ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY



Similar documents
Reducing the Challenges to Making Cybersecurity Investments in the Private Sector

INVESTING IN CYBERSECURITY:

Incentives for Improving Cybersecurity in the Private Sector: A Cost-Benefit Perspective

Information Security and Risk Management

Master of Business Administration, State University of New York at Albany, Accounting/Finance Concentration, 6/67

How To Understand The 2004 Csi/Fbi Computer Crime And Security Survey

PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS

ELEVENTH ANNUAL CSI/FBI COMPUTER CRIME AND SECURITY SURVEY. GoCSI.com

Xue Wang. Education UNIVERSITY OF CHICAGO Graduate School of Business M.B.A., 2005 Ph.D. in Accounting, 2005.

ELLEN E. ENGEL. Education Stanford University, Graduate School of Business, Ph.D. - Accounting, 1997.

Darren T. Roulstone. Analyst Following and Market Liquidity (Contemporary Accounting Research, Volume 20 No. 3, )

TENTH ANNUAL CSI/FBI COMPUTER CRIME AND SECURITY SURVEY. GoCSI.com

RAFFI J. INDJEJIKIAN Carleton H. Griffin-Deloitte & Touche Collegiate Professor of Accounting Curriculum Vitae, April 2015

Joshua G. Rosett PUBLICATIONS. Refereed Journal Articles

Curriculum Vitae -- Yuan Zhang

present: Assistant Professor, Foster Faculty Fellow Michael G. Foster School of Business, University of Washington

Ram T. S. Ramakrishnan

ERIC E. SPIRES. Ph.D. May 1987, University of Illinois (major - accounting; special area - auditing; minor - statistics and experimental design)

THE IMPACT OF INFORMATION SECURITY BREACHES ON FINANCIAL PERFORMANCE OF THE BREACHED FIRMS: AN EMPIRICAL INVESTIGATION

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

A SURVEY OF FINANCE PROFESSORS VIEWS ON DERIVATIVES. Survey Conducted by The International Swaps and Derivatives Association March 2004

YUN-CHIA (ANDERSON) YAN, PH.D. Assistant Professor of Accounting EDUCATION

JAP EFENDI. University of Texas at Arlington, Assistant Professor

JENNIFER L. JUERGENS

VENUGOPAL (VENU) GOPALAKRISHNA REMANI 3700 McDonald road, Apt #255, Tyler Texas Phone: (330) ; Fax: venugopal@uttyler.

SUSAN M. YOUNG EDUCATION RESEARCH. Capital markets, financial analysts earnings reports, investors use of analyst information.

JUDSON CASKEY. Ann Arbor, Michigan, April 2002 (with High Distinction)

PRIORITIZING CYBERSECURITY

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

DHS Incentives Study: Analysis, Recommendations, and Areas Identified for Further Research

CURRICULUM VITAE. Frank L. Heflin

Ge Bai Department of Accounting Williams School of Commerce, Economics, and Politics Washington and Lee University Lexington, VA

Gus P. Coldebella Partner, Goodwin Procter LLP Former General Counsel, Dept. of Homeland Security. What are we going to talk about today?

Tel (03) Fax (03) ACIIA ADVOCACY PROJECT ASIAN STOCK EXCHANGE PERSPECTIVES ON INTERNAL AUDIT

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Elements of the Patch Management Process

Developing a Corporate Governance Framework

Jerry Cha-Jan Chang, Ph.D.

27.9% of the graduates responded. Respondents. Degree Surveys with Salaries Male Average Female Average. Table of Contents

LEONCE L. BARGERON. University of Kentucky Lexington, KY Lexington, KY 40506

Division of Transportation Planning. Cost-Benefit Analysis of Park & Ride/Intermodal Strategies within the State Highway System in Southern California

Cyber Security for the Private Sector: What Companies and Their Lawyers Need to Know

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

SUNIL DUTTA Curriculum Vitae December, 2013

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

Chair, Department of Accounting, University of Massachusetts, and present

Albert Tsang December, 2015

Master of Financial Management: Faculty Bios

How To Discuss The Importance Of Relevant Research In Supply Chain And Operations Management

EDITOR S COMMENTS. What Are the Best MIS Programs in U.S. Business Schools?

PROFESSIONAL EXPERIENCE: Associate Professor of Management, Graduate School of Management, University of California, Davis, CA. July 2008 present.

ANANDHI S. BHARADWAJ

DALIDA KADYRZHANOVA Curriculum Vitae (Last updated: 12/2014)

Ningzhong Li. University of Chicago, Booth School of Business, Chicago, IL MBA, Ph.D. in Accounting 2009

NILABHRA (NEIL) BHATTACHARYA

ALMA COHEN Mass. Ave., Harvard Law School, Cambridge, MA Tel. (617)

SIMI KEDIA Associate Professor of Finance Rutgers Business School Phone:

UNIVERSITY OF MICHIGAN

Realization of Your Dream: Higher Study, Partnership, Collaboration Opportunities

CURRICULUM VITA: February Steven Grenadier

Assistant Professor of Marketing, Present McDonough School of Business, Georgetown University, Washington, DC

Assistant Professor William E. Simon Graduate School of Business Administration, University of Rochester,

McCOMBS SCHOOL OF BUSINESS, CBA UNIVERSITY OF TEXAS AT AUSTIN. AUSTIN, TX PHONE #:

RAGHAVAN (RAJ) J. IYENGAR Curriculum Vitae

William E. Ayen, Ph.D. Department of Information Systems College of Business and Administration University of Colorado at Colorado Springs

GOVERT VROOM. IESE Business School Tel.: Barcelona blog.iese.edu/vroom Spain

KAREN K. NELSON Harmon Whittington Chair and Professor of Accounting

The Paul Merage School of Business, SB 442 University of California, Irvine Phone: (917)

Frequently Asked Questions

Cybersecurity. Considerations for the audit committee

M. Tolga Akçura

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Research Interests: IT adoption and implementation; human-computer interaction; IT in small business; computer ethics.

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER

CHRISTOPHER S. ARMSTRONG February 2015

Anna Pavlova September 2013

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security.

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Transcription:

ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY Lawrence A. Gordon Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance The Robert H. Smith School of Business University of Maryland Affiliate Professor in UMIACS Researcher in Maryland Cybersecurity Center July 2011 L. A. Gordon

Objectives of Presentation A. Discuss a Few Issues Related to Cybersecurity Economics: 1. Economic Impact of Cybersecurity Breaches on Corporations 2. Making Cybersecurity Investment Decisions 3. The Effect of SOX on Disclosing Cybersecurity Activities 4. The Effect of Voluntarily Disclosing Cybersecurity Activities on Firm Value 5. Cybersecurity Insurance as a Mechanism to Transfer Risk B. Present Framework for Cybersecurity Risk Management Note: Economic Models Should be Used as Complement to, and Not as a Substitute for, Sound Business Judgment!!! L. A. Gordon 2

A1. Impact of Cybersecurity Breaches on Corporations Cybersecurity Breaches are a Key Concern to Private and Public Sector Organizations President Obama s Initiatives Economic Costs of Cybersecurity Breaches Conventional Wisdom Need to Consider Implicit and Explicit Costs Key Studies have Looked at Impact of Breaches on Stock Market Returns (SMR) L. A. Gordon 3

A1: Results of Studies Looking at Impact of Cybersecurity Breaches on SMR Large Percentages of Breaches Do Not Have Significant Impact on Firms a. Stockholders have Become Tolerant of Breaches b. Many Firms have Strengthened their Remediation Plans, thereby Substantially Reducing the Cost of an Average Breach Breaches that Do Have a Significant Impact on SMR can Threaten Firm s Survival L. A. Gordon 4

A2. Making Cybersecurity Investments Making the Business Case Net Present Value (NPV) Model Optimal Amounts to Invest (Need to Consider Security Breach Function [i.e., Vulnerabilities, Threats, and Productivity of Investments] & Potential Loss) Option Value of Investments Note: Economic Models Should be Used as a Complement to, and Not as a Substitute for, Sound Business Judgment!!! L. A. Gordon 5

A2 : The Business Case Process for Cybersecurity Investments 1. Specify Organizational Cybersecurity Objectives 2. Identify Alternatives for Achieving Cybersecurity Objectives 3. Acquire Data and Analyze Each Alternative Identified 4. Conduct Cost-Benefit Analysis and Rank Order the Alternatives Identified Select Alternative 5. Control (Postauditing) Source: Gordon and Loeb, 2006a, pp. 116 and 131. L. A. Gordon 6

A2 : Results of Studies Looking at Making Investments in Cybersecurity Optimal level of Information Security Investment Does Not Always Increase with the Level of Vulnerability For a Wide Range of Circumstances, Firms should Invest 37% of Expected Loss Wait-and-see approach is often Rational from An Economics Perspective due to Real Options L. A. Gordon 7

A3. Impact of Sarbanes Oxley Act of 2002 (SOX) on Information Security CEO Certification CFO CIO/CSO/CISO Information System Security Mandatory Disclosures Financial Reports Internal Controls Reports Financial Systems Voluntary Disclosures of Security Activities Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006. L. A. Gordon 8

Number of Disclosures A3: The Impact of SOX on Voluntarily Disclosing Cybersecurity Activities 800 700 600 500 400 300 200 100 0 774 579 487 348 331 2000 2001 2002 2003 2004 SOX Passed 9 Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006. L. A. Gordon 9

A4. Impact of Voluntary Disclosures of Cybersecurity Activities on Firm Value Voluntary Disclosures Concerning Information Security, in Annual Reports Filed with the SEC, were found to be Positively Associated with Increases in the Stock Market Value of Firms. Source: Gordon, Loeb and Sohail, 2010. L. A. Gordon 10

A5. Cybersecurity Insurance: A Risk Transfer Mechanism Organization s Perspective: Assess if Cybersecurity Insurance is Needed Evaluate Available Insurance Policies Select Appropriate Policy and Transfer Risk Insurance Company s Perspective Pricing Decisions Require More Actuarial Data Adverse Selection Moral Hazard Slow to Gain Momentum Executive Office of the President is Currently Involved in this Issue L. A. Gordon 11

B. Cybersecurity Risk Management (CRM) Cybersecurity Risk Uncertainty of Potentially Harmful Events Related to Cybersecurity Cybersecurity Risk Management Process of Managing (Reducing) Potentially Harmful Uncertain Events Due to the Lack of Effective Cybersecurity L. A. Gordon 12

B. Risk Metrics (Different Strokes for Different Folks) Expected Loss Most Popular in Information Security Literature = (Probability of Loss) X (Amount of Loss) Probability of No Loss Probability of Largest Loss Variance (or Standard Deviation) of Losses Most Popular Metric in Management Accounting, Economics & Finance L. A. Gordon 13

B. Cybersecurity Risk Management Assessment and Control Framework Organizational Objectives Identifying Cybersecurity Risk No Manage Cybersecurity Risk via -- Efficient Use of Resources (Investments) -- Internal Controls.--Voluntary Disclosures -- Information Sharing -- Technical Improvements -- Behavioral/Organizational Improvements Is Risk Level Acceptable? Estimate Residual Risk Yes No Further Reduce Risk via Insurance? Yes Cybersecurity Insurance Cybersecurity Risk Control and Response (e.g., intrusion detection systems, cybersecurity auditing, corrective actions) L. A. Gordon 14

Concluding Comments 1. Cybersecurity Economics Is Not Voodoo Economics 2. Many Cybersecurity Breaches do not have a Significant Impact on Firms, but some can Threaten the Survival of a Firm 3. SOX has Increased Voluntary Disclosures of Cybersecurity Activities and such Disclosures are Associated with Increasing Firm Value. 4. Cybersecurity Insurance is a Mechanism for Transferring Risk 5. There are Different Ways to View Risk 6. CRM provides a Framework for Viewing Many Economic Issues Associated with Cybersecurity 7. A Catastrophic Cybersecurity Breach May Occur L. A. Gordon 15

SELECTED REFERENCES RELATED TO STREAM OF RESEARCH Bodin, L., L.A. Gordon and M.P. Loeb, Information Security and Risk Management, Communication of the ACM, Vol. 51, No. 4, 2008, pp. 64-68. Campbell, K., L.A. Gordon, M.P. Loeb and L. Zhou, The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market, Journal of Computer Security, Vol. 11, No.3, 2003, pp. 431-448. Gordon, L.A. and M.P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Perspective (McGraw-Hill), 2006. Gordon, L.A. and M.P. Loeb, Information Security Budgeting Process: An Empirical Study, Communications of the ACM, Jan. 2006, pp. 121-125. Gordon, L.A., M.P. Loeb, Economic Aspects of Information security: An Emerging Field of Research, Information System Frontiers, Vol. 8, No. 5, 2006, pp. 335-337. Gordon, L.A. and M.P. Loeb, The Economics of Information Security Investment, ACM Transactions on Information and System Security, November 2002, pp. 438-457. (reprinted in Economics of Information Security, 2004). Gordon, L.A. and M.P. Loeb, Return on Information Security Investments: Myths vs. Reality, Strategic Finance, November 2002, pp. 26-31. Gordon, L.A., M.P. Loeb, W. Lucyshyn, Private Sector Investments in Cybersecurity, in progress. Gordon, L.A., M.P. Loeb, and W. Lucyshyn, Sharing Information on Computer Systems Security: An Economic Analysis, Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003, pp. 461-485, Gordon, L.A., M.P. Loeb, and W. Lucyshyn, Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, Vol. 19, No. 2, 2003, pp. 1-7. Gordon, L.A., M.P Loeb, W. Lucyshyn, and R. Richardson, CSI/FBI Computer Crime and Security Survey, Computer Security Journal, Summer 2004. Gordon, L.A., M.P. Loeb and T. Sohail, Market Value of Voluntary Disclosures Concerning Information Security, MIS Quarterly, September 2010, pp. 567-594. Gordon, L.A., M.P. Loeb, and T. Sohail, A Framework for Using Insurance for Cyber-Risk Management, Communications of the ACM, March 2003, pp. 81-85. Gordon, L.A., M.P. Loeb, T. Sohail, C-Y Tseng and L. Zhou, Cybersecurity Capital Allocation and Management Control Systems, European Accounting Review, Vol. 17, No. 2, 2008, pp. 215-241. Gordon, L.A., M.P. Loeb, and L. Zhou, "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?" Journal of Computer Security Vol. 19, No. 1, 2011, pp. 33-56. L. A. Gordon 16

Biography of Dr. Lawrence A. Gordon Dr. Lawrence A. Gordon is the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland s Robert H. Smith School of Business. He is also an Affiliate Professor in the University of Maryland Institute for Advanced Computer Studies. Dr. Gordon earned his Ph.D. in Managerial Economics from Rensselaer Polytechnic Institute. His research focuses on corporate performance measures, economic aspects of cyber and information security, cost management systems, and capital investments. He is the author of more than 90 articles that have been published in the accounting and computer/information security journals, and is considered to be one of the pioneers in the emerging field of cybersecurity economics. Dr. Gordon is also the coauthor or author of several books, including MANAGING CYBERSECURITY RESOURCES: A Cost-Benefit Analysis and Managerial Accounting: Concepts and Empirical Evidence (6th Edition). In addition, he is the Editor-in-Chief of the Journal of Accounting and Public Policy and serves on the editorial boards of several other academic journals. In two authoritative studies, Dr. Gordon was cited as being among the world's most influential/productive accounting researchers. An award-winning teacher, Dr. Gordon has been an invited speaker at numerous universities around the world, including: Columbia University, Harvard University, London School of Economics, London Business School, University of Manchester, University of Toronto, Carnegie Mellon University, Instituto de Empresa. and UC-Berkeley. Dr. Gordon s Ph.D. students (i.e., those students for whom he has served as the Chair or Co-Chair of their dissertation) have had initial placements as an Assistant Professor of Accounting at the Business Schools of such universities as: Northwestern University, University of Southern California, Purdue University, Rensselaer Polytechnic Institute, Instituto de Empresa, McGill University, National Taiwan University, College of William & Mary, and Michigan State University. Dr. Gordon has served as a consultant to several private and public organizations. He is also a frequent speaker at various professional meetings of corporate and government executives. In October 2007, Dr. Gordon was invited to provide formal Congressional Testimony concerning his research on cybersecurity economics before a Subcommittee of the U.S. House Committee on Homeland Security. He has also been a frequent contributor to the popular press (e.g., Wall Street Journal, Washington Post, Business Week, Baltimore Sun, Washington Business Journal, etc.). L. A. Gordon 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information