Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability

Four kinds of marginal returns to security investment to protect an information set are decrease, first increase and then decrease (logistic function), increase, and constancy. Gordon, L. A. and Loeb, M. (ACM Trans. Inf. Syst. Secur., 5:438-457, 2002). find for decreasing marginal returns that a firm invests maximum 37% (1/e) of the expected loss from a security breach, and that protecting moderately rather than extremely vulnerable information sets may be optimal. This article presents classes of all four kinds where the optimal investment is no longer capped at 1/e. First, investment in information security activities for the logistic function is zero for low vulnerabilities, jumps in a limited "bang-bang" manner to a positive level for intermediate vulnerabilities, and thereafter increases concavely in absolute terms. Second, we present an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets. For the third and fourth kinds the optimal investment is of an all-out "bang-bang" nature, that is, zero for low vulnerabilities, and jumping to maximum investment for intermediate vulnerabilities.