2012 | 45 | 6 | 276-288
Article title

Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System

The paper presents a mathematical model for optimal security-technology investment evaluation and decision-making, based on quantitative analysis of security risks and digital asset assessments in an enterprise. The model uses quantitative analysis of the different security measures that counteract individual risks, identifying the information system processes in an enterprise and the potential threats to them. It comprises the target security levels for all identified business processes and the probability of a security accident, together with the possible loss the enterprise may suffer. The selection of security technology is based on the efficiency of the selected security measures. Economic metrics are applied for the efficiency assessment and comparative analysis of different protection technologies. Unlike the existing models for evaluating security investment, the proposed model allows direct comparison and quantitative assessment of different security measures. The model allows deep analyses and computations that provide quantitative assessments of different investment options, which translate into recommendations that facilitate selecting the best solution and making the decision. The model was tested using empirical examples with data from a real business environment.
  • ZZI, Pot k sejmišču 33, 1231 Ljubljana-Črnuče, Slovenia
  • Jožef Stefan Institute, Jamova 39, 1000 Ljubljana, Slovenia