One of the most difficult problems information-assurance managers face is integrating IA into the financial management architecture underlying modern organizations. Because of the lack of centralized, verifiable reporting on information security breaches and their costs, it is impossible to emulate the actuarial statistics common to other forms of loss avoidance such as insurance, preventive maintenance, and healthcare.
Strictly numerical methods such as annualized loss expectancies are of limited value in our field because of uncertain probabilities of occurrence and due to nebulous cost estimates for recovery from events that have not yet occurred in a specific environment.
Readers interested in this subject who can travel to the lovely New England town of Hanover, N.H., at the end of June this year will be able to spend a few days concentrating on a range of topics centering on “risks, decision-making behaviors and metrics for evaluating business and policy options.”
The home page for the 2008 Workshop on the Economics of Information Security continues by asking, “How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?”
This seventh Workshop follows successful events hosted by leading universities in the United States and the United Kingdom from 2002 through 2007. Topics this year include the following (see the program for details including the full titles and the speakers):
* Cyber Policy and Regulation- Risk in Retail Payments- Homogeneous and Heterogeneous User Agents- USB Memory Stick Security- The Disclosure Debate- SOx and Role of the Media- Economics of Covert Community Detection and Hiding
- Identity Theft
- Security Economics and European Policy
* Media Panel: Journalists’ Perspective on Communicating Security
* CISO Panel: Evaluating ad Communicating Information Risk
* Risk Management and Security Investment
- Business-Oriented Management of Information Security
- Productivity Space of Information Security
- Communicating the Economic Value of Security Investments
* Technology and Policy Adoption
- Information Governance
- Digital Rights Management
* Combatting Cybercrime
- Malicious Web sites and the Underground Economy in China
- Botnet Economics
* Cybercrime Panel: Investigating and Prosecuting Cybercrime
* End-to-End Trust
* Disclosure and Firm Valuation
- Information Security Disclosures and Incidents
- Cyber Insurance
* Privacy and Trust
- Transparency in Personal Data Processing
- Distributed Trust
- Competition for Information
The Workshop is hosted this year by the Center for Digital Strategies of the Tuck School of Business at Dartmouth College. The Dartmouth campus is a three-hour drive from Boston (not counting rush hour) and is a two-hour interstate-highway drive from Manchester-Boston Regional Airport (code MHT) in New Hampshire and from the Burlington International Airport (code BTV) in Vermont. Once in New Hampshire or in Vermont, congestion is measured in rush minutes and the scenery is spectacularly lush in mid-summer.
Registration via the Web form is quick and relatively inexpensive. Students and faculty receive substantial discounts. I think many readers will find the event of great value.
I am looking forward to attending the Workshop and I invite readers to come say hello if you see me there!