

Modern bank managers need to protect their assets from traditional security
threats and from cybersecurity threats alike. Information security isn’t a
problem solely for banks, however: in this age of digital information and
interconnected networks, every organization needs to be concerned with
cybersecurity.
Lawrence Gordon, Ernst & Young Alumni Professor of Managerial Accounting
and Information Assurance, and Martin Loeb, professor of accounting and
information assurance and Deloitte & Touche LLP Faculty Fellow, address the
economics and financial management of cybersecurity resources in a new book,
Managing Cybersecurity Resources: A Cost-Benefit Analysis. The book
deals with the crucial role economics and financial management issues play
in helping to secure cyberspace.
“Many ‘techies’ with little or no business or economics training find
themselves managing their organization’s cybersecurity activities,” says
Loeb. “Our book gives these managers the necessary economic understanding
and financial tools to compete effectively for their organization's
resources.”
Gordon and Loeb debunk common myths about cybersecurity, including the myth
that cybersecurity activities do not lend themselves to cost-benefit analysis.
“Managers take the attitude, ‘Information security is so important, we
should just be given the funds,’” says Gordon. “But companies have finite
resources, so any resources given to cybersecurity are in effect taken away
from other departments within the company. Our book helps managers who are
responsible for securing and allocating cybersecurity funds understand how
to make the business case for resources, and then how to use those resources
most effectively.”
In a chapter devoted specifically to the business case for cybersecurity,
Gordon and Loeb consider the costs as well as the benefits of information
security measures.
Gordon and Loeb present an economic framework that helps managers
evaluate the right amount of resources to expend on information security.
This is an immensely practical issue. “If there was no limit to how much a
company could spend, everyone would have perfect security,” says Gordon.
“Using an economic framework helps people determine the point at which the
cost of security measures—putting in firewalls, for example—equals the
benefits. You don’t want to spend beyond that point.”
Surprisingly, the authors have found that many security breaches have
little real economic impact on firms. Security breaches that involve denial
of service, for example, are irritating for both customers and companies,
but don’t have a huge economic impact. Security breaches that involve
confidential customer information, on the other hand, can result in
short-term loss of income and long-term loss of customer trust—far more
costly in the long run. Gordon and Loeb recommend that firms first focus
their resources where the payoff is largest before spending money on
preventing other kinds of security breaches.
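The two rules the book states, spend on a control only while its benefit at least covers its cost and fund the largest payoffs first, can be worked through on numbers. The following Python illustration is added here; it is not the authors' framework or code, and every control name, cost, probability and loss figure in it is constructed for the example.

```python
"""Cost-benefit prioritization of security controls (added illustration).

Each candidate control has an annual cost and an estimated effect on expected
annual loss (probability of a breach times its financial impact). A control is
worthwhile only if the loss it avoids at least covers what it costs; within a
finite budget, controls are then funded in order of net benefit.
"""
from dataclasses import dataclass


def expected_loss(probability: float, impact: float) -> float:
    """Expected annual loss from one breach type: likelihood times impact."""
    return probability * impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # what the control costs per year
    loss_before: float   # expected annual loss without the control
    loss_after: float    # expected annual loss with the control in place

    @property
    def benefit(self) -> float:
        """Expected annual loss avoided by the control."""
        return self.loss_before - self.loss_after

    @property
    def net_benefit(self) -> float:
        """Benefit left over after paying for the control."""
        return self.benefit - self.annual_cost


# Constructed sample portfolio (hypothetical figures, not from the book).
# The denial-of-service and WAF controls cost more than the loss they avoid,
# which is the kind of spend the cost-equals-benefit rule screens out.
SAMPLE_CONTROLS = [
    Control("customer-data encryption", 60_000.0,
            expected_loss(0.25, 2_000_000.0), expected_loss(0.05, 2_000_000.0)),
    Control("DDoS scrubbing service", 80_000.0,
            expected_loss(0.5, 100_000.0), expected_loss(0.1, 100_000.0)),
    Control("portal MFA", 30_000.0,
            expected_loss(0.3, 1_000_000.0), expected_loss(0.1, 900_000.0)),
    Control("premium WAF", 150_000.0,
            expected_loss(0.2, 600_000.0), expected_loss(0.1, 200_000.0)),
    Control("awareness training", 20_000.0,
            expected_loss(0.4, 200_000.0), expected_loss(0.25, 200_000.0)),
]


def worthwhile(controls):
    """Keep only controls whose avoided loss at least covers their cost."""
    return [c for c in controls if c.benefit >= c.annual_cost]


def prioritize(controls, budget: float):
    """Greedy allocation: fund the worthwhile controls with the largest net
    benefit first, skipping any that no longer fit the remaining budget.
    Returns (funded control names, total spent, total expected loss avoided)."""
    funded, spent, avoided = [], 0.0, 0.0
    ranked = sorted(worthwhile(controls), key=lambda c: c.net_benefit, reverse=True)
    for c in ranked:
        if spent + c.annual_cost <= budget:
            funded.append(c.name)
            spent += c.annual_cost
            avoided += c.benefit
    return funded, spent, avoided


if __name__ == "__main__":
    names, spent, avoided = prioritize(SAMPLE_CONTROLS, budget=100_000.0)
    print(f"fund {names}: spend {spent:,.0f}, avoid {avoided:,.0f} expected loss")
```

With a 100,000 budget the encryption and MFA controls are funded (90,000 spent against roughly 610,000 of avoided expected loss), the training control is skipped because it no longer fits, and the DDoS and WAF controls are rejected outright because they cost more than they save. The greedy order is a simple heuristic rather than an exact optimum; the point it demonstrates is the screening rule, not the allocation algorithm.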
The book also discusses cybersecurity’s role in national security,
cybersecurity auditing and risk management.
Gordon and Loeb have played an influential role in the developing field
of cybersecurity economics (see the article about Smith’s Cybersecurity
Forum in this issue). Much of the information in the book is based on their
research at the Smith School.
Managing Cybersecurity Resources: A Cost-Benefit Analysis is
published by McGraw-Hill.
►Read the review of this book by IT World, February 15, 2006.