Smith School Holds Seventh Annual Cybersecurity Forum
Fascinated questions peppered the presentations at the 7th Annual Forum on Financial
Information Systems and Cybersecurity at the University of Maryland’s Robert H.
Smith School of Business on January 19, 2011.
The forum gave academic researchers from around the world, industry
professionals and government officials the chance to share their perspectives on
the economic, technological and policy issues related to cybersecurity.
Attendees came from Spain, France, Canada, and Japan, as well as across the
United States. Throughout the day, expert presentations explored cybersecurity
issues that affect both public policy and the day-to-day decision-making in
organizations.
Sasha Romanosky, doctoral student at Carnegie Mellon University, examined the
relationships between data breaches and lawsuits and found that industry matters
when breaches happen. Businesses and banks are much more likely to be sued than
hospitals or government agencies, he found, and individuals were more likely to
sue if the breach seemed to be caused by company carelessness rather than fraud.
Studying data breach disclosure laws, and their resulting lawsuits, has
become important in recent years because the threat of lawsuits is often cited
as a key driver for firms to improve their security practices. But most companies
fear damage to their brand reputation even more than they fear lawsuits, said
presenters Brian Geffert and Mike Gelles, both consultants with Deloitte.
Geffert and Gelles discussed how to identify threats from insiders within the
organization and recommended that both technology and HR solutions be applied to
prevent such threats. Many companies guard against insider threats related to
fraud or sabotage, but most companies need to be more aware of the dangers
presented by those with legitimate access.
“Suppose SAP doesn’t give your boss the report in the format he wants,” said Geffert. “So
you copy the sensitive data into Excel to create a report, and all the money the
company spent on data security goes out the window. I’m not concerned about
hackers—I’m concerned about the access you give your employees.” Wikileaks
provided a recent high-profile example of the dangers presented by legitimate
access, as a Marine was able to download sensitive Department of State documents
to the Wikileaks site. (A later presenter, Rebecca Mercuri, a cyber forensics
expert who is CEO of Notable Software, Inc., pointed out that the incident was
made possible by the post-9/11 push to get federal agencies to share information
amongst themselves, which made the information vulnerable to many more potential
insiders.)
Samuel Visner, vice president and lead executive for cybersecurity for CSC,
discussed gaps in U.S. cybersecurity policies and the need for a “global
cybersecurity environment,” with a policy architecture that supports the
national interest in cyberspace and is part of a broader global effort. He
described the current policy framework as “reactive” and said the federal
government’s Comprehensive National Cybersecurity Initiative doesn’t go far
enough, focusing mainly on financial networks and cybercrime.
The forum, which was started by Larry Gordon, Ernst & Young Alumni Professor
of Managerial Accounting, Martin Loeb, professor of accounting and information
assurance and Deloitte & Touche LLP Faculty Fellow, and William Lucyshyn,
director of research and senior research scholar at the University of Maryland
School of Public Policy, encourages the kind of rich interchange of ideas that
can only occur when people from many academic backgrounds and industries gather.
The Smith School’s cybersecurity research is part of a wider university focus on
cybersecurity issues, highlighted by the recent launch of the Maryland
Cybersecurity Center. The center brings together experts from engineering and
computer science with colleagues from across campus in fields such as economics,
social sciences and public policy to help establish broad-based cybersecurity
initiatives.
“The university is really on the move on cybersecurity because it is such an
important issue, and we’re delighted to be part of that effort,” said Vice Dean
Hugh Courtney. He went on to say of the forum: “This is the right time, the
right place and the right people to address these issues.”