
Lawrence A. Gordon
EY Alumni Professor of Managerial Accounting and Information Assurance · University of Maryland, College Park · Accounting & Information Assurance
Active 1961–2025
About
Dr. Lawrence A. Gordon is the EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland's Robert H. Smith School of Business. He is also an Affiliate Professor in the Institute for Advanced Computer Studies, an Affiliate Researcher at the Maryland Cybersecurity Center, and a faculty member in the ACES program offered by UMD’s Honors College. He earned his Ph.D. in Managerial Economics from Rensselaer Polytechnic Institute. Dr. Gordon is an internationally recognized scholar in managerial accounting and cybersecurity economics, with research focusing on economic aspects of cybersecurity, corporate performance measures, cost management systems, and capital investments. He is known for his pioneering work in cybersecurity economics, including the development of the Gordon-Loeb Model, which provides an economic framework for determining optimal cybersecurity investments and is widely referenced in the field. His research emphasizes the importance of accounting and economic considerations within an interconnected digital economy, and he has contributed significantly to policy discussions, including providing Congressional testimony on cybersecurity economics. Dr. Gordon has authored over 100 articles published in leading journals and several books, and he has served in editorial roles for prominent academic publications. His work has been recognized with numerous awards, and he is frequently invited to speak at universities and conferences worldwide.
Research topics
- Computer Science
- Computer Security
- Business
- Economics
- Risk analysis (engineering)
- Engineering
- Finance
- Law
- World Wide Web
- Engineering management
Selected publications
Journal of Information Security · 2025-01-01
article · Open access · 1st author · Corresponding
This paper provides evidence of the impact of the 2023 U.S. Securities and Exchange Commission (SEC) disclosure rules requiring registrants to disclose their approach toward Cybersecurity Risk Management (CRM) in Item 1C (Cybersecurity) of Form 10-K. Specifically, the paper investigates how Material Weaknesses in Internal Control (MWIC) influence a firm’s decision to disclose the integration of its CRM system into its Enterprise Risk Management (ERM) framework in Item 1C. The empirical analysis indicates that firms reporting MWIC are significantly less likely to disclose in Item 1C the fact that they integrated their CRM system into their ERM framework compared to companies that do not report any MWIC. However, companies reporting both IT MWIC and non-IT MWIC are significantly more likely to disclose in Item 1C the fact that they integrated their cyber risk management systems into their overall enterprise risk management framework compared to companies only reporting non-IT MWIC.
Empirical evidence on disclosing cyber breaches in an 8-K report: Initial exploratory evidence
Journal of Accounting and Public Policy · 2024-06-14 · 9 citations
article · 1st author
Journal of Information Security · 2024-01-01
article · Open access
There are two broad objectives of the research reported in this paper. First, we assess whether government-provided cyber threat intelligence (CTI) is helpful in preventing, or responding to, cyber-attacks among small businesses within the U.S. Defense Industrial Base (DIB). Second, we identify ways of improving the effectiveness of government-provided CTI to small businesses within the DIB. Based on a questionnaire-based survey, our findings suggest that government-provided CTI helps businesses within the DIB in preventing, or responding to, cyber-attacks providing a firm is familiar with the CTI. Unfortunately, a large percentage of small firms are not familiar with the government-provided CTI feeds and consequently are not utilizing the CTI. This latter situation is largely due to financial constraints confronting small businesses that prevent firms from having the wherewithal necessary to effectively utilize the government-provided CTI. However, we found a significant positive association between a firm’s familiarity with the government-provided CTI and whether a firm is being periodically reviewed by the Defense Counterintelligence and Security Agency (DCSA) or is compliant with the Cybersecurity Maturity Model Certification (CMMC) program. The findings from our study also show that the participating firms believe that external cyber threats are more likely to be the cause of a future cybersecurity breach than internal cybersecurity threats. Finally, our study found that the portion of the IT budget that small businesses within the DIB spend on cybersecurity-related activities is dependent on the perception that a firm would be the target of an external cyber-attack.
Technology and an Organization’s Business Model
Transactions on Machine Learning and Artificial Intelligence · 2024-02-10
article · Open access · 1st author · Corresponding
The contemporary view of the interconnected digital world began to take shape in the mid-1990s with the commercialization of the Internet.[1] In the early years of the 21st Century, social media companies started to surface.[2] The use of computers and the Internet, combined with social media, has substantially changed the way most companies conduct business when compared to the way business was conducted prior to the mid-1990s. The effective execution of this changed business model is based on digital interconnections among computer-based communication systems.
Journal of Cybersecurity · 2023-01-01 · 9 citations
article · Open access
The primary objective of the current study is to analytically examine the economic benefits an organization can obtain by receiving and processing cyber threat intelligence (CTI) shared by the US government. Our results show that the benefits from receiving CTI are closely associated with the difference between the threat level indicated by the CTI and the receiving organization’s prior belief of the threat level. In addition, for the same difference between the threat levels indicated by the CTI and the organization’s prior belief, our analyses show that the magnitude of adjustments to an organization’s cybersecurity investments is inversely related to the organization’s prior belief of the threat level. Thus, larger benefits can be obtained when the receiving organization’s prior belief of a threat level is lower. Taken together, our results suggest that the common belief that it is optimal for a federal government agency or department to focus on sharing CTI related to vulnerabilities with the highest threat level is misguided. More generally, the benefits from CTI sharing can be improved if producers of CTI could develop a clearer understanding of the prior beliefs that organizations have concerning their threat level and focus on sharing CTI that is significantly different from those prior beliefs.
Cost Management and Strings of Increasing Earnings
Open Journal of Accounting · 2022-01-01 · 1 citation
article · Open access
Barth et al. (1999) document that firms sustaining a string of increasing earnings have higher price-earnings ratios and Myers et al. (2007) find such firms receive higher abnormal stock market returns during the string periods compared to firms not exhibiting this earnings pattern. The primary objective of the current study is to improve our understanding of how firms can maintain a consecutive string of increasing earnings. Most firms that have a string of increasing earnings do so by increasing revenues (Ghosh et al., 2005). Firms that maintain a string of earnings during periods of decreasing revenues must effectively manage costs to decrease their expenses sufficiently to increase earnings during those periods. Prior literature does not provide insights into the characteristics of firms and their market environments that allow them to maintain a string of consecutive earnings over periods that include both increasing and decreasing revenues. This paper contributes to filling that gap in the literature using large data and shows that cost flexibility is an important factor associated with a firm that can maintain a string of increasing earnings and finds that demand uncertainty for a firm’s products is inversely related to a firm’s ability to maintain a string of increasing earnings. In addition, an examination of the asymmetric cost behavior of the firms that experience at least one sales decrease during a consecutive string of increasing earnings indicates that these firms are associated with anti-sticky cost behavior during the string periods and exhibit sticky costs when the string ends.
Journal of Information Security · 2022 · 7 citations
- Computer Security
- Computer Science
This paper extends the literature on the economics of sharing cybersecurity information by and among profit-seeking firms by modeling the case where a government agency or department publicly shares unclassified cyber threat information with all organizations. In prior cybersecurity information sharing models a common element was reciprocity—i.e., firms receiving shared information are also asked to share their private cybersecurity information with all other firms (via an information sharing arrangement). In contrast, sharing of unclassified cyber threat intelligence (CTI) by a government agency or department is not based on reciprocal sharing by the recipient organizations. After considering the government’s cost of preparing and disseminating CTI, as well as the benefits to the recipients of the CTI, we provide sufficient conditions for sharing of CTI to result in an increase in social welfare. Under a broad set of general conditions, sharing of CTI will increase social welfare gross of the costs to the government agency or department sharing the information. Thus, if the entity can keep the sharing costs low, sharing cybersecurity information will result in an increase in net social welfare.
Information Segmentation and Investing in Cybersecurity
Journal of Information Security · 2021-01-01 · 7 citations
article · Open access · 1st author · Corresponding
This paper provides an analysis of how the benefits of information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. An analytical model based on the framework of the Gordon-Loeb Model ([1]) is presented that provides a set of sufficient conditions for information segmentation to lower the total investments in cybersecurity and the expected loss from cybersecurity breaches. A numerical example illustrating the insights gained from the model is also presented.
The Role of Data Analytics and Machine Learning in Resurrecting Inductive-Based Accounting Research
Transactions on Machine Learning and Artificial Intelligence · 2021-04-01 · 1 citation
article · Open access · 1st author · Corresponding
The objective of this paper is to assess the impact of data analytics (DA) and machine learning (ML) on accounting research.[1] As discussed in the paper, the inherent inductive nature of DA and ML is creating an important trend in the way accounting research is being conducted. That trend is the increasing utilization of inductive-based research among accounting researchers. Indeed, as a result of the recent developments with DA and ML, a rebalancing is taking place between inductive-based and deductive-based research in accounting.[2] In essence, we are witnessing the resurrection of inductive-based accounting research. A brief review of some empirical evidence to support the above argument is also provided in the paper.
Frequent coauthors
- Martin P. Loeb · 51 shared
- Lei Zhou · Shanghai Jiao Tong University · 16 shared
- William Lucyshyn · 12 shared
- Herbert Lin · Stanford University · 8 shared
- Andrew W. Stark · University of Bern · 6 shared
- Chih‐Yang Tseng · National Taiwan University · 5 shared
- Tashfeen Sohail · Brock University · 5 shared
- Stephen E. Loeb · University of Maryland, College Park · 5 shared
Awards & honors
- Recognition in the NSA’s 2016 Annual Best Scientific Cyberse…