
Information Security Investments: When Being Idle Equals Negligence

  • Conference paper
Economics of Grids, Clouds, Systems, and Services (GECON 2013)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 8193)

Abstract

The Learned Hand’s rule, which compares security investments against the expected loss from data breaches, can be used as a simple tool to determine the negligence of the company holding the data. On the other hand, companies may determine their investments in security by maximizing their own net profit. We consider the well-known Gordon-Loeb models, as well as the more recent Huang-Behara models, for the relationship between investments and the probability of money loss due to malicious attacks, and determine the outcome of applying three forms of Hand’s rule: status quo (loss under no investments), ex-post (loss after investment), and transitional (loss reduction due to investment). In both the status quo and the transitional forms, the company is always held negligent if it does not invest. In the ex-post form, it is instead held negligent only if the potential loss is below a threshold, for which we provide the exact expression.
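The abstract describes comparing a profit-maximising investment against three loss measures. The following example is added here and is not code from the paper: it implements the class-I Gordon-Loeb breach-probability function S(z, v) = v/(αz+1)^β, solves for the profit-maximising investment z*, and evaluates Hand's rule (negligent if the burden B of the untaken precaution is below the loss measure) under a reading of the three forms that is my own assumption: B is taken to be z*, and the loss measures are vL (status quo), S(z*)L (ex-post) and (v − S(z*))L (transitional). The ex-post loss threshold computed at the end follows from this formalisation only and is not claimed to be the paper's expression.

```python
"""Gordon-Loeb investment model meeting the Learned Hand rule.

Added illustration, not code from the paper.  The three forms of Hand's
rule below, and the choice of the profit-maximising investment z* as the
burden B, are my own reading of the abstract (an assumption).
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class GordonLoeb:
    """Class-I Gordon-Loeb model: S(z, v) = v / (alpha*z + 1)**beta."""
    v: float       # vulnerability: breach probability with zero investment
    L: float       # monetary loss if the breach happens
    alpha: float   # investment productivity parameter
    beta: float    # investment productivity exponent

    def breach_prob(self, z: float) -> float:
        return self.v / (self.alpha * z + 1) ** self.beta

    def expected_loss(self, z: float) -> float:
        return self.breach_prob(z) * self.L

    def net_benefit(self, z: float) -> float:
        """ENBIS: expected loss avoided by investing z, minus z itself."""
        return (self.v - self.breach_prob(z)) * self.L - z

    def optimal_investment(self) -> float:
        # Stationary point of ENBIS: -S'(z)*L = 1 with
        # S'(z) = -v*alpha*beta / (alpha*z + 1)**(beta + 1), hence
        # (alpha*z + 1)**(beta + 1) = v*alpha*beta*L.  When that product
        # is below 1 the firm maximises profit by investing nothing.
        x = (self.v * self.alpha * self.beta * self.L) ** (1 / (self.beta + 1))
        return max(0.0, (x - 1) / self.alpha)


def hand_rule_verdicts(model: GordonLoeb, z: Optional[float] = None) -> Dict[str, bool]:
    """Hand's rule in three forms: negligent iff burden B < loss measure.

    B is the cost of the untaken precaution; by assumption the precaution
    examined is the profit-maximising investment z* (override with z).
    Note that when z* == 0 the transitional comparison degenerates to 0 < 0
    under this formalisation.
    """
    if z is None:
        z = model.optimal_investment()
    burden = z
    return {
        # status quo: loss the idle firm faces while investing nothing
        "status_quo": burden < model.expected_loss(0.0),
        # ex-post: loss that would remain after the investment
        "ex_post": burden < model.expected_loss(z),
        # transitional: loss reduction the investment would buy
        "transitional": burden < model.expected_loss(0.0) - model.expected_loss(z),
    }


def ex_post_loss_threshold(v: float, alpha: float, beta: float) -> float:
    """Largest L below which the ex-post form (B = z*) finds negligence.

    Derived from this formalisation, not the paper's expression.  With
    x = (v*alpha*beta*L)**(1/(beta+1)) one has z* = (x-1)/alpha and
    S(z*)*L = x/(alpha*beta), so z* < S(z*)*L  <=>  x*(beta-1) < beta.
    For beta <= 1 that always holds, so there is no finite threshold.
    """
    if beta <= 1:
        return math.inf
    x_max = beta / (beta - 1)
    return x_max ** (beta + 1) / (v * alpha * beta)


if __name__ == "__main__":
    # Constructed parameters for illustration only.
    for loss in (50.0, 500.0, 1000.0):
        m = GordonLoeb(v=0.5, L=loss, alpha=0.01, beta=2.0)
        print(f"L={loss:>7.1f}  z*={m.optimal_investment():8.2f}  {hand_rule_verdicts(m)}")
    print("ex-post threshold on L:", ex_post_loss_threshold(0.5, 0.01, 2.0))
```

With these constructed parameters the ex-post verdict flips from negligent to not negligent as L crosses the computed threshold, while the status quo verdict is negligent throughout, which is the qualitative behaviour the abstract reports.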


References

  1. Cooter, R., Ulen, T.: Law and economics. Addison-Wesley (2000)


  2. D’Acquisto, G., Flamini, M., Naldi, M.: Damage Sharing May Not Be Enough: An Analysis of an Ex-ante Regulation Policy for Data Breaches. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds.) TrustBus 2012. LNCS, vol. 7449, pp. 149–160. Springer, Heidelberg (2012)


  3. D’Acquisto, G., Flamini, M., Naldi, M.: A game-theoretic formulation of security investment decisions under ex-ante regulation. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 412–423. Springer, Heidelberg (2012)


  4. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)


  5. Huang, C.D., Behara, R.S.: Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints. International Journal of Production Economics 141(1), 255–268 (2013)


  6. Markovits, R.S.: Tort-Related Risk Costs and the Hand Formula for Negligence. The University of Texas School of Law, Working Paper (November 2004)


  7. Naldi, M., Flamini, M., D’Acquisto, G.: A revenue-based sanctioning procedure for data breaches. In: The 7th International Conference on Network and System Security (NSS), Madrid, June 3–4. LNCS. Springer (2013)

  8. Rustad, M.L., Koenig, T.H.: Extending Learned Hand’s Negligence Formula to Information Security Breaches. I/S: A Journal on Law and Policy for the Information Society 3(2), 236–270 (2007)

  9. Schneider, J.W.: Preventing Data Breaches: Alternative Approaches to Deter Negligent Handling of Consumer Data. Journal of Science & Technology Law 15(2), 279–332 (2009), Boston University School of Law


Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Naldi, M., Flamini, M., D’Acquisto, G. (2013). Information Security Investments: When Being Idle Equals Negligence. In: Altmann, J., Vanmechelen, K., Rana, O.F. (eds) Economics of Grids, Clouds, Systems, and Services. GECON 2013. Lecture Notes in Computer Science, vol 8193. Springer, Cham. https://doi.org/10.1007/978-3-319-02414-1_20


  • DOI: https://doi.org/10.1007/978-3-319-02414-1_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-02413-4

  • Online ISBN: 978-3-319-02414-1

  • eBook Packages: Computer Science (R0)