Author(s)

Lawrence A. Gordon¹, Martin P. Loeb¹, William Lucyshyn², Lei Zhou¹

¹Robert H. Smith School of Business, University of Maryland, College Park, USA.
²School of Public Policy, University of Maryland, University of Maryland, College Park, USA.

Cyber security breaches inflict costs to consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm’s social optimal investment in cyber security increases by no more than 37% of the expected externality loss.

Economics of Information Security, Cyber Security Investment

Gordon, L. , Loeb, M. , Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. doi: 10.4236/jis.2015.61003.