Lack of information security should have an effect on books

Changing the way cyber security is considered in corporations

Antonio Ramos
I. M. H. O.
Nov 29, 2013


Today, nobody could doubt that information systems are key elements in most organizations and that information is one of their most valuable assets. For this reason, having an adequate level of protection is essential to ensure that organizations meet their corporate goals.

Nevertheless, identifying the optimum level of protection is not trivial, and there is always tension between security functions, which seek higher levels of protection, and business areas, which perceive protection as higher costs and more operational difficulty.

Achieving a balance between them is difficult, not only because of the characteristics of security (for example, it has a random component: even if we do not invest in security, we may never suffer an incident), but also because security is often an externality [i].

This property biases decisions regarding security, because the consequences of insecurity are left out of our considerations. This may sound a bit strange, but it is not. Take data privacy protection: if there were no legislation imposing penalties for violating the confidentiality of personal data, organizations would have no incentive to avoid such violations, because the consequences would be suffered by the owners of the data, not by the organization.

But there is another, even more interesting example. Let's imagine that we are a small enterprise that sells shoes over the Internet. In order to sell, we need an ERP, a web server for the online shop, another server for sharing network resources (printers, files…) and around 30 end-user workstations. We might think that we have only a small probability of suffering an attack aimed at stealing from us (information, money…), but if our infrastructure is not adequately protected, it is possible that:

· Our web server is compromised and used to serve malware that infects everyone who browses our site.

· Someone installs malware [ii] on our users' endpoints to control them remotely (what is called a botnet) and launch attacks against other organizations or, "simply", to send spam.

In this case, we can see that the consequences of insufficient security are suffered by third parties (visitors to our site who are infected, or organizations attacked by the botnet).

For this reason, it is important that lack of security has an effect on the organization itself; in this way, decisions regarding security will be closer to the optimum for the whole system.

So, how could we ensure that security is considered in decision-making by senior business managers? My proposal is that lack of security should have an impact on the books, reducing the value of assets [iii].

If we agree on this, we can observe that:

· Organizations should periodically evaluate the presence of vulnerabilities or threats in their information systems and reduce the value of those assets proportionally (a larger reduction for more severe vulnerabilities).

· This value reduction should also affect the business processes supported by information systems, because it could be argued that vulnerable systems cannot be relied on to generate revenue (an insecure system will be rejected by customers who, for example, will not buy in our online shop).

· Because of the value reduction in the books, business managers could no longer ignore the security level of their systems and, moreover, they would have incentives to protect them, because a vulnerable system would mean lower revenue, affecting the share price and managers' bonuses.

· Security assessments would become much more important than they are today, and audit responsibilities would grow accordingly, improving the quality of this kind of activity.

· Since financial auditors have to express an opinion on the valuation of assets, they would have to add security assessments to their processes and check that information systems do not carry severe security risks (i.e., that the value in the books is consistent with the security level).

In summary, this would be a more suitable scenario for ensuring that organizations protect their information assets and contribute to a higher security level across the whole society in which we live, since we should not forget that information systems are interconnected and the resulting security level is only as strong as the weakest link.

[i] An externality is a situation in which the costs or benefits of producing and/or consuming some good or service are not reflected in its market price. In other words, any activity that makes others better or worse off without the actor paying or being paid for it is an externality. Externalities exist when private costs or benefits are not equal to social costs or benefits.

[ii] A Trojan is a type of malware that presents itself to the user as an apparently legitimate and harmless program but, when executed, gives an attacker remote access to the infected machine.

[iii] For example, in Spain, the Resolution of September 18, 2013 of the Instituto de Contabilidad y Auditoría de Cuentas (accounting and audit institute), which sets standards on the recording and valuation of assets and on the information to be included in annual accounts, contains all the foundations necessary to articulate this proposal.
