Editing Computer security (section)

==Cost and impact of security breaches==
Serious financial damage has been caused by [[security breaches]], but because there is no standard model for estimating the cost of an incident, the only data available is that which is made public by the organizations involved. "Several computer security consulting firms produce estimates of total worldwide losses attributable to [[computer virus|virus]] and worm attacks and to hostile digital acts in general. The 2003 loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks). The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal."<ref>{{cite report |last1=Cashell|first1=B.|last2=Jackson|first2=W. D.|last3=Jickling|first3=M.|last4=Webel|first4=B. |year=2004 |title=The Economic Impact of Cyber-Attacks |publisher=Congressional Research Service, Government, and Finance Division |location=Washington DC |url=https://sgp.fas.org/crs/misc/RL32331.pdf |id=RL32331}}</ref>

However, reasonable estimates of the financial cost of security breaches can actually help organizations make rational investment decisions. According to the classic [[Gordon-Loeb Model]] analyzing the optimal investment level in information security, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the [[expected value]] of the loss resulting from a cyber/information [[security breach]]).<ref>{{cite journal |last1=Gordon |first1=Lawrence |last2=Loeb |first2=Martin |title=The Economics of Information Security Investment |journal=ACM Transactions on Information and System Security |date=November 2002 |volume=5 |issue=4 |pages=438–457 |doi=10.1145/581271.581274|s2cid=1500788 }}</ref>