Cybersecurity management, Part 1

* Review of 'Managing Cybersecurity Resources: A Cost-Benefit Analysis'

For younger readers, the expression “over the transom” may not mean much. A transom is (or was) a window placed above a door to improve ventilation; these devices are common in old office or campus buildings that predate widespread installation of built-in air conditioning.

For people in the literary world, a book is described as over-the-transom when it arrives for review from its publisher or author without warning. I receive about a dozen over-the-transom books per year because I write this column, but I review only a few of them because other writers, notably the distinguished security specialist Robert Slade, make a practice of reviewing many security books and do a fine job.

Also, I have a peculiar attitude towards reviewing books that disqualifies me as a _bona fide_ reviewer: I dislike publishing negative reviews. On those occasions where I have not liked a book, I have sent my review to the author in the form of suggestions for the next edition but declined to publish it. On the other hand, I do occasionally like to point out especially good texts that can be useful to readers and to fellow teachers. Today's topic is one such book: _Managing Cybersecurity Resources: A Cost-Benefit Analysis_ by Lawrence A. Gordon & Martin P. Loeb.

According to the book jacket, Gordon “is the Ernst & Young alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland's Smith School of Business. Gordon is one of the world's leading experts and frequent speakers on the subject of cybersecurity economics, capital investments, cost management systems, and performance measures.”

Gordon has a rich Web site with many valuable pointers for readers of this column. Loeb is “a professor of accounting and information assurance” at the same institution and is “also an affiliate professor at the University of Maryland Institute for Advanced Computer Studies [as is Prof Gordon]. Loeb’s research on information security economics, mechanism design, and incentive regulation is internationally recognized and has been published in leading academic journals in economics, computer science, and accounting.” His Web site also has a wide range of valuable information.

The text has the following structure:

1. Introduction

2. A Cost-Benefit Framework for Cybersecurity

3. The Costs and Benefits Related to Cybersecurity Breaches

4. The Right Amount to Spend on Cybersecurity

5. Risk Management and Cybersecurity

6. The Business Case for Cybersecurity

7. Cybersecurity Auditing

8. Cybersecurity's Role in National Security

9. Concluding Comments

Selected Annotated Bibliography

In my next three columns, I will discuss some of the fundamental issues covered by professors Gordon and Loeb in their text.


Copyright © 2006 IDG Communications, Inc.