You are on page 1of 28

CYBERSECURITY RISK MANAGEMENT

:
AN ECONOMICS PERSPECTIVE
by

Dr. Lawrence A. Gordon

Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance Robert H. Smith School of Business University of Maryland Affiliate Professor in University of Maryland Institute for Advanced Computer Studies Lgordon@rhsmith.umd.edu http://www.rhsmith.umd.edu/faculty/lgordon/
© Lawrence A. Gordon

October, 2006

Motivation
Cybersecurity Risk Management (CRM) is a Fundamental Concern to all Organizations in a Digital Economy (CRM is subset of Enterprise Risk Management) Cost and Frequency of Breaches (Empirical Evidence)
CSI/FBI 2006 Survey  Campbell, Gordon, Loeb and Zhou (2003)

Externalities (including International Concerns)
Due to Spillover Effects, Security of Computer Network Depends on All of the Users of the Network

Popular Myths

Applying Cost-Benefit Analysis to Cybersecurity is Voodoo Economics  All Cybersecurity Breaches have a Significant Impact on Organizations  Risk Management related to Cybersecurity is Well Understood  Information Sharing Reduces Cybersecurity Related Problems
© Lawrence A. Gordon

2

Main Objectives Explain the Concept and Importance of Cybersecurity Risk Management Discuss Methods for Managing Cybersecurity Risk Discuss Relations Among Economics. Cybersecurity Risk Management and Firm Value © Lawrence A. Gordon 3 .

Basic Concepts Cybersecurity Protection of Information Transmitted and Stored over the Internet or any other Computer Network Objectives of Cybersecurity Protect Confidentiality of Private Information Ensure Availability of Information to Authorized Users on a Timely Basis .e.Authentication . and Validity) © Lawrence A. Gordon 4 .I.Nonrepudiation Protect the Integrity of Information (i. Reliability.. Accuracy.

Basic Concepts (Cont:) Cybersecurity Risk Uncertainty of Potentially Harmful Events Related to Cybersecurity Cybersecurity Risk Management Process of Managing (Reducing) Potentially Harmful Uncertain Events Due to the Lack of Effective Cybersecurity © Lawrence A. Gordon 5 .

Gordon 6 . Economics & Finance © Lawrence A.II. Risk Metrics Expected Loss Most Popular in Information Security Literature = (Probability of Loss) X (Amount of Loss) Probability of No Loss Probability of Largest Loss Variance (or Standard Deviation) of Losses Most Popular Metric in Management Accounting.

000 $2.000 Investment C 0.60 0.Figure 1: Different Risk Metrics (1) (2) (3) = (1) x (2) (4) (5) = (1) x (4) (6) (7) = (1) x (6) Probability of Expected Value Probability of Expected Probability of Expected Losses of the given loss Losses Value of the Losses Value of the given loss given loss Possible Losses $0 $1. Equal Expected Value of Loss © Lawrence A.60 0 $0 $0 $1.15 0.000.200. p.200.200. B and C are Equal Amounts $1. 98.200.000 $300. 2006a.000 $0 Investment B 0.000.000 $3.200.000 $1.10 $0 $600.000 Expected Value of Losses Investment A=sum of column (3) Investment B=sum of column (5) Investment C=sum of column (7) Investment A.40 $0 $0 $0 $1.000 Source: Gordon and Loeb.40 0 0. Gordon 7 .000 Investment A 0.000 $1.60 0 0 0.000 $300.15 0.000.

B and C are Equal Amounts $1.10 $0 $600.40 0 0.000 Source: Gordon and Loeb. 98.000.60 0.200.000. p.000 Investment C 0.000.000 Expected Value of Losses Investment A=sum of column (3) Investment B=sum of column (5) Investment C=sum of column (7) Investment A.60 0 $0 $0 $1.200.60 0 0 0.000 $1.000 $2.000 $300. Smallest Probability of Largest Loss Largest Probability of No Loss Smallest Variance of Losses 8 © Lawrence A. 2006a.000 $1.200.15 0.200.Figure 1: Different Risk Metrics (1) (2) (3) = (1) x (2) (4) (5) = (1) x (4) (6) (7) = (1) x (6) Probability of Expected Value Probability of Expected Probability of Expected Losses of the given loss Losses Value of the Losses Value of the given loss given loss Possible Losses $0 $1.000 $3.000 $300.200.000 $0 Investment B 0.000 Investment A 0. Gordon .15 0.40 $0 $0 $0 $1.

Cybersecurity Insurance B. Information Sharing 4. Technical Methods C. Gordon 9 .III. Methods for Managing Cybersecurity Risk A. Increase Investment Efficiency 2. Behavioral Methods © Lawrence A. Internal Controls 3. Economic Methods 1.

Economic Methods: Increase Investment Efficiency Methods Planning and Control of Cybersecurity Investments .Postauditing © Lawrence A.1.The Business Case . Gordon 10 .

Conduct Cost-Benefit Analysis and Rank Order the Alternatives Identified 5.Figure 2: The Business Case for Cybersecurity Investments 1. Identify Alternatives for Achieving Cybersecurity Objectives 3. Gordon © Lawrence A. Control (Postauditing) Source: Gordon and Loeb. Specify Organizational Cybersecurity Objectives 2. 116 and 131. pp. 2006a. Acquire Data and Analyze Each Alternative Identified 4. 11 .

Figure 3: Postauditing Cybersecurity Investment Timeline • CFO contracts with CISO • CISO submits cybersecurity investment proposal to CFO Realization of Information Security Breaches CISO expends capital and effort t0 t1 t2 CFO allocates funds for cybersecurity investments to CISO Source: Gordon and Loeb. t3 t4 Postauditing and payment of incentives 12 © Lawrence A. Gordon . 2006a.

and (3) compliance with applicable laws and regulations. 13 . 1992). Components of Internal Control are: .Risk Assessment . Internal Control – Integrated Framework. Economic Methods: Internal Controls Methods COSO’s Definition of Internal Control The Committee of Sponsoring Organizations of the Treadway Commission (usually referred to as COSO) defined internal control as “a process.Control Activities . (2) reliability of financial reporting. designed to provide reasonable assurance regarding the achievement of objectives” in the following three categories: (1) effectiveness and efficiency of operations. Executive Summary. effected by an entity’s board of directors. management and other personnel.Information and Communication . Gordon (Source: COSO.Control Environment .Monitoring © Lawrence A.2.

4) Chartered Institute of Management Accountants on Internal Control “…perceptions of risk may vary according to the particular context. 1999. Gordon 14 . p. p. companies in different countries may have different views on what risks are important. for example.Internal Controls (Cont:) Institute of Chartered Accountants (in England & Wales) on Internal Control “A Company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives” (ICAEW. There may also be different views as to what constitutes effectiveness of risk management” (CIMA. the appropriate risk appetite and the optimum way of managing the risks. © Lawrence A. 2005.3).

entitled “Management Assessment of Internal Controls”. requires corporations to include an internal control report when filing with the SEC. requires the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) to take personal responsibility for establishing and maintaining the corporation’s internal controls and for certifying that the financial statements provide an accurate representation of a corporation’s financial condition. entitled “Corporate Responsibility for Financial Reports”.Internal Controls (Cont:) Sarbanes-Oxley (SOX) Act of 2002 Section 302 of SOX. Section 404 of SOX. Gordon 15 . © Lawrence A.

it is a Widely Held View that Information and System Security is an Implicit Requirement of the Internal Control Structure and Procedures Mandated by Sections 302 and 404 of SOX (see Figure 4) © Lawrence A.Internal Controls (Cont:) SOX & Information Security Activities Although not Explicit in SOX or SEC Rules for Complying with SOX. Gordon 16 .

and Sohail. 2006. Loeb. Gordon Mandatory Voluntary 17 .A.Figure 4: Impact of Sarbanes Oxley Act of 2002 on Information Security CEO Certification Mandatory Disclosures • Financial Reports • Internal Controls Reports Financial Systems Information System Security Legend CFO CIO/CSO/CISO Voluntary Disclosures of Security Activities (see Figure 5) © Lawrence Source: Gordon. Lucyshyn.

Figure 5: Empirical Evidence on SOX and Disclosure of Information Security Activities Number of Disclosures 800 700 600 500 400 300 200 100 0 Number of Disclosures 774 487 579 331 348 2000 2001 2002 SOX Passed 2003 2004 Source: Gordon. Loeb. and Sohail. 2006. © Lawrence A. Gordon 18 . Lucyshyn.

Gordon 19 . © Lawrence A. Economic Methods: Information Sharing Methods Free-Rider Problem .3. 2003. Loeb and Lucyshyn.Need Economic Incentives Potentially Valuable Source: Gordon.

Loeb and Sohail. 2003. © Lawrence A.Pricing – Need More Actuarial Data .Adverse Selection .Evaluate Available Insurance Policies .Select Appropriate Policy Insurance Company’s Perspective .Moral Hazard Source: Gordon. Economic Methods: Cybersecurity Insurance Methods Organization’s Perspective: . Gordon 20 .Assess if Cybersecurity is Needed .4.

reducing and managing the events that could potentially prevent the organization from achieving its objectives (Source: Gordon and Loeb. Gordon 21 . B. Risk Management Process A. p. 1995. 2006. Enterprise Risk Management The overall process of managing an organization’s exposure to uncertainty with particular emphasis on identifying. p.59). 106). Controlling and Minimizing the Impact of Uncertain Events” (NIST.IV. © Lawrence A. Risk Management “The Process of Identifying.

and (4) Compliance. (3) Reporting. © Lawrence A. Entity’s Objectives in COSO (2004) are:(1) Strategic high-level goals. to provide reasonable assurance regarding the achievement of entity objectives (COSO. 2004). designed to identify potential events that may affect the entity. management and other personnel. effected by an entity’s board of directors. Gordon 22 .Risk Management Process (Cont:) C. applied in strategy setting and across the enterprise. COSO’s Enterprise Risk Management – Integrated Framework (2004) Enterprise risk management is a process. (2) Operating. and manage risk to be within its risk appetite.

© Lawrence A. Gordon 23 .Efficient Use of Resources -.Information Sharing -. intrusion detection system.Figure 6: Cybersecurity Risk Management Assessment and Control Framework Organizational Objectives Identifying Cybersecurity Risk No -. cybersecurity auditing) Source: Figure 5-4.Technical Improvements -.g.Internal Controls -.Behavioral/Organizational Improvements Manage Cybersecurity Risk via Is Risk Level Acceptable? Yes Estimate Residual Risk No Need to Further Reduce Risk via Insurance? Yes Cybersecurity Insurance Cybersecurity Risk Control (e. Gordon and Loeb (2006a).

Analytical Model Auditing Cybersecurity Investments Enhanced Firm Value (Gordon. Empirical Evidence Voluntary Disclosure of Information Security Activities (including Investments and Internal Control) Increased Firm Value (Gordon. Loeb and Sohail. Loeb. Cybersecurity Risk Management and Firm Value A. 2006) B. Gordon 24 . and Zhou.V. 2006) © Lawrence A.

Performance. Penetration Testing © Lawrence A. Examine the Relation Among Cybersecurity Budgeting. Research/Business Opportunities          Develop Economic Models and Study “Best Practices” to help Derive the Right Amount to Spend on Cybersecurity. Consider the Contingency View of Cybersecurity Risk Management. Devise Economic Incentives to Encourage Information Sharing. Determine the Appropriate Financial/Nonfinancial Metrics for Assessing Cybersecurity Risk? Develop Models and Study “Best Practices” for Assessing the Appropriate Use of Cybersecurity Insurance. Gordon 25 .VI. Develop Best Internal Control Model for Cybersecurity Activities. Develop Economic Models and Study “Best Practices” to help Allocate Resources to Specific Cybersecurity Projects. and Managerial Incentives.

rather than a substitute for. Gordon 26 . play an important role in Managing Cybersecurity Risk. less formal (and/or less qualitative) approaches. Uncertainty needs to be built into these models. Concluding Comments Cybersecurity Risk Management is a Fundamental Concern to all Organizations in a Digital Economy and is an Important Subset of Enterprise Risk Management. applying economic analysis is best viewed as a complement to. and not used as an excuse for avoiding careful economic analysis (i. this is not Voodoo Economics).e.VII. © Lawrence A. Economics Analysis can.. and should. However.

” Strategic Finance. Gordon. Committee of Sponsoring Organizations of the Treadway Commission (COS). A. 2003. 2006a.. 19. Spring 2003a. K.. A. November 2002a. Gordon.Integrated Framework. Loeb. L. L. Gordon. 1-7. Vol. MANAGING CYBERSECURITY RESOURCES: A Cost-Benefit Analysis. Lucyshyn. P. pp. 438-457. Chartered Institute of Management Accountants. 49. and W. L. “Enterprise Risk Management Integrated Framework. L. © Lawrence A. L. A.” 2005. “Internal Control . No. “Risk Management and Internal Control in the EU discussion paper. McGraw Hill. P.” Journal of Computer Security. 3.htmm . No. No. 11. Vol. and M. Reality. M.” Communications of the ACM. Loeb. References Campbell. Gordon 27 . 2. Gordon. M. November 2002b. Loeb. “Budgeting Process for Information Security Expenditures: Empirical Evidence.. Loeb. “The Economics of Information Security Investment. Committee of Sponsoring Organizations of the Treadway Commission (COS). 4. P. “Return on Information Security Investments: Myths vs.” ACM Transactions on Information and System Security Vol. A.VIII. 26-31. and M.” see: Gordon. P. Zhou.” see: http://www. 1992. pp.coso. P. 2006b. Loeb. P.org/publications/executive_summary_integrated_framework. pp. Gordon. L. and M... 5. 431-448. A. “Information Security Expenditures and Real Options: A Wait and See Approach. No. Loeb. and L. “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. and M.. pp. A. 1. Vol. pp. 121-125.” Computer Security Journal.

Gordon. 2006. References (Cont:) Gordon. Loeb.. L. National Institute of Standards and Technology (NIST): An Introduction to Computer Security: The NIST Handbook.” Journal of Accounting and Public Policy. M. Loeb and L. P. A. M. March 2003. P.” Computer Security Journal.. Vol. pp. A. Gordon. Loeb.. Gordon. No. © Lawrence A. pp. “Market Value of Voluntary Disclosure of Information Security Activities. M. Gordon. 6. Vol. 1995. No. Sohail. L. W. Vol. P. 461-485..” Communications of the ACM. A. 46. A. “Cybesecurity Auditing and Enhancing Firm Value. P. 503-530. 2003b. M. L.. and T. M. 5. Richardson. Gordon 28 . Sohail. Zhou. A. 22. M. 2006. and R.” 1999. P. Lucyshyn. Loeb and T. 2006. 3. A. Gordon. “Sharing Information on Computer Systems: An Economic Analysis. No. and W. L. Lucyshyn. “The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities. Lucyshyn.” Working paper. Loeb. “Internal Control: Guidance for Directors on the Combined Code. Summer 2005. The Institute of Chartered Accountants in England & Wales. “A Framework for Using Insurance for Cyber Risk Management. W. Loeb and T.” Journal of Accounting and Public Policy. 1-25..” Working paper. 81-85. L. P. pp. 25. Sohail. pp.VIII. Special Publication 800-12. “2005 CSI/FBI Computer Crime and Security Survey. L.