Probing questions and lively discussion punctuated the
presentations at the 5th Annual Cybersecurity Forum at the
Robert H. Smith School of Business on May 29, 2008. The
forum brought together academic researchers and industry
professionals from around the globe to discuss
risk-management issues related to information security. The
day included expert presentations followed by discussions
that ranged from the extremely theoretical to the practical
to the purely political. The issues ranged from personal
security risks to corporate and national security risks.
Speakers highlighted the changing threat posed to digital
systems. Businesses no longer have to worry about teen
hackers taking a shot at the Pentagon for bragging rights.
Instead, multinational corporations are suffering attacks
from organized crime, large-scale fraud, disgruntled
employees and even terrorists. The result is direct
financial losses via theft or embezzlement, data breaches,
business disruption, and in some cases infrastructure
failure.

Larry Clinton, president of the Internet Security
Alliance, argued in his presentation that both the public
and private sectors need to collaborate to create a coherent,
multifaceted system capable of evolving quickly enough to
effectively address the continually developing security
problems our digital infrastructures face. But he also
cautioned that regulation may not be the best answer, as
federal or state standards for security tend to be too low
and too inflexible, and could slow technological progress,
one of the prime drivers of the U.S. economy.

Other presenters examined some of the difficulties of
defining and implementing truly effective cybersecurity
standards. Sasha Romanosky, doctoral student at Carnegie
Mellon University, reviewed the effectiveness of state laws
governing data breach disclosure. Every year there are 8.1
million victims of identity theft in the United States, and
state governments have implemented data breach disclosure
laws that mandate that firms must notify customers when
their information is lost or stolen. Proponents of these
laws have argued that notifying consumers allows them to
take actions to mitigate risk, and exposing poor
cybersecurity on the part of companies will shame those
companies into adopting more effective cybersecurity. But
Romanosky’s study found that data breach laws don’t appear
to reduce identity theft in states where they have been
enacted.

The forum, which was started by Larry Gordon, Ernst &
Young Alumni Professor of Managerial Accounting, and Martin
Loeb, professor of accounting and information assurance and
Deloitte & Touche LLP Faculty Fellow, encourages the kind of
rich interchange of ideas that can only occur when people
from many academic backgrounds and industries gather.
Information security is a tremendously complex problem, one
that can be approached from an economics perspective, as
Smith professors Gordon and Loeb have done for many years,
or from a quality-assurance, legal, or public policy
perspective. The Cybersecurity Forum brings together these
perspectives in dynamic informal discussions.