Managing Cybersecurity Resources: A Cost-Benefit Analysis (The McGraw-Hill Homeland Security Series) [Hardcover]

Lawrence Gordon, Martin Loeb
4.0 out of 5 stars (1 customer review)
Price: ¥3,510. Free standard shipping.


Product description

Description

Breaches in cybersecurity are on the rise. Between 1998 and 2003, reported cybersecurity incidents increased over thirty-fold. Well-publicized information security breaches have made cybersecurity a critical and timely topic for the general public, as well as for corporations, not-for-profit organizations and the government. As a result, organizations need to be able to make the business case for spending the right amount on cybersecurity. They also need to know how to efficiently allocate these funds to specific cybersecurity activities. Managing Cybersecurity Resources is the first book to specifically focus on providing a framework for understanding how to use economic and financial management tools in helping to address these important issues. The McGraw-Hill Homeland Security Series draws on frontline government, military, and business experts to detail what individuals and businesses can and must do to understand and move forward in this challenging new environment. Books in this timely and noteworthy series will cover everything from the balance between freedom and safety to strategies for protection of intellectual, business, and personal property to structures and goals of terrorist groups including Al-Qaeda.

About the authors

Lawrence A. Gordon, Ph.D., is the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland's Smith School of Business. Gordon is one of the world's leading experts and a frequent speaker on the subjects of cybersecurity economics, capital investments, cost management systems and performance measures. He is also the Editor-in-Chief of the Journal of Accounting and Public Policy.

Martin P. Loeb, Ph.D., a professor of accounting and information assurance at the University of Maryland's Robert H. Smith School of Business, is also an affiliate professor at the University of Maryland Institute for Advanced Computer Studies. Loeb's research on information security economics, mechanism design, and incentive regulation is internationally recognized, and has been published in leading academic journals in economics, computer science, and accounting.


Product details

  • Hardcover: 224 pages
  • Publisher: McGraw-Hill; 1st edition (2005/9/28)
  • Language: English
  • ISBN-10: 0071452850
  • ISBN-13: 978-0071452854
  • Release date: 2005/9/28
  • Product dimensions: 24 x 15.7 x 2.3 cm
  • Average customer review: 4.0 out of 5 stars (1 customer review)
  • Amazon Bestsellers Rank: 279,575 in Foreign Books

 

 

Customer reviews

Most helpful customer review
By willow
Format: Hardcover
It is written on the assumption that the reader is not strong in economics, and it clearly sets out what an IT department has to think about and how to think about it. The samples that use worked examples and tables are especially useful. I picked this book up for a class, but I ended up reading it to the end. However, since it is an introductory book, it does not go into depth. I also think the content will be obvious to people in economics or accounting. I recommend it to beginners who belong to an IT department and have found themselves in a position where they must think about accounting matters.
Most helpful customer reviews on Amazon.com (beta)
Amazon.com: 4 customer reviews
9 of 9 people found the following review helpful.
Managing Cybersecurity Resources: A Cost-Benefit Analysis 2005/11/23
By Joseph Aharony - (Amazon.com)
Format: Hardcover
Managing Cybersecurity Resources: A Cost-Benefit Analysis is excellent! Information security practitioners will appreciate the insightful economic analysis on how to determine the right amount to spend on cybersecurity projects and how to prepare a business case to justify such projects. I especially liked the chapter on risk that included perspectives and analysis not found in any other information security books. The book discusses many topics (for example, economics of cybersecurity and its role in national security) in a manner that novice and expert alike will find appealing. It's clear that the authors, chaired professors from a top business school and pioneers in cybersecurity economics, have a strong understanding of the security environment along with great technical skills. Of more importance is their intuitive understanding of problems in the cybersecurity trenches. Policy makers, CISOs, CFOs, and managers at all levels should find enormous value in this book. While at times I wish the authors would not have condensed their discussion, the good news is that they have left some important issues for a follow-up book. I am recommending this book to co-workers and friends.
5 of 5 people found the following review helpful.
An excellent economic analysis of cybersecurity investments 2006/2/7
By Krishnamurthy Surysekar - (Amazon.com)
Format: Hardcover
This book is very timely and extremely useful as a tool for key decision-makers in organizations - Chief Technology Officers, Information System Managers, and general managers, including CEOs, as well as academics. How do you allocate scarce resources to increasing cybersecurity, in the context of other competing claims? Professors Gordon and Loeb provide a solid economic framework to do this. They bring their decades of experience researching and teaching about a cost-benefit approach to managerial decisions to the table, in the context of cybersecurity investments.

What I like about the book is its appeal to practitioners and academics alike. There is a nice section on developing a business case for cybersecurity investments. Empirical evidence to support their arguments is provided throughout the book. Complex ideas like real options and cybersecurity investments are nicely explained with simple and insightful examples.

Overall, whether you are a manager making or evaluating the case for cybersecurity investments, or teaching in this area, this book is a must-read.
5 of 6 people found the following review helpful.
An excellent book with only one major flaw 2007/8/10
By Richard Bejtlich - (Amazon.com)
Format: Hardcover
Managing Cybersecurity Resources (MCR) is an excellent book. I devoured it in one sitting on a weather-extended flight from Washington-Dulles to Boston. MCR teaches security professionals how to think properly about making security resource allocation decisions by properly defining terms, concepts, and models. The only problem I have with MCR is the reason I subtracted one star: its recommended strategy, cost-benefit analysis, relies upon estimated probabilities of loss and cost savings that are unavailable to practically every security manager. Without these figures, constructing cost-benefit equations as recommended by MCR is impossible in practice. Nevertheless, I still strongly recommend reading this unique and powerful book.

My favorite aspect of MCR is its explanation of economics and finance terms to the security audience. I felt like applauding when I read on p 47 "[M]any managers... are merely calling the IRR an ROI or ROSI (return on security investment). Given that the concepts of "return on investment" and "internal rate of return" are well established in the accounting, finance, and economics literature, as well as among nearly all senior financial managers (e.g., CFOs), security managers should be careful how they use these terms. Indeed, misusing these terms can only lead to problems for the security manager." (See p 45 for a comparison of ROI, IRR, and NPV.)

In a similar fashion, MCR explains what a "return" is for security on p 21: "The benefits associated with cybersecurity activities are derived from the cost savings (often called cost avoidance) that result from preventing cybersecurity breaches. These benefits are difficult, and often impossible, to predict with any degree of accuracy. Moreover, since the actual benefits are conceptually the cost savings associated with potential security breaches that did not occur, it is not possible to measure these benefits precisely after the security investments are made."

What of "investment"? Pp 28-30 say: "[O]rganizations tend to treat the bulk of their cybersecurity expenditures as operating costs and charge them to the period in which they are incurred," unlike capital investments, which "represent assets of an organization that should appear on the organization's balance sheet." The authors recommend us to "view all costs related to cybersecurity activities... as capital investments with varying time horizons."

So what is a cost? P 5 says "The cost of information security is essentially a negative network externality associated with the Internet... [It] arises when malevolent individuals and organizations [which the authors properly label "threats" on p 12] join the network, thereby imposing costs on all well-intentioned users. These costs take the form of losses caused by actual security breaches plus the cost of actions... designed to prevent such breaches."

P 30 wisely states "[N]o amount of security can guarantee that breaches will not occur... The goal of the organization should be to implement security procedures up to the point where the benefits minus the costs are at a maximum." The footnote on p 31 continues with "An alternative way to view this discussion is to think of the goal as one of trying to minimize the sum of the costs associated with cybersecurity activities and the costs associated with breaches... the optimal level of cybersecurity for an organization would be the same under the cost minimization goal as it would be if the organization were to maximize the net benefits." I think most managers prefer to think in terms of cost minimization, which is prevalent throughout IT.

Costs are dissected on pp 56-58: "The direct costs of cybersecurity breaches are those costs that can be clearly linked to specific breaches... the indirect costs of cybersecurity breaches cannot be linked... Explicit costs of cybersecurity breaches are those costs of breaches that can be measured in an unambiguous manner... implicit costs are opportunity costs (i.e., costs associated with lost opportunities), which cannot be measured without ambiguity... the benefits derived from spending funds on cybersecurity activities come largely from the cost savings derived by avoiding the implicit costs of breaches."

Page 63 explains why companies have "Chief Privacy Officers" and the like, even though preserving privacy is the confidentiality aspect of the CIA triad and could be a CISO responsibility: "The findings from our study show that, on average, information breaches that compromise confidentiality do have a significant negative impact on the stock market value of corporations experiencing breaches. Indeed, the average decline in the firm's stock market value... was approximately 5 percent."

So far so good, right? The major flaw with MCR arrives in ch 4, on p 68: "The variables affecting potential cost savings include (1) the potential losses associated with information security breaches, (2) the probability that a particular breach will occur, and (3) the productivity associated with specific investments, which translates into a reduction in the probability of potential losses." This is true -- but this is the key problem: devising even rough estimates of 1, 2, and 3 is nearly impossible in practice. The authors' examples (see figure 4-2 for one) assume these factors can be determined (like $10 mil total potential loss without countermeasures, 75% probability of loss with no countermeasures / 50% with $650,000 of countermeasures, and so on). When I saw these contrived examples I wondered "what is the origin of these figures?" The fact of the matter is that they are all guesswork, which means the calculator can say anything the analyst wishes to produce.

In some sense we are back to square one, although much better educated in economics. (Note that Andy Jaquith's book Security Metrics also observes how calculating these figures is nearly impossible in real life.)

Because MCR is so right in all of its other discussions, the book deserves 4 stars. A proper acceptance of the difficulty or impossibility of determining 1, 2, and 3 might have resulted in 5 stars. Perhaps a second edition will address these concerns?

PS: I would be remiss to not quote the authors' exceptional insights into the problems with security auditing. P 132 says "[T]he checklist approach tends to shift attention away from the cost-benefit aspects of such security. That is, the checklist approach usually assumes that conducting a particular procedure is inherently worth doing." P 137 hits the nail on the head: "[F]or some firms, it is quite possible that the costs of cybersecurity auditing will exceed the benefits. If this were to occur, then cybersecurity auditing would in effect decrease the firm's value." Amen.
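The review above quotes the book's three cost-benefit variables (potential loss, breach probability, and the probability reduction an investment buys) and the figures from its worked example: a $10 million potential loss, a 75% probability of loss with no countermeasures, and 50% with $650,000 of countermeasures. The Python below is an added example, not code from the page, the reviewer or the book. It puts that arithmetic in one place: net benefit as expected-loss reduction minus cost, the equivalent cost-minimisation view from the p 31 footnote (both views pick the same option), and a break-even check that makes the reviewer's objection concrete: the decision flips sign on a modest change in the guessed post-investment probability. The expected-loss model (loss multiplied by probability) is the standard one and is not a reproduction of the book's figure 4-2; the third "gold-plated" option and the probability estimates in the sensitivity sweep are constructed for illustration.

```python
"""Cost-benefit arithmetic for a cybersecurity investment decision.

Model (assumption, standard expected-loss form, not the book's exact figure 4-2):
    expected_loss   = potential_loss * p_breach
    net_benefit     = (expected_loss_without - expected_loss_with) - cost
    total_cost      = cost + expected_loss_with
Maximising net_benefit and minimising total_cost select the same option,
because expected_loss_without is a constant that does not depend on the option.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float       # (3) money spent; its "productivity" is the probability reduction it buys
    p_breach: float   # (2) estimated probability of loss once it is in place


def expected_loss(potential_loss: float, p_breach: float) -> float:
    """(1) potential loss weighted by (2) the probability it materialises."""
    return potential_loss * p_breach


def net_benefit(potential_loss: float, p_without: float, cm: Countermeasure) -> float:
    """Cost savings (avoided expected loss) minus what the countermeasure costs."""
    savings = expected_loss(potential_loss, p_without) - expected_loss(potential_loss, cm.p_breach)
    return savings - cm.cost


def total_cost(potential_loss: float, cm: Countermeasure) -> float:
    """The p 31 footnote's alternative: spend on security plus expected breach cost."""
    return cm.cost + expected_loss(potential_loss, cm.p_breach)


def break_even_probability(potential_loss: float, p_without: float, cost: float) -> float:
    """Post-investment breach probability at which net benefit is exactly zero.

    If the true probability after investing is above this value, the spend is net-negative.
    """
    return p_without - cost / potential_loss


def choose(potential_loss: float, p_without: float, options: Iterable[Countermeasure]) -> Tuple[str, str]:
    """Return (name chosen by benefit maximisation, name chosen by cost minimisation)."""
    opts: List[Countermeasure] = list(options)
    best_by_benefit = max(opts, key=lambda cm: net_benefit(potential_loss, p_without, cm))
    best_by_cost = min(opts, key=lambda cm: total_cost(potential_loss, cm))
    return best_by_benefit.name, best_by_cost.name


def sensitivity(potential_loss: float, p_without: float, cm: Countermeasure,
                p_with_estimates: Iterable[float]) -> Dict[float, float]:
    """Net benefit of the same spend under alternative guesses of the post-investment probability."""
    return {p: net_benefit(potential_loss, p_without, Countermeasure(cm.name, cm.cost, p))
            for p in p_with_estimates}


# Figures the reviewer quotes from the book's example.
LOSS = 10_000_000.0   # (1) total potential loss without countermeasures
P_WITHOUT = 0.75      # (2) probability of loss with no countermeasures

# Candidate options. "none" is the do-nothing baseline; "gold-plated" is constructed here.
OPTIONS = [
    Countermeasure("none", 0.0, P_WITHOUT),
    Countermeasure("reviewer's example", 650_000.0, 0.50),
    Countermeasure("gold-plated (constructed)", 3_000_000.0, 0.40),
]

# Constructed alternative guesses for the post-investment probability of the $650,000 option.
ALTERNATIVE_ESTIMATES = (0.50, 0.60, 0.70)


if __name__ == "__main__":
    for cm in OPTIONS:
        print(f"{cm.name:28s} net benefit ${net_benefit(LOSS, P_WITHOUT, cm):>14,.0f}"
              f"   total cost ${total_cost(LOSS, cm):>14,.0f}")
    print("chosen (max benefit, min cost):", choose(LOSS, P_WITHOUT, OPTIONS))
    be = break_even_probability(LOSS, P_WITHOUT, OPTIONS[1].cost)
    print(f"break-even post-investment probability for the $650,000 spend: {be:.3f}")
    for p, nb in sensitivity(LOSS, P_WITHOUT, OPTIONS[1], ALTERNATIVE_ESTIMATES).items():
        print(f"  if the spend only brings probability down to {p:.2f}: net benefit ${nb:>12,.0f}")
```

With the quoted figures the $650,000 option yields a net benefit of $1,850,000 and is also the total-cost minimiser, so the two framings agree as the footnote says. The break-even value of 0.685 is the practical point: an analyst who guesses 0.70 instead of 0.50 for the post-investment probability turns the same spend into a loss of $150,000, which is the reviewer's "the calculator can say anything the analyst wishes" in numbers.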