Information security investments: When being idle equals negligence


Abstract

The Learned Hand rule, which compares security investments against the expected loss from data breaches, can be used as a simple tool to determine whether the company holding the data is negligent. On the other hand, companies may set their security investments by maximizing their own net profit. We consider the well-known Gordon-Loeb models as well as the more recent Huang-Behara models for the relationship between investment and the probability of monetary loss due to malicious attacks, and determine the outcome of applying three forms of Hand's rule: status quo (loss under no investment), ex-post (loss after investment), and transitional (loss reduction due to investment). Under both the status quo and the transitional form, the company is always held negligent if it does not invest. Under the ex-post form, it is instead held negligent only if the potential loss is below a threshold, for which we provide the exact expression. © 2013 Springer International Publishing.

Citation (APA)

Naldi, M., Flamini, M., & D’Acquisto, G. (2013). Information security investments: When being idle equals negligence. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8193 LNCS, pp. 268–279). https://doi.org/10.1007/978-3-319-02414-1_20
