World Class Faculty & Research / January 14, 2025

Vigilance, Resilience, Flexibility as Keys to Countering Evolving Cyber Threats

Globally Leading Experts Gather at UMD for Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective

Experts from the Smith School of Business and School of Public Policy convened for the 20th Financial Information Systems and Cybersecurity Forum, addressing cyber risk management through vigilance, resilience, and flexibility amid evolving threats and emerging technologies.

Various emerging technologies (from cloud and edge computing and applied AI to virtual reality and blockchain) increasingly complicate cyber risk management. And intensifying this dynamic are “risk entanglement,” the “interconnectedness (‘not Internet’) of things” and, more simply, bad actors.

Consequently, “the future of cyber risk management depends on three things: vigilance, resilience and flexibility,” said Smith’s Clifford Rossi in summing up a recent presentation to an international gathering of experts from academia, business and government for the 20th annual “Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective.”

Rossi, director of the Smith Enterprise Risk Consortium (SERC), was delivering the Ira Shapiro Memorial Lecture as part of the forum co-hosted on January 8, 2025, by the University of Maryland's Robert H. Smith School of Business and School of Public Policy and directed by professors Lawrence A. Gordon, Charles Harry, Martin P. Loeb and William Lucyshyn.

Attendees of the forum included representatives from the World Bank, the Federal Reserve Bank, the U.S. Securities and Exchange Commission, University of Michigan, National Taiwan University, University of Tokyo, The Ohio State University, Rutgers University, General Dynamics and Verizon.

“Though 20 years running, today’s forum freshly reinforced its mission to spur learning and idea-sharing among a diverse group of practitioners and researchers,” said Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance, who co-founded the series with Lucyshyn and Loeb, newly retired professor of accounting and information assurance. (Gordon and Loeb co-developed the seminal Gordon-Loeb Model for Cybersecurity Investments.)

“My role has been especially rewarding,” said Loeb. “The forum positioned the Smith School and the School of Public Policy to lead the university in increasing cross-disciplinary research on challenges associated with financial and public policy aspects of cybersecurity.” 

In Rossi’s Shapiro lecture, he defined resilience as “an organization investing in and deploying emerging technologies to help ensure it stays abreast of innovations that can pose new cyber threats.” Smaller organizations with limited resources, he added, “will need to tap support networks—the likes of universities, trade associations and consortiums.”

But any organization should “conduct simulations, scenarios and wargaming exercises on potential emerging cyber threats across the enterprise and leverage these practices as part of a holistic cyber threat deterrent toolkit.”

Regarding “vigilance,” approach it, Rossi said, in terms of “continuous focus on three pillars: identify, measure and manage-mitigate.”

And “flexibility,” he said, hinges on organizations “remaining pliable and ready to adopt new strategies, techniques and controls quickly.” He added: “The pace of technological change and cyber threat evolution demands a strike force mentality among the risk community that a single attack threatens the integrity of the enterprise and as such maintaining a posture of flexible readiness is an integral part of the cyber risk apparatus.”

Rossi, with 25 years in banking and government as a senior executive in risk management at several of the largest financial services companies, referenced the 2008 Great Financial Crisis as a cautionary tale in describing how innovation outstrips risk management controls: “Mortgage products in early 2000’s morphed into a new class of riskier products, but risk controls remained much the same,” he said. “Corollary for cyber risk is current practices and controls to detect and mitigate existing cyber threats may be insufficient to ward off threats evolving from new technology.”

The forum further included “A Moving Target: Assessing Changes in Integrated Attack Surfaces” presented by UMD’s Harry, associate research professor for the School of Public Policy and director of the school’s Center for Governance of Technology and Systems (GoTech), where Lucyshyn serves as research director.

Separately, a presentation titled “The Value of the 2023 SEC Cybersecurity Disclosure Rules (Item 1C): Preliminary Evidence” featured recent work (related story) by Gordon and Loeb, along with Smith research scholar and Master of Science in Accounting Academic Director Lei Zhou and National Taiwan University Associate Professor C.Y. Tseng.

In addition, Yueming (Lucy) Qiu, associate dean for research and faculty affairs for the School of Public Policy, introduced luncheon speaker George Barnes, Red Cell Partners president for cyber practice.

Topics and speakers rounding out the forum:

  • Economic Impacts and Threats of Cyber Monocultures by Rebecca Mercuri, digital forensics expert and founder of Notable Software
  • Analyzing Corporate Privacy Policies using LLMs by Mingyan Liu, professor of electrical engineering and computer science at the University of Michigan
  • Cybersecurity Economics for Development by Estefania Vergara-Cobos, economist in the Chief Economist's Office for the Infrastructure Vice Presidency at the World Bank 
  • Managing the Strategic Cyber Challenge: A View from the Statehouse by Chris Shank of C. Shank Consulting and formerly senior advisor to Governor Larry Hogan

Michael Kimbrough, chair of Smith's Department of Accounting and Information Assurance, opened the event by weighing the forum’s launch by Gordon, Loeb and Lucyshyn based on their early 2000s research focused on the concept of “economics of information sharing related to cybersecurity breaches.”

“They had the foresight to envision the world we now live in when much of the most sensitive assets and information are digitized and therefore vulnerable to cybersecurity threats,” said Kimbrough. “Therefore, one cannot assess or ensure adequate internal controls without a full consideration of cybersecurity risk.”

Cybersecurity threats, he added, “have become so ubiquitous, with wide-ranging impacts on businesses, governments, and individuals—it has become almost routine to hear that our personal information has been compromised. Thus, it is an economically important challenge we need to examine through many lenses: accounting, economics, computer science, information systems, law and public policy.”

Media Contact

Greg Muraski
Media Relations Manager
301-405-5283  
301-892-0973 Mobile
gmuraski@umd.edu 

About the University of Maryland's Robert H. Smith School of Business

The Robert H. Smith School of Business is an internationally recognized leader in management education and research. One of 12 colleges and schools at the University of Maryland, College Park, the Smith School offers undergraduate, full-time and flex MBA, executive MBA, online MBA, business master’s, PhD and executive education programs, as well as outreach services to the corporate community. The school offers its degree, custom and certification programs in learning locations in North America and Asia.
