Risk and security can no longer be separated, if they ever could. In fact, at some companies, cybersecurity is being moved from its corporate silo into a broader basket of risk management. The argument has been made that Target had the right strategy in neglecting cybersecurity; the hit from being hit, they say, still cost it less than the costs and friction of a proper cybersecurity strategy, which may not have been effective anyway. That view is too cynical for most organizations, but a realistic assessment that puts cybersecurity as just one element in a broad framework of costs, risks, and rewards is surely in order.
We’ll look at a variety of risks that need to be managed, focusing on those introduced by computer systems, mobile devices, IoT, and cloud computing. We’ll also consider the tensions and tradeoffs among security, efficiency, customer satisfaction, and privacy.
Andy Ozment, CISO at Goldman Sachs and formerly head of cybersecurity at DHS, will speak about how government can support business when it comes to cybersecurity, how business can work with government, and what to do when their interests diverge.
According to Arvind Narayanan, you’re not nearly as anonymous as you would like to be. Netflix, for example, went to great lengths to anonymize the Netflix Prize 500,000-subscriber dataset, yet Narayanan and a fellow researcher have shown that an adversary who knows only a little bit about an individual subscriber can easily identify this subscriber’s record in the dataset.
Suzanne Barber is the Director of the Center for Identity at The University of Texas at Austin, which has developed an ID360 Scorecard that helps organizations assess the maturity and risks of their identity management and ability to combat fraud.
Maciej Ceglowski compares data to nuclear waste, which comes in two flavors: extremely radioactive and concentrated, and low-grade waste, such as contaminated topsoil. In data, we have especially sensitive financial and medical records, but also bulky, low-grade but still dangerous data, such as from your fitness tracker, which might reveal that you're having an affair on your lunch hour.
Corporations say that people give up their data because they understand they are getting something for those data. But according to Joseph Turow, “What is really going on is a sense of resignation.” People do not think the trade-off of their data for personalized services, giveaways or discounts is a fair deal, and Turow has some ideas of what a fairer deal would look like.
Arwen P. Mohun, author of the 2013 book, Risk: Negotiating Safety in American Society, says that there have been three stages in the evolution of risk in American society, matching three stages of society itself: the pre-industrial, industrial/manufacturing, and consumer. By studying this progression, we can see the outline of a fourth understanding of risk, one that matches the digital era of cyber-insecurity.