University of Maryland researchers and the U.S. Attorney for Maryland described the significance of cybersecurity as a collective action, as part of the 19th Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective.
The interdisciplinary event on Jan. 10, 2024, was hosted by the Robert H. Smith School of Business and School of Public Policy at the University of Maryland. Smith Dean Prabhudev Konana and Accounting and Information Assurance Department Chair Michael Kimbrough gave welcome remarks to an international gathering of experts from academia, business and government.
School of Public Policy Associate Research Professor Charles Harry, who directs the school’s Center for Governance of Technology and Systems (GoTech), discussed a current study at the center that identifies and assesses local government cyber vulnerabilities across 3,158 county governments and involves 26,000 internet-facing devices. The work, conducted with Ido Sevan-Sevilla of UMD’s College of Information Studies, aggregates the data to show the extent to which local government insecurity could reverberate across county lines and impact the nation's overall cyber resilience. “The project is really informed and framed by very specific national policy documents, [especially] the Cyberspace Solarium Commission Report [that provides] a really deep understanding of how the U.S. government is approaching the issue of cyber,” said Harry.
Harry organized the forum with School of Public Policy colleague William Lucyshyn, research professor and director of research for the Center for Governance of Technology and Systems, and with Smith faculty Lawrence A. Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance, and Martin Loeb, professor of accounting and information assurance and a Deloitte & Touche Faculty Fellow.
Related to Harry’s presentation, the forum’s luncheon speaker Erek L. Barron, U.S. Attorney for the District of Maryland, referred to law enforcement in cybersecurity as a “collective action challenge in terms of organizing protection across local, state and federal governments; financial institutions; and various industries. And the challenge extends to leveraging these resources effectively and efficiently.”
Barron, a UMD graduate who was introduced by School of Public Policy Dean Robert C. Orr, said: “Stakeholders are fragmented, operating in silos and addressing the issue through their respective mandates. Financial institutions focus on resilience. Policymakers focus on standards. National security agencies focus on intelligence and counterintelligence. Industry executives focus on company-specific risks, and law enforcement agencies like the Department of Justice, which is itself fragmented, focus on catching individual wrongdoers. This responsibility gap and continued uncertainty about goals and mandates to protect the global financial system fuel risks, and we at the Department of Justice and the Maryland United States Attorney's Office are working to meet that challenge. We are trying to prioritize cyber disruption.”
Barron’s and Harry’s insights fit with a paper, “Maximizing the benefits from sharing CTI (Cyber Threat Intelligence) by government agencies and departments,” by Smith’s Gordon, Loeb and research scholar Lei Zhou, along with Josiah Dykstra, director of strategic initiatives for Trail of Bits.
The work, recently published by the Journal of Cybersecurity, was shared with participants and complemented a presentation of related research by the authors on “Effective utilization of government-provided CTI by small businesses in the defense industrial base.” Benjamin Wall of the National Security Agency also contributed to the study. In discussing the latter paper during the forum, Gordon said, “A key finding from our study is that government-provided CTI helps businesses within the DIB (Defense Industrial Base) in preventing, or responding to, cyber-attacks — providing a firm is familiar with the CTI.”
(Gordon also produced a guest column, “Cybersecurity Risk: A Technology Problem Requiring an Economic Solution” for the January 2024 issue of Dataquest Magazine.)
Additional presentations:
- “Cyber Trust Labels” by L. Jean Camp, professor of computer science and professor of informatics at Indiana University
- “Bounty Hunting in Cyberspace: Navigating the Future of Cybersecurity” (Ira Shapiro Memorial Lecture) by Rahul Telang, professor of information systems and management at Carnegie Mellon University
- “Evaluating the Effectiveness of Cybersecurity Risk Management Policy Coordination: Evidence from the UK” by Paul Klumpes, associate professor of accounting at Aalborg University Business School (Denmark)
- “Incentivizing Secure Software Development: The Role of Liability (Waiver) and Audit” by Mingyan Liu, professor of electrical engineering and computer science at the University of Michigan
- “Cybersecurity and IT Governance” by Robert Pinsker, professor of accounting at Florida Atlantic University
Gordon, Loeb and Lucyshyn launched the forum after researching together on the “economics of information sharing related to cybersecurity breaches.” They presented the work in 2002 at a University of California, Berkeley conference, and the paper was then published in the Journal of Accounting and Public Policy.