Page 1: ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY (source: scholar.rhsmith.umd.edu/sites/default/files/lgordon/...)

ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY

Lawrence A. Gordon
Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance
The Robert H. Smith School of Business
University of Maryland
Affiliate Professor in UMIACS
Researcher in Maryland Cybersecurity Center

December 2010 L. A. Gordon ©

Page 2:

OBJECTIVES

A. Define Basic Concept of Cybersecurity

B. Discuss a Few Issues Related to Cybersecurity Economics:
1. Economic Impact of Cybersecurity Breaches on Corporations
2. Making Cybersecurity Investment Decisions
3. The Effect of SOX on Disclosing Cybersecurity Activities
4. The Effect of Voluntarily Disclosing Cybersecurity Activities on Firm Value
5. Cybersecurity Insurance

C. Framework for Cybersecurity Risk Management
(Cybersecurity Risk Management is a Subset of ERM)

L. A. Gordon © 2

Page 3:

A. Basic Concept of Cybersecurity

Cybersecurity
― Protection of Information Transmitted and Stored over the Internet or any other Computer Network

Objectives of Cybersecurity
― Protect Confidentiality of Private Information
― Ensure Availability of Information to Authorized Users on a Timely Basis
― Authentication
― Nonrepudiation
― Protect the Integrity of Information (i.e., Accuracy, Reliability, and Validity)

L. A. Gordon © 3

Page 4:

B1. Impact of Cybersecurity Breaches on Corporations

Cybersecurity Breaches are a Key Concern to Private and Public Sector Organizations

President Obama's Initiatives

Economic Costs of Cybersecurity Breaches
― Conventional Wisdom
― Need to Consider Implicit and Explicit Costs
― Key Studies have Looked at Impact of Breaches on Stock Market Returns (SMR)

L. A. Gordon © 4

Page 5:

B1: Research Methodology

One-factor Model (Basic CAPM)

$R_{it} - RF_t = a_i + b_i (RM_t - RF_t) + \varepsilon_{it}$

Fama and French (F&F) 3-Factor Model

$R_{it} - RF_t = a_i + b_i (RM_t - RF_t) + s_i \, SMB_t + h_i \, HML_t + \varepsilon_{it}$

─ $R_{it}$: firm's return, $RF_t$: risk-free rate, $RM_t$: market's return
─ $b_i$ = the CAPM market model's slope parameter (i.e., the systematic risk of the return for firm i, relative to the return of the entire market place, and often called the firm's beta)
─ $SMB_t$: the difference between the return on a portfolio of small stocks and the return on a portfolio of large stocks
─ $HML_t$: the difference between the return on a portfolio of high-book-to-market stocks and the return on a portfolio of low-book-to-market stocks

L. A. Gordon © 5

Page 6:

B1: Research Methodology

Abnormal Returns:

$AR_{it} = (R_{it} - RF_t) - [\hat{a}_i + \hat{b}_i (RM_t - RF_t)]$

or

$AR_{it} = (R_{it} - RF_t) - [\hat{a}_i + \hat{b}_i (RM_t - RF_t) + \hat{s}_i \, SMB_t + \hat{h}_i \, HML_t]$

Timeline: t−121 to t−1 = Estimation Period (120 days); t0 to t1 = Test Window (3 days)

Cumulative Abnormal Returns: $CAR_i = \sum_{t=t_1}^{t_2} AR_{it}$

Average CAR across Firms: $\overline{CAR} = \frac{1}{N} \sum_{i=1}^{N} CAR_i$

L. A. Gordon © 6
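The event-study steps of pages 5 and 6 carried out end to end, as an added example that is not part of the slides: fit the one-factor market model over a 120-day estimation period, compute AR_it over a 3-day test window, sum to CAR_i, and average across firms. All return series are constructed with a seeded generator (true beta 1.2, a per-day "breach shock" in the window), so the numbers only illustrate the method.

```python
import random
from statistics import mean

# Constructed example (not from the slides): event-study steps of pages 5-6.
EST_DAYS = 120   # estimation period, t-121 .. t-1
WINDOW = 3       # test window of 3 trading days around the announcement


def ols_market_model(excess_firm, excess_mkt):
    """Least-squares fit of R_it - RF_t = a_i + b_i (RM_t - RF_t) + e_it
    over the estimation period. Returns (a_hat, b_hat); b_hat is beta."""
    mx, my = mean(excess_mkt), mean(excess_firm)
    sxx = sum((x - mx) ** 2 for x in excess_mkt)
    sxy = sum((x - mx) * (y - my) for x, y in zip(excess_mkt, excess_firm))
    b_hat = sxy / sxx
    return my - b_hat * mx, b_hat


def abnormal_returns(firm, mkt, rf, a_hat, b_hat):
    """AR_it = (R_it - RF_t) - [a_hat + b_hat (RM_t - RF_t)] per window day."""
    return [(r - f) - (a_hat + b_hat * (m - f)) for r, m, f in zip(firm, mkt, rf)]


def car_for_firm(firm, mkt, rf):
    """CAR_i: fit the model on the first EST_DAYS observations, then sum the
    abnormal returns over the WINDOW days that follow."""
    assert len(firm) == len(mkt) == len(rf) == EST_DAYS + WINDOW
    ex_firm = [r - f for r, f in zip(firm[:EST_DAYS], rf[:EST_DAYS])]
    ex_mkt = [m - f for m, f in zip(mkt[:EST_DAYS], rf[:EST_DAYS])]
    a_hat, b_hat = ols_market_model(ex_firm, ex_mkt)
    return sum(abnormal_returns(firm[EST_DAYS:], mkt[EST_DAYS:],
                                rf[EST_DAYS:], a_hat, b_hat))


def average_car(cars):
    """Mean CAR across the N breached firms (the slide's CAR-bar)."""
    return sum(cars) / len(cars)


def constructed_sample(n_firms=5, shock=-0.02, seed=7):
    """Constructed return series: every firm has true beta 1.2 on a common
    market series plus idiosyncratic noise, and earns an extra `shock` on
    each window day (the simulated breach effect). Returns (firms, mkt, rf)."""
    rng = random.Random(seed)
    days = EST_DAYS + WINDOW
    mkt = [rng.gauss(0.0005, 0.01) for _ in range(days)]
    rf = [0.0001] * days
    firms = []
    for _ in range(n_firms):
        series = []
        for t in range(days):
            r = rf[t] + 1.2 * (mkt[t] - rf[t]) + rng.gauss(0.0, 0.005)
            series.append(r + shock if t >= EST_DAYS else r)
        firms.append(series)
    return firms, mkt, rf


def run_event_study(shock=-0.02):
    """Return (list of CAR_i, average CAR) for the constructed sample."""
    firms, mkt, rf = constructed_sample(shock=shock)
    cars = [car_for_firm(f, mkt, rf) for f in firms]
    return cars, average_car(cars)


if __name__ == "__main__":
    cars, avg = run_event_study()
    print("CAR per firm:", [round(c, 4) for c in cars])
    print("average CAR :", round(avg, 4))
```

With a -2% daily shock over three window days the average CAR comes out near -6%; rerunning with shock=0.0 shows what a "no significant impact" result looks like against the same noise.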

Page 7:

B1: Research Methodology: Results of Studies Looking at Impact of Cybersecurity Breaches on SMR

― Large Percentages of Breaches Do Not Have Significant Impact on SMR of Firm
a. Stockholders have Become Tolerant of Breaches
b. Many Firms have Strengthened their Remediation Plans, thereby Substantially Reducing the Cost of an Average Breach

― Breaches that Do Have a Significant Impact on SMR can Threaten Firm's Survival

Note: Economic Models Should be Used as a Complement to, and Not as a Substitute for, Sound Business Judgment!!!

L. A. Gordon © 7

Page 8:

B2. Making Cybersecurity Investments

− Making the Business Case

− Net Present Value (NPV) Model

− Optimal Amounts to Invest (Need to Consider Security Breach Function [i.e., Vulnerabilities, Threats, and Productivity of Investments] & Potential Loss)

− Option Value of Investments

Note: Economic Models Should be Used as a Complement to, and Not as a Substitute for, Sound Business Judgment!!!

L. A. Gordon © 8

Page 9:

B2: The Business Case Process for Cybersecurity Investments

1. Specify Organizational Cybersecurity Objectives

2. Identify Alternatives for Achieving Cybersecurity Objectives

3. Acquire Data and Analyze Each Alternative Identified

4. Conduct Cost-Benefit Analysis and Rank Order the Alternatives Identified – Select Alternative

5. Control (Postauditing)

Source: Gordon and Loeb, 2006a, pp. 116 and 131.

L. A. Gordon © 9

Page 10:

B2: Net Present Value (NPV) Model

The NPV model, shown below in Eq. 1, gives rise to a simple decision rule for accepting or rejecting incremental information security investments.

$NPV = \sum_{t} \frac{B_t - C_t}{(1+K)^t}$   (Eq. 1), summed over the n time periods,

where B = Benefits, C = Costs, K = Discount Rate, t = Time and n = Number of Time Periods. The Biggest Challenge is estimating B.

L. A. Gordon © 10

Page 11:

B2: Optimal Amount to Invest in Cybersecurity (Gordon-Loeb Model)

Expected benefits of an investment in information security, denoted as EBIS, are equal to the reduction in the firm's expected loss attributable to the extra security. That is:

EBIS(z) = [v − S(z,v)] L   [1]

EBIS is written above as a function of z, since the investment in information security is the firm's only decision variable (v and L are parameters of the information set). The expected net benefits from an investment in information security, denoted ENBIS, equal EBIS less the cost of the investment, or:

ENBIS(z) = [v − S(z,v)] L − z   [2]

Maximizing [2] is equivalent to minimizing:

S(z,v) L + z   [3]

Interior maximum z* > 0 is characterized by the first-order condition for maximizing [2] (or minimizing [3]), where S_z denotes the partial derivative of S with respect to z:

−S_z(z*, v) L = 1   [4]

L. A. Gordon © 11

Page 12:

B2: Results of Studies Looking at Making Investments in Cybersecurity

― Optimal Level of Information Security Investment Does Not Always Increase with the Level of Vulnerability

― For a Wide Range of Circumstances, Firms should Invest ≤ 37% of Expected Loss

― Wait-and-See Approach is often Rational from an Economics Perspective due to Real Options

L. A. Gordon © 12
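The Gordon-Loeb model of page 11 and the two results on page 12 worked numerically, as an added example that is not the slides' own code. The slides give EBIS [1], ENBIS [2] and the first-order condition [4] but no concrete security breach probability function; the two forms used here are the class I and class II functions from Gordon and Loeb (2002), cited on page 23, and the alpha, beta, v and L values are constructed (think of L and z in $ millions).

```python
import math

# Added example (not from the slides). Breach probability functions are the
# two classes from Gordon and Loeb (2002); parameter values are constructed.
INV_E = 1 / math.e  # the "about 37% of expected loss" bound on page 12


def s_class1(z, v, alpha=1.0, beta=1.0):
    """Class I: S(z, v) = v / (alpha*z + 1)**beta; S(0, v) = v."""
    return v / (alpha * z + 1) ** beta


def s_class2(z, v, alpha=1.0):
    """Class II: S(z, v) = v ** (alpha*z + 1); S(0, v) = v."""
    return v ** (alpha * z + 1)


def enbis(z, v, L, s_func):
    """Expected net benefit [2]: [v - S(z, v)] L - z."""
    return (v - s_func(z, v)) * L - z


def optimal_investment(v, L, s_func, iters=200):
    """Maximize ENBIS over z in [0, vL] by ternary search. For both classes
    S is convex in z, so ENBIS is concave and the search converges to z*.
    Spending more than the expected loss vL cannot pay: there
    ENBIS(z) <= vL - z < 0, while ENBIS(0) = 0."""
    lo, hi = 0.0, v * L
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if enbis(m1, v, L, s_func) < enbis(m2, v, L, s_func):
            lo = m1
        else:
            hi = m2
    z_star = (lo + hi) / 2
    return z_star, enbis(z_star, v, L, s_func)


def optimal_z_class1_closed_form(v, L, alpha=1.0, beta=1.0):
    """Solve [4] analytically for class I:
    alpha*beta*v*L / (alpha*z + 1)**(beta + 1) = 1, clamped at z = 0."""
    root = (alpha * beta * v * L) ** (1.0 / (beta + 1))
    return max(0.0, (root - 1.0) / alpha)


def foc_residual(z, v, L, s_func, h=1e-5):
    """-S_z(z, v) L - 1 via a central difference; close to 0 at an interior z*."""
    s_z = (s_func(z + h, v) - s_func(z - h, v)) / (2 * h)
    return -s_z * L - 1.0


def share_of_expected_loss(v, L, s_func):
    """z* divided by the expected loss vL (page 12: at most about 37%)."""
    z_star, _ = optimal_investment(v, L, s_func)
    return z_star / (v * L)


def zstar_curve(L, vs, s_func=s_class2):
    """z* as vulnerability v varies. For class II it rises and then falls
    back to 0 as v approaches 1: page 12's first bullet."""
    return [optimal_investment(v, L, s_func)[0] for v in vs]


if __name__ == "__main__":
    for v in (0.5, 0.762, 0.85, 0.9):
        z, _ = optimal_investment(v, 10.0, s_class2)
        print(f"v={v:.3f}  z*={z:.3f}  z*/vL={z / (v * 10.0):.3f}")
```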

Page 13:

B3. Impact of Sarbanes-Oxley Act of 2002 on Information Security

[Diagram] CEO Certification covers Mandatory Disclosures (Financial Reports; Internal Controls Reports).
CFO: Financial Systems. CIO/CSO/CISO: Information System Security.
Voluntary Disclosures of Security Activities.
Legend: Mandatory / Voluntary.

Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006.

L. A. Gordon © 13

Page 14:

B3: The Impact of SOX on Voluntarily Disclosing Cybersecurity Activities

[Bar chart: Number of Disclosures (y-axis, 0 to 800) by year, 2000 to 2004; bar labels as extracted: 331, 348, 487, 579, 774; "SOX Passed" marked at 2002.]

Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006.

L. A. Gordon © 14

Page 15:

B4. Impact of Voluntary Disclosures of Cybersecurity Activities on Firm Value

METHODOLOGY: Pooled Stock Price Regression by Industry on Disclosure Proxies

$PRC\text{-}3M_{it} = b_0 + b_1 Dis_{it} + b_2 BVPS_{it} + b_3 EPS_{it} + b_4 LnAst_{it} + b_5 NEG_{it} + \sum_k b_k Year_{it} + e_{it}$

Results: Voluntary Disclosures Concerning Information Security, in Annual Reports Filed with the SEC, were found to be Positively Associated with Increases in the Stock Market Value of Firms.

Note: Economic Models Should be Used as a Complement to, and Not as a Substitute for, Sound Business Judgment!!!

Source: Gordon, Loeb and Sohail, 2010.

L. A. Gordon © 15

Page 16:

B5. Cybersecurity Insurance is Slowly Gaining Momentum

― Organization's Perspective:
― Assess if Cybersecurity Insurance is Needed
― Evaluate Available Insurance Policies
― Select Appropriate Policy

― Insurance Company's Perspective:
― Pricing Decisions Require More Actuarial Data
― Adverse Selection
― Moral Hazard

― Executive Office of the President is Currently Involved in this Issue

L. A. Gordon © 16

Page 17:

B5. Cybersecurity Risk Management (CRM)

Cybersecurity Risk
― Uncertainty of Potentially Harmful Events Related to Cybersecurity

Cybersecurity Risk Management
― Process of Managing (Reducing) Potentially Harmful Uncertain Events Due to the Lack of Effective Cybersecurity

L. A. Gordon © 17

Page 18:

C. Risk Metrics

― Expected Loss
― Most Popular in Information Security Literature
= (Probability of Loss) X (Amount of Loss)

― Probability of No Loss

― Probability of Largest Loss

― Variance (or Standard Deviation) of Losses
― Most Popular Metric in Management Accounting, Economics & Finance

L. A. Gordon © 18

Page 19:

C. Different Risk Metrics

(1)              Investment A                          Investment B                          Investment C
Possible         (2) Probability  (3) = (1) x (2)      (4) Probability  (5) = (1) x (4)      (6) Probability  (7) = (1) x (6)
Losses           of Losses        Expected Value of    of Losses        Expected Value of    of Losses        Expected Value of
                                  the given loss                        the given loss                        the given loss
$0               0.40             $0                   0.60             $0                   0.15             $0
$1,000,000       0                $0                   0                $0                   0.60             $600,000
$2,000,000       0.60             $1,200,000           0                $0                   0.15             $300,000
$3,000,000       0                $0                   0.40             $1,200,000           0.10             $300,000

Expected Value of Losses:
Investment A = sum of column (3) = $1,200,000
Investment B = sum of column (5) = $1,200,000
Investment C = sum of column (7) = $1,200,000
Investments A, B and C have Equal Expected Value of Loss

Source: Gordon and Loeb, 2006a, p. 98.

L. A. Gordon © 19

Page 20:

C. Different Risk Metrics

(Same table as Page 19: Investments A, B and C, each with an Expected Value of Losses of $1,200,000, with the other metrics now highlighted.)

Probability of Largest Loss: Investment A is the Smallest
Probability of No Loss: Investment B is the Largest
Variance of Losses: Investment C is the Smallest

Source: Gordon and Loeb, 2006a, p. 98.

L. A. Gordon © 20
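The risk metrics of page 18 computed for the three investments in the table on pages 19 and 20, as an added example that is not the slides' own code. The loss distributions are the ones in the table; the point it makes runnable is that investments with identical expected loss are ranked differently by each of the other metrics.

```python
from math import sqrt

# Loss distributions from the slide table (page 19): possible loss ($) -> probability.
INVESTMENTS = {
    "A": {0: 0.40, 1_000_000: 0.00, 2_000_000: 0.60, 3_000_000: 0.00},
    "B": {0: 0.60, 1_000_000: 0.00, 2_000_000: 0.00, 3_000_000: 0.40},
    "C": {0: 0.15, 1_000_000: 0.60, 2_000_000: 0.15, 3_000_000: 0.10},
}


def expected_loss(dist):
    """Sum over outcomes of (Probability of Loss) x (Amount of Loss)."""
    return sum(loss * p for loss, p in dist.items())


def prob_no_loss(dist):
    """Probability that no loss occurs (the $0 row)."""
    return dist.get(0, 0.0)


def prob_largest_loss(dist):
    """Probability attached to the largest possible loss in the table."""
    return dist[max(dist)]


def variance_of_losses(dist):
    """Probability-weighted squared deviation from the expected loss."""
    mu = expected_loss(dist)
    return sum(p * (loss - mu) ** 2 for loss, p in dist.items())


def std_dev_of_losses(dist):
    return sqrt(variance_of_losses(dist))


def risk_metrics(dist):
    """All four metrics from page 18 for one loss distribution."""
    assert abs(sum(dist.values()) - 1.0) < 1e-9, "probabilities must sum to 1"
    return {
        "expected_loss": expected_loss(dist),
        "prob_no_loss": prob_no_loss(dist),
        "prob_largest_loss": prob_largest_loss(dist),
        "variance": variance_of_losses(dist),
        "std_dev": std_dev_of_losses(dist),
    }


def rank_by(metric, investments=INVESTMENTS, lowest_first=True):
    """Order investment names by one metric. Ties keep insertion order, so
    the equal expected losses leave A, B, C in place while the other
    metrics reorder them."""
    scored = {name: risk_metrics(d)[metric] for name, d in investments.items()}
    return sorted(scored, key=scored.get, reverse=not lowest_first)


if __name__ == "__main__":
    for name, dist in INVESTMENTS.items():
        m = risk_metrics(dist)
        print(name, {k: round(v, 2) for k, v in m.items()})
    print("lowest probability of largest loss:", rank_by("prob_largest_loss")[0])
    print("highest probability of no loss    :", rank_by("prob_no_loss", lowest_first=False)[0])
    print("lowest variance                   :", rank_by("variance")[0])
```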

Page 21:

C. Cybersecurity Risk Management Assessment and Control Framework

[Flowchart]
Organizational Objectives
-> Identifying Cybersecurity Risk
-> Is Risk Level Acceptable?
   No -> Manage Cybersecurity Risk via:
         -- Efficient Use of Resources (Investments)
         -- Internal Controls
         -- Voluntary Disclosures
         -- Information Sharing
         -- Technical Improvements
         -- Behavioral/Organizational Improvements
      -> Estimate Residual Risk
      -> Further Reduce Risk via Insurance?
         Yes -> Cybersecurity Insurance
         No -> Cybersecurity Risk Control and Response
   Yes -> Cybersecurity Risk Control and Response
         (e.g., intrusion detection systems, cybersecurity auditing, corrective actions)

L. A. Gordon © 21

Page 22:

Concluding Comments

1. Cybersecurity Economics Is Not Voodoo Economics
2. Many Cybersecurity Breaches do not have a Significant Impact on Firms, but some can Threaten the Survival of a Firm
3. SOX has Increased Voluntary Disclosures of Cybersecurity Activities and such Disclosures are Associated with Increasing Firm Value.
4. Cybersecurity Insurance is Slowly Gaining Momentum.
5. There are Different Ways to View Risk
6. CRM provides a Framework for Viewing Many Economic Issues Associated with Cybersecurity
7. A Catastrophic Cybersecurity Breach May Occur

L. A. Gordon © 22

Page 23:

SELECTED REFERENCES RELATED TO STREAM OF RESEARCH NOTED IN GANTT CHART

Bodin, L., L.A. Gordon and M.P. Loeb, "Information Security and Risk Management," Communications of the ACM, Vol. 51, No. 4, 2008, pp. 64-68.

Campbell, K., L.A. Gordon, M.P. Loeb and L. Zhou, "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.

Gordon, L.A. and M.P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Perspective (McGraw-Hill), 2006.

Gordon, L.A. and M.P. Loeb, "Information Security Budgeting Process: An Empirical Study," Communications of the ACM, Jan. 2006, pp. 121-125.

Gordon, L.A. and M.P. Loeb, "Economic Aspects of Information Security: An Emerging Field of Research," Information Systems Frontiers, Vol. 8, No. 5, 2006, pp. 335-337.

Gordon, L.A. and M.P. Loeb, "The Economics of Information Security Investment," ACM Transactions on Information and System Security, November 2002, pp. 438-457. (Reprinted in Economics of Information Security, 2004.)

Gordon, L.A. and M.P. Loeb, "Return on Information Security Investments: Myths vs. Reality," Strategic Finance, November 2002, pp. 26-31.

Gordon, L.A., M.P. Loeb and W. Lucyshyn, "Private Sector Investments in Cybersecurity," in progress.

Gordon, L.A., M.P. Loeb and W. Lucyshyn, "Sharing Information on Computer Systems Security: An Economic Analysis," Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003, pp. 461-485.

Gordon, L.A., M.P. Loeb and W. Lucyshyn, "Information Security Expenditures and Real Options: A Wait-and-See Approach," Computer Security Journal, Vol. 19, No. 2, 2003, pp. 1-7.

Gordon, L.A., M.P. Loeb, W. Lucyshyn and R. Richardson, "CSI/FBI Computer Crime and Security Survey," Computer Security Journal, Summer 2004.

Gordon, L.A., M.P. Loeb and T. Sohail, "Market Value of Voluntary Disclosures Concerning Information Security," MIS Quarterly, September 2010, pp. 567-594.

Gordon, L.A., M.P. Loeb and T. Sohail, "A Framework for Using Insurance for Cyber-Risk Management," Communications of the ACM, March 2003, pp. 81-85.

Gordon, L.A., M.P. Loeb, T. Sohail, C-Y Tseng and L. Zhou, "Cybersecurity Capital Allocation and Management Control Systems," European Accounting Review, Vol. 17, No. 2, 2008, pp. 215-241.

Gordon, L.A., M.P. Loeb and L. Zhou, "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?" Journal of Computer Security (forthcoming).

L. A. Gordon © 23

Page 24:

Biography of Dr. Lawrence A. Gordon

Dr. Lawrence A. Gordon is the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland's Robert H. Smith School of Business. He is also an Affiliate Professor in the University of Maryland Institute for Advanced Computer Studies. Dr. Gordon earned his Ph.D. in Managerial Economics from Rensselaer Polytechnic Institute. His research focuses on corporate performance measures, economic aspects of cyber and information security, cost management systems, and capital investments. He is the author of more than 90 articles that have been published in the accounting and computer/information security journals, and is considered to be one of the pioneers in the emerging field of cybersecurity economics. Dr. Gordon is also the coauthor or author of several books, including MANAGING CYBERSECURITY RESOURCES: A Cost-Benefit Analysis and Managerial Accounting: Concepts and Empirical Evidence (6th Edition). In addition, he is the Editor-in-Chief of the Journal of Accounting and Public Policy and serves on the editorial boards of several other academic journals. In two authoritative studies, Dr. Gordon was cited as being among the world's most influential/productive accounting researchers.

An award-winning teacher, Dr. Gordon has been an invited speaker at numerous universities around the world, including: Columbia University, Harvard University, London School of Economics, London Business School, University of Manchester, University of Toronto, Carnegie Mellon University, and Instituto de Empresa. Dr. Gordon's Ph.D. students (i.e., those students for whom he has served as the Chair or Co-Chair of their dissertation) have had initial placements as an Assistant Professor of Accounting at the Business Schools of such universities as: Northwestern University, University of Southern California, Purdue University, Rensselaer Polytechnic Institute, Instituto de Empresa, McGill University, National Taiwan University, College of William & Mary, and Michigan State University.

Dr. Gordon has served as a consultant to several private (e.g., IBM) and public (e.g., U.S. Government Accountability Office) organizations. He is also a frequent speaker at various professional meetings of corporate and government executives. In October 2007, Dr. Gordon was invited to provide formal Congressional Testimony concerning his research on cybersecurity economics before a Subcommittee of the U.S. House Committee on Homeland Security. He has also been a frequent contributor to the popular press (e.g., Wall Street Journal, Washington Post, Business Week, Baltimore Sun, etc.).

L. A. Gordon © 24