Analysis of Loss Expectancy on Personal Information Leakage using a Quantitative Investment Decision Model

Jeong Yeon Kim


Providing trading partners with personal information to establish an e-commerce financial transaction is unavoidable. Most e-commerce companies retain personal information and transaction data for users' convenience and build additional services on top of it. However, while retaining personal information may simplify repetitive financial transactions, it also increases the likelihood of identity theft and the direct or indirect damage that follows from it.
This study introduces risk management methods based on quantitative and qualitative analysis, including a demand-supply curve model and the Gordon & Loeb model, to analyze the risks relevant to security management. An empirical analysis of survey results from KISA (Korea Information Security Agency) shows that the root cause of the differing rates of personal information leakage incidents across internet companies with different core businesses is the difference in the loss expectancy those incidents cause them. We also suggest disciplinary compensation and a higher standard for personal information protection as a solution to prevent the variation in security investment between individual companies.
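As an added worked example (not code from the paper), the Gordon & Loeb investment decision model named above applied to two constructed firm profiles whose loss expectancy differs: the class-I breach-probability function, the parameters alpha and beta, and all numeric values are assumptions.

```python
"""Gordon & Loeb (2002) security investment model for two firm profiles.

Added example, not from the paper. Uses the class-I breach-probability
function S(z, v) = v / (alpha*z + 1)**beta, where v is the vulnerability
(breach probability with no investment), lam the loss if a breach occurs
and z the security investment. All parameter values are constructed.
"""
import math


def breach_prob(z, v, alpha, beta):
    """Class-I security breach probability after investing z."""
    return v / (alpha * z + 1) ** beta


def enbis(z, v, lam, alpha, beta):
    """Expected net benefit of information security investment z."""
    return (v - breach_prob(z, v, alpha, beta)) * lam - z


def optimal_investment(v, lam, alpha, beta):
    """Closed-form z* maximising ENBIS for the class-I function.

    d/dz ENBIS = v*lam*alpha*beta / (alpha*z + 1)**(beta+1) - 1 = 0
    => (alpha*z + 1)**(beta+1) = v*lam*alpha*beta.
    If the marginal benefit at z = 0 is already below 1, invest nothing.
    """
    k = v * lam * alpha * beta
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1)) - 1.0) / alpha


def within_one_over_e(v, lam, alpha, beta):
    """Gordon & Loeb bound: z* never exceeds 1/e of the expected loss v*lam."""
    return optimal_investment(v, lam, alpha, beta) <= v * lam / math.e


if __name__ == "__main__":
    alpha, beta = 1e-5, 1.0  # constructed productivity parameters
    # Two constructed profiles with equal vulnerability but different loss
    # expectancy: a content portal versus a payment-handling e-commerce site.
    for name, v, lam in [("portal", 0.5, 150_000), ("e-commerce", 0.5, 1_000_000)]:
        z = optimal_investment(v, lam, alpha, beta)
        print(f"{name}: expected loss={v * lam:,.0f} z*={z:,.0f} "
              f"ENBIS={enbis(z, v, lam, alpha, beta):,.0f} "
              f"1/e bound holds={within_one_over_e(v, lam, alpha, beta)}")
```

With these constructed values the low-loss-expectancy portal rationally invests nothing while the e-commerce site invests about 124,000, which is the mechanism the abstract points to for the different leakage statistics.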


Ahn, J. H., Choi, K. C., Sung, K. M., and Lee, J. H., “A Study on the Impact of Security Risk on the Usage of Knowledge Management System: Focus on Parameter of Trust,” The Journal of Society for e-Business Studies, Vol. 15, No. 4, pp. 143-163, 2011.

Anderson, R. and Moore, T., “The economics of information security,” Science, Vol. 314, No. 5799, pp. 610-613, 2006.

Andre, A., Fredrik, V., Giovanni, V., and Richard, A. K., “Using Hidden Markov Models to Evaluate the Risks of Intrusions,” in Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, pp. 145-164, 2006.

Bojanc, R. and Jerman-Blažič, B., “Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System,” Organizacija, Vol. 45, No. 6, pp. 276-288, 2012.

Bojanc, R., Jerman-Blažič, B., and Tekavčič, M., “Managing the Investment in Information Security Technology by use of Quantitative Modeling Approach,” Information Processing & Management, Vol. 48, No. 6, pp. 1031-1052, 2012.

Chai, S. W., “Economic Effects of Personal Information Protection,” Journal of Consumer Policy Studies, pp. 43-64, 2008.

Chae, J. W. and Jeong, J. H., “Study on Decision Making for the Industrial Security Management Factor’s Priority,” Journal of Security Engineering, Vol. 10, No. 2, pp. 123-140, 2013.

Gordon, L. A. and Loeb, M. P., “The economics of information security investment,” ACM Transactions on Information and System Security (TISSEC), Vol. 5, No. 4, pp. 438-457, 2002.

Gordon, A. L. and Richardson, R., “The New Economics of Information Security,” Information Week, pp. 53-56, April 13, 2004. Retrieved February 11, 2007.

Han, C. H., Chai, S. W., Yoo, B. J., Ahn, D. H., and Park, C. H., “A Quantitative Assessment Model of Private Information Breach,” The Journal of Society for e-Business Studies, Vol. 16, No. 4, pp. 17-31, 2011.

Kim, S. H. and Park, S. Y., “Influencing Factors for Compliance Intention of Information Security Policy,” The Journal of Society for e-Business Studies, Vol. 16, No. 4, pp. 33-51, 2011.

Korea Internet & Security Agency, A Handbook on the ISMS Certification System, June 2013.

Korea Internet & Security Agency, 2013 Research on the Actual Condition of Information Security, Dec. 2013.

Lee, C. C., Kim, J., and Lee, C. H., “A Comparative Study on the Priorities between Perceived Importance and Investment of the Areas for Information Security Management System,” Journal of The Korea Institute of Information Security and Cryptology, Vol. 24, No. 5, pp. 919-929, 2014.

Mclean, G. and Brown, J., “Determining the ROI in IT Security,” CA Magazine, 2003.

Purser, S. A., “Improving the ROI of the security management process,” Computers and Security, Vol. 23, No. 7, pp. 542-546, 2004.

Sklavos, N. and Souras, P., “Economic Models & Approaches in Information Security for Computer Networks,” IJ Network Security, Vol. 2, No. 1, pp. 14-20, 2006.
