“Our model has real-world applications and we want to make it more accessible to corporations. I’m trying to explain how to use it in a more practical setting without getting caught up in all the mathematics.”
Gordon to Speak at International Cybersecurity Conference
In order to protect valuable information and still run economically, businesses need to make the important decision of just how much of their budget should be spent on cybersecurity.
Considered a pioneer in the growing field of cybersecurity economics, Lawrence A. Gordon, who holds an appointment in the Maryland Cybersecurity Center (MC2) and serves as the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at UMD’s Robert H. Smith School of Business, will speak at the 2015 International National Cyber Security Centre (NCSC) One Conference April 13 – 14 in the Netherlands. His talk is entitled “Investing in Cybersecurity: Insights from the Gordon-Loeb Model.”
Developed more than a decade ago by Gordon and Martin Loeb, a professor of accounting and information assurance who also holds an appointment in MC2, the Gordon-Loeb Model is a mathematical economic model analyzing the optimal investment level in cybersecurity. The model dictates that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the expected value of the loss resulting from an cyber/information security breach).
Gordon says the goal of his talk, which is part of a lecture series he launched in October at the Johns Hopkins University's Senior Executive Cybersecurity Conference, is to help corporations make better cybersecurity investment decisions based on the Gordon-Loeb Model.
“Our model has real-world applications and we want to make it more accessible to corporations,” he says. “I’m trying to explain how to use it in a more practical setting without getting caught up in all the mathematics.”
For example, Gordon will suggest companies segment their most valuable information—such as social security numbers, passwords, employee health records, etc.—into different sets and then decide which data they should spend more money protecting.
“Companies have to decide just how much they should invest in protecting their information, on a cost-benefit basis,” he says. “They cannot spend all their funds on cybersecurity.”
The NCSC One Conference is being organized in cooperation with the Global Conference on Cyber Space (GCCS 2015). More than 800 people—including senior business executives and government officials—are expected to attend the event.
—Story by Melissa Brachfeld
April 6, 2015