Smith School Holds 6th Annual Cybersecurity Forum
The minds of teachers, researchers and industry professionals alike came together
as they discussed solutions to the current problems surrounding the issue of cybersecurity
at the 6th Annual Cybersecurity Forum at the Robert H. Smith School of Business
on Oct. 28, 2009.
The forum, which took place in Van Munching Hall, was started in 2004 by Lawrence
Gordon, Ernst & Young Alumni Professor of Managerial Accounting, Martin Loeb, professor
of accounting and information assurance and Deloitte & Touche LLP Faculty Fellow,
and Bill Lucyshyn, the Director of Research and Senior Research Scholar at the Center
for Public Policy and Private Enterprise in the School of Public Policy.
Before the presentations for the event began, Dean G. “Anand” Anandalingam welcomed
the visitors, who came from all across the world including a small group from Japan,
to discuss the issues concerning cyber safety.
“This event is one of my favorites,” Anandalingam said, adding that he enjoyed
working with the School of Public Policy to put on the event each year.
The event featured faculty and practitioners who spoke about the research they
are doing in the field of information technology. After each presentation, audience
members were able to ask questions and further discuss the speaker’s points.
Larry Clinton, president of the Internet Security Alliance (ISA) and one of the
speakers at the forum, explained the need for better security with regard to information
technology.
“Cybersecurity is a situation that we cannot deal with without rethinking things
completely,” Clinton – who joked that he is no relation to the Secretary of State
or the former President of the United States – said.
Clinton, who also spoke at last year’s Cybersecurity Forum, emphasized that cybersecurity
is not an IT issue.
“If we are thinking about it as something the IT guys are going to fix, we’re
thinking about it all wrong,” Clinton said, adding that the ISA believes the problem
needs to be looked at with a much broader perspective.
“All economic initiatives favor the bad guys,” Clinton said. “We used to have
to know the basics of Star Trek to pose a cybersecurity threat, but it is much easier
now. The perimeter we need to defend is so large.”
Clinton also pointed out that the government needs to play a part in enhancing
cybersecurity. Government and industry must rethink and evolve new roles, responsibilities
and practices to create a sustainable system of cybersecurity, Clinton said.
President Barack Obama’s Cyberspace Policy Review states that “industry estimates
of losses from intellectual property to data theft in 2008 range as high as $1 trillion,”
a number Clinton said is shocking.
“If we are losing so much money in cybersecurity, then why is there no investment?”
Clinton asked.
Obama’s Cyberspace Policy Review states: “The United States faces the dual challenge
of maintaining an environment that promotes innovation, open interconnectivity,
economic prosperity, free trade, and freedom while also ensuring public safety,
security, civil liberties, and privacy. … It is not enough for the information technology
workforce to understand the importance of cybersecurity; leaders at all levels of
government and industry need to be able to make business and investment decisions
based on knowledge of risks and potential impacts.”
Clinton pointed out that 75 percent of U.S. corporations do not have a chief
risk officer, a percentage he said ties back to the problems mentioned in Obama’s
policy review and that needs to change if we are going to see an improvement.
Other speakers at the event included Sasha Romanosky, a doctoral student at Carnegie
Mellon University, and Gordon. Romanosky spoke about data breach and identity theft
and Gordon spoke about a recent study he completed with Loeb and Lei Zhou, visiting
assistant professor of accounting and information assurance.
The study examined the stock prices of companies that experienced information
security breaches between 1995 and 2007, a huge dataset that encompassed the longest
period and the most companies ever studied. Before 2001, an information security
breach had a noticeable negative impact on stock prices. But post 9/11, the effect
of a breach on a firm’s stock price was insignificant.
That may be because these events have become so common, Gordon said. A few months
ago his credit card company sent Gordon a letter saying the firm’s system had been
breached and personal customer information had been compromised. Rather than getting
upset and canceling his account, Gordon just cut up his old card and activated his
new one. Consumers don’t appear to be penalizing companies for security breaches,
which means investors aren’t raising the red flag either.
“That’s one of the dangers. You get lulled into looking at the averages, but
a few companies every year suffer disastrous consequences as a result of a significant
security breach,” Gordon said. “I think it makes it tougher for firms to make the
financial case for investing in information security.”
Visitors at the event had the opportunity to ask questions of all of the speakers
and network throughout the day. This year’s forum, like all past years, reinforced
that information technology and cybersecurity are complex topics that can be looked
at from many different perspectives. The 2009 Cybersecurity Forum succeeded in bringing
together these different ideas with each speaker and subsequent discussions.
Jessica Bauer, Office of Marketing Communications