Network Computing is part of the Informa Tech Division of Informa PLC

The Economics of Information Security: Page 5 of 6

Another area in which economics has direct relevance to information security is information sharing, which has become a mantra of the Department of Homeland Security and other organizations, including the federally sponsored Information Sharing Analysis Centers, or ISACs--groups of companies in industry sectors that pool information to improve the security of their respective infrastructures. Although sharing information about cyberthreats is a laudable goal, economists have shown it to be extremely difficult to put into practice. Indeed, without the appropriate economic incentives, the free-rider problem--the tendency for participants to want to get all the information they can from other participants without sharing any of their own deep, dark secrets--typically prevents organizations from obtaining the potential value of information sharing in an information security setting. Dozens of groups are drawn together by the idea that members will share their mishaps and vulnerabilities confidentially with the group--think of the local chapters of the Information Systems Audit and Control Association (ISACA), the FBI's InfraGard and, of course, the ISACs. But without purposefully changing the incentives a member has to share sensitive information with these groups, each participant typically waits for others to do the sharing, rather than risk exposing information about his or her organization's weaknesses. For more information about infosec information sharing, see Gordon, Loeb and Lucyshyn's "Sharing Information on Computer Systems Security: An Economic Analysis" in the Journal of Accounting and Public Policy (Vol. 22, No. 6, 2003).

Indeed, information security is a troublesome market: Important information is routinely hidden from those who need it most, its most important characteristics are devilishly difficult to measure, and the vendors that provide security mechanisms often don't pay the costs when those mechanisms fail. Economists have spent decades developing tools to make sense of just this sort of off-kilter market system, so it's high time for information security managers to borrow their tools and expertise to measure and improve their company's cybersecurity. What are you waiting for?

LAWRENCE A. GORDON is Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, University of Maryland. Write to him at [email protected].

ROBERT RICHARDSON is editorial director at the Computer Security Institute (CSI). Write to him at [email protected].

No security breach is good, but the impact of some incidents is considerably worse--and tougher to measure--than that of others. To determine the indirect costs of cybercrime, Lawrence A. Gordon (co-author of the main article) and I led a team of researchers at the University of Maryland's Smith School of Business in examining the impact of information security breaches on corporations' stock market valuations.

Our findings: The direct costs typically associated with preventing or recovering from cybercrime--investments in intrusion-detection systems, lost productivity, overtime for IT staff to fix compromised systems--have all become an unfortunate but accepted part of doing business, and they rarely affect a company's revenue over time or its stock prices. The real financial damage done by cybercrime stems from breaches of confidence. Such breaches can drive down revenue over time, and stock market investors take that possibility into account by lowering their estimation of the worth of the company's stock. It's an indirect cost, and one companies pay only when customers feel their trust has been violated.