EMPIRICAL RESEARCH RELATED TO ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY: Concerns and Potential Solutions by Dr. Lawrence A. Gordon Ernst & Young.


1 EMPIRICAL RESEARCH RELATED TO ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY: Concerns and Potential Solutions
by Dr. Lawrence A. Gordon
Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance
Director, Ph.D. Program
Robert H. Smith School of Business, University of Maryland
Affiliate Professor in University of Maryland Institute for Advanced Computer Studies
© Lawrence A. Gordon

2 A. Determining the Real Economic Cost of Cybersecurity Breaches
1. Explicit Costs of Cybersecurity Breaches
   - Detection Costs
   - Correction & Prevention Costs
2. Implicit Costs of Cybersecurity Breaches
   - Existing and Potential Revenue
   - Actual and Potential Legal Liability
3. Archival, Survey, Experiment, Simulations and Case Studies (Strengths and Weaknesses)
4. Stock Market Effect of Breaches (Strengths and Weaknesses)

3 The Real Economic Costs of Information Security Breaches
Other Stock Market Studies (e.g., Ishiguro et al., 2006)
Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market.” Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.

4 B. Cybersecurity Related Activities
1. Firms are not required to report Cybersecurity Activities (e.g., Cost of Breaches, Vulnerabilities, and Proactive Steps)
2. Archival, Survey, Experiment, Simulation and Case Studies (Strengths and Weaknesses)
3. Impact of SOX and Voluntary Disclosures

5 Empirical Evidence on SOX and Disclosure of Information Security Activities
[Figure; annotation: SOX Passed]
Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006, p. 516.

6 Security Investment Activities
[Figure 18. Security technologies used. CSI/FBI Computer Security Survey, 2006: 616 Respondents. Source: Computer Security Institute]
Gordon, L. A., M. P. Loeb, W. Lucyshyn, and R. Richardson, “2006 CSI/FBI Computer Crime and Security Survey,” Computer Security Journal, Summer 2006, p. 16.

7 C. Cybersecurity Related Investments
1. Organizations are not required to report Cybersecurity Investments
2. Archival, Survey, Experiment, Simulation and Case Studies (Strengths and Weaknesses)

8 Optimal Security Investments & Vulnerability

Theoretical Model
[Figure; axes: Optimal Level of Information Security Investment, Vulnerability]
Gordon, L. A. and M. P. Loeb (2002), “The Economics of Information Security Investment,” ACM Transactions on Information and System Security, Vol. 5, No. 4, p. 450.

Empirical Evidence
This paper used actual data on e-local governments in Japan. The results related to actual information security investments support the economic framework developed by Gordon and Loeb (2002) concerning the relation between the optimal level of investment and vulnerability.
Tanaka, H., K. Matsuura and O. Sudoh (2005), “Vulnerability and information security investment: An empirical analysis of e-local government in Japan,” Journal of Accounting and Public Policy, Vol. 24, No. 1, p. 56.

9 D. References
- Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.
- Gordon, L. A., and M. P. Loeb, “The Economics of Information Security Investment,” ACM Transactions on Information and System Security, Vol. 5, No. 4, November 2002, pp. 438-457.
- Gordon, L. A., and M. P. Loeb, “Return on Information Security Investments: Myths vs. Reality,” Strategic Finance, November 2002, pp. 26-31.
- Gordon, L. A., and M. P. Loeb, MANAGING CYBERSECURITY RESOURCES: A Cost-Benefit Analysis, McGraw Hill, 2006.
- Gordon, L. A., and M. P. Loeb, “Budgeting Process for Information Security Expenditures: Empirical Evidence,” Communications of the ACM, Vol. 49, No. 1, 2006, pp. 121-125.
- Gordon, L. A., M. P. Loeb, and W. Lucyshyn, “Information Security Expenditures and Real Options: A Wait and See Approach,” Computer Security Journal, Vol. 19, No. 2, Spring 2003, pp. 1-7.

10 D. References (Cont.)
- Gordon, L. A., M. P. Loeb, W. Lucyshyn, and R. Richardson, “2006 CSI/FBI Computer Crime and Security Survey,” Computer Security Journal, Summer 2006, pp. 1-21.
- Gordon, L. A., M. P. Loeb, W. Lucyshyn, and T. Sohail, “The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities,” Journal of Accounting and Public Policy, Vol. 25, No. 5, 2006, pp. 503-530.
- Gordon, L. A., M. P. Loeb and T. Sohail, “A Framework for Using Insurance for Cyber Risk Management,” Communications of the ACM, Vol. 46, No. 3, March 2003, pp. 81-85.
- Ishiguro, M., H. Tanaka, K. Matsuura, I. Murase, “The Effect of Information Security Incidents on Corporate Values in the Japanese Stock Market,” Proceedings of The 2006 Workshop on the Economics of Securing the Information Infrastructure.
- Gordon, L. A., M. P. Loeb, and W. Lucyshyn, “Sharing Information on Computer Systems: An Economic Analysis,” Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003b, pp. 461-485.
- Tanaka, H., K. Matsuura and O. Sudoh, “Vulnerability and information security investment: An empirical analysis of e-local government in Japan,” Journal of Accounting and Public Policy, Vol. 24, No. 1, pp. 37-59, 2005.

