see Equation [A1] in the Appendix).

The four steps associated with implementing the GL Model, when multiple segments (i.e., subsets) of information exist, are as follows:^{10}

Step 1: Estimate the value, L i , associated with each information segment being protected.

Step 2: Estimate the probability, v i , of a breach associated with each information segment i. As pointed out above, the probability of a breach would likely vary for different information segments.

Step 3: Estimate the productivity of investments in cybersecurity [ S i ( z i , v i ) ] to protect each specific information segment.

Step 4: Derive the optimal investment level, z i * for each information segment i, (i.e., z i * minimizes [ S i ( z i , v i ) L i + z i ] ). The sum of the investments, z s e g * ≡ ∑ i z i * is the optimal total investment level, under the assumption that the information segments are independent of each other.^{11}

By deriving the appropriate amount to invest in cybersecurity for each information segment based on the GL Model, and aggregating these amounts, an organization is able to answer the question: How much should our organization invest in cybersecurity related activities? More to the point, assuming independent information segments, the answer to the question is that the overall level of cybersecurity investment should be the sum of the amounts derived for each segment (as shown in step 4 above).

There are at least seven potential benefits that information segmentation provides an organization concerning its cybersecurity investment level.^{12} First, information segmentation facilitates limiting the access of information to specific individuals (internal, as well as external, to the organization), based on need and security clearance. Thus, for a given cybersecurity investment level, there should be an improvement in the overall security of the information contained within an organization’s entire computer-based information system. Alternatively, for a given level of overall cybersecurity, an organization should be able to invest less than would be necessary in the absence of information segmentation.

Second, and closely related to the first benefit noted above, information segmentation minimizes the cascading effect of a cybersecurity breach that actually occurs within an organization. Minimizing the cascading effect is accomplished by decoupling information into disconnected (i.e., independent) segments or strongly separated (e.g., via firewalls, access controls, encryption, etc.) information segments. In other words, the goal is to minimize the connectivity of information segments such that a cybersecurity breach to one segment of information can be contained to that subset of information. Where connectivity among information segments exist, however, an estimate of the interactive effect needs to be made. Here again, for a given level of overall cybersecurity, information segmentation (especially where the information segments are independent from one another) should facilitate an organization’s ability to invest less than would be necessary in the absence of any information segmentation.

Third, the decoupling of information segments means that the effort, and in turn investment, involved in detecting a cybersecurity breach should be much lower than in a situation where the breach affects an organization’s entire information system. Furthermore, by focusing on specific segments of information, once an actual cybersecurity breach is detected, the required investment to recover from the breach should be more focused, and in turn lower, than the required investment where a cybersecurity breach has affected the organization’s entire information system.

Fourth, information segmentation also facilitates more focused policies and decentralized accountability regarding the protection of an organization’s information. The decentralization of information accountability and more focused policies concerning an organization’s cybersecurity is especially important for large (e.g., multinational) organizations. More focused policies and decentralized accountability should also facilitate a more efficient allocation of funds budgeted for cybersecurity related activities. The above should translate into reducing cybersecurity breaches and, in turn, the overall investment required for cybersecurity related activities.

Fifth, Information segmentation should also improve the reliability of the estimates of the value of information needing protection, the probability of a breach to an information subset, and the productivity of investments in cybersecurity to protect the specific information subset. In other words, information segmentation should improve the estimates required to implement the framework underlying the GL Model for cybersecurity investments. This improvement in estimates is accomplished by shifting the focus from a large heterogeneous computer-based information system to segments of information that are more aligned with specific organizational tasks. Improved estimates should result in more cost-efficient cybersecurity investments.

Sixth, information segmentation should also improve the efficiency (i.e., performance) of the overall information system by reducing congestion (i.e., the problem associated with a network node inefficiently handling data). By improving the overall efficiency of an organization’s information system, the investment required to secure the system at a particular level should also be reduced. Alternatively, for a given level of investment in cybersecurity, an organization should be able to achieve a higher overall level of cybersecurity than possible in the absence of information segmentation.

Seventh, information segmentation should also improve the feedback control process associated with cybersecurity investments. More specifically, cybersecurity investments are best thought of as part of an organization’s planning and control process. The planning phase of the process begins by identifying opportunities and potential problems related to cybersecurity and developing a strategy to improve the organization’s cybersecurity by taking advantage of these opportunities and addressing the potential problems. Implementation of the strategy involves the actual investment (i.e., expenditures) to carry out the cybersecurity strategy. Decisions concerning the amount of cybersecurity investments (expenditures) that should be included in an organization’s operating and capital budgets are part of an organization’s overall financial planning process. The control phase of the cybersecurity investment process begins by comparing the actual investments with the budgeted (i.e., planned) expenditures for cybersecurity activities. Any difference between the budgeted and actual cybersecurity expenditures should be analyzed so as to improve future financial planning concerning cybersecurity. In addition, the control phase of the cybersecurity investment process includes comparing the actual results (i.e., benefits) with the anticipated results from the investments. In this latter regard, the following question needs to be addressed: Did the investments in cybersecurity yield the anticipated reduction in cybersecurity breaches? Analyzing the difference between the actual and planned investments on cybersecurity, as well as comparing the actual results from the investments with the anticipated results, involves what is usually referred to as a feedback control system. Information segmentation should help to facilitate this feedback control process in terms of focus, accuracy, and timeliness. A well-designed feedback control system based on information segments, compared to an organization’s entire information system, should improve the efficiency of future planning for cybersecurity investments.

Although our discussion treated each of the seven benefits derived from information segmentation as being independent of each other, in reality they will likely interact with one and other. For example, increased clarity of an organization’s policies and lines of accountability related to cybersecurity will clearly impact the reliability of the estimates of the value of information needing protection ( L i ), the probability of a breach to that information subset ( v i ), and the productivity of investments in cybersecurity to protect the information subset [ S i ( z i , v i ) L i ] .

In this section, we present an analytical model based on the framework of the Gordon-Loeb Model to provide a set of sufficient conditions for information segmentation to lower the total investments in cybersecurity and the expected loss from cybersecurity breaches. The model examines the impact of information segmentation on the optimal level of cybersecurity investments and the resulting expected loss from cybersecurity breaches. A numerical example is also provided in this section to illustrate the insights gained from the model.

As previously noted, the GL Model denotes an organization’s value of information set as L, the vulnerability of the information set as v, the investment in cybersecurity as z, and the security breach probability function as S ( z , v ) . As discussed in Gordon and Loeb (2002), before any additional cybersecurity investments, the security breach probability equals to the vulnerability of the information set i.e., S ( 0 , v ) = v . In addition, the security breach probability

function should satisfy conditions ∂ S ∂ z = S z ( z , v ) < 0 and ∂ 2 S ∂ z 2 = S z z ( z , v ) > 0 .

That is, as the investment in cybersecurity increases, the probability of the organization being breached is reduced, but at a decreasing rate.

Suppose the organization’s information set can be divided into N segments. For i = 1 , 2 , ⋯ , N , we denote the value of information in segment i as L i , the vulnerability of the segment i information set as v i ( 0 < v i < 1 ), the cybersecurity investment in segment i as z i and the security breach probability for segment i as S i ( z i , v i ) . To focus on the impact of information segmentation on cybersecurity investment decisions, we assume that information segmentation does not change the organization’s value of information. That is, for the whole organization, the total value of information with or without the information segmentation is the same. Formally stated, we have

L = ∑ i = 1 N L i . (1)

Since the organization’s information set is assumed to have been divided into N segments, we assume the expected loss from cybersecurity breaches (before any additional cybersecurity investments) with segmentation to be no greater than the expected loss without segmentation. That is,

∑ i = 1 N S i ( 0 , v i ) L i ≤ S ( 0 , v ) L , (2)

i.e.,

∑ i = 1 N v i L i ≤ v L . (3)

To demonstrate the benefits of segmentation, we look at the case where there is no initial benefit to segmentation. That is, at the initial investment levels, the organization’s expected loss from breaches to the non-segmented information equals the sum of the expected losses to all segments. Stated formally, we assume:

v L = ∑ i = 1 N v i L i . (4)

Note that Equation (4) can be rewritten as

v = ∑ i = 1 N v i L i L . (5)

In other words, the organization vulnerability without segmentation is a weighted average of the vulnerability of individual segments. The weight on the vulnerability of a segment is the ratio of the segment’s value of information to that of the whole organization.

Since each information segment is only a subset of the organization’s information set, we expect the same amount of cybersecurity investment will be more effective in protecting a segment than protecting the whole information set. For simplicity, we assume: 1) each segment’s security breach probability function (i.e., the productivity of the investment in cybersecurity activities) takes the same functional form as the organization’s breach probability function, and 2) the effectiveness of cybersecurity investment in a segment is inversely related to the proportion of value of information in that segment to the organization’s total value of information. Formally stated, the breach probability function for segment i ( i = 1 , 2 , ⋯ , N ) is assumed to be

S i ( z i , v i ) = S ( z i L i / L , v i ) (6)

In this setup, the more valuable the segment’s information relative to the whole information set, the more similar the segment’s security breach probability function is to the organization’s breach probability function without information segmentation. When there is no information segmentation (i.e., L i / L = 1 ), the above function reverts to S ( z , v ) .

Without information segmentation, the organization invests in cybersecurity activities to minimize the sum of the expected loss from cybersecurity breaches and the investment in cybersecurity for the single organizational wide information set, i.e.,

min z [ S ( z , v ) L + z ] . (7)

The optimal investment in cybersecurity ( z * ) needs satisfy the first order condition

S z ( z * , v ) L + 1 = 0. (8)

In addition, we denote security breach probability resulting from the optimal investment as S * = S ( z * , v ) and the expected loss from cybersecurity breaches as S * L = S ( z * , v ) L .

With information segmentation, cybersecurity investments in each segment are determined separately. Hence, each segment will minimize the segment’s total cybersecurity costs as below

min z i [ S ( z i L i / L , v i ) L i + z i ] . (9)

The segment i optimal investment ( z i * ) can be solved using the following first order condition:

1 L i / L S z ( z i * L i / L , v i ) L i + 1 = 0 , (10)

i.e.,

S z ( z i * L i / L , v i ) L + 1 = 0. (11)

Hence, for segment i, the security breach probability resulting from the optimal investment is S i * = S ( z i * L i / L , v i ) and the expected loss from cybersecurity breach is S i * L i = S ( z i * L i / L , v i ) L i .

With information segmentation, the total investment in cybersecurity is ∑ i = 1 N z i * , and the total expected losses from security breaches based on the optimal segmental investment is ∑ i = 1 N S i * L i = ∑ i = 1 N S ( z i * L i / L , v i ) L i .

Based on the characteristics of the initial condition [i.e., Equation (4)] and the characteristics of the security breach functions [i.e., Equation (6)], we will present two propositions that provide sufficient conditions for information segmentation to reduce the optimal level of cybersecurity investments and lower the expected loss from cybersecurity breaches for an organization. In the process of proving each proposition, we will first state and prove a corresponding lemma.

Lemma 1: when all information segments in an organization have equal vulnerability, the sum of optimal investments in cybersecurity with information segmentation is equal to the optimal investments in cybersecurity without information segmentation. That is, if v i = v j for all i and j, then ∑ i = i N z i * = z * .

Proof: Based on first-order conditions (8) and (11), the optimal investments in cybersecurity is a function of the vulnerability. In other words, we can write the optimal investment in cybersecurity without information segmentation as z * ( v ) , and optimal cybersecurity investment segment i as z i * ( v i ) . Given that S z < 0 and S z z > 0 , from Equation (11), we have

z i * ( v i ) = z * ( v i ) L i L . (12)

When v i = v j for all i and j, v i = v for all i. Hence,

∑ i = i N z i * ( v i ) = ∑ i = i N z * ( v i ) L i L = ∑ i = i N z * ( v ) L i L = z * ( v ) . (13)

Q.E.D.

Proposition 1: When an organization’s information set contains information segments of different vulnerability, the sum of optimal investments in cybersecurity with information segmentation is less than the optimal investment in cybersecurity without information segmentation if the optimal investment in cybersecurity is concave in vulnerability. That is, when there exists two segments, i

and j, such that v i ≠ v j , ∑ i = 1 N z i * < z * if ∂ 2 z * ∂ v 2 < 0 .

Proof: Let θ i = L i / L for i = 1 , 2 , ⋯ , N . Note that 0 ≤ θ i ≤ 1 and ∑ i = 1 N θ i = 1 . This allows us to rewrite Equation (5) as

v = ∑ i = 1 N θ i v i . (14)

Based on Equation (12), we can write the total cybersecurity investment with information segmentation as

∑ i = 1 N z i * ( v i ) = ∑ i = 1 N z * ( v i ) L i L = ∑ i = 1 N θ i z * ( v i ) . (15)

Since there exists two segments, i and j, such that v i ≠ v j , by Jensen’s Inequality and Equation (14), it follows that ∑ i = 1 N θ i z * ( v i ) < z * ( v ) if ∂ 2 z * ∂ v 2 < 0 .

Q.E.D.

The sufficient condition in Proposition 1 will hold if the optimal investment in cybersecurity increases in vulnerability at a decreasing rate.

Lemma 2: When all information segments in an organization have equal vulnerability the sum of expected losses from cybersecurity breaches with information segmentation is equal to the expected loss from cybersecurity breaches without information segmentation. That is, if v i = v j for all i and j, then ∑ i = 1 N S i * L i = S * L .

Proof: Recall that the optimal investment in cybersecurity can be written as a function of vulnerability, i.e., z * ( v ) or z i * ( v i ) . Hence, we can also write the resulting expected loss from security breaches without segmentation as a function of the organization’s vulnerability, i.e., S * = S [ z * ( v ) , v ] L = S * ( v ) L .

The expected loss from security breaches based on the optimal segmental cybersecurity investment is

S i * L i = S ( z i * ( v i ) L i / L , v i ) L i . (16)

Combined with Equation (12), we have S i * L i = S [ z * ( v i ) , v i ] L i , which can also be written as a function of the segmental vulnerability, i.e.,

S i * L i = S [ z * ( v i ) , v i ] L i = S * ( v i ) L i . (17)

When v i = v j for all i and j, v i = v for all i. Hence,

∑ i = 1 N S * ( v i ) L i = ∑ i = 1 N S * ( v ) L i = S * ( v ) L . ( 18 ) (18)

Q.E.D.

Proposition 2: When an organization’s information set contains information segments of different vulnerability, the sum of expected losses from cybersecurity breaches with information segmentation is less than the expected loss from cybersecurity breaches without information segmentation if the security breach probability based on the optimal cybersecurity investment is concave in vulnerability. That is, when there exist two segments, i and j, such that v i ≠ v j ,

∑ i = 1 N S i * L i < S * L if ∂ 2 S * ∂ v 2 < 0 .

Proof: Given Equation (17), the total expected loss from cybersecurity breaches with information segmentation is

∑ i = 1 N S i * L i = ∑ i = 1 N S * ( v i ) L i . (19)

Since there exist two segments, i and j, such that v i ≠ v j , by Jensen’s Inequality and Equation (14), we have

∑ i = 1 N S * ( v i ) L i L < S * ( v ) , (20)

if ∂ 2 S * ∂ v 2 < 0 . In other words, ∑ i = 1 N S * ( v i ) L i < S * ( v ) L if ∂ 2 S * ∂ v 2 < 0 .

Q.E.D.

The sufficient condition in Proposition 2 will hold if the security breach probability resulting from the optimal investment in cybersecurity increases in vulnerability at a decreasing rate.

Taken together, our model shows that for all information segments sharing a broad class of security breach probability functions and when the information segments do not have equal vulnerability, information segmentation results in a reduction in both the optimal level of cybersecurity investments and the expected loss of cybersecurity breaches for an organization.^{13}

We develop a hypothetical example for a small, publicly traded, US-based jewelry firm called ZLG (hereafter referred to as ZLG). ZLG has annual revenues of approximately $500 Million a year, and roughly 1100 employees. The ZLG consists of 20 retail stores, each one located in a different Metropolitan area on the East Coast of the U.S.

The computer-based information system for ZLG consists of wide area networks (WANs) that segment its information into the following three organizational functions: customers (including credit card information and other personal data related to customers), internal operations (including employee information and financial information required for preparing financial statements and meeting tax requirements), external operations (including advertising and supply chain partners). The three information segments are physically separated from one another via routers and switches, thus the segments are considered to be independent of each other (i.e., a cybersecurity breach to an information segment is confined to that information segment).^{14} A schematic diagram of the ZLG’s computer-based information system is provided in ^{15}

Up until this point in time, the CIO (Chief Information Officer) and her staff (which includes a CISO [Chief Information Security Officer]) have taken care of the firm’s cybersecurity related issues. Although ZLG has not had a cybersecurity breach (at least not one of which the firm is aware), the CIO and CISO have become aware of an increasing number of cybersecurity breaches in small businesses in North America. Accordingly, the CIO and CISO, in cooperation with the firm’s CFO (Chief Financial Officer), decided it was time to make an additional investment in cybersecurity activities. In order to get an estimate of the amount of the new investment, the CIO, CISO and CFO decide that ZLG will follow the U.S. Council of Better Business Bureaus’ recommendation and use the framework underlying the GL Model for cybersecurity investments ( [

The CIO and CFO of ZLG are fully aware of the fact that the net benefits from any additional cybersecurity investment derived from the GL Model is best viewed as an estimate. However, they believe that initially viewing the investment decision from a sound economics perspective is a good starting place because it forces the firm to consider the cost-benefit factors that underlie cybersecurity investment decisions. Ultimately, the investment amount derived based on the GL Model will be modified based on the combined business judgment of ZLG’s CIO, CISO and CFO.

As discussed in Section III of this paper, there are four basic steps that need to be taken in deriving the additional amount that ZLG Jewelry should invest in cybersecurity activities, based on the framework underlying the GL Model. The first step is to estimate the value (i.e., L i ) for each of the three (i.e., customers, internal, and external) information segments being protected. The second step is to estimate of the probability (i.e., v i ) that a cybersecurity breach will occur for each of the three information segments, assuming no additional investment in cybersecurity. The third step is to estimate the productivity of an additional investment in cybersecurity ( S i [ z i , v i ] ) to protect each specific information subset. The fourth step is to derive the optimal investment level for each information segment. In other words, the L i , v i , and S i [ z i , v i ] in the GL Model need to be estimated for each of the three (i.e., customers, internal, and external) information segments. In essence, the plan is to estimate the optimal amount of additional investment in each of the three information segments and then sum these amounts to arrive at an initial total estimate for additional cybersecurity investments by ZLG Jewelry.

With Segmentation | Without Segmentation | Economic Benefits of Information Segmentation | |||||
---|---|---|---|---|---|---|---|

Customers | Internal Operations | External Operations | Total | ||||

Value of Information | $120,000,000 | $60,000,000 | $20,000,000 | $200,000,000 | $200,000,000 | ||

Vulnerability | 40% | 20% | 10% | 31% | |||

Expected Loss Before Additional Investment | $48,000,000 | $12,000,000 | $2,000,000 | $62,000,000 | $62,000,000 | ||

Optimal Investment | $2,280,000 | $788,528 | $180,000 | $3,248,528 | $3,321,363 | $72,835 | |

Expected Loss with Optimal Investment | $2,400,000 | $848,528 | $200,000 | $3,448,528 | $3,521,363 | $72,835 | |

Total Cybersecurity Costs | $4,680,000 | $1,637,056 | $380,000 | $6,697,056 | $6,842,726 | $145,670 |

^{a}The numbers of optimal investment, expected loss with optimal investment and total cybersecurity costs are generated based on security breach probability function S ( z , v ) = v 1 + z / 200000 , where the optimal investment is z * = 200000 v L − 200000 , and rounded to the nearest dollars.

current probability of a breach (i.e., without an additional investment in cybersecurity activities) to be 40%, 20%, and 10%, respectively for the three information segments.^{16} Without information segmentation, the vulnerability is 31% (i.e., the same as the weighted average of the vulnerability of all segments: [ ( $ 120000000 × 40 % + $ 60000000 × 20 % + $ 20000000 × 10 % ) / $ 200000000 ] ).

The CIO and CISO together estimate the breach probability function for ZLG without information segmentation would be S ( z , v ) = v 1 + 1 200000 z . With information segmentation, breach probability functions for the three information segments are 40 % 1 + 1 200000 × z 0.6 , 20 % 1 + 1 200000 × z 0.3 , and 10 % 1 + 1 200000 × z 0.1 . As

shown in

Cybersecurity breaches have become a major concern to modern organizations operating in today’s interconnected world of digital computer-based communication systems. In order to prevent, as well as recover, from these breaches, organizations need to invest in cybersecurity related activities. Given the exponential growth of developments related to the “Internet of Things (IoT),” the importance of investing in cybersecurity will only increase over the foreseeable future. Accordingly, a fundamental resource allocation question that needs to be addressed is: How much should our organization invest in cybersecurity?

Unfortunately, a simple, unequivocal, answer to the above question does not exist. Using cost-benefit analysis, however, is the best approach for determining the appropriate amount to invest. The main arguments presented in this paper have been that information segmentation can assist an organization derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective and that the Gordon-Loeb Model provides a logical cost-benefit framework for incorporating information segmentation into cybersecurity investment decisions.

It is important for organizations to understand that investing in cybersecurity is best viewed as a process that focuses on preventing breaches where possible and minimizing the damage from breaches that occur. This process includes identifying the cybersecurity risks, the potential losses that may occur as a result of a breach and determining the appropriate actions and investments that are most likely to minimize any damage that could result from cybersecurity breaches. Since 100% security is unrealistic, especially from an economics perspective, a part of cybersecurity investments should be devoted to a recovery plan. Indeed, a critical component of an organization’s efficient cybersecurity investment plan should be its plan for recovering from potential cybersecurity breaches.

There are, of course, many issues not discussed in this paper that have an effect on deriving the right amount to invest in cybersecurity. For example, if a company was doing business with the U.S. federal government, approaching cybersecurity risk in a manner that is consistent with the NIST Cybersecurity Framework ( [

The authors declare no conflicts of interest regarding the publication of this paper.

Gordon, L.A., Loeb, M.P. and Zhou, L. (2021) Information Segmentation and Investing in Cybersecurity. Journal of Information Security, 12, 115-136. https://doi.org/10.4236/jis.2021.121006

The equations described below, and the description of the variables used in these equations, are the same as those in the Gordon and Loeb (2002), and Gordon et al. (2016). The first equation is a representation of the expected benefits of an investment in information security (i.e., cybersecurity), denoted as EBIS. The firm’s EBIS results from reducing the probability of a breach based on the productivity function for an investment, z, as shown below:

EBIS ( z ) = [ v − S ( z , v ) ] L . [A1]

Since v and L are parameters for a given information set, z is the firm’s only decision variable, and EBIS is written above as a function of z. The second equation represents the expected net benefits from an investment in information security, ENBIS, and equals EBIS less the amount of the cybersecurity investment, z, as shown below:

ENBIS ( z ) = [ v − S ( z , v ) ] L − z . [A2]

Denote z * = arg max { [ v − S ( z , v ) ] L − z } = arg min [ S ( z , v ) L + z ] . That is, the investment z * that maximizes ENBIS minimizes the total expected cost of a cybersecurity breach (i.e., the revised measure of v after investing z, plus the plus amount of the cybersecurity investment, z). The optimal investment, z * is characterized in Equation [A3], where the expected marginal benefits from investing in cybersecurity (i.e., left hand side of [A3]) is equal to the expected marginal cost of the investment (right hand side of [A3]).^{17}

− S z ( z * , v ) L = 1 [A3]

Gordon and Loeb (2002) proved (Proposition 3, p. 451) that for two broad classes of security breach probability functions, the optimal level would be less than or equal to vL/e, or roughly 37% of the expected loss from a security breach, as shown in Equation [A4] below:

z * ( v ) ≤ ( 1 e ) v L . [A4]

The GL Model was extended to include externalities in Gordon et al. (2014). Let L P represent the private costs to an organization from a cybersecurity breach, L E represent the cost of externalities to other organizations and individuals from the firm’s cybersecurity breach, and L S C represent the total social costs from the firm’s cybersecurity breach. Thus, L S C = L P + L E . Gordon et al. (2014, p. 8)) demonstrate the revised version of [A4] for the social optimal cybersecurity level considering externalities, denoted as z S C , as shown in Equation [A5] below:

z S C ( v ) ≤ ( 1 / e ) [ 1 + ( L E / L P ) ] v L P [A5]