
CYBERSECURITY RISK MANAGEMENT:

AN ECONOMICS PERSPECTIVE
by

Dr. Lawrence A. Gordon

Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance
Robert H. Smith School of Business, University of Maryland
Affiliate Professor in University of Maryland Institute for Advanced Computer Studies
Lgordon@rhsmith.umd.edu
http://www.rhsmith.umd.edu/faculty/lgordon/

October, 2006

Motivation

- Cybersecurity Risk Management (CRM) is a Fundamental Concern to all Organizations in a Digital Economy (CRM is a subset of Enterprise Risk Management)
- Cost and Frequency of Breaches (Empirical Evidence)
  - CSI/FBI 2006 Survey
  - Campbell, Gordon, Loeb and Zhou (2003)
- Externalities (including International Concerns)
  - Due to Spillover Effects, the Security of a Computer Network Depends on All of the Users of the Network

Popular Myths

- Applying Cost-Benefit Analysis to Cybersecurity is Voodoo Economics
- All Cybersecurity Breaches have a Significant Impact on Organizations
- Risk Management related to Cybersecurity is Well Understood
- Information Sharing Reduces Cybersecurity Related Problems

Main Objectives

- Explain the Concept and Importance of Cybersecurity Risk Management
- Discuss Methods for Managing Cybersecurity Risk
- Discuss Relations Among Economics, Cybersecurity Risk Management and Firm Value

I. Basic Concepts

Cybersecurity
- Protection of Information Transmitted and Stored over the Internet or any other Computer Network

Objectives of Cybersecurity
- Protect Confidentiality of Private Information
- Ensure Availability of Information to Authorized Users on a Timely Basis
  - Authentication
  - Nonrepudiation
- Protect the Integrity of Information (i.e., Accuracy, Reliability, and Validity)

Basic Concepts (Cont.)

Cybersecurity Risk
- Uncertainty of Potentially Harmful Events Related to Cybersecurity

Cybersecurity Risk Management
- Process of Managing (Reducing) Potentially Harmful Uncertain Events Due to the Lack of Effective Cybersecurity

II. Risk Metrics

- Expected Loss
  - Most Popular in the Information Security Literature
  - = (Probability of Loss) X (Amount of Loss)
- Probability of No Loss
- Probability of Largest Loss
- Variance (or Standard Deviation) of Losses
  - Most Popular Metric in Management Accounting, Economics & Finance

Figure 1: Different Risk Metrics

Investments A, B and C are Equal Amounts. Columns (2), (4) and (6) give the probability of each possible loss; columns (3), (5) and (7) give the expected value of that loss, i.e. (1) x probability.

(1)             Investment A                Investment B                Investment C
Possible        (2)          (3)=(1)x(2)    (4)          (5)=(1)x(4)    (6)          (7)=(1)x(6)
Losses          Probability  Expected       Probability  Expected       Probability  Expected
                of the given Value of       of the given Value of       of the given Value of
                loss         Losses         loss         Losses         loss         Losses
$0              0.40         $0             0.60         $0             0.15         $0
$1,000,000      0            $0             0            $0             0.60         $600,000
$2,000,000      0.60         $1,200,000     0            $0             0.15         $300,000
$3,000,000      0            $0             0.40         $1,200,000     0.10         $300,000

Expected Value of Losses (sum of the expected-value column):
Investment A = sum of column (3) = $1,200,000
Investment B = sum of column (5) = $1,200,000
Investment C = sum of column (7) = $1,200,000

Source: Gordon and Loeb, 2006a, p. 98.

Callouts on the figure:
- Equal Expected Value of Loss
- Smallest Probability of Largest Loss
- Largest Probability of No Loss
- Smallest Variance of Losses

III. Methods for Managing Cybersecurity Risk

A. Economic Methods
  1. Increase Investment Efficiency
  2. Internal Controls
  3. Information Sharing
  4. Cybersecurity Insurance
B. Technical Methods
C. Behavioral Methods

1. Economic Methods: Increase Investment Efficiency

Planning and Control of Cybersecurity Investments
- The Business Case
- Postauditing

Figure 2: The Business Case for Cybersecurity Investments

1. Specify Organizational Cybersecurity Objectives
2. Identify Alternatives for Achieving Cybersecurity Objectives
3. Acquire Data and Analyze Each Alternative Identified
4. Conduct Cost-Benefit Analysis and Rank Order the Alternatives Identified
5. Control (Postauditing)

Source: Gordon and Loeb, 2006a, pp. 116 and 131.

Figure 3: Postauditing Cybersecurity Investment Timeline

Timeline from t0 to t4, with the following events in sequence:
- CFO contracts with CISO
- CISO submits cybersecurity investment proposal to CFO
- CFO allocates funds for cybersecurity investments to CISO
- CISO expends capital and effort
- Realization of Information Security Breaches
- Postauditing and payment of incentives

Source: Gordon and Loeb, 2006a.

2. Economic Methods: Internal Controls

COSO's Definition of Internal Control
The Committee of Sponsoring Organizations of the Treadway Commission (usually referred to as COSO) defined internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; and (3) compliance with applicable laws and regulations."

Components of Internal Control are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

(Source: COSO, Internal Control - Integrated Framework, Executive Summary, 1992.)

Internal Controls (Cont.)

Institute of Chartered Accountants (in England & Wales) on Internal Control
"A Company's system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives" (ICAEW, 1999, p. 4).

Chartered Institute of Management Accountants on Internal Control
"... perceptions of risk may vary according to the particular context, for example, companies in different countries may have different views on what risks are important, the appropriate risk appetite and the optimum way of managing the risks. There may also be different views as to what constitutes effectiveness of risk management" (CIMA, 2005, p. 3).

Internal Controls (Cont.)

Sarbanes-Oxley (SOX) Act of 2002
- Section 302 of SOX, entitled "Corporate Responsibility for Financial Reports", requires the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) to take personal responsibility for establishing and maintaining the corporation's internal controls and for certifying that the financial statements provide an accurate representation of the corporation's financial condition.
- Section 404 of SOX, entitled "Management Assessment of Internal Controls", requires corporations to include an internal control report when filing with the SEC.

Internal Controls (Cont.)

SOX & Information Security Activities
- Although not Explicit in SOX or in the SEC Rules for Complying with SOX, it is a Widely Held View that Information and System Security is an Implicit Requirement of the Internal Control Structure and Procedures Mandated by Sections 302 and 404 of SOX (see Figure 4)

Figure 4: Impact of Sarbanes Oxley Act of 2002 on Information Security

Diagram; the recoverable labels are:
- Roles: CEO, CFO, CIO/CSO/CISO
- Certification
- Mandatory Disclosures: Financial Reports; Internal Controls Reports
- Financial Systems
- Information System Security
- Voluntary Disclosures of Security Activities (see Figure 5)
- Legend: Mandatory; Voluntary

Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006.

Figure 5: Empirical Evidence on SOX and Disclosure of Information Security Activities

Bar chart. Y-axis: Number of Disclosures (0 to 800). X-axis: years 2000, 2001, 2002, 2003, 2004, with "SOX Passed" marked at 2002. Bar labels read 331, 348, 487, 579 and 774.

Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006.

3. Economic Methods: Information Sharing

- Free-Rider Problem - Need Economic Incentives
- Potentially Valuable

Source: Gordon, Loeb and Lucyshyn, 2003.

4. Economic Methods: Cybersecurity Insurance

Organization's Perspective:
- Assess if Cybersecurity Insurance is Needed
- Evaluate Available Insurance Policies
- Select Appropriate Policy

Insurance Company's Perspective:
- Pricing - Need More Actuarial Data
- Adverse Selection
- Moral Hazard

Source: Gordon, Loeb and Sohail, 2003.

IV. Risk Management Process

A. Risk Management
"The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events" (NIST, 1995, p. 59).

B. Enterprise Risk Management
"The overall process of managing an organization's exposure to uncertainty with particular emphasis on identifying, reducing and managing the events that could potentially prevent the organization from achieving its objectives" (Source: Gordon and Loeb, 2006, p. 106).

Risk Management Process (Cont.)

C. COSO's Enterprise Risk Management - Integrated Framework (2004)
"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives" (COSO, 2004).

The Entity's Objectives in COSO (2004) are: (1) Strategic high-level goals, (2) Operating, (3) Reporting, and (4) Compliance.

Figure 6: Cybersecurity Risk Management Assessment and Control Framework

Flowchart; boxes and decision points in reading order:
- Organizational Objectives
- Identifying Cybersecurity Risk
- Manage Cybersecurity Risk via
  -- Efficient Use of Resources
  -- Internal Controls
  -- Information Sharing
  -- Technical Improvements
  -- Behavioral/Organizational Improvements
- Estimate Residual Risk
- Is Risk Level Acceptable? (No / Yes branches)
- Need to Further Reduce Risk via Insurance? (Yes: Cybersecurity Insurance / No)
- Cybersecurity Risk Control (e.g. intrusion detection system, cybersecurity auditing)

Source: Figure 5-4, Gordon and Loeb (2006a).

V. Cybersecurity Risk Management and Firm Value

A. Empirical Evidence
- Voluntary Disclosure of Information Security Activities (including Investments and Internal Control) Increased Firm Value (Gordon, Loeb and Sohail, 2006)

B. Analytical Model
- Auditing Cybersecurity Investments Enhanced Firm Value (Gordon, Loeb, and Zhou, 2006)

VI. Research/Business Opportunities

- Develop Economic Models and Study Best Practices to help Derive the Right Amount to Spend on Cybersecurity.
- Develop Economic Models and Study Best Practices to help Allocate Resources to Specific Cybersecurity Projects.
- Develop the Best Internal Control Model for Cybersecurity Activities.
- Devise Economic Incentives to Encourage Information Sharing.
- Determine the Appropriate Financial/Nonfinancial Metrics for Assessing Cybersecurity Risk.
- Develop Models and Study Best Practices for Assessing the Appropriate Use of Cybersecurity Insurance.
- Consider the Contingency View of Cybersecurity Risk Management.
- Examine the Relation Among Cybersecurity Budgeting, Performance, and Managerial Incentives.
- Penetration Testing

VII. Concluding Comments

- Cybersecurity Risk Management is a Fundamental Concern to all Organizations in a Digital Economy and is an Important Subset of Enterprise Risk Management.
- Economic Analysis can, and should, play an important role in Managing Cybersecurity Risk. Uncertainty needs to be built into these models, and not used as an excuse for avoiding careful economic analysis (i.e., this is not Voodoo Economics). However, applying economic analysis is best viewed as a complement to, rather than a substitute for, less formal (and/or less qualitative) approaches.

VIII. References

Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou, "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.
Chartered Institute of Management Accountants, "Risk Management and Internal Control in the EU," discussion paper, 2005.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework, see: http://www.coso.org/publications/executive_summary_integrated_framework.htmm , 1992.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, see:
Gordon, L. A., and M. P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, Vol. 5, No. 4, November 2002a, pp. 438-457.
Gordon, L. A., and M. P. Loeb, "Return on Information Security Investments: Myths vs. Reality," Strategic Finance, November 2002b, pp. 26-31.
Gordon, L. A., and M. P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Analysis, McGraw Hill, 2006a.
Gordon, L. A., and M. P. Loeb, "Budgeting Process for Information Security Expenditures: Empirical Evidence," Communications of the ACM, Vol. 49, No. 1, 2006b, pp. 121-125.
Gordon, L. A., M. P. Loeb, and W. Lucyshyn, "Information Security Expenditures and Real Options: A Wait and See Approach," Computer Security Journal, Vol. 19, No. 2, Spring 2003a, pp. 1-7.
Gordon, L. A., M. P. Loeb, and W. Lucyshyn, "Sharing Information on Computer Systems: An Economic Analysis," Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003b, pp. 461-485.
Gordon, L. A., M. P. Loeb, W. Lucyshyn, and R. Richardson, "2005 CSI/FBI Computer Crime and Security Survey," Computer Security Journal, Summer 2005, pp. 1-25.
Gordon, L. A., M. P. Loeb, W. Lucyshyn, and T. Sohail, "The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities," Journal of Accounting and Public Policy, Vol. 25, No. 5, 2006, pp. 503-530.
Gordon, L. A., M. P. Loeb and T. Sohail, "A Framework for Using Insurance for Cyber Risk Management," Communications of the ACM, Vol. 46, No. 3, March 2003, pp. 81-85.
Gordon, L. A., M. P. Loeb and T. Sohail, "Market Value of Voluntary Disclosure of Information Security Activities," Working paper, 2006.
Gordon, L. A., M. P. Loeb and L. Zhou, "Cybersecurity Auditing and Enhancing Firm Value," Working paper, 2006.
National Institute of Standards and Technology (NIST), An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12, 1995.
The Institute of Chartered Accountants in England & Wales, Internal Control: Guidance for Directors on the Combined Code, 1999.
