In the most established model to evaluate the effectiveness of security investments by Gordon and Loeb, the probability of data breaches is represented as a function of investments only. The more the company invests to protect the data of its customers, the lower the probability that a data breach occurs. But is that truthful? Are investments the only factor on the attacked side? Actually, the attacked side is represented by at least two members: the company holding the data and its customers (probably holding the same data and data leading to to the company's repository). Whenever a customer releases its data to the company, it gets exposed to data breaches. The more data are released, the larger the exposure is. And the chart attached at the beginning of this post shows that customer are more often than not at the root of data breaches. So, the customer plays a role in the probability that a data breach occurs and cannot be overlooked. This is the reason why we have introduced a model for the probability of data breaches that takes into account the role of customers as well. We have presented that model at major conferences and think that it fills a gap in Gordon and Loeb's model, to achieve a wider comprehension of the role of all the stakeholders in decisions about security investments. You can read the details in our papers presented at IFIP SEC 2012, Trustbus 2012, and NSS 2013.