Reducing the Challenges to Making Cybersecurity Investments in the Private Sector

Cyber Security Division 2012 Principal Investigators Meeting
TTA: Cyber Economics
PI: Dr. Lawrence A. Gordon* (lgordon@rhsmith.umd.edu), (301) 405-4072
Co-PI: Dr. Martin P. Loeb* (mloeb@rhsmith.umd.edu), (301) 405-4072
Co-PI: Mr. William Lucyshyn** (lucyshyn@umd.edu), (301) 405-8257
*Smith School of Business, Accounting and Information Assurance Department, University of Maryland
**School of Public Policy, Center for Public Policy and Private Enterprise, University of Maryland

Primary Objective: to understand more fully the challenges associated with making cybersecurity investments in the private sector and to recommend policies for facilitating the appropriate level of such investments (emphasis will be given to firms that own and/or operate assets critical to the national infrastructure). In pursuing this objective, we begin by developing a conceptual framework for making cybersecurity investments. Because cybersecurity investments compete with the other investment opportunities available to a firm, they need to be justified by showing that their benefits exceed their costs in net present value (NPV) terms.

Technical Approach:
1. Examine the existing literature
2. Develop model(s) for investing in cybersecurity
3. Conduct in-depth interviews with CFOs and CIOs from major firms
4. Conduct a survey and analyze the data
5. Develop recommendations for policies and procedures that incentivize an appropriate level of private sector cybersecurity investment

[Figure: The Business Case for Cybersecurity Investments. Horizontal axis: level of cybersecurity; vertical axis: dollars. Curves plotted: cost of cybersecurity, cost of cybersecurity breaches, and total costs (their sum); the optimal level of cybersecurity is marked where total costs are lowest.]

[Figure: Conceptual View of Costs of Security Breaches]

Hypotheses
H1: The uncertainties associated with measuring the benefits from cybersecurity have created a situation in which it is more difficult for managers to get funds for cybersecurity investments than for investments related to traditional revenue-generating projects.
H2: The risk associated with cybersecurity investments is poorly understood by most individuals involved in making cybersecurity investments.
H3: Due to externalities, when firms consider only private profits they tend to under-invest in cybersecurity.

Research Design
1. Provide a conceptual framework for making cybersecurity investments:
   $z_1^* = \arg\min_z \,[P(z)L + z]$
   $z_2^* = \arg\min_z \,[P(z)L + z + CS(z)]$
   Here z is the amount invested in cybersecurity, P(z) the probability of a breach given that investment, L the loss the firm suffers from a breach, and CS(z) the externality cost a breach imposes on parties outside the firm (the source of the under-investment in H3). The first rule is the firm's private optimum; the second is the optimum once those external costs are counted.
2. Conduct 4-6 in-depth case studies of the cybersecurity investment activities of organizations operating in critical infrastructure industries, based on interviews with the CFOs and CSOs. The case studies will be viewed as a series of mini-experiments.
3. Design a questionnaire for conducting a large empirical survey. The data collected from the survey will be used to statistically test the hypotheses underlying the study. The questionnaire will be sent to the CFOs and CSOs of approximately 300 major organizations from a variety of critical infrastructure industries.
4. Analyze the survey data via statistical and econometric procedures, e.g. a regression of the form
   $Y = \beta_0 + \beta_1 X_1 + \beta_2 X_2 + \sum_{i=1}^{n} \alpha_i C_i$
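The two argmin rules above can be carried through numerically. The following is an added worked example, not code from the presentation or the research team: it assumes the "class II" breach-probability function from the cited Gordon and Loeb (2002) paper, P(z) = v^(αz+1), where v is the breach probability with no investment and α a productivity constant, and it assumes that the externality CS(z) is proportional to the breach probability, CS(z) = P(z)·ext. The loss figures, v, α and ext are constructed inputs chosen only to make the comparison visible.

```python
"""Worked example of the Z1 / Z2 investment rules on the Research Design slide.

Added illustration, not code from the presentation. P(z) is the Gordon-Loeb
(2002) class II function v ** (alpha*z + 1); the externality term
CS(z) = P(z) * ext is an ASSUMPTION made for this example. All numeric
inputs below are constructed.
"""
import math


def breach_prob(z: float, v: float, alpha: float) -> float:
    """P(z): breach probability after investing z (Gordon-Loeb class II)."""
    return v ** (alpha * z + 1.0)


def private_cost(z: float, L: float, v: float, alpha: float) -> float:
    """P(z)*L + z: expected loss plus outlay that the firm minimises (Z1)."""
    return breach_prob(z, v, alpha) * L + z


def social_cost(z: float, L: float, v: float, alpha: float, ext: float) -> float:
    """P(z)*L + z + CS(z) with the assumed CS(z) = P(z)*ext (Z2).

    ext is the constructed loss a breach imposes on third parties
    (customers, connected firms, the infrastructure the firm operates)."""
    return private_cost(z, L, v, alpha) + breach_prob(z, v, alpha) * ext


def argmin_grid(cost, z_max: float, step: float):
    """Brute-force argmin of cost(z) over a grid in [0, z_max].

    Works for any P(z) or CS(z) shape, unlike the closed form below."""
    best_z, best_c = 0.0, cost(0.0)
    for k in range(1, int(round(z_max / step)) + 1):
        z = k * step
        c = cost(z)
        if c < best_c:
            best_z, best_c = z, c
    return best_z, best_c


def z_star_closed_form(L: float, v: float, alpha: float) -> float:
    """Exact minimiser of v**(alpha*z+1)*L + z for the class II function.

    d/dz = alpha*ln(v)*v**(alpha*z+1)*L + 1 = 0
      => v**(alpha*z+1) = -1 / (alpha*L*ln v)
      => z* = (ln(-1/(alpha*L*ln v)) / ln v - 1) / alpha
    A negative root means even the first dollar is not worth spending,
    so the optimum is the corner z* = 0."""
    ln_v = math.log(v)
    z = (math.log(-1.0 / (alpha * L * ln_v)) / ln_v - 1.0) / alpha
    return max(0.0, z)


def compare_optima(L=100.0, v=0.5, alpha=1.0, ext=200.0, z_max=40.0, step=0.01):
    """Return (z1, z2): the private optimum and the optimum that also counts CS(z).

    Constructed inputs: private loss 100, baseline breach probability 0.5,
    alpha 1, third-party loss 200. z2 > z1 is the under-investment of H3."""
    z1, _ = argmin_grid(lambda z: private_cost(z, L, v, alpha), z_max, step)
    z2, _ = argmin_grid(lambda z: social_cost(z, L, v, alpha, ext), z_max, step)
    return z1, z2


if __name__ == "__main__":
    z1, z2 = compare_optima()
    print(f"private optimum z1* = {z1:.2f} (closed form {z_star_closed_form(100, 0.5, 1):.2f})")
    print(f"optimum with externality z2* = {z2:.2f} (> z1*: the firm under-invests, H3)")
    print(f"expected private loss at z=0: {private_cost(0, 100, 0.5, 1):.1f}, "
          f"at z1*: {private_cost(z1, 100, 0.5, 1) - z1:.1f}")
```

Because CS(z) = P(z)·ext simply raises the loss term from L to L + ext, the second rule's optimum equals the closed form evaluated at L + ext; the grid search is kept so the same code can be rerun with an empirically estimated P(z) or a CS(z) that is not proportional to P(z).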

Inappropriate regulatory strategies can cause firms to reduce their overall levels of cybersecurity.

Deliverables
- Monthly progress reports
- Interim report after the first 12 months
- Final report after 24 months that will summarize the entire research project, including: (a) survey of private sector firms, (b) case studies, (c) cybersecurity investment models, and (d) policy recommendations
- Preparation of articles for submission to major research journals
- Presentations at academic and professional conferences

Application of Research
- Inform the formulation of policies and regulations aimed at incentivizing an appropriate level of investment in cybersecurity measures by the private sector
- Assist firms as they analyze their cybersecurity requirements and work to determine the appropriate level of investment

Selected References
Bodin, L., L.A. Gordon and M.P. Loeb, "Information Security and Risk Management," Communications of the ACM, Vol. 51, No. 4, 2008, pp. 64-68.
Campbell, K., L.A. Gordon, M.P. Loeb and L. Zhou, "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.
Gansler, J.S. and W. Lucyshyn, "Improving the Security of Financial Management Systems: What Are We to Do?" Journal of Accounting and Public Policy, Vol. 24, No. 1, pp. 1-9.
Gordon, L.A. and M.P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, November 2002, pp. 438-457 (reprinted in Economics of Information Security, 2004).
Gordon, L.A. and M.P. Loeb, "Return on Information Security Investments: Myths vs. Reality," Strategic Finance, November 2002, pp. 26-31.
Gordon, L.A. and M.P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Perspective, McGraw-Hill, 2006.
Gordon, L.A. and M.P. Loeb, "Information Security Budgeting Process: An Empirical Study," Communications of the ACM, January 2006, pp. 121-125.
Gordon, L.A. and M.P. Loeb, "Economic Aspects of Information Security: An Emerging Field of Research," Information Systems Frontiers, Vol. 8, No. 5, 2006, pp. 335-337.
Gordon, L.A., M.P. Loeb and W. Lucyshyn, "Sharing Information on Computer Systems Security: An Economic Analysis," Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003, pp. 461-485.
Gordon, L.A., M.P. Loeb and W. Lucyshyn, "Information Security Expenditures and Real Options: A Wait-and-See Approach," Computer Security Journal, Vol. 19, No. 2, 2003, pp. 1-7.
Gordon, L.A., M.P. Loeb, W. Lucyshyn and R. Richardson, "CSI/FBI Computer Crime and Security Survey," Computer Security Journal, Summer 2004.
Gordon, L.A., M.P. Loeb and T. Sohail, "A Framework for Using Insurance for Cyber-Risk Management," Communications of the ACM, March 2003, pp. 81-85.
Gordon, L.A., M.P. Loeb and T. Sohail, "Market Value of Voluntary Disclosures Concerning Information Security," MIS Quarterly, September 2010, pp. 567-594.
Gordon, L.A., M.P. Loeb, T. Sohail, C-Y Tseng and L. Zhou, "Cybersecurity Capital Allocation and Management Control Systems," European Accounting Review, Vol. 17, No. 2, 2008, pp. 215-241.
Gordon, L.A., M.P. Loeb and L. Zhou, "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?" Journal of Computer Security, Vol. 19, No. 1, 2011, pp. 33-56.