Experts Map Cyber Governance in UMD Business-Public Policy Forum
The fledgling cyberinsurance industry needs stronger data analysis fed by companies more willing to self-report cyber incidents.
That assessment, by Department of Homeland Security Senior Cybersecurity Strategist Tom Finan, was part of the annual Financial Information Systems and Cybersecurity Forum on Jan. 14, 2015, co-hosted by the Robert H. Smith School of Business and School of Public Policy at the University of Maryland.
“Right now, there’s a lot of gut-checking to determine how much insurance is needed to get by,” Finan told the gathering of researchers and senior executives.
“A lack of common standards, metrics and best practices really hobbles insurers in making risk comparisons across different companies – comparisons that otherwise would help them build out both first- and third-party policies,” said Finan, referencing participant feedback drawn from a recent series of DHS Cybersecurity Insurance workshops.
A survey of 59 U.S. firms – reported in the wake of high-profile breaches affecting the likes of Target and Kmart -- revealed a $12.7 million annual cost per company to respond to cyber attacks.
While facing such exposure, “(Chief information security officers) are hesitant to reveal information related to cyber incidents, fearing public exposure to such detail could be embarrassing to their companies,” Finan said. “It’s a sort of ‘shame factor’ contributing to “a persistent lack of actuarial data for underwriters.”
“First-party insurers, for example, don't have a feel for potential damages from an incident in one sector cascading to other sectors.”
Insurance is part of what other presenters referred to as a broader “cyber-governance conundrum.”
Since its first cybercrime prosecution – of a Cornell grad student for infecting MIT’s network in 1988 with a “logic bomb” – the United States has 20 related statutes, and prosecutions have increased 400 percent since 2005.
“But it’s not enough,” said Indiana University business law and ethics professor Scott Shackelford. “It’s a global problem.”
As attacks proliferate in numbers, sophistication and severity, cooperative Internet governance is increasingly tricky, Shackelford said. “Definitions for cybersecurity vary country to country”.
The lone international treaty for law enforcement, the (Budapest) Convention on Cybercrime, is ratified by just 42 nations. “Others have opted out, concerned the treaty infringes on such interests as sovereignty and public order.”
“This demonstrates the difficulty with relying on a top-down, state-centric international law approach to getting a handle on the problem,” he added. “Polycentric (multi-leveled) governance is the endgame to shoot for.”
This private sector-driven, bottom-up form of governance is based on self-organization and networking regulations at multiple levels.
“We can't stop cyberattacks, but we can manage them more effectively by taking a ‘network and distribution’ approach to a ‘network and distributor’ problem,” Shackelford said.
“Communities can self-organize and control these resources for the common good” he added. “This framework really magnifies the notion that cybersecurity should be treated as a matter of corporate social responsibility.”
More from Academia; Agency Tactics and Organizers’ Recognition
Academic perspectives also came from Penn State University professors John Bagby (“Cybersecurity Risk Management Requires Infrastructure Protection Policy Conformance”) and Jens Grosskags (“How Many Down? Toward Understanding Systematic Risk in Networks”) who separately discussed their recent research findings.
The Federal Housing Finance Agency’s Ralph Mosios presented “The Intersection of Internal Controls and Cybersecurity” based on his oversight of IT security compliance and operational security FHFA chief information security officer. FBI Information Crime Unit Chief Steven Pandelides detailed the bureau’s Malware Investigator and National Security Council Director for Cybersecurity Policy and Law Nathaniel Gleicher spoke about President Obama’s recently proposed cybersecurity legislation.
Lt. Gen. Harry D. Raduege, senior advisor and director for cyber risk service at the Deloitte Center for Cyber Innovation, delivered the Ira M. Shapiro Memorial Lecture, commemorating Shapiro, a Smith accounting alumnus. Raduege, with 35 years of U.S. military service covering telecommunications, space, information and network operations, spoke about the “Nature of Increasing Cybersecurity Threats.”
The forum, in its 11th year, “was successful, due in great part to outstanding participation by executive leaders in industry and government and from academia,” said Martin Loeb, Smith School professor of accounting and information assurance and Deloitte & Touche LLP Faculty Fellow.
The presenters engaged throughout the forum with leaders representing the likes of the International Monetary Fund, U.S. Nuclear Regulatory Commission, Federal Reserve Board, U.S. Air Force, Freddie Mac, and higher education from Johns Hopkins to Tokyo University and UMD’s Smith School, whose Lawrence Gordon noted through several exchanges that “a fundamental issue underlying the cybersecurity conundrum is the need to figure out how much to spend on cybersecurity activities and how to allocate those funds.”
“It is crucial for organizations in both the private and public sectors to address this issue,” said Gordon, EY Professor of Accounting and Information Assurance.
Gordon and Loeb coordinated the forum along with William Lucyshyn, senior research scholar at the Center for Public Policy and Private Enterprise in UMD’s School of Public Policy.
“Eleven years ago, few cared about cybersecurity -- much less cybersecurity economics,” said Michael Ball, Smith’s senior associate dean and Dean's Chair in Management Science, as he welcomed the forum participants.
“Now, every day, this is a critical area for investigation,” Ball said. “This speaks to (Gordon’s, Loeb’s and Lucyshyn’s) foresight in conceiving this gathering while building a substantial body of related research.”
The trio recently garnered funding totaling more than $666,000 to continue an influential stream of cybersecurity economics research. The researchers have applied the DHS grant to extend their Gordon-Loeb Model to help private sector firms improve their decisions regarding cybersecurity investments.
Gordon will speak about the research and model to an international gathering senior policymakers and business leaders in April at the 2015 National Cyber Security Centre One Conference in the Netherlands.
Media Relations Manager
About the University of Maryland's Robert H. Smith School of Business
The Robert H. Smith School of Business is an internationally recognized leader in management education and research. One of 12 colleges and schools at the University of Maryland, College Park, the Smith School offers undergraduate, full-time and part-time MBA, executive MBA, online MBA, specialty master's, PhD and executive education programs, as well as outreach services to the corporate community. The school offers its degree, custom and certification programs in learning locations in North America and Asia.