Abstract

Author: Daniel C. Hurley, Jr.
National Telecommunications and Information Administration, USA


Title: Economic Aspects of Data Protection

Abstract: Mr. Hurley’s remarks begin with a description of the Department of Commerce’s role in economic security and its appropriateness as an agency to take on the challenges of critical infrastructure assurance. He discusses the costs of computer crime that companies face and provides examples of recent attacks. In promoting the “business case” for cybersecurity, Mr. Hurley states that there is a “21 percent return on investment for cyber security systems implemented early in network development.” He adds that “The costs of a severe computer attack are likely to be greater than the preemptive investment in a cyber security program would have been.”

To make the “business case,” Mr. Hurley’s comments focus on shareholder value, the benefit of auditing, and the importance of insurance in attaining economic security. He begins with the premise that infrastructure security can have a direct effect on shareholder value. Following the Gordon Growth Model, Mr. Hurley provides an investment analyst view and a CEO view in making the case for early installation of security measures to reduce expenses, increase revenues, and ensure maintenance of shareholder value. Mr. Hurley provides a checklist of ten questions about information security that companies must ask, describes good management practices, and provides a Systems Assurance and Control Model. He also describes the security responsibilities of the Board of Directors, the Audit Committee of the Board, and the company executives.

Mr. Hurley then focuses on the important role of private insurance, which promotes sound security behavior through positive reinforcement (e.g., the availability of coverage and lower premiums). He describes the types of risks that underwriters must manage, and points out that in addition to providing coverage, insurance firms should help prevent loss by aligning themselves with quality security technology companies and by creating a specialized technology security unit within the underwriting firm.

In conclusion, Mr. Hurley states that “Effective information security management and monitoring practices can either be adopted and enforced by management, or they will eventually be mandated by regulation, legislation, lawsuits, and/or insurer requirements. It is clear that those businesses who benefit most from effective security practices will be those early adopters who recognize them as good business practice and build them into the systems and processes as integral business components.”