Susan Lincke PhD CISA is an Associate Professor of Computer Science at University of Wisconsin-
Parkside. She is the author of Security Planning: An Applied Approach (Springer), and received an NSF
grant CCLI Grant: ‘Information Security: Audit, Case Study, and Service Learning’ between 2009-2013.
She developed the cyber-security certificate at University of Wisconsin-Parkside and co-developed its
security lab. She has 17 years of software engineering and project management experience in
telecommunications, including at Motorola, GE and MCI. She has 50 academic publications in
information security and wireless modeling.
Risk is important to cybersecurity professionals to justify security controls, to engineers during the
requirements phase of an engineering project and to management in project planning. In its Internet
Security Threat Report, Symantec reports that in 2016, 791,820,040 data records were breached in the
United States, which averages two breaches per American. France, Canada and Taiwan also
encountered breaches above or near their population levels – or double it. This begs the question: are
we doing and spending enough for security?
Risk management states that an organization shall not pay more for controls than it may lose due to risk.
In information security, it is commonly accepted that corporations underspend for risk because as a
Tech Republic news article is titled: “The real reason companies don't take security seriously: Their
money isn't on the line.” The commonly held view of risk is that risk management is a cost-saving
measure to protect the organization. Following this philosophy, it is possible for an organization to
protect itself at the expense of customers, the neighborhood, employees and/or the environment. This
view can frustrate engineers and IT staff when their best efforts to protect organizations and customers
are not sufficiently respected and prioritized.
What does an interdisciplinary study of risk indicate about how we should evaluate risk? As we develop
automated vehicles and other Internet of Things products, security breaches may not just divulge
information, but could potentially harm health, homes and lives. This interdisciplinary study of ethical
risk considers how to calculate risk and engineer solutions for this new environment. I also introduce a
maturity model of ethical risk.