Investments in cybersecurity are critical to the national and economic security of a nation. There is, however, a strong tendency for firms in the private sector to underinvest in cybersecurity activities. This paper reports the results of a survey designed to empirically assess whether treating cybersecurity as an important component of a firm’s internal control system for financial reporting purposes serves as a driver for private sector firms to invest in cybersecurity activities. The findings, in this regard, are significantly positive. The study also shows that a firm’s concern over the risk of incurring a large loss due to a cybersecurity breach, and the degree to which the firm treats cybersecurity investments as generating a competitive advantage, are drivers of the level of private sector investment in cybersecurity activities. The implications of the empirical results for designing public policies to mitigate the tendency of private sector firms to underinvest in cybersecurity are also explored.