FALL 2008 VOL. 9 NO. 2


Cyber Security Forum 2008

Probing questions and lively discussion punctuated the presentations at the 5th Annual Cybersecurity Forum at the Robert H. Smith School of Business on May 29, 2008. The forum brought together academic researchers and industry professionals from around the globe to discuss risk-management issues related to information security. The day included expert presentations followed by discussions that ranged from the extremely theoretical to the practical to the purely political. The issues ranged from personal security risks to corporate and national security risks.

Speakers highlighted the changing threat posed to digital systems. Businesses no longer have to worry about teen hackers taking a shot at the Pentagon for bragging rights. Instead, multinational corporations are suffering attacks from organized crime, large-scale fraud, disgruntled employees and even terrorists. The result is direct financial losses via theft or embezzlement, data breaches, business disruption, and in some cases infrastructure failure.

Larry Clinton, president of the Internet Security Alliance, argued in his presentation that the public and private sectors need to collaborate to create a coherent, multifaceted system capable of evolving quickly enough to effectively address the continually developing security problems our digital infrastructures face. But he also cautioned that regulation may not be the best answer, as federal or state standards for security tend to be too low and too inflexible, and could slow technological progress, one of the prime drivers of the U.S. economy.

Other presenters examined some of the difficulties of defining and implementing truly effective cybersecurity standards. Sasha Romanosky, doctoral student at Carnegie Mellon University, reviewed the effectiveness of state laws governing data breach disclosure. Every year there are 8.1 million victims of identity theft in the United States, and state governments have implemented data breach disclosure laws that mandate that firms must notify customers when their information is lost or stolen. Proponents of these laws have argued that notifying consumers allows them to take actions to mitigate risk, and exposing poor cybersecurity on the part of companies will shame those companies into adopting more effective cybersecurity. But Romanosky's study found that data breach laws don't appear to reduce identity theft in states where they have been enacted.

The forum, which was started by Larry Gordon, Ernst & Young Alumni Professor of Managerial Accounting, and Martin Loeb, professor of accounting and information assurance and Deloitte & Touche LLP Faculty Fellow, encourages the kind of rich interchange of ideas that can only occur when people from many academic backgrounds and industries gather. Information security is a tremendously complex problem, one that can be approached from an economics perspective, as Smith professors Gordon and Loeb have done for many years, or from a quality-assurance, legal, or public policy perspective. The Cybersecurity Forum brings together these perspectives in dynamic informal discussions.


Copyright 2008 Robert H. Smith School of Business