There are two broad objectives of the research reported in this paper. First, we assess whether government-provided cyber threat intelligence (CTI) is helpful in preventing, or responding to, cyber-attacks among small...There are two broad objectives of the research reported in this paper. First, we assess whether government-provided cyber threat intelligence (CTI) is helpful in preventing, or responding to, cyber-attacks among small businesses within the U.S. Defense Industrial Base (DIB). Second, we identify ways of improving the effectiveness of government-provided CTI to small businesses within the DIB. Based on a questionnaire-based survey, our findings suggest that government-provided CTI helps businesses within the DIB in preventing, or responding to, cyber-attacks providing a firm is familiar with the CTI. Unfortunately, a large percentage of small firms are not familiar with the government-provided CTI feeds and consequently are not utilizing the CTI. This latter situation is largely due to financial constraints confronting small businesses that prevent firms from having the wherewithal necessary to effectively utilize the government-provided CTI. However, we found a significant positive association between a firm’s familiarity with the government-provided CTI and whether a firm is being periodically reviewed by the Defense Counterintelligence and Security Agency (DCSA) or is compliant with the Cybersecurity Maturity Model Certification (CMMC) program. The findings from our study also show that the participating firms believe that external cyber threats are more likely to be the cause of a future cybersecurity breach than internal cybersecurity threats. Finally, our study found that the portion of the IT budget that small businesses within the DIB spend on cybersecurity-related activities is dependent on the perception that a firm would be the target of an external cyber-attack.展开更多
Cyber security breaches inflict costs to consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy a...Cyber security breaches inflict costs to consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm’s social optimal investment in cyber security increases by no more than 37% of the expected externality loss.展开更多
Given the importance of cybersecurity to the survival of an organization, a fundamental economics-based question that must be addressed by all organizations is: How much should be invested in cybersecurity related act...Given the importance of cybersecurity to the survival of an organization, a fundamental economics-based question that must be addressed by all organizations is: How much should be invested in cybersecurity related activities? Gordon and Loeb [1] presented a model to address this question, and that model has received a significant amount of attention in the academic and practitioner literature. The primary objective of this paper is to discuss the Gordon-Loeb Model with a focus on gaining insights for the model’s use in a practical setting.展开更多
This paper provides an analysis of how the benefits of information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. An analytical mod...This paper provides an analysis of how the benefits of information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. An analytical model based on the framework of the Gordon-Loeb Model (<span><span><span style="font-family:Verdana;">[1]</span><span></span></span></span><span><span></span></span><span></span><span><span></span></span><span style="font-family:Verdana;"><span style="font-family:Verdana;"><span style="font-family:Verdana;">) is presented that provides a set of sufficient conditions for information segmentation to lower the total investments in cybersecurity and the expected loss from cybersecurity breaches. A numerical example illustrating the insights gained from the model is also presented.</span></span></span>展开更多
This paper extends the literature on the economics of sharing cybersecurity information by and among profit-seeking firms by modeling the case where a government agency or department publicly shares unclassified cyber...This paper extends the literature on the economics of sharing cybersecurity information by and among profit-seeking firms by modeling the case where a government agency or department publicly shares unclassified cyber threat information with all organizations. In prior cybersecurity information sharing models a common element was reciprocity—i.e., firms receiving shared information are also asked to share their private cybersecurity information with all other firms (via an information sharing arrangement). In contrast, sharing of unclassified cyber threat intelligence (CTI) by a government agency or department is not based on reciprocal sharing by the recipient organizations. After considering the government’s cost of preparing and disseminating CTI, as well as the benefits to the recipients of the CTI, we provide sufficient conditions for sharing of CTI to result in an increase in social welfare. Under a broad set of general conditions, sharing of CTI will increase social welfare gross of the costs to the government agency or department sharing the information. Thus, if the entity can keep the sharing costs low, sharing cybersecurity information will result in an increase in net social welfare.展开更多
Investments in cybersecurity are critical to the national and economic security of a nation. There is, however, a strong tendency for firms in the private sector to underinvest in cybersecurity activities. This paper ...Investments in cybersecurity are critical to the national and economic security of a nation. There is, however, a strong tendency for firms in the private sector to underinvest in cybersecurity activities. This paper reports the results of a survey designed to empirically assess whether treating cybersecurity as an important component of a firm’s internal control system for financial reporting purposes serves as a driver for private sector firms to invest in cybersecurity activities. The findings, in this regard, are significantly positive. The study also shows that a firm’s concern over the risk of incurring a large loss due to a cybersecurity breach and the degree the firm treats cybersecurity investments as generating a competitive advantage are drivers of the level of private sector investment in cybersecurity activities. The implications of the empirical results for designing public policies to mitigate the tendency of private sector firms to underinvest in cybersecurity are also explored.展开更多
文摘There are two broad objectives of the research reported in this paper. First, we assess whether government-provided cyber threat intelligence (CTI) is helpful in preventing, or responding to, cyber-attacks among small businesses within the U.S. Defense Industrial Base (DIB). Second, we identify ways of improving the effectiveness of government-provided CTI to small businesses within the DIB. Based on a questionnaire-based survey, our findings suggest that government-provided CTI helps businesses within the DIB in preventing, or responding to, cyber-attacks providing a firm is familiar with the CTI. Unfortunately, a large percentage of small firms are not familiar with the government-provided CTI feeds and consequently are not utilizing the CTI. This latter situation is largely due to financial constraints confronting small businesses that prevent firms from having the wherewithal necessary to effectively utilize the government-provided CTI. However, we found a significant positive association between a firm’s familiarity with the government-provided CTI and whether a firm is being periodically reviewed by the Defense Counterintelligence and Security Agency (DCSA) or is compliant with the Cybersecurity Maturity Model Certification (CMMC) program. The findings from our study also show that the participating firms believe that external cyber threats are more likely to be the cause of a future cybersecurity breach than internal cybersecurity threats. Finally, our study found that the portion of the IT budget that small businesses within the DIB spend on cybersecurity-related activities is dependent on the perception that a firm would be the target of an external cyber-attack.
文摘Cyber security breaches inflict costs to consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm’s social optimal investment in cyber security increases by no more than 37% of the expected externality loss.
文摘Given the importance of cybersecurity to the survival of an organization, a fundamental economics-based question that must be addressed by all organizations is: How much should be invested in cybersecurity related activities? Gordon and Loeb [1] presented a model to address this question, and that model has received a significant amount of attention in the academic and practitioner literature. The primary objective of this paper is to discuss the Gordon-Loeb Model with a focus on gaining insights for the model’s use in a practical setting.
文摘This paper provides an analysis of how the benefits of information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. An analytical model based on the framework of the Gordon-Loeb Model (<span><span><span style="font-family:Verdana;">[1]</span><span></span></span></span><span><span></span></span><span></span><span><span></span></span><span style="font-family:Verdana;"><span style="font-family:Verdana;"><span style="font-family:Verdana;">) is presented that provides a set of sufficient conditions for information segmentation to lower the total investments in cybersecurity and the expected loss from cybersecurity breaches. A numerical example illustrating the insights gained from the model is also presented.</span></span></span>
文摘This paper extends the literature on the economics of sharing cybersecurity information by and among profit-seeking firms by modeling the case where a government agency or department publicly shares unclassified cyber threat information with all organizations. In prior cybersecurity information sharing models a common element was reciprocity—i.e., firms receiving shared information are also asked to share their private cybersecurity information with all other firms (via an information sharing arrangement). In contrast, sharing of unclassified cyber threat intelligence (CTI) by a government agency or department is not based on reciprocal sharing by the recipient organizations. After considering the government’s cost of preparing and disseminating CTI, as well as the benefits to the recipients of the CTI, we provide sufficient conditions for sharing of CTI to result in an increase in social welfare. Under a broad set of general conditions, sharing of CTI will increase social welfare gross of the costs to the government agency or department sharing the information. Thus, if the entity can keep the sharing costs low, sharing cybersecurity information will result in an increase in net social welfare.
文摘Investments in cybersecurity are critical to the national and economic security of a nation. There is, however, a strong tendency for firms in the private sector to underinvest in cybersecurity activities. This paper reports the results of a survey designed to empirically assess whether treating cybersecurity as an important component of a firm’s internal control system for financial reporting purposes serves as a driver for private sector firms to invest in cybersecurity activities. The findings, in this regard, are significantly positive. The study also shows that a firm’s concern over the risk of incurring a large loss due to a cybersecurity breach and the degree the firm treats cybersecurity investments as generating a competitive advantage are drivers of the level of private sector investment in cybersecurity activities. The implications of the empirical results for designing public policies to mitigate the tendency of private sector firms to underinvest in cybersecurity are also explored.