Smith School of Business Professor Lawrence A. Gordon recently co-developed a formula to determine how much a company should invest in cybersecurity. Now he is bringing that innovation to University of Maryland honors students.
His course, Accounting and Economic Aspects of Cybersecurity, introduces financial management principles to a discipline grounded in computer science and engineering.
The offering bolsters the UMD Honors College ACES (Advanced Cybersecurity Experience for Students) curriculum, which launched in fall 2013 as the nation's first, four-year honors undergraduate program in cybersecurity.
ACES Director Michel Cukier, associate director for education in the Maryland Cybersecurity Center, said the course is “path-breaking and signals a new standard for educating those to be tasked with protecting their organizations' information.”
That field is rife with opportunity.
"Demand for properly trained cybersecurity professionals far exceeds the supply," said Gordon, the EY Alumni Professor of Managerial Accounting and Information Assurance in UMD's Robert H. Smith School of Business. "Job openings are in the hundreds of thousands and growing."
Students taking the course have an opportunity to master a widely respected formula – the Gordon-Loeb Model – co-authored by Gordon and Smith colleague Martin Loeb, professor of accounting and information assurance and a Deloitte & Touche Faculty Fellow.
Gordon and Loeb deconstructed the framework through a 2011 Wall Street Journal column, “You may be fighting the wrong security battles.” Their book, “Managing Cybersecurity Resources: A Cost-Benefit Analysis,” expands on the model as well.
“Companies tend to approach cybersecurity from a technical, computer security perspective,” said Gordon, whose related research with Loeb has drawn funding from the NSA and Department of Homeland Security. “I look at the problem in terms of economics and accounting.”
"Challenges associated with cybersecurity are as much about issues like resource allocation, financial disclosure and understanding the real cost of breaches, as they are about the technical problems associated with computer software and hardware development," Gordon said.
The course is designed to prepare students to manage cybersecurity resources by determining:
- Costs of cybersecurity breaches to corporations
- Impact of cybersecurity requirements on the internal control systems of organizations
- Optimal amount a firm should invest in cybersecurity activities
- Importance of cybersecurity to global business
- Impact of the recent U.S. Securities and Exchange Commission's disclosure guidelines for reporting cyber risks and incidents
The last point signals the offering’s timeliness.
"Cybersecurity is a key policy agenda item for the Obama administration and one of the hottest discussion topics among corporate executives, government administrators, politicians and academicians," said Gordon. "The recent high-profile cybersecurity breaches have moved these discussions to the corporate boardroom."
Cukier said the Accounting and Economic Aspects of Cybersecurity course is helping ACES "drive UMD as an innovator in cybersecurity education."
“Professor Gordon is a leader in the field of cybersecurity economics and the first faculty teaching an ACES honors seminar,” he said. “His contributions highlight the multidisciplinary aspect of this program.”