New books by Kellogg alumni explain how to guard against network break-ins
By Rebecca Lindell
Most people lock the doors of their homes and guard their keys carefully. But many don't do the same with their businesses, says Joel Dubin '91.
"Countless companies leave the doors to their networks wide open or give the keys away to all of their employees," says Dubin, author of a recently published book on network security. "Typically, the people in charge aren't aware of the potential for damage."
Dubin seeks to illuminate those perils in The Little Black Book of Computer Security (29th Street Press), a recently published primer on how to protect a network from breaches by hackers. The book is intended as a reference guide for IT managers who want a comprehensive yet easy-to-read summary of current IT security practices.
"It's not highly technical; it doesn't get into the nitty-gritty of setting up a firewall, for example," says Dubin, an independent computer security consultant based in Chicago. "But it does explain the difference between the three types of firewalls, how to 'harden' your server so that it is less vulnerable to attack, and what your hiring practices should be."
The last point merits special consideration in the book, as Dubin notes that many network break-ins are remarkably low-tech.
"When a hacker is testing the security of a computer system, he doesn't always use a complicated means to break in," Dubin says. "He might, for example, pose as a UPS driver, and then check to see if passwords are posted near the computer. The methods aren't necessarily on a par with brain surgery, but the damage can be considerable."
Given the risks involved in having so much information on computers, it's easy to imagine spending "whatever it takes" to secure the network. But how much is enough, and how can companies get the best return on their investment? Martin Loeb, who earned his doctorate from Kellogg in 1975, addresses that question in his new book, Managing Cybersecurity Resources: A Cost-Benefit Analysis (McGraw Hill).
Loeb and co-author Lawrence Gordon are professors at the University of Maryland's Robert H. Smith School of Business. They aim to provide techies with the economic understanding and financial tools to compete effectively for the resources they need to protect a firm's networks, Loeb says.
The book takes the approach that modern economic analysis, including the theory of real options, can be applied to computer security. The authors seek to help readers determine their exposure to risk and provide measures for investments in cybersecurity. "Risk isn't just expected loss," Loeb explains. "You also have to look at the maximum you could afford or expect to lose" in the event of a breach.
Some breaches, the authors note, have a bigger impact on the bottom line than others. Those that involve the loss of confidential customer information tend to be far more devastating than other types of breaches, and protection against such attacks is likely to be worth the expense, the authors suggest.
The book provides readers with decision-making models that help managers identify key parameters to analyze the costs and benefits of cybersecurity investments. "Allocating money efficiently among different investments will give you more security and more bang for your buck," Loeb says.