Stories concerning cybersecurity issues are now common in the news media. Articles addressing the theft of laptop computers with entire confidential databases have topped the list in recent months. The need to protect the nation's infrastructure, a large part of which is controlled by computer networks, has also been the subject of many recent news stories and government reports. In response to the stories and reports, computer security experts have been working hard to develop all sorts of technical solutions to prevent, or at least quickly detect and correct, cybersecurity breaches. At the same time, a new breed of researchers has emerged. This new breed tackles the cybersecurity concerns from an economics perspective. Smith School Professors Lawrence A. Gordon and Martin P. Loeb are among those leading the charge to apply economic concepts to cybersecurity issues.
Gordon, who is the Ernst and Young Alumni Professor of Accounting and Information Assurance and director of the Smith School's PhD program, argues that too much emphasis has been placed on spending more on cybersecurity activities and not enough attention has been given to the notion of efficiently allocating the funds spent. In essence, Gordon and colleagues argue that cybersecurity problems are as much about economics as they are about technical flaws. Thus, these cybersecurity economists advocate that cybersecurity spending needs to be viewed through an economic lens in the same fashion that organizations view any other expenditures.
Gordon and Loeb started their research related to applying economic concepts, such as cost-benefit analysis, to cybersecurity issues back in 1998. At first, some skeptics accused them of advocating voodoo economics in large part due to the uncertainty that permeates the process of evaluating information security activities. Yet, as Loeb points out, "risk and uncertainty are too often a convenient excuse for avoiding careful economic analysis and just following the herd." However, today these skeptics have largely disappeared and most now believe these researchers are on the right track. In fact, Gordon receives multiple invitations each month to speak at various conferences and seminars throughout the U.S. and world, including Europe, Asia and Australia. Although he turns down the majority of these invitations due to time constraints, over the past few years he has agreed to speak at such places as the London School of Economics, Carnegie Mellon University, the University of Maryland Institute for Advanced Computer Studies, and the Computer Security Institute's Annual Conference. He has also recently chaired sessions related to his research at such places as Harvard University and the University of Cambridge. This coming fall, Gordon's speaking commitments include INPUT's Conference and the Secure Knowledge Management Workshop 2006.
When asked about the cybersecurity renown that he is enjoying these days, Gordon says, "it is both flattering and gratifying to have so many people recognize the merits of our research on cybersecurity economics." The icing on the cake is the fact that executives in corporations and government agencies, as well as academicians, have recognized the value of this research. Gordon is quick to point out, however, that all of his research on cybersecurity economics is with colleague Martin Loeb. This includes their highly acclaimed book entitled Managing Cybersecurity Resources: A Cost-Benefit Analysis (published by McGraw-Hill in 2006). Gordon also notes that William Lucyshyn (from the UM's School of Public Policy) and several Smith School PhD students (e.g., Tashfeen Sohail and Chih-Yang Tseng) also play an important role in this stream of research.
For more information about Larry Gordon's research, e-mail him at email@example.com.