The Fourth Annual Forum on Financial Information Systems & Cybersecurity: A Public Policy Perspective, held on May 23, 2007 at the Robert H. Smith School of Business, brought together experts and industry professionals from around the globe to discuss risk management issues related to information security. The day included expert presentations followed by discussions that ranged from the extremely theoretical to the practical to the purely political, and the issues ranged from personal security risks to corporate and national security risks. The Journal of Accounting and Public Policy, the University of Maryland's Robert H. Smith School of Business, and the Center for Public Policy and Private Enterprise (from Maryland's School of Public Policy) co-sponsored the event.
Smith School Dean Howard Frank opened the event, which included nine presentations on current cybersecurity research and concluded with the annual Ira Shapiro Dinner, featuring Mike Herrinton, of Ernst & Young, on the "Importance of Information Security to Internal Control: A Sarbanes-Oxley (SOX) Perspective."
M. Eric Johnson, professor at Tuck School of Business, Dartmouth University, discussed the security risks inherent in peer-to-peer (P2P) file-sharing, a practice that began with Napster and has only proliferated since Napster's demise. P2P clients are downloaded from the Internet and allow customers to choose which files on their computers they wish to share with the network, and to search others' computers for music and video content.
Music and videos aren't all you can download, however. Johnson and his graduate students at Dartmouth found that in one afternoon of using LimeWire, a popular file-sharing client, they were able to download hundreds of personal identity documents, including passports, driver's licenses, even bank statements and financial aid forms.
Consumer ignorance (of how the client works) or general disorganization (failing to keep media files segregated from sensitive files) is part of what allows sensitive documents to leak onto these P2P networks. But Johnson pointed out that deliberate obfuscation by the clients themselves is also to blame: some P2P clients are designed to be confusing, making it harder for the customer to figure out how to safeguard their personal information.
Financial institutions also suffer from the security risks presented by P2P networks, and identity theft continues to be a serious concern. But many of the steps taken to prevent file-sharing networks from gaining access to confidential information are quickly subverted by savvy software designers, and even by users themselves. Since many of these issues are caused not by sabotage or terrorism but by inadvertent leaks, educating workers may be the best way to avoid the security problems associated with file-sharing.
Lawrence A. Gordon, Ernst & Young Alumni Professor of Managerial Accounting, discussed the need for empirical research on cybersecurity in order to determine the real cost of cybersecurity breaches and cybersecurity-related investments, the impact of Sarbanes-Oxley (SOX) on information security activities, and the role of information sharing in cybersecurity. Total cybersecurity-related losses for 2006 were $52,494,290, per the most recent Computer Security Institute (CSI) and Federal Bureau of Investigation (FBI) Annual Computer Crime and Security Survey, said Gordon. Based on the Gordon-Loeb Model, the amount a firm should spend to protect information should generally be only a small fraction of the expected loss.
"Empirical research on information security is growing, slowly, but more empirical data is needed to develop and test new and existing models," said Gordon. Since SOX was passed in 2002, voluntary disclosures of cybersecurity-related expenditures have increased. "Everyone wants to put in a little and take out a lot, though," said Gordon.
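A worked instance of the Gordon-Loeb claim above, added here as an example rather than code from the article or from Gordon and Loeb: it uses the class I breach-probability function S(z, v) = v / (alpha*z + 1)^beta from the Gordon-Loeb model, and the loss, vulnerability, alpha and beta values are constructed assumptions. It shows the optimal spend landing well below 1/e of the expected loss, the model's upper bound.

```python
import math

E_INV = 1 / math.e  # Gordon-Loeb upper bound: optimal spend z* never exceeds (v*L)/e


def breach_probability(z, v, alpha, beta):
    """Class I Gordon-Loeb security breach probability S(z, v) = v / (alpha*z + 1)**beta.
    v is the vulnerability (breach probability with no extra investment), z the security
    investment in dollars; alpha > 0 and beta >= 1 describe how productive spending is."""
    return v / (alpha * z + 1) ** beta


def enbis(z, v, loss, alpha, beta):
    """Expected net benefit of information security: reduction in expected loss minus spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha, beta):
    """Closed-form maximiser of enbis(): z* = ((v*L*alpha*beta)**(1/(beta+1)) - 1) / alpha.
    If the expression is negative, security spending does not pay and the answer is zero."""
    z_star = ((v * loss * alpha * beta) ** (1.0 / (beta + 1)) - 1.0) / alpha
    return max(0.0, z_star)


def investment_fraction(v, loss, alpha, beta):
    """Optimal spend as a fraction of the expected loss v*L; Gordon-Loeb shows it is always below 1/e."""
    return optimal_investment(v, loss, alpha, beta) / (v * loss)


# Constructed example (assumed values, not from the article): a data set whose breach would cost
# $1,000,000, a 50% chance of breach with no extra spending, and effectiveness alpha=1e-5, beta=1.
if __name__ == "__main__":
    v, L, alpha, beta = 0.5, 1_000_000, 1e-5, 1
    z = optimal_investment(v, L, alpha, beta)
    frac = investment_fraction(v, L, alpha, beta)
    print(f"expected loss ${v * L:,.0f}; optimal spend ${z:,.0f} ({frac:.1%} of expected loss, bound {E_INV:.1%})")
    # A coarse grid search over enbis() confirms the closed form sits at the peak.
    best = max(range(0, 500_001, 1_000), key=lambda cand: enbis(cand, v, L, alpha, beta))
    print(f"grid search peak at ${best:,} (within one 1,000-dollar step of z*)")
```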
One of the real benefits of the forum is the rich interchange of ideas that occurs when people from many academic backgrounds and industries gather. Information security is a tremendously complex problem, one that can be approached from an economics perspective, as Smith professors Gordon and Loeb have done for many years, or from a quality assurance perspective, a legal perspective, or a public policy perspective. The forum brings together these perspectives in lively and informal discussions.
Forum coordinators are Lawrence A. Gordon, Ernst & Young Alumni Professor of Managerial Accounting, and Martin P. Loeb, Deloitte and Touche LLP Faculty Fellow, both of the Smith School's accounting and information assurance department, and William Lucyshyn, director of research and senior research scholar at the Center for Public Policy and Private Enterprise.
Rebecca Winner, Alissa Arford-Leyl, Office of Marketing Communications