In the 10 years that Lawrence Gordon, Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance, has spent pondering the economic issues related to cybersecurity, the risks have changed significantly. Businesses and government agencies no longer have to worry about teen hackers taking a shot at their organizations for bragging rights. Instead, multinational corporations and government agencies are suffering cyber-attacks from organized crime, large-scale fraud, disgruntled employees and even terrorists. The result is direct financial losses, as well as violations of personal privacy, via theft or embezzlement, data breaches, business disruption, and in some cases infrastructure failure.
The seriousness of these problems, and Gordon’s commitment to the University of Maryland and the Robert H. Smith School of Business, led him to create the Gordon Prize in Managing Cybersecurity Resources. His gift to the university will initially endow the annual prize of $1,000 for the best English-language essay on the topic “Managing Cybersecurity Resources.”
Gordon and frequent collaborator Martin P. Loeb, Deloitte and Touche LLP Faculty Fellow, are among the pioneers in the field of cybersecurity economics research. Gordon and Loeb started exploring the idea of applying economic concepts, such as cost-benefit analysis, to cybersecurity issues in 1998. At first, some skeptics accused them of advocating voodoo economics, in large part due to the uncertainty that permeates the process of evaluating information security activities. Today these skeptics have largely disappeared, and the interactions of economics and cybersecurity are being more intensively scrutinized by scholars, business leaders, and government executives eager to maximize the value of their information security investments.
The Gordon-Loeb Model presents an economic framework that helps managers evaluate the right amount of resources to expend on information security. This is an immensely practical issue. “If there was no limit to how much a company could spend, everyone would have near perfect security,” says Gordon. “Using an economic framework helps people determine the point at which the marginal cost of security measures—putting in firewalls or better access controls, for example—equals the marginal benefits. You don’t want to spend beyond that point.”
Gordon is committed to raising awareness of the issue of cybersecurity and its importance to business and government leaders. In 2003 he and two other colleagues at the University of Maryland instituted the Smith School’s annual Cybersecurity Forum, now in its fifth year, to foster the rich interchange of ideas that can only occur when people from many academic backgrounds and industries gather.
Gordon sees the Gordon Prize as another way of encouraging practitioners and theoreticians alike to approach the problem of cybersecurity in a multi-disciplinary way. Information security is a tremendously complex problem, one that can be approached from an economics perspective, as Gordon and Loeb have done for many years, or from a quality assurance perspective, a computer science or engineering perspective, a legal perspective, or a public policy perspective. Gordon hopes that discussions of these problems will be enriched as Gordon Prize applicants examine the issue of managing cybersecurity resources from many different perspectives and points of view.
The prize will be offered yearly, and the competition is open to students, faculty, and information security professionals in both the public and private sectors.
Gordon is the co-author (with Loeb) of the highly acclaimed book entitled “Managing Cybersecurity Resources: A Cost-Benefit Analysis” (published by McGraw-Hill in 2006). In addition, Gordon is editor-in-chief of the Journal of Accounting and Public Policy, serves on the editorial boards of several other journals, and is a frequent contributor to the popular press. He has been cited as being among the world’s most influential and productive accounting researchers. An award-winning teacher, he is also a frequent speaker at various universities and professional meetings and has testified as an expert before the U.S. House of Representatives Subcommittee on Homeland Security.