
arxiv: 2304.07909 · v1 · submitted 2023-04-16 · 💻 cs.CR · cs.CY

SECAdvisor: a Tool for Cybersecurity Planning using Economic Models

Pith reviewed 2026-05-24 09:17 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords: cybersecurity planning · economic models · investment optimization · risk valuation · protection recommendations · cost-efficiency · budget allocation

The pith

SECAdvisor applies economic models to calculate optimal cybersecurity spending and recommend cost-efficient protections for companies.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents SECAdvisor, a software tool built to help digitized companies plan cybersecurity by blending technical needs with economic analysis. Users can value their information assets and risks, compute the spending level that maximizes returns, obtain protection suggestions matched to their budget, and rank options by cost-effectiveness. The work addresses the widespread problem of underinvestment or misallocated security budgets that leave firms exposed to attacks and financial losses. By embedding economic models into the planning process, the tool aims to produce strategies that are both technically sound and financially rational.

Core claim

SECAdvisor is a tool that supports cybersecurity planning using economic models. It allows companies to understand the risks and valuation of different businesses' information, calculate the optimal investment in cybersecurity, receive a recommendation of protections based on the budget available and demands, and compare protection solutions in terms of cost-efficiency.

What carries the argument

The SECAdvisor tool, which embeds economic models to perform risk valuation, optimal investment calculation, budget-constrained recommendation, and cost-efficiency comparison.

If this is right

  • Companies gain a repeatable method to set cybersecurity budgets that balance expected losses against protection costs.
  • Protection choices become ranked by economic return rather than chosen solely on technical features.
  • Training sessions can use the tool to demonstrate trade-offs between budget limits and residual risk.
  • Different vendors' solutions can be evaluated side-by-side on a common cost-efficiency metric.
  • Planning shifts from reactive spending to proactive optimization grounded in valuation of information assets.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Widespread use could create industry benchmarks for reasonable cybersecurity spend as a fraction of revenue.
  • The tool's outputs could serve as inputs to insurance pricing or regulatory compliance checks.
  • Periodic updates to the underlying models with fresh breach data would be required to keep recommendations current.
  • Integration with existing asset-management systems would reduce the manual effort of supplying valuation inputs.

Load-bearing premise

The economic models inside the tool accurately represent real-world cybersecurity risks, returns on investment, and optimal spending levels without significant oversimplification.

What would settle it

A controlled comparison in which companies following SECAdvisor recommendations show no measurable reduction in breach costs or no improvement in protection per dollar spent relative to companies using conventional planning methods would falsify the tool's claimed benefit.

Figures

Figures reproduced from arXiv: 2304.07909 by Burkhard Stiller, Christian Omlin, Eder John Scheid, Muriel Figueredo Franco, Oliver Kamer.

Figure 1: Level of Investment in Cybersecurity from [10]
Figure 2: Conceptual Architecture of the SECAdvisor
Figure 3: Dashboard of SECAdvisor with the Optimal Investments per Segment Calculated
Figure 5: Interface for Customization and Zoom-In on the
Figure 6: Interface for Customization of BPF using SECAdvisor
Figure 7: Input Parameters for ROSI Calculation for Protections
Original abstract

Cybersecurity planning is challenging for digitized companies that want adequate protection without overspending money. Currently, the lack of investments and perverse economic incentives are the root cause of cyberattacks, which results in several economic impacts on companies worldwide. Therefore, cybersecurity planning has to consider technical and economic dimensions to help companies achieve a better cybersecurity strategy. This article introduces SECAdvisor, a tool to support cybersecurity planning using economic models. SECAdvisor allows users to (a) understand the risks and valuation of different businesses' information, (b) calculate the optimal investment in cybersecurity for a company, (c) receive a recommendation of protections based on the budget available and demands, and (d) compare protection solutions in terms of cost-efficiency. Furthermore, evaluations on usability and real-world training activities performed using SECAdvisor are discussed.
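The abstract's capabilities (b), (c) and (d) can be made concrete with the two economic models the paper's reference list leans on. The following is an added example, not code from SECAdvisor or the paper; it assumes the class-I breach-probability function S(z, v) = v / (αz + 1)^β of the Gordon-Loeb model [6, 10] and the ENISA definition of ROSI [17], and every number in it is a constructed sample, not data from the paper.

```python
"""Added example (not the SECAdvisor tool's code): optimal cybersecurity
investment per information segment (Gordon-Loeb, class-I S function) and
ROSI-based ranking/recommendation of protections under a budget.
Assumptions: S(z, v) = v / (alpha*z + 1)**beta and
ROSI = (ALE * mitigation - cost) / cost.  All figures are constructed."""
import math


def breach_prob(z, v, alpha, beta):
    """Residual breach probability after investing z in a segment with vulnerability v."""
    return v / (alpha * z + 1) ** beta


def enbis(z, v, lam, alpha, beta):
    """Expected net benefit of information security: expected loss avoided
    (lam = monetary loss if the segment is breached) minus the investment z."""
    return (v - breach_prob(z, v, alpha, beta)) * lam - z


def optimal_investment(v, lam, alpha, beta):
    """Closed-form maximiser of enbis() (d/dz = 0); 0 when no spend pays off."""
    z = ((alpha * beta * lam * v) ** (1.0 / (beta + 1)) - 1.0) / alpha
    return max(z, 0.0)


def optimal_investment_grid(v, lam, alpha, beta, step):
    """Brute-force maximiser over z in [0, lam*v]; cross-checks the closed form."""
    best_z, best_val = 0.0, enbis(0.0, v, lam, alpha, beta)
    z = step
    while z <= lam * v:
        val = enbis(z, v, lam, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def within_one_over_e(v, lam, alpha, beta):
    """Gordon-Loeb 1/e rule [11]: optimal spend never exceeds expected loss / e."""
    return optimal_investment(v, lam, alpha, beta) <= lam * v / math.e


def rosi(ale, mitigation, cost):
    """Return On Security Investment of one protection (ALE = annual loss expectancy)."""
    return (ale * mitigation - cost) / cost


def rank_by_rosi(ale, protections):
    """Capability (d): order candidate protections by cost-efficiency."""
    return sorted(protections, key=lambda p: rosi(ale, p["mitigation"], p["cost"]), reverse=True)


def recommend(ale, protections, budget):
    """Capability (c): greedy pick of the most cost-efficient protections that
    fit the budget and have positive ROSI (a heuristic, not a knapsack optimum)."""
    chosen, remaining = [], budget
    for p in rank_by_rosi(ale, protections):
        if p["cost"] <= remaining and rosi(ale, p["mitigation"], p["cost"]) > 0:
            chosen.append(p["name"])
            remaining -= p["cost"]
    return chosen


# Constructed sample: one segment with vulnerability V and loss LAM if breached.
V, LAM, ALPHA, BETA = 0.6, 150_000.0, 1e-4, 1
PROTECTIONS = [  # constructed catalogue, not the tool's data
    {"name": "firewall", "mitigation": 0.30, "cost": 5_000},
    {"name": "endpoint detection", "mitigation": 0.50, "cost": 20_000},
    {"name": "web application firewall", "mitigation": 0.20, "cost": 15_000},
]

if __name__ == "__main__":
    z_star = optimal_investment(V, LAM, ALPHA, BETA)
    print(f"optimal investment z* = {z_star:,.0f} "
          f"(grid check {optimal_investment_grid(V, LAM, ALPHA, BETA, 500):,.0f})")
    print("1/e rule holds:", within_one_over_e(V, LAM, ALPHA, BETA))
    ale = LAM * V  # expected loss of the segment before any protection
    for p in rank_by_rosi(ale, PROTECTIONS):
        print(f"{p['name']:25s} ROSI = {rosi(ale, p['mitigation'], p['cost']):.2f}")
    print("recommended within 22,000:", recommend(ale, PROTECTIONS, 22_000))
```

With the sample parameters the closed form and the grid search agree on z* = 20,000 against an expected loss of 90,000, and the greedy recommendation under a 22,000 budget skips the mid-ranked protection that does not fit.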

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript introduces SECAdvisor, a software tool that integrates economic models to support cybersecurity planning. It claims four core capabilities: (a) valuing risks and information assets for different businesses, (b) computing optimal cybersecurity investment levels, (c) generating protection recommendations constrained by budget and requirements, and (d) ranking solutions by cost-efficiency. The paper additionally reports usability evaluations and experiences from real-world training activities using the tool.

Significance. If the underlying economic models are correctly implemented and produce reliable outputs, the tool could provide a practical bridge between technical security controls and economic decision-making for companies, addressing documented underinvestment issues. The reported usability testing and training use cases constitute a modest strength by demonstrating deployability, but the absence of any model derivations, calibration data, or predictive validation substantially limits the assessed significance of the contribution.

major comments (2)
  1. [Tool description section] No equations, parameter definitions, loss functions, or references to standard models (e.g., Gordon-Loeb) are supplied for the risk valuation or optimal-investment calculations that underpin claims (a)–(d). Without these, it is impossible to determine whether the tool’s outputs rest on defensible assumptions about attack probabilities and loss magnitudes.
  2. [Evaluation section] The reported usability and training assessments contain no quantitative checks on the economic component, such as sensitivity analysis on key parameters or comparison of recommended investment levels against observed firm behavior or breach datasets. This directly affects the reliability of the four claimed functions.
minor comments (1)
  1. [Abstract] The four capabilities are listed without any indication of the economic models employed or the presence/absence of validation results, which would better orient readers to the manuscript’s technical contribution.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for their thorough review and valuable comments on our manuscript describing SECAdvisor. We address each major comment below and indicate the revisions we intend to make.

Point-by-point responses
  1. Referee: Tool description section: no equations, parameter definitions, loss functions, or references to standard models (e.g., Gordon-Loeb) are supplied for the risk valuation or optimal-investment calculations that underpin claims (a)–(d). Without these, it is impossible to determine whether the tool’s outputs rest on defensible assumptions about attack probabilities and loss magnitudes.

    Authors: The primary focus of the manuscript is on the development and usability of the SECAdvisor tool rather than on deriving new economic models. The tool builds upon established economic frameworks from the cybersecurity economics literature. We agree that including explicit references and basic formulations would improve clarity. In the revised manuscript, we will expand the tool description section to include references to standard models such as the Gordon-Loeb model, along with key equations and parameter definitions for risk valuation and optimal investment calculations. This addition will be made without altering the core contribution of the tool itself.
    revision: yes

  2. Referee: the reported usability and training assessments contain no quantitative checks on the economic component, such as sensitivity analysis on key parameters or comparison of recommended investment levels against observed firm behavior or breach datasets. This directly affects the reliability of the four claimed functions.

    Authors: We recognize that the evaluation section emphasizes usability testing and real-world training use cases to demonstrate the tool's practical application. Quantitative validation of the economic models, including sensitivity analysis or comparisons to external datasets, was not included because the paper's scope centers on the tool's design and user experience rather than empirical validation of the models. We will revise the manuscript to explicitly discuss this limitation and add a basic sensitivity analysis example using the tool to illustrate robustness of the outputs. However, access to comprehensive firm behavior or breach datasets for direct comparison is not available to us at this time, limiting the extent of such validation.
    revision: partial

standing simulated objections not resolved
  • Comprehensive predictive validation against observed firm behavior or breach datasets, as this would require access to proprietary or large-scale external data not available in the current study.

Circularity Check

0 steps flagged

No circularity; tool-description paper presents no derivations or predictions.

Full rationale

The paper introduces SECAdvisor and enumerates four high-level functions (risk valuation, optimal investment calculation, protection recommendations, cost-efficiency comparison) but supplies no equations, no fitted parameters, no self-referential predictions, and no load-bearing self-citations. The manuscript describes UI/workflow and mentions use of economic models without deriving them or renaming known results. No step reduces by construction to its own inputs; validity therefore depends on external model accuracy rather than internal circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on the assumption that economic models can be directly applied to produce actionable cybersecurity recommendations; no free parameters, new entities, or additional axioms are described in the abstract.

axioms (1)
  • Domain assumption: Economic models can be used to calculate optimal cybersecurity investments and protection recommendations.
    Invoked to justify the tool's core calculation and recommendation functions.

pith-pipeline@v0.9.0 · 5672 in / 1186 out tokens · 20680 ms · 2026-05-24T09:17:42.398552+00:00 · methodology


Reference graph

Works this paper leans on

39 extracted references · 39 canonical work pages

  [1] M. F. Franco, “CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment,” PhD Thesis, Communication Systems Group, Department of Informatics, Universität Zürich UZH, Zürich, Switzerland, February 2023. Available at https://figueredofranco.com/static/files/PhD-M-Franco.pdf
  [2] European Union Agency for Cybersecurity (ENISA), “Cybersecurity for SMEs: Challenges and Recommendations,” June 2021. Available at https://www.enisa.europa.eu/publications/enisa-report-cybersecurity-for-smes
  [3] M. Franco, J. von der Assen, L. Boillat, C. Killer, B. Rodrigues, E. J. Scheid, L. Granville, and B. Stiller, “SecGrid: A Visual System for the Analysis and ML-Based Classification of Cyberattack Traffic,” in IEEE 46th Conference on Local Computer Networks (LCN 2021), Edmonton, Canada, October 2021, pp. 1–8
  [4] M. Franco, N. Berni, E. J. Scheid, B. Rodrigues, C. Killer, and B. Stiller, “SaCI: a Blockchain-based Cyber Insurance Approach for the Deployment and Management of a Contract Coverage,” in Lecture Notes in Computer Science (LNCS), no. 13072. Virtually: Springer, September 2021, pp. 79–92
  [5] European Union Agency for Cybersecurity (ENISA), “Economics of Security: Facing the Challenges,” December 2012. Available at https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/files/EoSFinalreport
  [6] L. A. Gordon and M. P. Loeb, “The Economics of Information Security Investment,” ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 4, pp. 438–457, 2002
  [7] L. A. Gordon, M. P. Loeb, and L. Zhou, “Information Segmentation and Investing in Cybersecurity,” Journal of Information Security, vol. 12, pp. 115–136, January 2021
  [8] M. Franco, B. Rodrigues, and B. Stiller, “MENTOR: The Design and Evaluation of a Protection Services Recommender System,” in 15th International Conference on Network and Service Management (CNSM 2019). Halifax, Canada: IEEE, October 2019, pp. 1–7
  [9] L. A. Gordon and M. P. Loeb, “The Economics of Information Security Investment,” ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438–457, November 2002
  [10] L. A. Gordon, M. P. Loeb, and L. Zhou, “Investing in Cybersecurity: Insights from the Gordon-Loeb Model,” Journal of Information Security, vol. 7, pp. 49–59, 2016
  [11] Y. Baryshnikov, “IT Security Investment and Gordon-Loeb’s 1/e rule,” Berlin, Germany, June 2007. Available at https://econinfosec.org/archive/weis2012/papers/Baryshnikov WEIS2012.pdf
  [12] J. Willemson, “Extending the Gordon and Loeb Model for Information Security Investment,” in International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland, 2010, pp. 258–261
  [13] L. A. Gordon, M. P. Loeb, W. Lucyshyn, and L. Zhou, “Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model,” Journal of Information Security, vol. 6, pp. 24–30, January 2015
  [14] M. Naldi and M. Flamini, “Calibration of the Gordon-Loeb Models for the Probability of Security Breaches,” in 19th International Conference on Computer Modelling and Simulation (UKSim), Cambridge, UK, 2017, pp. 135–140
  [15] H. R. K. Skeoch, “Expanding the Gordon-Loeb Model to Cyber-Insurance,” Computers & Security, p. 102533, 2021
  [16] W. Sonnenreich, J. Albanese, and B. Stout, “Return On Security Investment (ROSI): A Practical Quantitative Model,” Journal of Research and Practice in Information Technology, pp. 239–252, 2005
  [17] European Union Agency for Cybersecurity (ENISA), “Introduction to Return on Security Investment: Helping CERTs Assessing the Cost of (Lack of) Security,” 2012. Available at https://www.enisa.europa.eu/publications/introduction-to-return-on-security-investment
  [18] Cybersecurity Osservatorio, “Self assessment questionnaire,” November 2022. Available at https://www.cybersecurityosservatorio.it/en/Services/survey.jsp, last visited November 2022
  [19] M. Rea-Guaman, J. A. Calvo-Manzano, and T. S. Feliu, “A Prototype to Manage Cybersecurity in Small Companies,” in 13th Iberian Conference on Information Systems and Technologies (CISTI), Caceres, Spain, June 2018, pp. 1–6
  [20] M. Franco and B. Stiller (Editors), “Deliverable D4.3: 3rd Year Report on Cybersecurity Threats,” December 2021. Available at https://www.concordia-h2020.eu/wp-content/uploads/2022/07/CONCORDIA-D4.3.pdf
  [21] P. Huff, K. McClanahan, T. Le, and Q. Li, “A Recommender System for Tracking Vulnerabilities,” in 16th International Conference on Availability, Reliability and Security (ARES 2021), Vienna, Austria, August 2021, pp. 1–7
  [22] R. Hallman, M. Major, J. Romero-Mariona, R. Phipps, E. Romero, and J. Miguel, “Return on Cybersecurity Investment in Operational Technology Systems: Quantifying the Value That Cybersecurity Technologies Provide after Integration,” in 5th International Conference on Complexity, Future Information Systems and Risk (COMPLEXIS 2020), Prague, Malta, May 20...
  [23] M. Benz and D. Chatterjee, “Calculated Risk? A Cybersecurity Evaluation Tool for SMEs,” Business Horizons, vol. 63, no. 4, pp. 531–540, August 2020
  [24] C. Inan, “A Visual Tool for the Analysis of Cybersecurity Investments,” Bachelor Thesis, Communication Systems Group, Department of Informatics, Universität Zürich UZH, Zürich, Switzerland, August 2020
  [25] Y. Huang, J. Debnath, M. Iorga, A. Kumar, and B. Xie, “CSAT: A User-interactive Cyber Security Architecture Tool based on NIST-compliance Security Controls for Risk Management,” in IEEE 10th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON 2019), New York, USA, October 2019, pp. 0697–0707
  [26] T. Li, G. Convertino, R. K. Tayi, and S. Kazerooni, “What Data Should I Protect? Recommender and Planning Support for Data Security Analysts,” in 24th International Conference on Intelligent User Interfaces (IUI ’19), California, USA, March 2019, pp. 286–297
  [27] M. Franco, B. Rodrigues, E. J. Scheid, A. Jacobs, C. Killer, L. Z. Granville, and B. Stiller, “SecBot: a Business-Driven Conversational Agent for Cybersecurity Planning and Management,” in International Conference on Network and Service Management (CNSM 2020), Izmir, Turkey, November 2020, pp. 1–7
  [28] M. Franco, E. Sula, B. Rodrigues, E. Scheid, and B. Stiller, “ProtectDDoS: A Platform for Trustworthy Offering and Recommendation of Protections,” in Economics of Grids, Clouds, Systems, and Services. Izola, Slovenia: Springer, September 2020
  [29] A. Spain, “Cyber Risk Calculator (CERCA),” 2022. Available at https://booklet.atosresearch.eu/assets/cerca
  [30] C. Omlin, O. Kamer, and M. F. Franco, “SECAdvisor - Source Code,” 2023. Available at https://github.com/sec-advisor/cybersecurity-investment-tool
  [31] M. F. Franco, “Interactive Visualizations for Management of NFV-enabled Networks,” Master’s thesis, 2017
  [32] H. R. Skeoch, “Expanding the Gordon-Loeb model to Cyber-Insurance,” Computers & Security, vol. 112, p. 102533, January 2022
  [33] S. Farrow and J. Szanton, “Cybersecurity Investment Guidance: Extensions of the Gordon and Loeb Model,” Journal of Information Security, vol. 7, no. 2, pp. 15–28, 2016
  [34] M. Naldi and M. Flamini, “Calibration of the Gordon-Loeb Models for the Probability of Security Breaches,” in 19th International Conference on Computer Modelling & Simulation (UKSim 2017). Cambridge: IEEE, April 2017, pp. 135–140
  [35] L. A. Gordon, M. P. Loeb, and L. Zhou, “Investing in Cybersecurity: Insights from the Gordon-Loeb Model,” Journal of Information Security, vol. 7, no. 2, pp. 49–59, 2016. Available at http://www.scirp.org/journal/doi.aspx?DOI=10.4236/jis.2016.72004
  [36] L. A. Gordon, M. P. Loeb, and L. Zhou, “Information Segmentation and Investing in Cybersecurity,” Journal of Information Security, vol. 12, no. 1, pp. 115–136, 2021
  [37] J. Brooke, SUS: A ‘Quick and Dirty’ Usability Scale. London: Taylor & Francis, 1996, ch. 21, pp. 189–194
  [38] F. Cutas, A. Chatzopoulou, and L. Sleem, “CONCORDIA Course ‘Becoming a Cybersecurity Consultant’: The Pilot – Structure and Deployment,” 2021. Available at https://www.concordia-h2020.eu/wp-content/uploads/2021/07/Pilot Course BCSC Report Final.pdf
  [39] M. F. Franco, L. Z. Granville, and B. Stiller, “CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment,” in 36th IEEE/IFIP Network Operations and Management Symposium (NOMS 2023), Miami, USA, May 2023, pp. 1–6

All links provided above were last accessed in April 2023.