February 12, 2026
Each January for the last 10 years I have happily accepted an invite to attend the Annual Cybersecurity Forum that is co-sponsored by the University of Maryland’s Smith School of Business and the School of Public Policy. This annual gathering of academics, and industry and policy leaders is organized by professors Lawrence A. Gordon, Charles Harry, Martin P. Loeb (now retired) and William Lucyshyn. This year the program included special recognition of Gordon and Loeb’s groundbreaking and now-25-year-old Gordon Loeb Model for significantly impacting cybersecurity economics and information security investment as a widely applied, extended benchmark for rational cybersecurity investment planning. In a nutshell, the model provides an algorithmic framework showing that the optimal cybersecurity investment level for protecting information and information networks typically should not exceed ~37% of the expected cyber losses. The model was an impetus to start the Forum, which, as Loeb has noted, has “positioned the Smith School and the School of Public Policy to lead the university in increasing cross-disciplinary research on challenges associated with financial and public policy aspects of cybersecurity.”
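To make the "~37% of expected losses" result concrete, the following is an added worked example, not code from the post or from Gordon and Loeb. It uses the two security-breach-probability function classes from the original 2002 paper (Class I: S(z,v) = v/(αz+1)^β; Class II: S(z,v) = v^(αz+1)), derives the investment z that maximizes the expected net benefit [v − S(z,v)]·L − z, cross-checks the closed forms with a numeric search, and confirms that the optimum stays below (1/e)·vL, the ~37% ceiling the post mentions. The parameter values (v, L, α, β) are constructed for illustration.

```python
import math

# Gordon-Loeb notation: v = vulnerability (breach probability with no extra
# spending), L = monetary loss if a breach occurs, z = security investment.
# S(z, v) is the breach probability that remains after investing z, so the
# expected net benefit of the investment is ENBIS(z) = [v - S(z, v)] * L - z.


def breach_prob_class1(z, v, alpha, beta):
    """Class I function from the 2002 paper: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def breach_prob_class2(z, v, alpha):
    """Class II function from the 2002 paper: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, L, S):
    """Expected net benefit of investing z, given a breach-probability function S(z)."""
    return (v - S(z)) * L - z


def optimal_class1(v, L, alpha, beta):
    # First-order condition: v*L*beta*alpha / (alpha*z + 1)**(beta + 1) = 1
    z = ((v * L * beta * alpha) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(0.0, z)  # a negative root means "do not invest"


def optimal_class2(v, L, alpha):
    # Marginal benefit of the first dollar is -v*L*alpha*ln(v); if that is
    # at most 1, every dollar spent returns less than a dollar, so z* = 0.
    k = -v * L * alpha * math.log(v)
    if k <= 1.0:
        return 0.0
    return math.log(k) / (-alpha * math.log(v))


def maximize_numerically(f, lo, hi, iters=200):
    """Golden-section search for the maximiser of a concave f on [lo, hi]."""
    phi = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = lo, hi
    c = b - phi * (b - a)
    d = a + phi * (b - a)
    for _ in range(iters):
        if f(c) > f(d):
            b = d
        else:
            a = c
        c = b - phi * (b - a)
        d = a + phi * (b - a)
    return (a + b) / 2.0


def share_of_expected_loss(z, v, L):
    """Investment expressed as a fraction of the expected loss v*L."""
    return z / (v * L)


def investment_plan(v, L, alpha, beta):
    """Optimal investment under both classes, checked against the 1/e ceiling."""
    z1 = optimal_class1(v, L, alpha, beta)
    z2 = optimal_class2(v, L, alpha)
    ceiling = v * L / math.e
    return {
        "expected_loss": v * L,
        "class1_investment": z1,
        "class2_investment": z2,
        "class1_share": share_of_expected_loss(z1, v, L),
        "class2_share": share_of_expected_loss(z2, v, L),
        "within_1_over_e": z1 <= ceiling and z2 <= ceiling,
    }


if __name__ == "__main__":
    # Constructed parameters: a 50% baseline breach probability on a $1M loss.
    v, L, alpha, beta = 0.5, 1_000_000.0, 1e-5, 1.0
    plan = investment_plan(v, L, alpha, beta)
    for name, value in plan.items():
        print(f"{name}: {value:,.2f}" if isinstance(value, float) else f"{name}: {value}")

    # Cross-check the closed forms against a brute numeric maximisation.
    n1 = maximize_numerically(
        lambda z: enbis(z, v, L, lambda zz: breach_prob_class1(zz, v, alpha, beta)), 0.0, v * L)
    n2 = maximize_numerically(
        lambda z: enbis(z, v, L, lambda zz: breach_prob_class2(zz, v, alpha)), 0.0, v * L)
    print(f"numeric check class I: {n1:,.2f}   class II: {n2:,.2f}")
```

With these constructed inputs the expected loss is $500,000; the Class I optimum is about $123,600 (roughly 25% of expected loss) and the Class II optimum about $179,300 (roughly 36%), both under the 1/e ceiling of about $183,900. Lowering α to 1e-6 in the Class II case drives the optimum to zero, which is the model's other practical lesson: when the first dollar of spending buys less than a dollar of risk reduction, the rational investment is none.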
I was first introduced to this model 10 years ago when I did an interview with Professor Gordon – you can see the interview at this link. Besides sharing a common appreciation for improving cybersecurity risk management, I learned at the time we also shared a common interest in the arts – especially opera – which continues through today.
The Gordon Loeb model has been growing in use and popularity over its 25-year life with more than 2,100 Google Scholar citations, including 160-plus since 2025. According to Professor Gordon, “When Marty Loeb and I first published the Model (via ACM Transactions on Information and System Security, Vol. 5, No. 4, November 2002, Pages 438–457), we believed that cybersecurity was important, but we underestimated the astonishing breadth, depth and velocity with which the computer-based interconnected digital world would grow.” Gordon went on to say, “Now more than ever, I strongly believe that cybersecurity is a necessary, though not sufficient, condition for a smoothly functioning computer-based digital world—including one increasingly dominated by AI.”
Many of the citations refer to the model as the seminal, foundational gold standard, or pioneering economic model for deriving the optimal amount to invest in cybersecurity. Furthermore, 2025 had the highest number of citations, suggesting that both interest in, and the importance of, the model continues to grow rather than diminish. Gordon has also provided Congressional Testimony in 2007 (before the U.S. House Committee on Homeland Security) that focused on using the model to increase cybersecurity investments in private sector firms. The Council of Better Business Bureaus’ 2017 report on cybersecurity for small businesses in North America has also picked up on the model as “… a useful guide for organizations trying to find the right level of cybersecurity investment.”
Another interesting aspect of the model is that it has been embraced by academics from a wide variety of countries and disciplines (e.g., computer science, engineering, economics, finance, information systems, accounting, marketing, operations research, etc.), as well as by industry and government practitioners. Gordon notes that even academic mathematicians are now working on extensions of the model.
The cybersecurity environment is very dynamic: threats mobilize rapidly, new technologies are introduced constantly, and operational practices are evolving quickly. This escalating rate of change makes it dangerous for cybersecurity executives to rely solely on experience and instinct in making investment decisions. Although measuring cybersecurity performance is hard, it is necessary that we move in the direction of a rational basis for investing in tools, processes, and people for cyber protections. The Gordon Loeb model provides a time-tested and thoroughly examined method for making these cyber risk investment decisions.
Links to Articles that Refer to the Gordon-Loeb Model
https://academic.oup.com/cybersecurity/article/10/1/tyae019/7900094
https://onlinelibrary.wiley.com/doi/10.1155/2020/3239591
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5244679
https://www.researchgate.net/publication/356056512_Expanding_the_Gordon-Loeb_Model_to_Cyber-Insurance
https://onlinelibrary.wiley.com/doi/full/10.1111/joes.12456
https://onlinelibrary.wiley.com/doi/abs/10.1111/risa.13713
https://www.aimspress.com/article/doi/10.3934/DSFE.2024025?viewType=HTML
https://ideas.repec.org/p/arx/papers/2112.04310.html
So have you checked out the Gordon Loeb model? What do you use as an economic guide for cyber investment? Let me know your views on this topic. And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, quantum cryptography, risk assessment and modeling, autonomous security, AI security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.