{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,7]],"date-time":"2026-07-07T17:06:13Z","timestamp":1783443973777,"version":"3.54.6"},"reference-count":35,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2020,3,30]],"date-time":"2020-03-30T00:00:00Z","timestamp":1585526400000},"content-version":"vor","delay-in-days":89,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,1,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The National Institute for Standards and Technology (NIST) Cybersecurity Framework has rapidly become a widely accepted approach to facilitating cybersecurity risk management within organizations. An insightful aspect of the NIST Cybersecurity Framework is its explicit recognition that the activities associated with managing cybersecurity risk are organization specific. The NIST Framework also recognizes that organizations should evaluate their cybersecurity risk management on a cost\u2013benefit basis. The NIST Framework, however, does not provide guidance on how to carry out such a cost\u2013benefit analysis. This article provides an approach for integrating cost\u2013benefit analysis into the NIST Cybersecurity Framework. The Gordon\u2013Loeb (GL) Model for cybersecurity investments is proposed as a basis for deriving a cost-effective level of spending on cybersecurity activities and for selecting the appropriate NIST Implementation Tier level. The analysis shows that the GL Model provides a logical approach to use when considering the cost\u2013benefit aspects of cybersecurity investments during an organization\u2019s process of selecting the most appropriate NIST Implementation Tier level. In addition, the cost\u2013benefit approach provided in this article helps to identify conditions under which there is an incentive to move to a higher NIST Implementation Tier.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaa005","type":"journal-article","created":{"date-parts":[[2020,3,30]],"date-time":"2020-03-30T07:55:05Z","timestamp":1585554905000},"source":"Crossref","is-referenced-by-count":99,"title":["Integrating cost\u2013benefit analysis into the NIST Cybersecurity Framework via the Gordon\u2013Loeb Model"],"prefix":"10.1093","volume":"6","author":[{"given":"Lawrence A","family":"Gordon","sequence":"first","affiliation":[{"name":"Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD, 20742-1815, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Martin P","family":"Loeb","sequence":"first","affiliation":[{"name":"Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD, 20742-1815, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Lei","family":"Zhou","sequence":"first","affiliation":[{"name":"Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD, 20742-1815, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"286","published-online":{"date-parts":[[2020,3,30]]},"reference":[{"key":"2020033003550104100_tyaa005-B1","first-page":"1","article-title":"A taxonomy of cyber-harms: defining the impacts of cyber-attacks and understanding how they propagate","volume":"4","author":"Agrarafiotis","year":"2018","journal-title":"J Cybersecur"},{"key":"2020033003550104100_tyaa005-B2","doi-asserted-by":"crossref","first-page":"431","DOI":"10.3233\/JCS-2003-11308","article-title":"The economic cost of publicly announced information security breaches: empirical evidence from the stock market","volume":"11","author":"Campbell","year":"2003","journal-title":"J Comput Secur"},{"key":"2020033003550104100_tyaa005-B3","doi-asserted-by":"crossref","first-page":"33","DOI":"10.3233\/JCS-2009-0398","article-title":"The impact of information security breaches: has there been a downward shift in costs?","volume":"19","author":"Gordon","year":"2011","journal-title":"J Comput Secur"},{"key":"2020033003550104100_tyaa005-B4","first-page":"121","article-title":"Examining the costs and causes of cyber incidents","volume":"2","author":"Romansky","year":"2016","journal-title":"J Cybersecur"},{"key":"2020033003550104100_tyaa005-B5","doi-asserted-by":"crossref","first-page":"216","DOI":"10.1016\/j.cose.2015.12.006","article-title":"The impact of information security events to the stock market: a systematic literature review","volume":"58","author":"Spanos","year":"2016","journal-title":"Comput Secur"},{"key":"2020033003550104100_tyaa005-B6","author":"Bush","year":"2003"},{"key":"2020033003550104100_tyaa005-B7","author":"Obama","year":"2013"},{"key":"2020033003550104100_tyaa005-B8","year":"2014"},{"key":"2020033003550104100_tyaa005-B9","author":"Trump","year":"2017"},{"key":"2020033003550104100_tyaa005-B10","year":"2018"},{"key":"2020033003550104100_tyaa005-B11","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","author":"Gordon","year":"2002","journal-title":"ACM T Inform Syst Sec"},{"key":"2020033003550104100_tyaa005-B12","doi-asserted-by":"crossref","first-page":"49","DOI":"10.4236\/jis.2016.72004","article-title":"Investing in cybersecurity: insights from the Gordon-Loeb model","volume":"07","author":"Gordon","year":"2016","journal-title":"J Inform Secur"},{"key":"2020033003550104100_tyaa005-B13","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1145\/1330311.1330325","article-title":"Information security and risk management","volume":"51","author":"Bodin","year":"2008","journal-title":"Commun ACM"},{"key":"2020033003550104100_tyaa005-B14","first-page":"161","article-title":"A fundamental approach to cyber risk analysis","volume":"12","author":"B\u00f6hme","year":"2008","journal-title":"Variance"},{"key":"2020033003550104100_tyaa005-B15","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/j.cose.2015.11.001","article-title":"Taxonomy of information security risk assessment (ISRA)","volume":"57","author":"Shameli-Sendi","year":"2016","journal-title":"Comput Secur"},{"key":"2020033003550104100_tyaa005-B16","doi-asserted-by":"crossref","first-page":"300","DOI":"10.1016\/j.cose.2016.12.008","article-title":"Introducing OSSF: a framework for online service cybersecurity risk management","volume":"65","author":"Meszaros","year":"2017","journal-title":"Comput Secur"},{"key":"2020033003550104100_tyaa005-B17","doi-asserted-by":"crossref","first-page":"169","DOI":"10.1016\/j.cose.2016.06.002","article-title":"Information security policy development and implementation: the what, how and who","volume":"61","author":"Flowerday","year":"2016","journal-title":"Comput Secur"},{"key":"2020033003550104100_tyaa005-B18","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1093\/cybsec\/tyw002","article-title":"The economics of mandatory security breach reporting to authorities","volume":"2","author":"Laube","year":"2016","journal-title":"J Cybersecur"},{"key":"2020033003550104100_tyaa005-B19","doi-asserted-by":"crossref","first-page":"610","DOI":"10.1126\/science.1130992","article-title":"The economics of information security","volume":"314","author":"Anderson","year":"2006","journal-title":"Science"},{"key":"2020033003550104100_tyaa005-B20","first-page":"65","article-title":"Economics of IT security management: four improvements to current security practices","volume":"14","author":"Cavusoglu","year":"2004","journal-title":"Commun Assoc Inform Syst"},{"key":"2020033003550104100_tyaa005-B21","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1145\/1107458.1107465","article-title":"Information security expenditures","volume":"49","author":"Gordon","year":"2006","journal-title":"Commun ACM"},{"key":"2020033003550104100_tyaa005-B22","volume-title":"Managing Cybersecurity Resources: A Cost-Benefit Analysis","author":"Gordon","year":"2006"},{"key":"2020033003550104100_tyaa005-B23","volume-title":"15th Workshop on the Economics of Information Security (WEIS)","author":"Moore","year":"2016"},{"key":"2020033003550104100_tyaa005-B24","first-page":"63","article-title":"Assessing ICT security risks in socio-technical systems (Dagstuhl Seminar 16461)","volume":"6","author":"Moore","year":"2017","journal-title":"Dagstuhl Rep"},{"key":"2020033003550104100_tyaa005-B25","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1016\/j.cose.2016.10.009","article-title":"Introducing cybernomics: a unifying economic framework for measuring cyber risk","volume":"65","author":"Ruan","year":"2017","journal-title":"Comput Secur"},{"key":"2020033003550104100_tyaa005-B26","author":"Swaminatha","year":"2018"},{"key":"2020033003550104100_tyaa005-B27","article-title":"You may be fighting the wrong security battles","volume":"26","author":"Gordon","year":"2011","journal-title":"The Wall Street Journal"},{"key":"2020033003550104100_tyaa005-B28","year":"2013"},{"key":"2020033003550104100_tyaa005-B29","author":"Fanelli","year":"2017"},{"key":"2020033003550104100_tyaa005-B30","doi-asserted-by":"crossref","first-page":"34","DOI":"10.3390\/g9020034","article-title":"Risk assessment uncertainties in cybersecurity investments","volume":"9","author":"Fielder","year":"2018","journal-title":"Games"},{"key":"2020033003550104100_tyaa005-B31","first-page":"1","article-title":"A holistic approach to evaluating cyber security defensive capabilities","volume":"9","author":"Iannacone","year":"2018","journal-title":"ACM Comput Surv"},{"key":"2020033003550104100_tyaa005-B32","volume-title":"11th Workshop on the Economics of Information Security (WEIS)","author":"Baryshnikov","year":"2012"},{"key":"2020033003550104100_tyaa005-B33","first-page":"2856","author":"Lelarge","year":"2012"},{"key":"2020033003550104100_tyaa005-B34","doi-asserted-by":"crossref","first-page":"2210","DOI":"10.1109\/JSAC.2012.121213","article-title":"Coordination in network security games: a monotone comparative statics approach","volume":"30","author":"Lelarge","year":"2012","journal-title":"IEEE J Sel Area Commun"},{"key":"2020033003550104100_tyaa005-B35","doi-asserted-by":"crossref","first-page":"101173","DOI":"10.1016\/j.pacfin.2019.101173","article-title":"Integrated framework for information security investment and cyber insurance","volume":"57","author":"Wang","year":"2019","journal-title":"Pac Basin Finance J"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa005\/32979473\/tyaa005.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa005\/32979473\/tyaa005.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,3,30]],"date-time":"2020-03-30T07:55:15Z","timestamp":1585554915000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaa005\/5813544"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,1]]},"references-count":35,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,1,1]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaa005","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2020]]},"published":{"date-parts":[[2020,1,1]]},"article-number":"tyaa005"}}