Comparison of the Most Important Models of Investments in Cyber and Information Security

Methodology/methods: This paper is based on previous research (Podešva et al., 2021), where two most used methods of the ROI / ROSI (Bojanc, 2008) and Gordon-Loe model (Gordon, Loeb, 2002) were identified in the field of investments in cyber and information security. Both methods are described and the advantages and limitations for further research are identified.
Scientific aim: The main goal is to select the most suitable method for further research in the field of investment in cyber and information security.
Findings: ROI / ROSI does not seem suitable for further research because it only tells us what percentage of return on in-vestment will be provided during a given period. The separate use of this method (ROI / ROSI) provides us with very limited results and it is necessary to combine it with other methods. On the other hand, the Gordon-Loeb model is much more complex despite several limitations, especially for coefficients ʎ and t. Further research will therefore focus on the constant t (probability of attack on a given information set) and its value will be modelled based on the SIR epidemic model on network with standard incidents (Podešva, Koch 2019).
Conclusions: At present, there is no standardised approach to decision-making and the size of investments in cyber and in-formation security. This is a very complex issue, and it is very difficult to find one universal model. Nevertheless, there are several models that help in this decision-making process, and as the most appropriate method for further research is GordonLoe model.