Smith School Hosts Fourth
Annual Forum on
Financial Information Systems &
Cybersecurity
The Fourth Annual Forum on
Financial Information Systems &
Cybersecurity: A Public Policy
Perspective, held on May 23, 2007 at the
Robert H. Smith School of Business,
brought together experts and industry
professionals from around the globe to
discuss risk management issues related
to information security. The day
included expert presentations followed
by discussions that ranged from the
extremely theoretical to the practical
to the purely political, and the issues
ranged from personal security risks to
corporate and national security risks.
The
Journal of Accounting and Public Policy,
the University of Maryland's Robert H.
Smith School of Business, and the Center
for Public Policy and Private Enterprise
(from Maryland's School of Public
Policy) co-sponsored the event.
Smith School Dean Howard Frank opened
the event, which included nine
presentations on current cybersecurity
research and concluded with the annual
Ira Shapiro Dinner, featuring Mike
Herrinton, of Ernst & Young, on the
"Importance of Information Security to
Internal Control: A Sarbanes-Oxley (SOX) Perspective."
M. Eric Johnson, professor at the Tuck
School of Business, Dartmouth
College, discussed the security risks
inherent in peer-to-peer (P2P)
file-sharing, a practice that began with
Napster and has only proliferated since
Napster's demise. P2P clients are
downloaded from the Internet; they let
users choose which files on their own
computers to share with the network,
and let them search other users'
computers for music and video content.
Music and videos aren’t all you can
download, however. Johnson and his
graduate students at Dartmouth found
that in one afternoon of using LimeWire,
a popular file-sharing client, they were
able to download hundreds of personal
identity documents, including passports,
driver’s licenses, even bank statements
and financial aid forms.
Users' ignorance of how the client
works, and plain disorganization that
leaves media files mixed in with
sensitive ones, account for part of the
leakage of sensitive documents onto
these P2P networks. But Johnson pointed
out that deliberate obfuscation by the
client software itself is also to blame:
some P2P clients are designed to be
confusing, making it harder for users
to work out how to keep their personal
information out of the shared folders.
Financial institutions also suffer
from the security risks presented by P2P
networks, and identity theft continues
to be a serious concern. But many of the
steps taken to keep file-sharing
networks away from confidential
information are quickly subverted by
savvy software designers, and even by
users themselves. Since many of these
exposures are caused not by sabotage or
terrorism but by inadvertent leaks,
educating workers may be the most
effective way to mitigate the security
problems associated with file-sharing.
Lawrence A. Gordon, Ernst & Young
Alumni Professor of Managerial
Accounting, discussed the need for
empirical research on cybersecurity:
to determine the real cost of
cybersecurity breaches and of
cybersecurity-related investments, to
measure the impact of Sarbanes-Oxley
(SOX) on information security
activities, and to assess the role of
information sharing in cybersecurity.
Total cybersecurity-related losses
reported for 2006 were $52,494,290, per
the most recent
Computer Security Institute (CSI) and
Federal Bureau of Investigation (FBI)
Annual Computer Crime and Security
Survey, said Gordon. Under the
Gordon-Loeb Model, the amount a firm
should spend to protect an information
set is generally only a fraction of the
expected loss from a breach, and never
more than 1/e (roughly 37 percent) of it.
"Empirical research on information
security is growing, slowly, but more
empirical data is needed to develop and
test new and existing models," said Gordon. Since
SOX was passed in 2002,
voluntary disclosures of cybersecurity-related
expenditures have increased. "Everyone
wants to put in a little and take out a
lot, though," said Gordon.
One of the real benefits of the forum
is the rich interchange of ideas that
occurs when people from many academic
backgrounds and industries gather.
Information security is a tremendously
complex problem, one that can be
approached from an economics
perspective, as Smith professors Gordon
and Loeb have done for many years, or
from a quality assurance perspective, a
legal perspective, or a public policy
perspective. The forum
brings together these perspectives in
lively and informal discussions.
Forum coordinators are Lawrence A. Gordon,
Ernst & Young Alumni Professor of
Managerial Accounting, and Martin P.
Loeb, Deloitte and Touche LLP Faculty
Fellow, both of the Smith School’s
accounting and information assurance
department, and William Lucyshyn,
director of research and senior research
scholar at the Center for Public Policy
and Private Enterprise. For more
information on the forum, contact
Gordon (lgordon@rhsmith.umd.edu).
Rebecca Winner, Alissa Arford-Leyl,
Office of Marketing Communications