I recently attended the Fifteenth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective at the University of Maryland. The forum was hosted by Professors Lawrence A. Gordon, Martin P. Loeb, and William Lucyshyn. You may remember the interview I did with Professor Gordon a while back on his collaboration with Professor Loeb on a cyber investment model. The investment model is still receiving much attention as senior government and commercial officials continue to wrestle with their cyber investment decision needs. You can catch a summary of the model in the slide below or find out more in my interview here.

Professor Michael Ball (Dean’s Chair in Management Science at the Smith School of Business, joint appointment within the Institute for Systems Research (ISR) in the Clark School of Engineering, and Managing Director of the Center for Technology, Analytics, and Data Science at Smith School) kicked off the event amidst much good-natured repartee with the hosts. He also pointed out how much the forum has grown in 15 years and its attraction to a worldwide set of researchers.

Then Rebecca Mercuri (Founder & CEO, Notable Software, Inc.) provided some insight into the underlying dynamics involved in cyber forensics cases from her many years of experience on the defense side (or as she refers to it – the “Dark Side”) and why forensics is different on the “Dark” side. She discussed “NITs” or network investigative techniques as a method to uncover Tor users. And emphasized how timeline analysis and alibi development are critical methods of cellphone forensics for the defense. She hopes to come out with a book soon on the Dark Side forensics.

Next, Shaun Wang (Professor and Director of Insurance Risk and Finance Research Center, Nanyang Business School, Nanyang Technological University) presented some research findings from a long-running study about cyber insurance and risk. The Cyber Risk Management (CyRiM) project is led by NTU-IRFRC in collaboration with industry partners and academic experts. CyRiM is a pre-competitive research project that aims to foster an efficient cyber risk insurance market place through engaging industry and academic experts guided by government and policy level research. One of the interesting research findings to date is that cyber bug hunting to reduce zero days appears to be more economical from a risk reduction / cost trade-off than attack surface reduction. The study also touts an asset-based approach to assessing risk – that is, identify your most critical assets and focus on mitigating the impact on them from harm or threats. Another interesting hypothesis was also presented around the inclusion of indirect impacts resulting from a data breach, such as whether customer losses due to identity theft that occur long after the breach but which can be attributed to the breach – should these losses be counted towards insurance losses. Check out the project to find out more details.

To conclude the morning, Stacey Ferris of RM Advisory Services described her “Economic Impact Study of the Advanced Encryption Standard, 1996-2017” as sponsored by NIST. She and her colleagues devised a cost avoidance approach that showed a significant savings to industry by NIST creating a standard cryptographic algorithm (AES) to replace DES. It is interesting to note that real cost avoidance savings produced by creating and adopting AES were deferred due to late adoption by industry. This is due to the large legacy and interdependencies of DES and 3DES hardware that needed to be turned over. The report can be found here.

At lunch we were educated by Antigone Davis – Director, Global Head of Safety at Facebook – about trade-offs confronting Facebook regarding on-line safety, privacy, and security. The intricacies of GDPR, challenges of deep fakes, the need for AI and human inspection of content, and the fine line between privacy and safety were all discussed. It appears to me that these challenges will continue to be difficult problems even with the growing maturity of AI and machine learning techniques for filtering.

Following lunch, Shouhuai Xu, Professor of Computer Science and Director of Laboratory of Cybersecurity Dynamics, University of Texas-San Antonio, provided an overview of a comprehensive model for defining the dynamics of cybersecurity attack/defend interactions to better understand risk. This ambitious work is conceptually linked to a cyber “digital twin” or the development of a virtual cybersecurity model of the system under risk evaluation. Such a detailed model can provide significant insight into how to better protect systems and what are the cost-effective trade-offs when it comes to allocating cyber resources. More about this research can be found here and here.

Next was the introduction to the Maryland Global Initiative in Cybersecurity (MaGIC) by Dr. Charles Harry (Director of Operations, and Associate Research Professor, School of Public Policy, University of Maryland). MaGIC is a new initiative headed by Dan Ennis, (a former senior executive of NSA’s NTOC), which is intended to promote and coordinate efforts across the University of Maryland to expand its cyber education, research, and development activities. An inaugural summit event is planned April 4-5, 2019 at The Hotel in College Park, MD. More can be found at http://magic.umd.edu/forum. Also, look out for an upcoming interview with Dr. Charles Harry on MaGIC and more here at ActiveCyber.net.

The business part of the day ended with the Ira H. Shapiro Memorial Lecture: “The Role of Cybersecurity in Accounting” by Gerry Stellatos, Principal, PwC’s Cyber Incident Threat Management Practice. Gerry’s informative talk described his extensive experiences in developing strategies involving sensitive data breaches, intellectual property thefts, hacking events, forensic investigations and security and vulnerability assessments.


It was a fruitful day of learning and sharing ideas among a diverse group of practitioners and researchers. I would like to thank Professor Gordon and his colleagues for their invitation and I look forward to attending the 16th annual forum in 2020. And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, securing the Internet of Things, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.