Cyber Security
Author: Nitesh Khedekar
(1) A rough cut cybersecurity investment using portfolio of security controls with maximum cybersecurity value.
SAWIK, T. and SAWIK, B. (2022) state that their study extends the literature on cybersecurity investment in three significant ways. First, the intuitive idea of 'expected net benefits', originally introduced to compare the expected benefits of a cybersecurity investment with its cost, was applied to introduce the concept of the cybersecurity value of an individual security control. The cybersecurity value of a control is defined as the value gained by implementing a single control to secure a subset of components, and can be seen as a measure of the control's efficiency in reducing the vulnerability of the secured system or component. Second, a simple unconstrained binary program was formulated for a rough-cut optimisation of cybersecurity investment by maximising the total cybersecurity value of the selected security controls. Third, using the optimal solution to the binary program, a simple formula was developed to obtain immediately the portfolio of security controls with maximum total cybersecurity value and to determine a rough-cut cybersecurity investment. The results of the theoretical and computational study show that the portfolio of security controls with maximum total cybersecurity value may best reduce losses from cybersecurity breaches and mitigate the impact of cyber risk. The required cybersecurity investment may be substantial unless the available budget is limited. In future research, the models proposed for risk-neutral decision making can be enhanced for risk-averse optimisation of cybersecurity investment, using Conditional Value-at-Risk as the risk measure and modelling the trade-off between expected and worst-case losses and investments. In the objective functions of the proposed models, the cost of losses from security breaches and the cybersecurity investment are assumed to be equally important; in practice, decision makers may assign different weights to these costs, which may lead to the evaluation of new objective functions in future research.
(2) Material Contract Redactions and Cybersecurity Breaches.
HUGHES, H. et al. (2023) extend the literature on cybersecurity investment in three significant ways. First, the cybersecurity value of a control is defined as the value gained by implementing a single control to secure a subset of components, and can be seen as a measure of its efficiency in reducing the vulnerability of the secured system or component. Second, a simple unconstrained binary program was formulated for a rough-cut optimization of cybersecurity investment by maximizing the total cybersecurity value of the selected security controls. Third, using the optimal solution to the binary program, a simple formula was developed to obtain immediately the portfolio of security controls with maximum total cybersecurity value and to determine a rough-cut cybersecurity investment. In practice, instead of attack scenarios for different threats, scenarios of attacks on different components may be easier to obtain: for example, the probabilities of security breaches for individual components may be available from the observed frequency of breaches even when probabilities for individual threats are not.
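The valuation and selection rule summarised in entries (1) and (2) can be made concrete with a small worked example. The Python below is an added illustration, not code from either paper: it gives each component a breach probability (taken, as entry (2) suggests, from observed breach frequency rather than from per-threat probabilities) and a loss figure, values each control in isolation as expected loss avoided minus its cost, and solves the unconstrained 0/1 program by its closed form (select every control with positive value). The components, controls, effectiveness figures and the additive loss-reduction formula are all assumptions made for this example.

```python
"""Rough-cut security-control portfolio selection (added illustration).

The component list, breach probabilities, loss figures and control
effectiveness values below are constructed for this example; the exact
functional form used by Sawik and Sawik is not reproduced here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    breach_prob: float   # assumed: estimated from observed breach frequency
    loss: float          # assumed: cost of a breach of this component


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    effectiveness: float  # assumed: fraction of vulnerability removed, 0..1
    secures: frozenset    # names of the components this control protects


def expected_loss(components):
    """Expected breach loss of the system with no controls in place."""
    return sum(c.breach_prob * c.loss for c in components)


def cybersecurity_value(control, components):
    """Expected net benefit of implementing ONE control on its own:
    expected loss avoided on the components it secures, minus its cost."""
    by_name = {c.name: c for c in components}
    benefit = sum(by_name[n].breach_prob * by_name[n].loss * control.effectiveness
                  for n in control.secures if n in by_name)
    return benefit - control.cost


def select_portfolio(controls, components):
    """Maximise sum(value_k * x_k) over x_k in {0,1} with no other constraint.
    The objective is separable and unconstrained, so the optimum has the
    closed form x_k = 1 exactly when value_k > 0; the rough-cut investment
    is then the summed cost of the selected controls."""
    values = {k.name: cybersecurity_value(k, components) for k in controls}
    chosen = [k for k in controls if values[k.name] > 0]
    investment = sum(k.cost for k in chosen)
    total_value = sum(values[k.name] for k in chosen)
    return chosen, investment, total_value


# Constructed sample data (not taken from either paper).
COMPONENTS = [
    Component("web-frontend", 0.30, 200_000.0),
    Component("payments-db", 0.10, 900_000.0),
    Component("hr-portal", 0.20, 50_000.0),
]
CONTROLS = [
    Control("waf", 20_000.0, 0.6, frozenset({"web-frontend"})),
    Control("db-encryption", 30_000.0, 0.5, frozenset({"payments-db"})),
    Control("mfa", 15_000.0, 0.4,
            frozenset({"web-frontend", "hr-portal", "payments-db"})),
    Control("hr-pentest", 25_000.0, 0.5, frozenset({"hr-portal"})),
]

if __name__ == "__main__":
    chosen, investment, total = select_portfolio(CONTROLS, COMPONENTS)
    print("baseline expected loss:", expected_loss(COMPONENTS))
    for k in CONTROLS:
        print(f"{k.name:14s} value={cybersecurity_value(k, COMPONENTS):>10.1f}")
    print("selected:", [k.name for k in chosen])
    print("rough-cut investment:", investment, "total value:", total)
```

Because each control is valued in isolation, two controls that protect the same component (here the WAF and MFA on the web front end) have their loss reductions counted independently; that is what makes the program unconstrained and trivially solvable, and also why the resulting investment is only a rough cut rather than a budgeted optimum.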
(3) An Analysis of Impact of a Specialist and Emphasis of Matter Paragraphs on Jurors' Assessments of Auditor's Cybersecurity Attestation.
ANDERSON, J. C. and PEROLS, R. (2023) state that the findings of their study have implications for the practice of cybersecurity attestation services. Regarding the extent to which jurors would hold the CPA responsible for any potential losses resulting from a breach, the use of a specialist had no effect. However, the use of emphasis of matter paragraphs significantly lessened the extent to which jurors perceived that the CPA should be responsible for any potential losses from a breach. Regarding information items indicating potential weaknesses in cybersecurity controls, jurors may perceive these items as sufficiently important that they should have been disclosed by the CPA in emphasis of matter paragraphs. Judgment is required by the CPA to determine whether potential weaknesses rise to the level of importance that requires emphasis of matter paragraphs. The results of this study suggest that CPAs may need to exercise particular care in applying this judgment, with appropriate documentation of the resulting decision. Also, more precise guidance from the AICPA may be needed for CPAs seeking to determine what level of importance would require emphasis of matter paragraphs. Building on Kadoun (2012, 2016), future research could examine whether more precise guidelines for the use of emphasis of matter paragraphs in cybersecurity risk attestation engagements could result in a safe harbor for auditors when faced with a jury verdict. Brasel et al. (2016) found that the disclosure of a critical audit matter that was less foreseeable (overstatement of a client's inventory) reduced auditor liability judgments, whereas an outcome that was more foreseeable (understatement of a client's environmental restoration liability) did not.
Their results showed that the use of emphasis of matter paragraphs lessened the extent to which jurors perceived that the CPA should be responsible for any potential losses from the cybersecurity controls not being effective. Cybersecurity breaches may vary in their foreseeability. Future research could examine whether the use of emphasis of matter paragraphs becomes increasingly important as some types of breaches become less foreseeable.
(4) Defining Cyber Security and Cyber Security Risk within a Multidisciplinary Context using Expert Elicitation.
CAINS, M. G. et al. (2022) state that terminology standardization facilitates efficient communication. The results of their research suggest that there is a communication gap across disciplines which can be partially bridged by developing and applying standardized language. The potential benefits of standardizing terminology include more effective laws and policies. Despite the aforementioned challenges of qualitative data and thematic analysis, this research is the first known effort to determine a cross-disciplinary working definition of cyber security and cyber security risk. While similarities can be drawn between the composite definitions and the National Initiative for Cybersecurity Careers and Studies definitions of cyber security and risk, visual analysis of the thematic maps highlights both the disparate and the recurrent themes that make cyber security and cyber security risk complex concepts.
Additionally, the third-order themes emphasize the diversity of thought across the disciplines conducting cyber security and cyber security risk research, and the ubiquity of fundamental concepts (e.g., the CIA triad of confidentiality, integrity and availability). The number of third-order themes also illustrates that the definitions of cyber security and cyber security risk cannot be distilled down to a single concept. The third-order themes also reflect cultural differences between the two sectors studied, academia and the Army Research Laboratory (ARL). Academic culture pushes the researcher toward analysis and consideration of context, whereas the cultural focus of applied cyber security specialists is on protection against constant and dynamic threats throughout the network. Given the necessary collaboration across these sectors, it is all the more important for common definitions to encompass the use of these terms within both.
We argue that:
- The current definitions of cyber security and cyber security risk are inadequate due to the lack of inclusion of human factors,
- No standardized cyber security terminology exists across disciplines, and
- Communication to develop interdisciplinary definitions for cyber security and cyber security risk is lacking.
Given the multidisciplinary nature of cyber security and the complexities associated with quantifying and managing cyber risk, it is important that researchers from collaborating fields share a common understanding of what is meant by cyber security and cyber security risk. This common understanding can help move cyber security from a multidisciplinary effort to a truly interdisciplinary domain.
(5) Deep learning algorithms for cyber security applications: A survey.
LI, G. et al. (2021) state that deep learning produces better results and offers more possible solutions when used to deal with cyber security issues, drawing on knowledge from the study of the human brain, statistics and applied mathematics. Their survey compares deep learning methods with traditional machine learning methods in malware detection, and the results show that the deep learning methods achieve better accuracy. Deep learning also offers different solutions for intrusion detection and privacy leakage.
At the same time, applying deep learning to cyber security raises new problems, such as labelling the large amount of sample data that deep learning requires, balancing training time against recognition accuracy, and selecting the model and its parameters.
(6) Balancing cybersecurity in a supply chain under direct and indirect cyber risks.
SAWIK, T. (2022) states that this paper discusses the importance of cybersecurity in global supply chains and presents a stochastic programming formulation for optimizing cybersecurity investments. It aims to balance direct and indirect cyber risks in a multi-tier supply chain by selecting security controls. Key elements include the use of minmax and maximin objectives, a network transformation, and the linearization of nonlinear constraints. The study extends previous research by considering both direct and propagated cyber risks. The proposed integrated model aims to minimize the breach probability or loss at supply chain nodes and provides decision-making insights. The literature review highlights previous studies on cybersecurity investment and risk management in supply chains, and points out the need for more sophisticated optimization tools to address the cybersecurity challenges of multi-tier supply chain networks. The problem is described in terms of supply chain nodes, security controls, implementation levels, vulnerability, breach probability and loss costs. An exponential function is used to model the reduction of vulnerability (and hence breach probability) as controls are implemented, and cybersecurity investment is necessary to implement the security controls. The paper presents a comprehensive framework for optimizing cybersecurity investments in supply chains and highlights the importance of considering both direct and indirect cyber risks in decision making to protect critical assets and mitigate potential disruptions.
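As an added worked example (not the paper's own model or code), the Python below shows how direct and propagated breach probabilities interact in a small three-tier chain and how a minmax control portfolio is chosen under a budget. The chain, the numbers, the exponential form v_i = v_i0 * exp(-sum_k a_k x_ik) for a node's vulnerability after controls, the independence assumption used to combine direct and propagated risk, and the 0.5 propagation probability are all assumptions for illustration; the paper's formulation linearises its nonlinear constraints for a solver, whereas this example simply enumerates every plan of a tiny instance.

```python
"""Direct vs. propagated cyber risk in a multi-tier supply chain (added example).

Assumed model, not Sawik's: a node is breached either by a direct attack on
itself or because a breached upstream supplier propagates the compromise.
Vulnerability after controls falls exponentially with implementation level.
"""
import itertools
import math

# Constructed sample chain: two tier-2 suppliers feed an assembler (tier 1),
# which feeds the OEM.  name: (base vulnerability v0, direct-attack probability)
NODES = {
    "chip-vendor": (0.8, 0.5),
    "firmware-vendor": (0.7, 0.4),
    "assembler": (0.6, 0.3),
    "oem": (0.5, 0.2),
}
UPSTREAM = {                       # edges along which a breach propagates downstream
    "assembler": ["chip-vendor", "firmware-vendor"],
    "oem": ["assembler"],
}
PROPAGATION = 0.5                  # assumed P(breached supplier compromises its customer)
CONTROLS = {                       # name: (cost per implementation level, reduction rate a_k)
    "patching": (10.0, 0.7),
    "segmentation": (15.0, 1.0),
}
LEVELS = (0, 1, 2)                 # implementation levels available per control
ZERO_PLAN = {n: {k: 0 for k in CONTROLS} for n in NODES}


def direct_breach_prob(node, levels):
    """P(breach by direct attack) = attack probability * vulnerability after controls,
    with vulnerability v0 * exp(-sum_k a_k * level_k)."""
    v0, threat = NODES[node]
    exponent = sum(CONTROLS[k][1] * lvl for k, lvl in levels.items())
    return threat * v0 * math.exp(-exponent)


def total_breach_prob(node, plan, memo=None):
    """P(breach) combining direct risk with risk propagated from upstream nodes.
    Assumed independence: the node survives only if it escapes the direct
    attack and every propagated breach from its suppliers."""
    memo = {} if memo is None else memo
    if node in memo:
        return memo[node]
    survive = 1.0 - direct_breach_prob(node, plan[node])
    for up in UPSTREAM.get(node, []):
        survive *= 1.0 - PROPAGATION * total_breach_prob(up, plan, memo)
    memo[node] = 1.0 - survive
    return memo[node]


def plan_cost(plan):
    """Total investment: cost per level times chosen level, summed over the chain."""
    return sum(CONTROLS[k][0] * lvl for lv in plan.values() for k, lvl in lv.items())


def minmax_plan(budget):
    """Enumerate every assignment of control levels to nodes (9^4 plans here)
    and return (worst breach probability, plan) for the feasible plan that
    minimises the worst-case breach probability across all nodes."""
    nodes = list(NODES)
    per_node = [dict(zip(CONTROLS, combo))
                for combo in itertools.product(LEVELS, repeat=len(CONTROLS))]
    best = None
    for choice in itertools.product(per_node, repeat=len(nodes)):
        plan = dict(zip(nodes, choice))
        if plan_cost(plan) > budget:
            continue
        memo = {}
        worst = max(total_breach_prob(n, plan, memo) for n in nodes)
        if best is None or worst < best[0]:
            best = (worst, plan)
    return best


if __name__ == "__main__":
    for budget in (0, 50, 100):
        worst, plan = minmax_plan(budget)
        print(f"budget {budget:>3}: worst-case breach prob {worst:.3f}, cost {plan_cost(plan):.0f}")
        for n in NODES:
            print(f"   {n:16s} levels={plan[n]} P(breach)={total_breach_prob(n, plan):.3f}")
```

With no investment the assembler, not the OEM, is the worst node (about 0.436), because it inherits propagated risk from two upstream suppliers; a minmax objective therefore tends to spend budget upstream, which is the indirect-risk effect the paper argues a single-tier model misses.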
(7) Accountants, Cybersecurity Isn’t Just for “Techies”: Incorporating Cybersecurity into the Accounting Curriculum.
BOSS, S. et al. (2022) state that these cases present instructors and students with an easy, effective and interesting way to introduce the oft-neglected but very important topic of cybersecurity into accounting curricula in all sub-disciplines and at all levels. As cybersecurity increasingly affects accounting and disclosure issues and financial statement quality, it is essential that accounting students are exposed to these concepts as early and as often as possible. The cases can be used in both undergraduate and graduate courses throughout the accounting curriculum. The authors have identified cases for financial reporting, managerial accounting, financial audit and tax classes; however, many of the cases are appropriate for several levels and/or topics of instruction depending on the discussion questions used.
(8) That’s interesting: An examination of interest theory and self‐determination in organisational cybersecurity training.
KAM, H. et al. (2022) state that organisations have consistently been at risk of attacks on their information assets, and that the shortage of employees trained in cybersecurity skills exacerbates this problem. Their study examines the interplay between situational motivational determinants (perceived skill competency, perceived learning autonomy and perceived relatedness) and interest in cybersecurity training, to understand better how the future cybersecurity workforce may be cultivated. They empirically establish that situational interest (SI) can be cultivated in a training environment that fosters the key situational motivational determinants: feelings of competency, autonomy and relatedness to the training. Furthermore, their findings highlight how organisations can help facilitate employee interest and motivation, which may lead to a more robust workforce and ultimately a safer environment for organisational information assets.
(9) Zero Trust and Industry's Role in Growing Cybersecurity Solutions.
WOODY, C. and MORROW, T. (2023) state that applying a Zero Trust strategy to enterprises is an effective way to reduce cybersecurity risks. The remaining challenge is determining how to implement the strategy in a way that supports organizations' missions, time frames, technical competencies and risk tolerances. Current guidance lacks the specificity required for organizations to implement the strategy on their own.
Still, organizations cannot acquire ready-made, commercially available Zero Trust solutions that fully meet their needs. Vendors must collaborate to integrate their offerings and create more comprehensive solutions. This integration cannot be accomplished only with other vendors; they must also continue collaborating with government organizations to understand their unique challenges. The views expressed in the article are those of the authors alone and not those of the Department of Defense.
WOODY is a principal researcher in the CERT Division of the Software Engineering Institute. Her research interests focus on cybersecurity engineering for complex, software-reliant systems. She is a published coauthor on software engineering and led a research effort to develop the CERT Cybersecurity Engineering and Software Assurance Professional Certificate. Woody holds a Ph.D. in Information Science from Nova Southeastern University, an M.B.A. from Wake Forest University, and a B.S. in Mathematics from William and Mary.
(10) Firm Use of Cybersecurity Risk Disclosures.
JIANG, W. et al. (2022) examine firms' use of cybersecurity risk disclosures following a cybersecurity breach event. Given increased cybersecurity attention and uncertainty, their study underscores the importance of cybersecurity disclosures in reducing cybersecurity-related information asymmetry between managers and external stakeholders. They note that not all breached firms change their disclosure behaviour in the same way following a breach. Their results suggest that, on average, firms provide additional cybersecurity disclosures after both initial and subsequent breaches; that is, after a firm has been breached once, the next breach is also associated with the firm providing additional cybersecurity disclosures. They further find that breached firms with a negative market reaction in the period surrounding a breach provide additional cybersecurity disclosures after both initial and subsequent breach events, possibly reflecting an attempt to mitigate negative shareholder perceptions. Collectively, their results suggest that firms provide additional cybersecurity disclosures both within Item 1A and in other sections of the 10-K following a breach event.
As in all studies, theirs has limitations that provide opportunities for future research. First, their breach sample ends before the issuance of updated cybersecurity disclosure guidance. The updated guidance suggests that cybersecurity risks from intra-firm operations and outsourced functions, in addition to cybersecurity-related risks that could remain undetected for extended periods of time, should be discussed in Item 1A. Second, they cannot speak to whether the cybersecurity risk disclosures provided reach the optimal level intended by regulators; they do not address the quality of the disclosures made and only note that additional disclosure is being provided. Future research can examine the role of the updated guidance on the provision and quality of cybersecurity disclosures following a breach. Additionally, the study examines only breaches of U.S. firms, which face high per-breach costs; in jurisdictions with reduced litigation or cybersecurity costs, firms could be more willing to disclose cybersecurity risks. Future research can examine whether the use of cybersecurity risk disclosures depends on the extent of jurisdictional regulatory guidance.
CONCLUSION:
In the ever-evolving landscape of digital technology, cyber security stands as an indispensable safeguard against a myriad of threats that constantly endanger our digital assets, privacy, and even physical safety. As our reliance on interconnected systems, cloud services, and IoT devices continues to deepen, the stakes of cyber security have never been higher. Cyber-attacks, ranging from simple phishing scams to sophisticated nation-state-sponsored espionage, pose significant risks to individuals, businesses, and even entire nations.
A robust cyber security strategy must be comprehensive, adaptive, and proactive. It entails deploying state-of-the-art technical solutions such as firewalls, intrusion detection systems, encryption, and advanced threat intelligence. However, technology alone is not sufficient. Effective cyber security also requires a culture of awareness and responsibility across all levels of an organization. From the C-suite to front-line employees, everyone must understand the risks and best practices for protecting sensitive data and systems.
Moreover, collaboration and information sharing among organizations, government agencies, and security professionals are paramount. Cyber criminals often exploit vulnerabilities that transcend individual organizations or borders. By pooling resources, sharing threat intelligence, and collaborating on defense strategies, we can collectively enhance our cyber resilience.
Education and training are also essential components of cyber security. Continual learning and skill development ensure that security professionals are equipped to counter emerging threats effectively. Likewise, educating end-users about common attack vectors, such as phishing and social engineering, can help prevent successful intrusions.
In conclusion, cyber security is not a one-time investment or a static solution; it is an ongoing journey that requires constant vigilance, adaptation, and collaboration. By embracing a holistic approach to cyber security, leveraging advanced technologies, fostering a culture of security awareness, and promoting collaboration, we can better protect our digital assets and mitigate the ever-evolving threats in the cyber realm.
REFERENCES
ANDERSON, J. C.; PEROLS, R. An Analysis of Impact of a Specialist and Emphasis of Matter Paragraphs on Jurors' Assessments of Auditor's Cybersecurity Attestation. Journal of Business & Accounting, [s. l.], v. 16, n. 1, p. 3–16, 2023. Available at: https://research.ebsco.com/linkprocessor/plink?id=b9e99604-de2f-36ce-af2e-b3a652dec337. Accessed: 22 Feb. 2024.
BOSS, S. R.; GRAY, J.; JANVRIN, D. J. Accountants, Cybersecurity Isn't Just for "Techies": Incorporating Cybersecurity into the Accounting Curriculum. Issues in Accounting Education, [s. l.], v. 37, n. 3, p. 73–89, 2022. DOI 10.2308/ISSUES-2021-001. Available at: https://research.ebsco.com/linkprocessor/plink?id=0d7de195-44d2-3e1a-8cef-cc63773ffa3b. Accessed: 25 Feb. 2024.
CAINS, M. G. et al. Defining Cyber Security and Cyber Security Risk within a Multidisciplinary Context using Expert Elicitation. Risk Analysis: An International Journal, [s. l.], v. 42, n. 8, p. 1643–1669, 2022. DOI 10.1111/risa.13687. Available at: https://research.ebsco.com/linkprocessor/plink?id=d0002495-1975-3f27-8c1f-716ffa38a390. Accessed: 23 Feb. 2024.
HUGHES, H. et al. Material Contract Redactions and Cybersecurity Breaches. Accounting Horizons, [s. l.], v. 37, n. 3, p. 193–219, 2023. DOI 10.2308/horizons-2020-166. Available at: https://research.ebsco.com/linkprocessor/plink?id=8ae980d7-170d-3a78-b00f-4b569b91d923. Accessed: 22 Feb. 2024.
JIANG, W. et al. Firm Use of Cybersecurity Risk Disclosures. Journal of Information Systems, [s. l.], v. 36, n. 1, p. 151–180, 2022. DOI 10.2308/ISYS-2020-067. Available at: https://research.ebsco.com/linkprocessor/plink?id=6bc3c31d-fb43-31b6-86ea-db86f3ef42e6. Accessed: 25 Feb. 2024.
KAM, H. et al. That's interesting: An examination of interest theory and self-determination in organisational cybersecurity training. Information Systems Journal, [s. l.], v. 32, n. 4, p. 888–926, 2022. DOI 10.1111/isj.12374. Available at: https://research.ebsco.com/linkprocessor/plink?id=46dc92fd-e876-3ee3-881b-c03c072c7c19. Accessed: 25 Feb. 2024.
LI, G. et al. Deep learning algorithms for cyber security applications: A survey. Journal of Computer Security, [s. l.], v. 29, n. 5, p. 447–471, 2021. DOI 10.3233/JCS-200095. Available at: https://research.ebsco.com/linkprocessor/plink?id=0a90c06b-e660-372a-b5a5-1d36e92ca79d. Accessed: 23 Feb. 2024.
SAWIK, T.; SAWIK, B. A rough cut cybersecurity investment using portfolio of security controls with maximum cybersecurity value. International Journal of Production Research, [s. l.], v. 60, n. 21, p. 6556–6572, 2022. DOI 10.1080/00207543.2021.1994166. Available at: https://research.ebsco.com/linkprocessor/plink?id=1e9c5b11-6f80-30e8-aa4a-4285f4f9d7a5. Accessed: 20 Feb. 2024.
SAWIK, T. Balancing cybersecurity in a supply chain under direct and indirect cyber risks. International Journal of Production Research, [s. l.], v. 60, n. 2, p. 766–782, 2022. DOI 10.1080/00207543.2021.1914356. Available at: https://research.ebsco.com/linkprocessor/plink?id=cb6529e0-0391-3dd7-951b-b0566b1b80cf. Accessed: 25 Feb. 2024.
WOODY, C. S.; MORROW, T. B. Zero Trust and Industry's Role in Growing Cybersecurity Solutions. Defense Acquisition, [s. l.], v. 52, n. 2, p. 20–25, 2023. Available at: https://research.ebsco.com/linkprocessor/plink?id=d63962a7-cce4-3701-9ea7-d965e4a7eed9. Accessed: 25 Feb. 2024.