AN ECONOMICS PERSPECTIVE
by Lawrence A. Gordon
Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance, Robert H. Smith School of Business, University of Maryland
Affiliate Professor, University of Maryland Institute for Advanced Computer Studies
Lgordon@rhsmith.umd.edu
http://www.rhsmith.umd.edu/faculty/lgordon/
October, 2006
Motivation
- Cybersecurity Risk Management (CRM) is a Fundamental Concern to all Organizations in a Digital Economy (CRM is a subset of Enterprise Risk Management)
- Cost and Frequency of Breaches (Empirical Evidence): CSI/FBI 2006 Survey; Campbell, Gordon, Loeb and Zhou (2003)
Popular Myths
- Applying Cost-Benefit Analysis to Cybersecurity is Voodoo Economics
- All Cybersecurity Breaches have a Significant Impact on Organizations
- Risk Management related to Cybersecurity is Well Understood
- Information Sharing Reduces Cybersecurity Related Problems
Main Objectives
- Explain the Concept and Importance of Cybersecurity Risk Management
- Discuss Methods for Managing Cybersecurity Risk
- Discuss Relations Among Economics, Cybersecurity Risk Management and Firm Value
I. Basic Concepts
Cybersecurity
Protection of Information Transmitted and Stored over the Internet or any other Computer Network
Objectives of Cybersecurity
- Protect Confidentiality of Private Information
- Ensure Availability of Information to Authorized Users on a Timely Basis
  - Authentication
  - Nonrepudiation
- Protect the Integrity of Information (i.e., Accuracy, Reliability, and Validity)
- Probability of No Loss
- Probability of Largest Loss
- Variance (or Standard Deviation) of Losses
Most Popular Metric in Management Accounting, Economics & Finance
2. Identify Alternatives for Achieving Cybersecurity Objectives
3. Acquire Data and Analyze Each Alternative Identified
5. Control (Postauditing)
Source: Gordon and Loeb, 2006a, pp. 116 and 131.
[Timeline figure, t0 through t4: CFO allocates funds for cybersecurity investments to CISO; ... ; Postauditing and payment of incentives. Source: Gordon and Loeb, 2006a.]
Internal Controls (Cont.): Institute of Chartered Accountants (in England & Wales) on Internal Control
"A Company's system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives" (ICAEW, 1999, p. 4)
Internal Controls (Cont.): Sarbanes-Oxley (SOX) Act of 2002
- Section 302 of SOX, entitled "Corporate Responsibility for Financial Reports", requires the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) to take personal responsibility for establishing and maintaining the corporation's internal controls and for certifying that the financial statements provide an accurate representation of the corporation's financial condition.
- Section 404 of SOX, entitled "Management Assessment of Internal Controls", requires corporations to include an internal control report when filing with the SEC.
[Diagram: Certification and Mandatory Disclosures. CEO and CFO certify Financial Reports and Internal Controls Reports (mandatory); CIO/CSO/CISO responsible for Financial Systems and Information System Security. Legend: Mandatory / Voluntary.]
[Chart: Number of Disclosures by year, 2000 through 2004, with SOX passed in 2002 marked.]
Organization's Perspective:
- Assess if Cybersecurity Insurance is Needed
- Evaluate Available Insurance Policies
- Select Appropriate Policy
B. Analytical Model
Auditing Cybersecurity Investments and Enhanced Firm Value (Gordon, Loeb, and Zhou, 2006)
- Develop Economic Models and Study Best Practices to help Derive the Right Amount to Spend on Cybersecurity.
- Develop Economic Models and Study Best Practices to help Allocate Resources to Specific Cybersecurity Projects.
- Develop Best Internal Control Model for Cybersecurity Activities.
- Devise Economic Incentives to Encourage Information Sharing.
- Determine the Appropriate Financial/Nonfinancial Metrics for Assessing Cybersecurity Risk.
- Develop Models and Study Best Practices for Assessing the Appropriate Use of Cybersecurity Insurance.
- Consider the Contingency View of Cybersecurity Risk Management.
- Examine the Relation Among Cybersecurity Budgeting, Performance, and Managerial Incentives.
- Penetration Testing
- Economic Analysis can, and should, play an important role in Managing Cybersecurity Risk.
- Uncertainty needs to be built into these models, and not used as an excuse for avoiding careful economic analysis (i.e., this is not Voodoo Economics).
- However, applying economic analysis is best viewed as a complement to, rather than a substitute for, less formal (and/or less qualitative) approaches.
VIII. References
Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou, "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.
Chartered Institute of Management Accountants, "Risk Management and Internal Control in the EU," discussion paper, 2005.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework, 1992, see: http://www.coso.org/publications/executive_summary_integrated_framework.htmm
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, see:
Gordon, L. A., and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, Vol. 5, No. 4, November 2002a, pp. 438-457.
Gordon, L. A., and M. P. Loeb, "Return on Information Security Investments: Myths vs. Reality," Strategic Finance, November 2002b, pp. 26-31.
Gordon, L. A., and M. P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Analysis, McGraw Hill, 2006a.
Gordon, L. A., and M. P. Loeb, "Budgeting Process for Information Security Expenditures: Empirical Evidence," Communications of the ACM, Vol. 49, No. 1, 2006b, pp. 121-125.
Gordon, L. A., M. P. Loeb, and W. Lucyshyn, "Information Security Expenditures and Real Options: A Wait and See Approach," Computer Security Journal, Vol. 19, No. 2, Spring 2003a, pp. 1-7.