Cybersecurity Risk Management - An ERM Approach-Nova Science Publishers (2022)


CYBERCRIME AND CYBERSECURITY RESEARCH

CYBERSECURITY RISK
MANAGEMENT

AN ENTERPRISE RISK
MANAGEMENT APPROACH

No part of this digital document may be reproduced, stored in a retrieval system or transmitted in any form or
by any means. The publisher has taken reasonable care in the preparation of this digital document, but makes no
expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No
liability is assumed for incidental or consequential damages in connection with or arising out of information
contained herein. This digital document is sold with the clear understanding that the publisher is not engaged in
rendering legal, medical or any other professional services.
CYBERCRIME AND CYBERSECURITY RESEARCH

Additional books and e-books in this series can be found on Nova’s website under the Series tab.

KOK-BOON OH
BRUCE HO
AND
BRET SLADE
Copyright © 2022 by Nova Science Publishers, Inc.
DOI: https://doi.org/10.52305/TNSD3712

All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted
in any form or by any means: electronic, electrostatic, magnetic, tape, mechanical photocopying,
recording or otherwise without the written permission of the Publisher.

We have partnered with Copyright Clearance Center to make it easy for you to obtain permissions to
reuse content from this publication. Simply navigate to this publication’s page on Nova’s website and
locate the “Get Permission” button below the title description. This button is linked directly to the
title’s permission page on copyright.com. Alternatively, you can visit copyright.com and search by
title, ISBN, or ISSN.

For further questions about using the service on copyright.com, please contact:
Copyright Clearance Center
Phone: +1-(978) 750-8400 Fax: +1-(978) 750-4470 E-mail: [email protected].

NOTICE TO THE READER

The Publisher has taken reasonable care in the preparation of this book, but makes no expressed or
implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is
assumed for incidental or consequential damages in connection with or arising out of information
contained in this book. The Publisher shall not be liable for any special, consequential, or exemplary
damages resulting, in whole or in part, from the readers’ use of, or reliance upon, this material. Any
parts of this book based on government reports are so indicated and copyright is claimed for those parts
to the extent applicable to compilations of such works.

Independent verification should be sought for any data, advice or recommendations contained in this
book. In addition, no responsibility is assumed by the Publisher for any injury and/or damage to persons
or property arising from any methods, products, instructions, ideas or otherwise contained in this
publication.

This publication is designed to provide accurate and authoritative information with regard to the subject
matter covered herein. It is sold with the clear understanding that the Publisher is not engaged in
rendering legal or any other professional services. If legal or any other expert assistance is required,
the services of a competent person should be sought. FROM A DECLARATION OF PARTICIPANTS
JOINTLY ADOPTED BY A COMMITTEE OF THE AMERICAN BAR ASSOCIATION AND A
COMMITTEE OF PUBLISHERS.

Additional color graphics may be available in the e-book version of this book.

Library of Congress Cataloging-in-Publication Data

ISBN: (eBook)

Published by Nova Science Publishers, Inc., New York


Contents

List of Figures vii
List of Tables ix
Preface xi
Acknowledgments xiii
List of Acronyms and Glossary xv
Chapter 1 Cyber Threats and Enterprise Risk 1
Chapter 2 Corporate Risk Environment and Cyber Risk 23
Chapter 3 Cybersecurity Enterprise Risk Management 43
Chapter 4 Standards and Regulations 69
Chapter 5 Cyber Risk Identification 93
Chapter 6 Cyber Risk Assessment 115
Chapter 7 Cyber Risk Mitigation 139
Chapter 8 Cyber Risk Monitoring, Detection and Reporting 165
Chapter 9 Cyber Attack Response and Recovery 179
Chapter 10 Strategic Cybersecurity Risk Management 197
References 219
About the Authors 239
Index 241
LIST OF FIGURES

Figure 1.1. Business strategy and risk management alignment. 5
Figure 1.2. Cybersecurity uncertainty and risk. 11
Figure 1.3. Risk types. 14
Figure 1.4. Chinese characters for “risk.” 15
Figure 1.5. Cyber risk and opportunity nexus. 16
Figure 2.1. Corporate risk environment. 26
Figure 3.1. Value creation from portfolio risk management. 46
Figure 3.2. ERM, SRM & ORM processes. 47
Figure 3.3. Five attributes of cybersecurity risk management. 48
Figure 3.4. Cyber risk control and ERM convergence. 51
Figure 3.5. ERM framework. 53
Figure 3.6. Strategic risk management. 54
Figure 3.7. Operational risk and crisis management processes. 55
Figure 3.8. Cyber risk exposure relationships. 59
Figure 3.9. SRM process for cybersecurity ERM. 64
Figure 3.10. Operational risk management/crisis management cycle. 67
Figure 4.1. Standards categories. 74
Figure 4.2. ERM/SRM related standards. 75
Figure 4.3. ISO 31000 - framework, principles, and process. 76
Figure 4.4. ERM/ORM related standards. 79
Figure 4.5. NIST/CSF Framework core & ERM/ORM alignment. 81
Figure 4.6. NIST/CSF Framework Core. 82
Figure 4.7. ISO 27000 series standards (selected). 85
Figure 5.1. Risk identification phase in the ERM/ORM cycle. 95
Figure 5.2. ERM/ORM & NIST/CSF alignment. 102
Figure 5.3. Bow tie risk analysis. 109
Figure 6.1. Risk assessment phase in the ERM/ORM cycle. 118
Figure 6.2. Risk assessment – ERM/ORM & NIST/CSF alignment. 120
Figure 6.3. Risk likelihood and impact matrix. 123
Figure 6.4. Heat maps showing severity levels of risks. 124
Figure 6.5. EMV based on potential impact and probability of events. 129
Figure 6.6. Economic risk paradigm. 132
Figure 7.1. Risk mitigation phase in the ERM/ORM cycle. 141
Figure 7.2. Risk mitigation – ERM/ORM & NIST/CSF alignment. 146
Figure 8.1. Monitor, detect & report risk in the ERM/ORM cycle. 168
Figure 8.2. Monitoring, detecting, and reporting cyber risks. 168
Figure 8.3. Risk monitoring & reporting - ERM & NIST CSF alignment. 174
Figure 9.1. Cyber crisis management cycle. 181
Figure 9.2. Incident response process. 187
Figure 10.1. Integrated cybersecurity ERM. 202
Figure 10.2. Cybersecurity strategic plan, vision, goals, and objectives. 203
LIST OF TABLES

Table 2.1. Top 10 risks in 2017 & 2020 27
Table 2.2. Industry critical systems 30
Table 2.3. Types of cyber threats 37
Table 2.4. Cyber security incidents, by affected sector (1 July 2019 to 30 June 2020) 41
Table 4.1. ERM-ISO 27001 alignment 87
Table 5.1. Threat identification questions 97
Table 5.2. Vectors, threat actors, and objectives 98
Table 5.3. Identify function – outcome categories/sub-categories 100
Table 6.1. Risk assessment activities & outcomes (per “Identify” function) 119
Table 6.2. Probability, impact, severity and action 123
Table 6.3. Severity scale 130
Table 6.4. WEF recommended VaR cyber risk variables 135
Table 7.1. Protect function – outcome categories/sub-categories 147
Table 7.2. Four steps of hedging 154
Table 7.3. Cyberthreat mitigation tools 156
Table 8.1. Detect – Outcome categories and sub-categories 175
Table 9.1. Respond and recover – outcome categories/sub-categories 183
Table 10.1. Identify – outcome categories/subcategories 211
PREFACE

The motivation for writing this book is to share our knowledge,
analyses, and conclusions about cybersecurity in particular and risk
management in general to raise awareness among businesses, academics,
and the general public about the cyber landscape changes and challenges
that are occurring with emerging threats that will affect individual and
corporate information security. As a result, we believe that all stakeholders
should adopt a unified, coordinated, and organized approach to addressing
corporate cybersecurity challenges based on a shared paradigm. There are
two levels at which this book can be read. For starters, it can be read by
regular individuals with little or no risk management experience. Because
of the book's non-technical style, it is appropriate for this readership. The
intellectual information may appear daunting at times, but we hope the
reader will not be disheartened. One of the book's most notable features is
that it is organized in a logical order that guides the reader through the
enterprise risk management process, beginning with an introduction to risk
management fundamentals and concluding with the strategic
considerations that must be made to successfully implement a cyber risk
management framework. Another group of readers targeted by this book is
practitioners, students, academics, and regulators. We do not anticipate
that everyone in this group will agree with the book's content and views.
However, we hope that the knowledge and material provided will serve as
a basis for them to expand on in their work or endeavors.
The book comprises ten chapters. Chapter 1 is a general introduction
to the theoretical concepts of risk and constructs of enterprise risk
management. Chapter 2 presents the corporate risk landscape and cyber
risk in terms of the characteristics and challenges of cyber threats vis-à-vis
the emerging risks thereof from the perspective of a business organization.
Chapter 3 presents the idea of enterprise risk management and explains the
structure and functions of enterprise risk management as they relate to
cybersecurity. Chapter 4 provides the cybersecurity risk management
standards, which may be used to build a cybersecurity risk management
framework that is based on best practices. The cyber operational risk
management process begins in Chapter 5 with the introduction of the risk
identification function. Chapter 6 continues with the next step of this
process by presenting the risk assessment procedures for evaluating and
prioritizing cyber risks. Chapter 7 explains the activities in the third step
in the ORM process of risk mitigation and provides examples of the tools
and techniques for addressing risk exposures. Chapter 8 presents a critical
function from an operational perspective for its role in detecting risk and
continual improvement of the organization's cybersecurity processes
through the reporting function. Chapter 9 discusses the crisis management
steps that businesses must take to respond to and recover from a cyber
incident. Chapter 10 emphasizes the essential ERM components that senior
management should be aware of and cultivate to create an effective cyber
risk control framework by focusing on the strategic aspects of
cybersecurity risk management from a business viewpoint. This chapter
proposes a cybersecurity ERM framework based on the content given in
this book.
ACKNOWLEDGMENTS

First and foremost, we want to express our gratitude to our families for
their unwavering support throughout the creation of this book. We'd also
like to express our appreciation and thanks to the numerous people who
have assisted us in learning and practising enterprise cybersecurity risk
management in academia and business over the years.
Additionally, my special thanks to John Sturdy, my colleague and co-
author on my many journal and conference papers, for helping us network
with the numerous organisations that have helped in providing information
and encouragement in the writing of this book. We could not have done
this without your help and passion for networking.
An additional thanks to La Trobe University for the opportunity to
share our knowledge and insights on cybersecurity and enterprise risk
management with academics and students of the School of Business. Also,
special thanks to the many organizations: eGalaxy Solutions Pty. Ltd.,
Texila College Australia, SERVTAC Chartered Accountants, Shanghai
Academy of Social Sciences, National Chung Hsing University, and
Career Dragon Pty. Ltd., where we were able to continue teaching,
training, and most importantly learning about the many elements of
cybersecurity and enterprise risk management.
Without these organizations, large and small, that have allowed us to
explore and test insight-related concepts in classrooms, projects,
workshops, and consulting engagements over the last decade, this book
would not have been possible.
LIST OF ACRONYMS AND GLOSSARY

BIA: Business impact analysis.
CIA: Confidentiality, integrity and availability of information assets.
COSO: Committee of Sponsoring Organisations of the Treadway Commission.
Crisis: An adverse event caused by the realisation of a risk.
Crisis management: A process to prevent or minimise the impact a risk incident can inflict on a company or its stakeholders. The process involves three phases: pre-crisis (planning & preparation), crisis response and post-crisis (recovery).
CCM: Cybersecurity crisis management.
CCMP: An action plan that instructs the incident response team about a comprehensive approach to managing cyber-attacks before, during and after the incidents to minimize disruptions to business operations.
CISO: Chief information security officer.
CRO: Chief risk officer.
CSP: Cybersecurity strategic plan.
Cyber incident: A cyber security event, both accidental and malicious, as a result of SND vulnerability that compromises the CIA of an information asset.
Cyber risk: Risk related to the threats to both digital and physical vulnerabilities of SND leading to a cyber incident or breach, both accidental and deliberate, which could result in losses to a company’s earnings, liability or capital position.
CRM: The process of analysing, assessing and mitigating cyber security threats.
Cybersecurity: The practice of protecting both information and non-information assets that are within cyberspace or can be affected via cyberspace from attacks.
Cybersecurity framework: A framework consisting of security best practices (including standards) that companies adopt for implementing a cybersecurity ERM program to manage cyber risk.
Cybersecurity standards: Recommended guidelines, processes and controls for the implementation of cybersecurity measures.
Cybersecurity strategic plan (CSP): Outlines the vision, goals and objectives of the organization’s cybersecurity program.
Data breach: A cyber incident that results in the confirmed disclosure of data to an unauthorised party.
EISP: Enterprise information security policy.
EMV: Expected monetary value.
ERM: Enterprise risk management. It is an integrated and layered firm-wide risk management approach covering strategic and operational activities for protecting a company against threats to its business activities.
ERM/ORM: Operational risk management in the ERM framework.
ERM/SRM: Strategic risk management in the ERM framework.
ICT: Information and communications technology.
Impact: A negative consequence from a cyber incident.
Information security: The security of information assets, whether the information assets are stored inside or outside cyberspace.
IRP: Incident response plan.
ISO: International Organisation for Standardisation.
ISMS: Information Security Management System.
KPI: Key performance indicators.
KRI: Key risk indicators.
NIST: National Institute of Standards and Technology.
NIST/CSF: The National Institute of Standards and Technology’s framework for improving critical infrastructure cybersecurity.
Operational risk management: The continual cyclic process of implementation of risk controls and decision-making involving risk identification, risk assessment, risk mitigation, and risk monitoring and reporting.
ORM: Operational risk management.
Risk: Quantifiable uncertainty/threat using a combination of probability of an event and its adverse consequences.
Risk analysis: Systematic use of information to identify sources and to estimate the risk (ISO/IEC 2002).
Risk assessment: The overall process of risk quantification and risk evaluation.
Risk control: The action taken by a firm to eliminate, reduce or optimise threats.
Risk evaluation: The process of comparing the estimated risk against given risk criteria to determine the significance of risk (ISO/IEC 2002).
Risk identification: To explore and investigate the corporate risk landscapes for threats.
Risk management: Typically includes risk identification, risk assessment, risk treatment, risk acceptance and risk communication, including exchange or sharing of information about risk between the decision-maker and other stakeholders (ISO/IEC 2002).
Risk mitigation: Applying risk treatment with a prospective view of balancing risk and opportunity.
Risk monitoring: The process of tracking and evaluation of the levels of risk in a company to help create new strategies and update older strategies that may have proved to be obsolete or ineffective.
Risk reporting: The communication of risk information to the relevant stakeholders in the company.
Risk treatment: Treatment process of selection and implementation of measures to modify risk (ISO/IEC 2002).
RP: Recovery plan.
SND: Systems, networks and data.
SRM: Strategic risk management.
Strategic risk management: The process of planning the control of any risk that affects a company's business strategy, strategic objectives and strategy execution.
TRM: Traditional risk management.
Threat: An exposure to a risk event that might result in a financial loss or harm to a company.
Vulnerability: Weakness of SND or their safeguards that exposes the company to cyber threats or attacks.
Chapter 1

CYBER THREATS AND ENTERPRISE RISK

1. INTRODUCTION

Cyber risk management is becoming an essential aspect of an organization's major management capabilities. Recent large-scale cyber incidents involving the compromise of critical systems and networks, and massive data breaches, highlight the need for a focused and comprehensive cyber risk management approach within the broader enterprise risk management (ERM) function. Therefore, it is important that organizations design and implement an effective risk management structure and process that is consistent with best practice, to allow systematic coverage of the diversity of cyber risks internal and external to the organization. This measure is often referred to as cybersecurity, which is about protecting an organization's Internet-connected systems, such as data, software, and hardware, against unauthorized access or damage. Cybersecurity involves implementing risk management measures to strengthen both cybersecurity and physical security for safeguarding the organization's digital assets.
This book discusses the enterprise risk management concepts as they pertain to cyber threats and provides a holistic cyber risk management framework within the broader enterprise risk management function of an organization. As the two types of enterprise risk functions cannot be addressed in isolation, this book takes the reader through the process of developing an integrated and structured approach for enterprise cyber risk management (CRM) in the context of ERM by describing the foundations of risk management, the policies and processes, the risk factors, cyber threats, the vulnerable assets, and best practices for managing critical information assets. This book posits that ERM and CRM alignment can provide management with a cohesive and effective organizational risk strategy (Frosdick, 1997), despite the challenges. Therefore, this book attempts to analyze and highlight the theory, frameworks, standards, best practices, and processes associated with the effective implementation of enterprise risk management in an integrative approach as applied to cybersecurity. We adopt and follow the ERM framework presented in Oh, Ho, Pham, Huang & Wang (2018), which delineates enterprise risk management into strategic and operational activities. This book adapts the ERM model to address cybersecurity by benchmarking with ISO 31000 for strategic risk management and the National Institute of Standards and Technology (NIST) Cybersecurity Framework for operational risk management, incorporating the processes and best practices for an effective cybersecurity ERM framework.
It is not within the scope of this book to dwell on the technical elements of information technology or the behavioral psychology of cyber threats or attacks. The intent is to present and analyze the key concepts and constructs that form the foundations of an effective and practical enterprise cybersecurity management framework. This chapter starts by defining the general concept of corporate risk, introducing the need for risk management and the different types, definitions, and dimensions of risk. It explains the difference between the concepts of uncertainty, threat, and risk, how and where the dangers exist within the corporate environment, and the inherent threat to businesses. The new phenomenon of cyber risk is discussed in terms of its presence in the enterprise risk landscape. The concept of enterprise risk management is explained as a strategic business planning and management approach for enhancing decision-making and value.
2. WHY IS RISK MANAGEMENT IMPORTANT?

Under Modigliani and Miller's (1958) perfect market conditions, corporate financial decisions do not influence the value of the firm. Since corporate risk management is a part of the firm’s financing policy, it is therefore irrelevant under those conditions, because investors can alter their holdings of risky assets by themselves to avoid any adverse impact on their wealth position. So why is corporate risk management important if it does not add value? ERM scholars counter by arguing that corporate risk management is relevant because capital market imperfections cause risks to impose real costs on firms, and ERM can increase firm value by reducing aggregate risk (Lam, 2001; Segal, 2011).
The traditional risk management (TRM) approach is usually used after an incident has occurred, to prevent the same circumstance from occurring again. TRM mainly focuses on insurable risks and adopts a compartmentalized, silo approach to managing risk. Using this approach, an organization excludes all exposure linked to business risk from its scope and rarely draws relative comparisons among its risks to understand how they interact with one another or to assess their overall impact on the organization. ERM, on the other hand, is a forward-looking approach that tries to predict prospective threats, events, and circumstances that may or may not materialize.
Risk management has become critical in a rapidly changing economic environment and with the growing need for corporate accountability. The business world is getting more complex for risk managers due to globalization, advanced technology, and new developments in finance. Cyber risk is a critical risk factor facing the corporate world today, and it can cause a company to suffer a loss of revenue from harm to its reputation, products, supply chains, customer service, and other areas. Hence, effective risk management offers significant benefits and value to business enterprises and their stakeholders (Didraga, 2013). An important benefit of risk management is to reduce cash flow volatility, which helps organizations avoid liquidity risk and allows more productive funds to be invested for higher returns (Froot, Sharfstein & Stein, 1993; Nocco & Stultz, 2006). Risk management practice ensures that organizations understand and prioritize potential risks for better decision-making to help them achieve strategic goals.
The conventional classification of risk management is that of risk identification, assessment, prioritization, mitigation, and reporting (Coyle, 2014; Calandro, 2015). According to a report by KPMG Australia (AFR, 2015) titled "Business Risks are Getting Bigger and Faster," the risk to businesses from technology, terrorism, natural disasters, global financial crisis, and geopolitical turmoil is ever-growing. The way these risks manifest themselves in an organizational context differs because of how they interact with each other and with the other risks in the organization. Therefore, there has been a shift lately to focus on risk control strategy in an organizational context, where it is aligned to the organization’s business mission, goals and objectives, and core values to achieve its vision [1] (Figure 1.1). Hence, there is a need for an effective enterprise risk management process for firms to be able to quickly identify, quantify, mitigate and report risks, in line with the organization’s objectives. ERM encourages risk control in an integrated way by asking what risks are important to the company's performance and why. It is a continuous, forward-looking process that integrates both business and technical management for addressing risk issues that can potentially jeopardize the fulfillment of essential goals.
Figure 1.1 depicts a taxonomy of the strategic risk management (SRM) and operational risk management (ORM) processes where the corporate vision, goals, and objectives are aligned with the operational functions of identifying, assessing, mitigating, and communicating risk (Elliot, 2019). The four steps in the ORM can be further categorized into activities relating to “risk awareness” and “risk reduction and reporting” (Figure 1.1). Risk awareness entails the process that is capable of identifying and assessing corporate risk exposures to recognize the potential for risks within the organization. The firm must have determined a risk-return trade-off balance for it to undertake informed risk mitigation strategies. The risk-return balance is used to assess the acceptable risk levels, and once management has formed expectations about the severity of the risk the mitigation process begins. Mitigation involves choosing the appropriate risk treatment, which includes the selective use of various tools and techniques to protect the organization’s assets.

[1] A vision describes the company's desired future position and a mission explains what the organization’s goals and objectives are, and how it plans to achieve them. A company’s statement on aims, goals, and values reflects elements of its mission and vision statements.

Figure 1.1. Business strategy and risk management alignment. [Diagram: Organisational Risk Strategy; Vision, Mission & Objectives; the four steps Identification, Assessment, Mitigation and Reporting, grouped as Risk Awareness (identification, assessment) and Risk Reduction & Reporting (mitigation, reporting).]

The risk reduction and reporting category relates to risk mitigation and reporting of risks, respectively. Risk reduction involves carrying out risk control actions to reduce or minimize the frequency or severity of potential losses. The risk reduction step involves deciding whether the corporation should treat, tolerate, terminate or transfer (the 4Ts) the risk exposure. Having made this decision, the enterprise risk strategy requires the company to report to management and the risk team the status of each risk situation and any necessary adjustments to address changes in risk conditions (Ho et al., 2010).

3. CYBER RISK AND CYBERSECURITY

The critical role of the digital economy for firms to gain a competitive edge and expand their business has raised serious concerns about information security. Von Solms & Van Niekerk (2013) define information security as protecting information assets that reside inside or outside cyberspace, while cybersecurity relates to the vulnerability of information and non-information assets embedded within cyberspace. Information security has undergone two major changes: initially, the need was for “computer security” (Madnick, 1978) and subsequently for “network security” with the introduction of distributed systems and networks (Stalling, 2017). The proliferation in the use of technology in our personal lives and business has seen greater connectivity in the way we interact with each other on our smart devices, which are collectively referred to as the Internet of Things (IoT). This has caused greater concern about information security among stakeholders due to the scope and scale of such usage. Technology threats constitute one of the "fastest-changing risks to the global and local economies" and “cyber-attacks and disruption of the digital economy by malevolent actors is a growing problem that changes in technique and capability every month” (Cambridge, 2016).
Cyber risk refers to an enterprise's exposure to financial loss, and to damage to its reputation, due to disruption or damage from the failure of its information technology systems. Digital threats of cyber-attacks by hackers are attempts to breach an organization's digital assets in order to compromise, change or destroy sensitive information or interrupt normal business processes with malicious intent. Therefore, an effective cyber risk management system minimizes cyber disruptions to business operations, reducing cash flow volatility so that firms can reinvest funds back into the business for growth.
Cyber risk comprises a group of risks that differ in dimension,
technology, methods of attack, and means. In an enterprise risk
management context, cybersecurity predicates on human factors (people)
and non-human factors (hardware and software) and comprises the use of
both virtual and physical security measures against unauthorized access to
corporate information infrastructures. Information security, which is about
the protection of the confidentiality, integrity, and availability of systems
and data, is a subset of cybersecurity.2

2
Von Solms and Van Niekerk (2013) distinguish information security as relating to the human
factor in the context of “the role(s) of humans in the security process” and cybersecurity
Cyber Threats and Enterprise Risk 7

Generally, cybersecurity is about protecting an enterprise's internet-


connected digital assets such as systems, networks, and data from digital
threats. It includes the protection of hardware, software, and data against
unauthorized access to data centers and other computerized systems to
prevent unauthorized access, modification, or deletion of data. Von Solms
and Van Niekerk (2013) describe cybersecurity as “the collection of tools,
policies, security concepts, security safeguards, guidelines, risk
management approaches, actions, training, best practices, assurance and
technologies that can be used to protect the cyber environment and
organization, and users’ assets.” This protection is related to maintaining
the confidentiality, integrity, and availability (CIA) of the organization's
information, which is commonly referred to as the CIA triad or the three
pillars of security. The cybersecurity risk management function
incorporates a combination of policies, processes, practices, and
technologies to protect systems, networks, and data from unauthorized
access, attack, and damage.

4. CYBERCRIME AND CYBER-TERRORISM

Both cybercrime and cyber-terrorism are similar in that the perpetrators use computers or information and communication technology
(ICT) to carry out an illegal act (Holt, 2012). However, it is important to
bear in mind that cyber-terror should not be confused with cybercrime.
While cybercrime may degrade and destroy the capability of individuals,
organizations, or the state, and it may terrify its victims, it is executed for
reasons that are not political. These reasons may include, but are not limited to, financial gain, individual notoriety, or access to information; it does not,
therefore, fit within the generally accepted definition of cyber terrorism.

having an additional human dimension “as potential targets of cyber-attacks or even unknowingly participating in a cyber-attack.” Human factors play an important part in the cyber risk environment through their role in providing the leadership and resources in the risk control processes, and this distinction is useful when studying the human aspects of cybersecurity.
8 Kok-Boon Oh, Bruce Ho and Bret Slade

Foltz (2004) classifies attacks as cyber-terrorist if they are intended to "interfere with the political, social or economic functioning of a group, organization or country." There is no unified definition of cyber-terrorism but the
literature indicates a common understanding that computers and
telecommunications networks form a vector through which malicious
parties may seek to interrupt, degrade or destroy the capabilities of a
nation-state or its instruments for politically motivated reasons. Holt
(2012) argues for a broader definition of cyber-terrorism to “provide a
much more comprehensive framework for exploring the ways that
extremist groups utilize technology in support of their various agendas.”

5. WHAT IS ENTERPRISE RISK MANAGEMENT?

Enterprise Risk Management (ERM) is defined by the word enterprise, which has a distinct connotation from Traditional Risk Management
(TRM). The concept of ERM is explained as a strategic business planning
and management approach for enhancing decision-making and corporate
value. The term “enterprise” refers to a business-wide approach to risk
management that is driven by high-level goals and implemented via
integrating tools and procedures across all corporate departments. The
term “integration” refers to the process of changing a company's
operations, adapting its capital structure, and utilising certain financial
instruments (Meulbroek, 2002).
There are numerous definitions in the market of what constitutes enterprise risk management. The International Standards Organization (ISO), in ISO 31000, defines enterprise risk management as an integral part of organizational processes as well as a part of decision making, and the Association of Insurance and Risk Managers in Industry and Commerce (AIRMIC) provides a functional description of ERM as a management tool that enables an organization to formally drive a process for continuous improvement of its risk control capabilities in a changing business environment. Other characteristics attributed to ERM in the literature include describing it as a comprehensive and robust risk management tool,

compliance process, holistic approach, control structure, strategic framework, and management response to a changing environment.
The Committee of Sponsoring Organizations of the Treadway
Commission3 (COSO) published an Enterprise Risk Management (ERM)
standard in 2004. The COSO ERM cube is a well-known risk management
framework for undertaking ERM4. It points out that ERM is an ongoing
process that applies risk management practices in a strategy setting across
the enterprise. It is designed to include a series of risk mitigation activities
from the identification of potential threats to monitoring and managing risk
within its risk tolerance to provide reasonable assurance for the
achievement of business objectives.
In the context of cybersecurity, it is about developing a strategic
capability to optimize and enhance the organization’s value by protecting
its most valuable business systems, networks, and data that are often
vulnerable to cyber-attacks. ERM is a systematic strategy to identify,
assess, mitigate and monitor any threats or risks of a digital, financial, and
operational nature that may disrupt an organization's objectives and
operations. It emphasizes a holistic approach to gaining a systematic
understanding of the complexities of risks to control them as opposed to
the “silo” approach of TRM. By controlling risk, a company can optimize
the expensive equity capital needed to support its operating risk cost
(Nocco and Stulz, 2006).
While enterprise risk management is gaining global acceptance among
practitioners and industry, others still have reservations. The following are
comments made about ERM:

• “Enterprise risk management is an enigma.” (Corporate Compliance Insights)
• “... enterprise risk management processes are relatively immature and ad hoc.” (North Carolina State University)

3 The Committee of Sponsoring Organizations Board published in 2004 “Enterprise Risk Management—Integrated Framework” as a reference to help organizations manage risk. Information about COSO can be obtained at https://www.coso.org/Pages/default.aspx.
4 COSO is popular among practitioners because it is linked to the Sarbanes-Oxley requirements for companies listed in the United States.

• “… the state of development of ERM in non-financial companies is at a relatively immature stage.” (Standards & Poor’s)

While ERM is a relatively immature practice (Slagmulder & Devoldere, 2018; AICPA, 2020) that is still evolving, it nevertheless offers a strategic, integrated, structural, and systematic approach to addressing organizational risk exposure and its innate challenges. A successful ERM system requires strong leadership and alignment to business objectives and functions.
Essentially, enterprise risk management (ERM) is a strategic risk
control process for assessing risks in an integrated, structured, and
systematic manner to identify, quantify, mitigate and report risk that poses
a financial threat to a company. Because strategic risk is difficult to identify and understand, there is no single definition of it (Mango, 2007). Deloitte (2013) defines strategic risks as those that are influenced
or produced by a company's business strategy and strategic goals. The goal
of an ERM program is to acknowledge and understand, in a holistic
approach, an organization's risk exposure, tolerance for risk, and capability
to manage it. The ERM architecture implies a structural process that has a
top-down and bottom-up approach for managing risk.

6. UNCERTAINTY, THREAT & RISK

Risk is a multidimensional concept. Essentially, enterprise risk is the uncertainty of future outcomes measured against some future objectives, such as the uncertainty of a firm's future cash flows; it is therefore associated with an event in the future that is unpredictable today. Thus, “uncertainty is a state of not knowing whether
a proposition is true or false” (Holton, 2004). Uncertainty presents both
risk and opportunity. Uncertainty can destroy value as well as provide an
opportunity for value creation.
All enterprises face uncertainty, to varying degrees, and this requires management to determine the level of uncertainty to accept for

growing stockholder value. It is a business tenet that the greater the risk associated with a decision, the greater the reward that decision will
yield. While uncertainty is an abstract concept, "risk" is quantified
uncertainty measured on two scales, impact and frequency. Impact refers
to the intensity or magnitude of damage or loss, whereas frequency is the
likelihood of damage, loss, or a missed opportunity.
In the context of cybersecurity, fear of uncertainty emanates from the
vulnerability of an organization’s information infrastructure that may pose
a threat of an adverse cyber event. Vulnerability refers to the likelihood of a cyber-attack due to a weakness in the hardware or software of the information infrastructure that could result in the compromise of any one of the elements within the CIA information security triad. Therefore,
cyber threats are the particular uncertainties or dangers that create the
potential for cyber risk. Risk is a combination of vulnerability, fear of
uncertainty, threat, and potential loss (Figure 1.2). Therefore, leveraging
information technology for business poses uncertainty and opportunity to
the enterprise with the potential to cause harm or gain to the organization.
It is generally accepted that uncertainty is an abstract concept and “risk” is
quantifiable uncertainty in terms of its outcome (threat) and probable
frequency of occurrence (vulnerability). Risk is quantifiable and refers to
the potential loss to the enterprise if it occurs. An evaluation of uncertainty
using assessment techniques will allow an organization to recognize
whether it constitutes a unique or critical risk to the enterprise. The
“immediacy of exposure is critical” for defining what is exposure and “current exposure depends on what would be your current preferences” (Holton, 2004). Figure 1.2 depicts the connection between information
infrastructure vulnerability and risk exposure.

Figure 1.2. Cybersecurity uncertainty and risk.



Risk is the probability of an adverse event occurring with the potential to result in loss to exposed firms. There are many other definitions of risk
and the International Organization for Standardization (ISO) in ISO
310005 defines risk as “the effect of uncertainty on objectives” and “an
effect is a positive or negative deviation from what is expected.” The
classical exposition of the concept of risk is by Knight (1921), who defined risk as “measurable uncertainties.”
Knight (1921) describes risk as “unknown outcomes whose odds of
happening can be measured or at least learned about” and uncertain events
are those that “we do not even know how to describe” (Quintana, 2012).
Risk is a condition in which there is a possibility of an adverse deviation
from a desired or expected outcome. Black (1995) regards risk as the
uncertainty surrounding the return at market value on “composite capital”
invested by shareholders in a company. According to Holton (2004), risk
is the exposure to a proposition of which one is uncertain and that “risk
entails two essential components of exposure and uncertainty.”
A cyber risk exposure from the use of information technology systems
is caused by a threat that is defined as damage or disruption to the business
operation that can result in potential losses. Therefore, cyber risks are
distinct from cyber threats, which are the specific hazards that give rise to
the possibility of cyber risk. Cyber threats such as phishing, trojan horses and vulnerability exploitation are possible routes to loss of digital asset
confidentiality, integrity, and availability in the context of enterprise cyber
risk. The principal cyber risks to an organization are business operational risk from loss due to system downtime or data loss; reputation risk from loss because of harm caused by a cyber-attack to an organization’s reputation or public image; fraud and financial crime; and legal and compliance risk from loss resulting from legal action taken against a firm for breaching the law or regulatory requirements.
Employees must understand the severity of enterprise cyber risk and
appreciate the responsibility to undergo training covering the risks

5 ISO 31000, Risk Management – Guidelines, provides principles, a framework, and a process for managing risk. It can be used by any organization regardless of its size, activity, or sector. https://www.iso.org/iso-31000-risk-management.html.

associated with their roles in the use of computers to prevent compromise (Hectus, 2016). Therefore, an enterprise needs to make sure that "communication is timely and relevant and mandatory" (Hectus, 2016) by
properly disseminating, explaining, and training employees in the
organization on cyber risk management policies to minimize information
security weaknesses and uncertainty. Employees should also have access
to review the relevant policies and can demonstrate that they understand
the content and their roles and responsibilities according to the policy
document.

7. RISK TYPES AND DIMENSIONS

Companies typically categorize enterprise risk into financial risks, operational risks, and regulatory risks. There are generally five types of
business risk identified in risk management literature, being market risk,
liquidity risk, credit risk, operating risk, and legal risk. In today's digital
world, cyber threats compound each one of these risks from an information
technology usage perspective (Figure 1.3). Each of these five risk types
has an underlying cybersecurity implication to it because of the widespread
adoption of technology in the economy. These five types are not the only categories of risk, but they do capture the main business risks in the market, and the enterprise risk identification process should consider all types of risk relative to these categories.
The different dimensions of risk provide for a better understanding of
the impact of risk on the firm. The following lists some of the key
dimensions of risk that act as foundations for evaluating the extent of the
severity it poses to the organization.

• Range of possible outcomes – potential loss or benefit from a risk situation
• Probability of an outcome occurring – degree of likelihood of a risk event happening

• Time and duration of risk event – length of time a risk remains a threat to the organization or the "dwell time" of an attack in the case of cybersecurity
• Size of exposure – the severity of the risk impact and the extent of its contagion
• Volatility – predictability of the risk in terms of occurrence and threat pattern
• Interrelationships – interaction between different risks
• Complexity – the difficulty of understanding the nature of a threat and its consequences
• Manageability – availability of tools to mitigate or neutralize the risk
• Costs to manage the risk exposure – resource implications of a risk
• The outcome of risk management – lessons from the risk event and actions the enterprise can take to better protect itself from similar events in the future

Figure 1.3. Risk types.



For cyber risk, the specific dimensions are interconnectivity, interdependence, and speed. Interconnectivity refers to how extensively
systems, networks, and data are interconnected. The wider the
interconnectivity the greater the cyber risk exposure due to ease of access
and contagion or the attack surface. The more interdependent the cyber
assets are the greater the potential disruption to the systems and networks
in the event of a cyberattack. Speed refers to how rapidly an attack could breach and permeate the network.

8. RISK AND RETURN

Risk is a combination of danger and opportunity. It is not possible to have one without the other. The definition of risk is the possibility of
adverse consequences happening and it is associated with potential losses,
but there are also benefits to be obtained from taking risks. By taking a
risk, the firm will benefit from higher returns and therefore increase the
firm's value. While taking a risk may increase the firm's value it can also
destroy value. The Chinese symbols for risk below, give a much better
description of risk (Figure 1.4.).

危機
Figure 1.4. Chinese characters for “risk.”

The first character is the symbol for “danger” while the second is the
symbol for “opportunity.” Therefore, while considering taking a risk, firms
must consider the balance between risk and reward and should not take
risks that are not commensurate with the rewards. For example, while
companies benefit from increased levels of efficiency by leveraging the
use of technology in their operations this also exposes them to cyber risk.
To mitigate cyber risk, organizations should invest in safeguards for the

benefits of security to avoid the cost of cybercrime. Thus, in the context of cybersecurity risk and return, there are two dimensions to this principle.
One is at the source of cyber risk and the other is the return on
cybersecurity investments in risk mitigations to protect the organization’s
digital assets. Figure 1.5. below depicts these dimensions of the risk and
return relationship of cybersecurity in the context of cybersecurity
investment.
There is a rather extensive body of research on risk and return analysis
on cybersecurity investment. Gordon and Loeb created a cybersecurity
investment model that has now become a standard in the field (Gordon and
Loeb, 2002). The Gordon and Loeb model focuses on information
technology with an emphasis on information asset protection. Cavusoglu,
Mishra, and Raghunathan (2004) provide an explicit outcome-based
cybersecurity investment model that tries to compute a return on IT system
security investment. Gordon et al., (2015a) consider real options and
external factors (Gordon et al., 2015b) when estimating how much a
company should spend on cybersecurity investment.

Figure 1.5. Cyber risk and opportunity nexus.



Every investment in technology or cybersecurity needs to be justified from the point of view of return. The return from technology used in
operations can be measured in terms of cost reduction and/or increased
revenue or profits. However, it is more difficult to measure the return on
investments made in cybersecurity as they don’t ostensibly suggest any
return to the organization. Return on Investments (ROI) made in
cybersecurity is rather measured by the benefits of security in terms of
prevented losses.

9. SYSTEMATIC AND UNSYSTEMATIC RISKS

We can perceive corporate risk as alpha risk or unsystematic risk (the competency of the company’s management) and beta risk or systematic
risk (the volatility of the market). Unsystematic risk is firm-specific risk
and caused by factors that surround an individual firm and are unique to
the firm. Unsystematic risk is the result of variations specific to the firm or
industry and is that part of a firm's risk exposure associated with random
events; it can be eliminated by proper diversification. Cyber risk can be an
example of unsystematic or firm-specific risk. Cyber risks are potential business losses of a reputational, financial, operational, productivity, equipment-downtime, and regulatory nature that result from a firm’s digital vulnerabilities.
On the other hand, systematic risk or market risk cannot be avoided or
diversified away and this is the risk that all firms face because of economy-
wide factors that affect them. Systematic or market risk is that part of the total risk that arises from the basic variability of the firm's value as represented by its stock price; this tendency of stock prices to move together with the general market cannot be eliminated by portfolio
diversification. Systematic risk is measured by beta, which is the slope of
the regression line between a stock's returns (the dependent variable) and
the returns on the market (the independent variable) over some time. The
higher the beta, the riskier the stock due to fluctuating returns.

A broad application of these risk concepts to cybersecurity would be to perceive the local area networks (LAN) as the domain of unsystematic
risk and wide area networks (WAN) as a source of systematic risk.
Furthermore, the failure of a single component of a digital system or
network can result in larger-scale failures, such as the collapse of essential
infrastructure. For example, a successful attack on the core infrastructure
of the internet such as the Border Gateway Protocol (BGP) would result in
a systematic risk event to an entire country.

10. STANDALONE RISK AND PORTFOLIO RISK

Standalone risk is the risk associated with a specific entity or investment. Standalone risk refers to the aggregate or portfolio risk of a
single company or a single operating unit, division, or asset, within a
company as opposed to a wider, well-diversified portfolio. Cyber risk is
only one of the many operational dangers that a company must deal with.
Cyber risk is the danger of company losses in the digital realm, including
financial, reputational, operational, productivity, and regulatory losses.
Losses in the physical realm, such as damage to operating equipment, can
be caused by cyber risk. It is critical to emphasise that cyber risk is a type
of business risk or standalone risk that primarily affects the firm under
attack. However, because of the interconnectedness of systems and
networks, some cyber hazards may have a larger attack surface, resulting
in digital contagion and systemic failure of these external systems and
networks.
Portfolio risk is the overall risk of a group of assets. The portfolio risk
is normally lower than the sum of the individual risks of the assets in the
portfolio where the assets are not highly correlated. The context of
portfolio risk management in cybersecurity is one where the risk manager
must have a clear understanding of the organization's investment
portfolio's aims to set risk targets according to the corporate risk tolerance,
risk-reward balance, and objectives, within an ERM setting. Doing so will
enable ERM to optimize the enterprise risk portfolio by sharing risk

information through the ERM reporting channel to implement an appropriate risk treatment strategy, and monitor key performance
indicators (KPIs) for the effectiveness of risk mitigation and key risk
indicators (KRIs) for caution against risk exposures.

11. RISK TOLERANCE

Organizations take risks to drive business growth and the level of risk-
taking must be balanced with the organization's risk profile that includes
its risk tolerance and capability to manage risk exposure within the
accepted tolerance. They need to know their risk appetite or risk tolerance levels (the terms risk appetite and risk tolerance are used interchangeably here) as these act as triggers for action. Risk tolerance refers to
the amount of risk that the management is prepared to accept to achieve
the corporation’s mandates and priorities. It is part of the enterprise risk
management policy that guides managers on the amount of risk the
enterprise is willing to tolerate to achieve its objectives. While some
organizations are conservative and more risk-averse, others are willing or
may need to take greater risk and will have to invest more resources into
risk mitigation.
There is no single risk appetite that applies to all organizations, nor is
there a “right” risk appetite (COSO, 2012). Some managers are risk-averse
while others are risk takers creating different perspectives of corporate risk
tolerance (the same can be said for investors). Therefore, through the
enterprise risk management process, the leadership can set its risk
tolerance level and any unwanted exposure may be mitigated and the
company is left bearing the residual risk it is willing to assume. If a risk
exposure falls within the risk tolerance of the firm, the risk manager doesn't
need to take any action. If the risk is greater than the level tolerated by
corporate policy, the prudent manager would examine strategies to
mitigate the risk faced by the company (Oh, Ho, Pham, Huang & Wang
2018).

It should be clear who is responsible for, or has ownership of, setting the risk tolerance policy in a company. The board of directors (BoD) and
senior management should collectively be responsible for agreeing and
establishing the cyber risk tolerance policy, including the Chief Executive
Officer (CEO), Chief Operating Officer (COO), Chief Information Officer
(CIO), and Chief Risk Officer (CRO) in conjunction with the Chief
Information Security Officer (CISO). The board needs to have a clear
understanding of the organization's risk profile to define a cyber risk
appetite statement. The statement must contain specific risk acceptance
criteria. Risk appetite is a senior management decision to accept the
residual risk having considered all relevant risks and after applying
controls to critical risks and it must be communicated throughout the
organization. Cyber risk appetite informs and implicates all business units
in an organization and justifies continuing cross-functional conversations
about its relevancy.
Organizations in highly regulated industries like banks tend to possess
highly mature risk management practices and therefore have a more
established risk tolerance policy. One way to set corporate risk appetite is
to identify risks and then assess them based on the impact of each risk if it
was to occur. The impact of the various risks is then ranked as critical, high, medium, or low. This ranking allows a company to establish a
threshold on what, and how much it can accept or tolerate for each
identifiable risk. Therefore, risk appetite sets the boundaries for
determining which risks can be tolerated and prioritizing those critical
risks that need to be treated.
A business risk appetite policy enables managers to align their risk
efforts to achieve business objectives by prioritizing and allocating
resources to those areas that the company has the least appetite for risk.
For example, for those cyber risks beyond the company's risk tolerance, it
enables the CISO to invest in cybersecurity measures to protect the
company's vulnerable cyber assets to ensure the company's business is
secured at the appropriate costs. Management should also consider
mitigation costs when assessing risks to determine their tolerance of them.
For some risks, it may cost more to implement risk management

solutions than to deal with the problem if it occurs. Regardless of whether the tolerance for cyber risks is zero or high, a formal risk appetite
policy will guide the CISO and other managers on actions as to how much
to invest and devote time to what should be secured.
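As an added illustration (not code from the book or its authors) of how Sections 6, 8 and 11 fit together, the script below scores a constructed cyber risk register as impact multiplied by frequency, ranks each entry from critical to low, compares it against a risk tolerance threshold, and treats a risk only when the control costs less than the loss it prevents, measuring the return on that security spend as prevented losses. The 1-5 ordinal scales, the rank boundaries and all loss figures are assumptions chosen for the example; the book names the scales and the ranking but does not fix their values.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales for the two dimensions the chapter names (impact and frequency).
# The 1-5 values are an assumed convention, not something the book specifies.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
FREQUENCY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class CyberRisk:
    name: str
    impact: str
    frequency: str
    expected_annual_loss: float   # estimated loss per year with no new control
    mitigation_cost: float        # annual cost of the proposed control
    residual_loss: float          # estimated loss per year once the control is in place

    def score(self) -> int:
        """Risk as quantified uncertainty: impact multiplied by frequency (1-25)."""
        return IMPACT[self.impact] * FREQUENCY[self.frequency]

    def avoided_loss(self) -> float:
        """The 'benefit of security': the loss the control is expected to prevent."""
        return self.expected_annual_loss - self.residual_loss


def rank(score: int) -> str:
    """Map a score onto the critical/high/medium/low ranking used to set thresholds.
    The band boundaries are assumed for this example."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def decide(risk: CyberRisk, tolerance_score: int) -> str:
    """Within tolerance: accept, no action. Above it: treat only if the control is
    cheaper than the loss it avoids; otherwise retain the risk and keep it under watch."""
    if risk.score() <= tolerance_score:
        return "accept"
    if risk.mitigation_cost > risk.avoided_loss():
        return "retain"
    return "treat"


def security_roi(risk: CyberRisk) -> float:
    """Return on a cybersecurity investment measured by prevented losses (Section 8)."""
    return (risk.avoided_loss() - risk.mitigation_cost) / risk.mitigation_cost


def evaluate_register(register: List[CyberRisk],
                      tolerance_score: int) -> List[Tuple[str, int, str, str]]:
    """Rank the register from critical to low and attach a decision to each entry."""
    rows = [(r.name, r.score(), rank(r.score()), decide(r, tolerance_score))
            for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; the figures are illustrative, not data from the book.
SAMPLE_REGISTER = [
    CyberRisk("Phishing-led credential compromise", "major", "likely", 400_000, 60_000, 100_000),
    CyberRisk("Ransomware on file servers", "severe", "possible", 900_000, 150_000, 200_000),
    CyberRisk("Defacement of marketing website", "minor", "possible", 20_000, 30_000, 5_000),
    CyberRisk("Loss of a non-production test VM", "negligible", "unlikely", 2_000, 4_000, 500),
]

if __name__ == "__main__":
    # A tolerance score of 4 means only risks in the 'low' band are accepted without action.
    for name, score, level, action in evaluate_register(SAMPLE_REGISTER, tolerance_score=4):
        print(f"{name:36s} score={score:2d} {level:8s} -> {action}")
```

The website defacement case shows the point made above: it exceeds tolerance, yet the proposed control costs more than the loss it would avoid, so the prudent decision is to retain and monitor it rather than treat it.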

CONCLUSION

The focus of this book is cyber risk management, which is becoming a major issue for the private and public sectors. The growing use of technology in businesses and the connectivity of smart devices are contributing to increased cyber risk. Risk management has evolved
significantly as organizations shift from the traditional silo practice to an
enterprise-wide approach and cyber risk control is no exception. As
enterprise cyber threat is an emerging risk, some organizations have fully
integrated cybersecurity with the enterprise risk management (ERM)
function while in other organizations, cybersecurity only has a limited
presence in ERM. Ideally, cybersecurity should be treated as a critical risk
alongside traditional risk areas such as financial risk, supply chain risk,
regulatory compliance, occupational health and safety (OHS) and fraud
detection, and so on.
Some companies consider cybersecurity risks as part of operational
risk in the company's enterprise risk management framework as the
cybersecurity threat landscape poses an increasing challenge for chief
information security officers (CISOs) and senior management. The cyber
threat lurks in the borderless virtual space and creates a risk to companies
because of its anonymity and unpredictable attacks motivated by political and financial gain. On this premise, the government and industry must
work together to develop a robust and formal cybersecurity risk
management framework and regulatory regime to protect themselves and
others, such as the General Data Protection Regulation (GDPR) that has
recently come into force.
The rest of this book will address the different aspects of cybersecurity
starting with Chapter 2 which deals with the cyber risk environment,

Chapter 3 explains the ERM functions with their associated components, and Chapter 5 deals with the various standards and regulations relevant for designing and implementing a cybersecurity-oriented ERM operating framework. Chapters 5 to 9 cover the operating risk management
activities of the ERM process. Last but not least, Chapter 10 discusses the
strategic aspects of cybersecurity risk management and proposes an ERM
model for this purpose.
Chapter 2

CORPORATE RISK ENVIRONMENT AND CYBER RISK

1. INTRODUCTION

The primary objective of the firm is to maximize shareholder wealth and an effective enterprise risk management program enhances corporate
value. Financial theory suggests that rational firms would hedge their risk
exposure to remove the variability in their cash flows. In today’s digital
economy, cyber threats constitute a potential source of variability to the
firm's cash flow in the form of losses to earnings, liability, and capital. The
significance of this view is that by removing variability firms enhance the
predictability in cash flows allowing them to invest in future projects
without uncertainty about the negative impact of price fluctuations.
Therefore, the corporate management team is responsible for identifying, assessing, mitigating and monitoring all the risk variables that ultimately affect the
profitability of the firm. To the shareholders, the risk of the firm is
measured by the required rate of return on their equity investment (Ho, Oh,
Durden & Slade, 2010).

The cyber threat is a significant and growing risk facing businesses with 72% of larger US businesses reporting a cyber-attack in the past year
and 47% of all US firms experiencing two or more (Hiscox, 2017). This
chapter explores the corporate risk environment focusing on cybersecurity
and its implications for enterprise risk management. It explains the existent
and emerging risk exposure from technology and the inherent risks from
cyber threats across corporate functions.

2. CORPORATE RISK ENVIRONMENT

The initial stage of an effective risk-management system is to identify and understand the qualitative differences between the types of risks that organizations face (Kaplan & Mikes, 2012). Understanding risk means that companies can consciously plan for the consequences of adverse outcomes and are therefore better prepared for the inevitable uncertainty (Jorion & Khoury, 1996). Corporate or business risks can be perceived as alpha risks (the competency of the company’s management, i.e., unsystematic risk) and beta risks (the volatility of the market, i.e., systematic risk). Alpha is a historical comparison of an asset's return on an investment (e.g., a firm) to its risk-adjusted expected return. Beta is a historical measure of volatility, and the beta of an asset (such as a stock or a portfolio) is a measure of how it moves in comparison to a benchmark (i.e., a market index). These risks can also be broadly classified into internal risks and external risks according to their source of origin. Generally, alpha or firm-specific risks are internal, and beta or market risks are external. Kaplan and Mikes (2012) suggest there are three types of risk, namely “preventable,” “strategy” and “external,” while Toma and Alexa (2012) identify seven categories of business risk that are considered critical to business enterprises.
Alpha or firm-specific risks are those arising from the firm’s operations such as governance, processes and procedures, human factors, supply chain, physical factors, systems and technological factors, liquidity and production capacity, and marketing methods. They are also known as unsystematic risks from the events taking place within the business enterprise. Theoretically, these unsystematic risks can be diversified away by holding a portfolio of assets according to investment portfolio management (Markowitz, 1952).

Corporate Risk Environment and Cyber Risk 25
Beta or systematic risks emanate from the political and economic environments or from events occurring outside the business enterprise. Beta risks are those related to economic factors, natural factors, regulatory and political factors, social trends, legal systems, intergovernmental agreements, competition, terrorist and criminal activities, international health issues, and financial markets. In finance, systematic risk cannot be diversified away by holding a portfolio of assets, and investors are rewarded for taking on systematic risk.
Both the systematic and unsystematic risk factors collectively contribute to the aggregate risk exposure of the firm.
Modern business technologies permeate all business activities from the
board down to the factory floor, which means that many organizations, big
or small, treat cybersecurity as a key management focus to prevent harm
to their organizations. All ICT processes that support information systems,
networks, and data are important digital assets of the organization. Figure
2.1. depicts the corporate risk environment where cybersecurity poses a
significant underlying risk to technology-dependent organizations in
modern business. Each enterprise has its “own unique business and
organizational structure” and “the data used to measure the risk will vary
by organization, process, and functionality” (Toma & Alexa, 2012).
Likewise, corporate cyber risk exposure is dependent upon the industry,
size, structure, and risk profile of a particular enterprise and the main risk
concerns are business interruption, data loss, theft of intellectual property,
and reputational loss. Generally, larger companies defined as having 250
or more employees are better resourced and prepared to deal with the cyber
risk but they are also more likely to be targeted (Hiscox, 2017).
Figure 2.1. depicts the corporate risk environment with the pervasive cybersecurity risk influence on the various risk groups and risk categories. The alpha risk or unique risk is firm-specific and only affects the firm, while the beta risk is a market-wide risk that impacts all firms. Operational risk relates to potential losses from inadequate or failed internal processes and people. There are three types of operational risk, namely technology risk, fraud risk, and human factor risk (Crouchy, Galai, & Marck, 2006). All three are relevant to cybersecurity as they define some of the implicit causes of cyber-attacks. Political risk to a firm arises as a result of political instability or change, and environmental risk relates to the probability and consequence of a natural disaster or environmental accident. The economic risk or systemic risk is an external risk that is affected by economic factors such as unemployment, income tax, or gross domestic product. Political risk and economic risk can affect the firm through its operations, thus creating unwanted risk exposure.

[Figure 2.1: Corporate Risk Environment. Cybersecurity Risk is shown spanning the Alpha and Beta risk groups.]

Figure 2.1. Corporate risk environment.

The corporate risk environment contains several layers of cyber threats that are inherent in both the internal (alpha) and external (beta) support infrastructures. Figure 2.1 shows these layers as administration, operation and customer (operations), sovereign and environment (politics & environment), and market (economics). The supply chain has also become the main concern as a source of cyber risk emanating from third parties such as suppliers and service providers (Starr, Newfrock & Delurey, 2003). Hence, in recognition of the need for risk management actions and resilience to cyber-threats in the supply chain, NIST has recently added a new category that deals with ICT supply chain risk under the 'Identify' function of its NIST/CSF framework.
The “Global Risk Management Survey 2017” report by Aon Corporation presents the top 10 risks in 2017 and those projected for 2020 (Table 2.1). The top four risks have underlying technology implications and, as a consequence, they are likely to have implications for cybersecurity-related issues. The reported top 10 risks are as follows [6]:

Table 2.1. Top 10 risks in 2017 & 2020

2017 Top 10 Risks:
1. Damage to reputation/brand
2. Economic slowdown/slow recovery
3. Increasing competition
4. Regulatory/legislative changes
5. Cybercrime/hacking/viruses/malicious codes
6. Failure to innovate/meet customer needs
7. Failure to attract or retain top talent
8. Business interruption
9. Political risk/uncertainties
10. Third-party liability (inc. E&O)

Projected 2020 Top 10:
1. Economic slowdown/slow recovery
2. Increasing competition
3. Failure to innovate/meet customer needs
4. Regulatory/legislative changes
5. Cybercrime/hacking/viruses/malicious codes
6. Damage to reputation/brand
7. Failure to attract or retain top talent
8. Political risk/uncertainties
9. Commodity price risk
10. Disruptive technologies/innovation

Aon (2017) reveals new driving factors such as cyber-crimes that have
evolved from stealing personal information and credit cards to hacking and
coordinated attacks on critical infrastructures. This changing situation
requires an array of new strategies, techniques, and tools to counter the
new complexities of risks.

[6] Global Risk Management Survey 2017. http://www.aon.com/2017-global-risk-management-survey/pdfs/2017-Aon-Global-Risk-Management-Survey-Full-Report-062617.pdf (accessed 15/10/2020).

3. CORPORATE CYBERSECURITY

As business increases the use of the Internet to conduct operations, corporations need to implement effective cybersecurity measures to protect their systems, networks, and data from cyber-attacks. Cybercrime involves using computers on the Internet to break the law, such as disrupting business operations by attacking corporate business systems, stealing data, and illegally accessing information to carry out identity theft and fraud for financial gain.
While corporations have largely focused attention on the threat of data and privacy breaches, the emerging threats in the corporate cyber environment are more diverse and complex. Cyber risk exposures are already threatening businesses in the form of business interruption, intellectual property theft, and cyber extortion from a potential cyber-attack. These types of cyber threats can result in the business suffering financial losses due to reputation and brand damage, fraud, disruption to business, extra costs incurred to restore affected systems, and the compliance cost of notifying the relevant authorities of the breach. To be on top of the game, firms should adopt a risk-based systems approach that integrates the “physical, information, cognitive, and social domains” to better understand and manage cybersecurity (Collier, Linkov & Lambert, 2013).

4. IMPACT OF TECHNOLOGY

The global economy has undergone a significant change in the last two decades from one which was based on traditional land, labor, and capital to one that includes information technology as another indispensable factor of production. The digital world embraces information and data processing as an inalienable part of the modern business model. The technological world is rapidly evolving with more connectivity, interdependence, and speed of business networks. This development is largely driven by artificial intelligence (AI), quantum computing, cloud solutions, 5G communication, the Internet of Things (IoT), the use of robotics in manufacturing, big data, and automated logistics.
Leveraging technology enables companies to become more efficient
in terms of cost, productivity, and reach which enhances business
competitiveness. For example, network technologies have globalized
information communication changing the ways enterprises conduct their
global value chain activities and business models. Also, cloud computing
has allowed more storage space and reduced costs. However, these benefits
also increase the cyber risk exposure of the organization’s systems,
networks, and data. Enterprises are experiencing a large number of cyber breaches, threats, and attacks, and there is a growing urgency for them to act swiftly and with precision to prevent disruptions to their operations and bottom line. Sensitive data may be at risk of financial fraud or identity theft if it falls into the wrong hands. With the increasing use of technologies in business and our lives, large amounts of information are generated and shared online. The rapid rise of incidents such as data breaches, malware, phishing, ransomware, DDoS, trojans, and social engineering attacks has already created many challenges for these enterprises.

5. CRITICAL SYSTEMS, NETWORKS, AND DATA

The three main aims of cybersecurity are described as protecting the “Confidentiality, Integrity and Availability” of information, commonly known as the CIA triad (or CIA model). Cyber RM protects confidentiality by keeping sensitive information private, integrity by maintaining the consistency of systems, networks & data, and availability by ensuring that authorized users have unimpeded access to the organization’s information systems.
The critical information assets of a company can be categorized as systems, networks, and data. Critical assets and sensitivity levels differ significantly among companies and industries, as certain systems, data, and applications are more vulnerable than others (McKinsey, 2017). A successful cyber-attack on critical assets will lead to business operational disruption, loss of reputation, or compliance infringement, which will likely result in economic losses to the company.

5.1. Critical Systems

The first step in ERM is being able to identify the organization’s critical systems, networks, and data. The Business Impact Analysis (BIA)
method (Chapter 6) is widely used for identifying critical systems,
networks, and data, and prioritizing their criticality to business operations.
A critical system is one whose failure could endanger the existence of the
organization that runs it, the environment it operates in, or human lives
(Koski & Mikkonen, 2015). Respectively, they are referred to as mission-
critical, business-critical, and safety-critical systems. Mission-critical
systems are charged with carrying out the functions of organizations for
achieving their stated objectives; a failure would result in an organization's
incapacity to carry out its core operations. A business-critical system has a
special role to play in the efficient delivery of a company's services and
downtime would interrupt service delivery and result in economic losses.

Table 2.2. Industry critical systems

Industry - System: Purpose

Retail - Point-of-Sale (POS): for processing customer payments.
Education - Learning Management Systems: for conducting planning, delivery, and assessment of online learning.
Power, utilities, and manufacturing - Industrial control systems (ICS) (e.g., Supervisory Control and Data Acquisition (SCADA) systems): control of industrial processes where hardware is integrated with the software.
Finance - Avaloq Core: fintech integration and consolidation of services.
Healthcare - Healthshare: storing health records.
Aviation - ERP systems: for consolidating compliance, flight time tracking, inventory control, manuals, service bulletins, and maintenance schedules.

A safety-critical system safeguards the physical safety of a company's employees as well as the environment. Table 2.2 presents some examples of industries and their critical systems.

5.2. Networks

An information network is a collection of two or more computers that are connected to share data and resources such as printers and hard drives. It is also known as a computer network. Networks help to transmit data in and out of the organization. The most common type of computer network used for company administration is a local area network or LAN. LANs, commonly implemented over Ethernet (wired) or Wi-Fi (wireless), are networks with restricted connections among devices that are close to each other.
A wide area network (WAN) is a huge computer network that connects
multiple computers across long distances. Large corporations frequently
utilize wide area networks (WANs) to connect their office networks; each
office normally has its LAN, which connects via a WAN. The Internet is a
WAN in and of itself.

5.3. Data

Data deemed critical to an organization's success or that must be preserved for regulatory purposes is referred to as critical data. The organization's servers house large amounts of confidential information that is accessed and used throughout the organization daily. Examples of critical data are employee information, customer data, operational data, intellectual property data, financial data, and any personal information that is covered by data-protection laws. This raises the question of how to restrict access to keep this information confidential. Confidentiality refers to restricting access to networks and data to authorized personnel only. Unauthorized access is often prevented by using data encryption algorithms such as RSA [7], AES (Advanced Encryption Standard) [8] and Twofish/Blowfish [9]. Encryption alters the stored information, making it incomprehensible and therefore unusable to unauthorized users.
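As an added illustration of the preceding paragraph (example code, not from the chapter or its authors), the following Go program encrypts a constructed critical-data record with AES so that the stored blob is unusable without the key, and shows that tampering with the blob is detected on decryption, which covers both the confidentiality and the integrity legs of the CIA triad. The choice of GCM mode, the record format and the key-handling helper are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed stand-in for the critical data the chapter
// lists (here employee PII); a real system would read it from its own stores.
var sampleRecord = []byte(`{"employee_id":"E-1042","name":"A. Example","ssn":"000-00-0000"}`)

// newKey draws a fresh 256-bit AES key from the OS CSPRNG (in production the key lives in a KMS/HSM).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptAtRest seals a record with AES-256-GCM, giving confidentiality (the
// blob is unreadable without the key) and integrity (any altered byte is
// detected on decryption). Output layout: nonce || ciphertext || tag.
func encryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes; never reuse under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest reverses encryptAtRest. It returns an error and no plaintext
// when the key is wrong or the stored blob was modified in any way.
func decryptAtRest(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// roundTripChecks verifies what a practitioner should test before trusting an
// at-rest encryption layer: the right key recovers the record, the plaintext is
// not visible in the blob, and a wrong key or a tampered blob is rejected.
func roundTripChecks() error {
	key, err := newKey()
	if err != nil {
		return err
	}
	blob, err := encryptAtRest(key, sampleRecord)
	if err != nil {
		return err
	}
	if bytes.Contains(blob, []byte("000-00-0000")) {
		return errors.New("plaintext leaked into the stored blob")
	}
	got, err := decryptAtRest(key, blob)
	if err != nil || !bytes.Equal(got, sampleRecord) {
		return errors.New("decryption with the correct key failed")
	}
	wrongKey, err := newKey()
	if err != nil {
		return err
	}
	if _, err := decryptAtRest(wrongKey, blob); err == nil {
		return errors.New("wrong key was accepted")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored record
	if _, err := decryptAtRest(key, tampered); err == nil {
		return errors.New("tampered blob was accepted (integrity failure)")
	}
	return nil
}

func main() {
	fmt.Println("error from checks (nil means all passed):", roundTripChecks())
}
```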

6. HUMAN FACTORS

Cybersecurity depends on human factors (people) and non-human factors (hardware and software) because cyber-attacks are intended to cause confusion and information overload to influence human behavior (Cayirci & Ghergherehchi, 2011). Human factors play an important part in the cyber risk environment, both through their role in providing the leadership and resources for the risk control processes and as a vulnerable element exposing the enterprise to cyber risk. In-house personnel should be taken seriously in developing a holistic and effective cyber risk framework for the company. The recent WannaCry ransomware attacks epitomize how the human factor played a major role in making businesses worldwide vulnerable. Therefore, the human factors of cybersecurity represent the human activities or actions (or non-actions) that result in a malicious hack or data breach. NIST/CSF (2014), under its Protect function in subcategory PR.IP-11, prescribes that cybersecurity should be included in human resources practices.
Humans are the weakest link in the enterprise cybersecurity chain (Dodel & Mesch, 2019). Humans are currently the greatest threat to data security and are putting businesses at risk, whether due to the impact of externalities (Anderson & Moore, 2006; Gordon, Loeb, Lucyshyn, & Zhou, 2015), intentionally, or through their carelessness or lack of knowledge (Hadlington, 2017). There is a paucity of information about the correlations between human behavior and cybersecurity. Although technological advances and cybersecurity challenges transcend national borders, more research is needed on the implicit role played by country-specific factors on humans such as culture (Henshel, Sample, Cains, & Hoffman, 2016), demographics (Klimoski, 2016; Lau, Pastel, Chapman, Minarik, Petit & Hale, 2018) or legal regime to improve cybersecurity risk management. A proactive approach is needed for businesses to plan and invest in the human component of cybersecurity to avoid attacks that can cost the organization millions of dollars. Cyber risk awareness is the first line of defense for a company's digital assets. Human failings such as carelessness, lack of knowledge, haste, misinformation, and susceptibility to social engineering trickery are targeted and exploited by cybercriminals. Most cyber-attacks on employees are cleverly designed and targeted through social engineering to prey on vulnerabilities using techniques that are proven to have a high rate of success.

[7] The RSA algorithm is named after its designers, Ron Rivest, Adi Shamir, and Leonard Adleman (Rivest-Shamir-Adleman), who came up with the encryption method in the 1970s while working at the Massachusetts Institute of Technology.
[8] AES was designed in 1998 by the Belgian cryptographers Vincent Rijmen and Joan Daemen. Its original name was Rijndael. NIST chose AES as the new encryption standard as it was declassified and was deemed 'capable of protecting sensitive government information well into the next century'. It is popular for its easy implementation.
[9] Twofish is a successor to Blowfish. Both methods were developed by the same designer, Bruce Schneier. Blowfish was designed in 1993 as a general-purpose algorithm and the security of the cipher has been tested and proven over time. Both methods are symmetric, meaning the same key is used for enciphering and deciphering. Neither method has been patented and both are free to use.

7. CYBER RISK LANDSCAPE

Cyber risk management has become a severe preoccupation for large organizations and the public sector. The growing use of technology in businesses, smart devices (e.g., smart home appliances), and personal mobile devices, like tablets, smartphones, watches, and glasses, is contributing to increased cyber risk. The embrace of the digital economy has exposed companies to the potential loss of confidentiality, integrity, and availability of proprietary information from cyber events, both accidental and deliberate. Cyber threats can manifest in different ways that may involve human and/or non-human intervention. The four categories of cybersecurity issues are access to information systems, secure communication, security management, and development of secure information systems (Siponen & Oinas-Kukkonen, 2007).

The cyber risk landscape has seen a dire change in the methods of cyber-attacks on organizations. An objective assessment of the organization's cyber landscape is necessary to identify and mitigate any cybersecurity gaps and threats. The distinction between the internal and external digital architectures of organizations has become blurred with the rise of the Internet of Things (IoT), the proliferation of mobile devices, and third-party cloud services. The extension of the digital borders has made it harder to protect against hackers as they exploit the expanding attack surface where there is no clear line of defense. Many organizations believe the perimeter is the frontline of defense [10], but it is only one component of the overall cybersecurity strategy. Defending a network and its data with many layers of security is known as defense in depth. The cyber landscape can thus be summarised as follows:

• The interconnectedness between various parties to conduct various business activities has created a diverse cybersecurity risk landscape;
• All business entities are exposed to the challenge of dealing with cyber risk;
• Cyber threats were once considered to affect only information assets, but the increasing use of physical systems that are integrated with online cyber systems allows cyber-attacks to impact the physical sphere;
• The Internet of Things (IoT) refers to physical devices that are connected through the internet and thus integrate the cyber world with the physical world; and
• These smart and mobile devices are augmented with communications, information storing, and sensory technologies.

7.1. Cyber Threat, Vulnerability, and Risk

ISO 27000 (2014) defines cyber risk as “information security risk is associated with the potential threats that will cause vulnerabilities of an information asset or group of information assets to be exploited and thereby cause harm to an organization.” NIST (2002) describes cyber risk as “IT-related risks arise from legal liability or mission loss due to: (i) Unauthorized (malicious or accidental) disclosure, modification, or destruction of information; (ii) Unintentional error and omissions; (iii) IT disruptions due to natural or man-made disasters; (iv) Failure to exercise due care and diligence in the implementation and operation of the IT system.”

[10] Perimeter defense is one level of protection for an organization's network against cyber-attacks, and it acts as a firewall against external threats.
Cyber threats have become a major concern for both the public and
private sectors with recent attacks such as the ransomware attack on
National Health Service Trusts [11] in May 2017 and the Yahoo breach [12] in
December 2016 that caused major disruptions to business, and the Dyn [13]
attack, which saw IoT devices turned into a huge botnet that brought down
several online services. Cyber-attacks are increasing in scale and severity,
and organizations are starting to recognize that they are now a matter of
when not if. Cyber threats can manifest in the forms of loss of
data/confidentiality, cyber extortion or ransomware, network downtime,
theft of intellectual property, human error, virus transmission, internal
sabotage, and hacker attack. They can also result in the destruction or
corruption of financial records, email records, customer records, employee
personal information, trade secret, and supply chain files.
The management literature defines the concept of a threat as an external risk factor to an organization. However, in the context of cybersecurity, threats refer to circumstances or events, originating from external or internal sources, with the potential to result in losses to an organization by way of their outcome. Vulnerabilities in an organization’s information systems, networks or servers, or in its cybersecurity measures, are weaknesses that can be exploited to make those threat outcomes possible and so cause damage or loss. A cyber threat can manifest itself in the form of a security incident (an attack) or a breach. An act that seeks to unlawfully access data, damage information, or disrupt digital operations, whether by accident or by exploiting weaknesses in an organization's information systems or cybersecurity measures, is regarded as a cyber threat. Threats can be categorized as malicious or unintentional and internal or external. Malicious internal threats are hostile acts committed by insiders to gain unauthorized access to vital information systems. Malicious external threats are attempts by outsiders to gain unauthorized access to sensitive information systems. Unintentional external threats are dangers that occur as a result of the organization's interactions with external actors. Unintentional internal threats by insiders are acts that may have a detrimental impact on the firm's systems but are usually due to human error or neglect.

[11] The United Kingdom.
[12] One billion accounts held at Yahoo were compromised.
[13] On October 21, 2016, systems operated by Domain Name System (DNS) provider Dyn were targeted in a series of distributed denial of service (DDoS) attacks.
A cybersecurity incident is a general term referring to the fact that attempts have been made to compromise an organization's systems, networks, or data (Von Solms & Van Niekerk, 2013). A security incident involving a compromise of data confidentiality, integrity, or availability is commonly referred to as a data breach, where unauthorized users gain access to sensitive information. Data includes personally identifiable information (PII), protected health information (PHI), and intellectual property. A data breach is a type of security incident, but not all security incidents are data breaches. Therefore, an organization that successfully repels a cyber-attack has experienced an incident but not a breach.
A security incident may not involve data at all but can refer to any cyber event that violates an organization's critical system or network infrastructure. Cyberattacks that are carried out to disrupt computers, networks, and servers to interrupt business operations are considered security incidents. Therefore, attacks using malware, ransomware, and DoS/DDoS are classified as security incidents.
Cybercriminals access the information and data of businesses, customers, and employees for financial gain or to disrupt a company’s operations for other motivations. Therefore, companies must understand the attack methods cybercriminals are likely to use to gain access to their cyber-infrastructures in order to prepare for a cyberattack. The common types of cyber threats, attacks, and installation methods employed by these threat actors are malware, phishing, DDoS, man-in-the-middle, drive-by downloads, malvertising, SQL injection, and password attacks. The threats, attack methods, and potential risks are summarized in Table 2.3 below:

Table 2.3. Types of cyber threats

Malware
Attack & installation methods:
• Spamming businesses to plant malware and compromise computers using email attachments, software downloads, and operating system vulnerabilities.
• Use of computer viruses, worms, rootkits, adware, spyware, trojan horses, and ransomware.
Potential risk:
• Data breach
• Digital economic espionage - stealing intellectual property or products in development
• Data theft or damage to systems

Social engineering/Phishing
Attack & installation methods:
• Malicious activities carried out through human interactions, such as with employees or customers.
• Obtaining and exploiting user passwords, usually via emails that redirect users to bogus websites.
• Phishing is exploited for stealing banking/login credentials & data and impersonating users.
• Attempts to infect as many organizations or people as possible through phishing and spear phishing to encrypt their data.
Potential risk:
• Cyber extortion & ransoming - demanding money for undoing encrypted data

Distributed Denial of Service (DDoS)
Attack & installation methods:
• A sub-category of denial of service (DoS) that requires the use of multiple connected devices, called botnets, to inundate targeted websites with massive fake traffic.
• The purpose of the attack is to disable a system and make a service unavailable.
Potential risk:
• Network downtime
• Ransoming

Man-in-the-middle
Attack & installation methods:
• Impersonating the person or entity on the other end of a communication.
Potential risk:
• Loss of communication confidentiality

Drive-by downloads
Attack & installation methods:
• Drive-by download refers to the automated download of software to a user's device, without the user's knowledge or consent.
• Occurs when computers are infected by visiting legitimate websites.
• Hackers can deploy a variety of malicious applications to a victim’s device such as trojan horses (backdoors or rootkits to provide remote control of the user’s device), ransomware (allows the attacker to encrypt or destroy data on the device), and botnet toolkits (attackers may directly install a botnet application that performs actions like sending spam email or participating in DDoS).
Potential risk:
• Data breach
• Network downtime

Malvertising
Attack & installation methods:
• An infected advertisement is used by perpetrators to inject malicious code into legitimate online advertising networks.
Potential risk:
• Virus transmission
• Infecting consumers with malware by infecting ads and banners on websites

Password attack/Brute force
Attack & installation methods:
• An attempt to steal or decrypt a password. This is usually done by using brute force, password sniffers, cracking programs, keylogger attacks, and dictionary attacks.
• The brute force method uses trial-and-error to guess login information or encryption keys to gain access to a site or server.
Potential risk:
• Data breach
• Digital economic espionage
• Attack on websites

Rogue software
Attack & installation methods:
• Also referred to as smitfraud or scareware. It is essentially malware designed to cause disruptions to a computer system by tricking the user into purchasing anti-virus software.
• Once the scareware is downloaded the user's computer is infected.
Potential risk:
• Fraud by deceiving victims into paying for the removal of fake malware

Structured Query Language (SQL) injection
Attack & installation methods:
• SQL injection is a hack using malicious code injection to destroy or manipulate a database and gain access to potentially valuable information.
Potential risk:
• Compromised data integrity
• Data theft

Advanced persistent threat (APT)
Attack & installation methods:
• A generic term for an attack operation in which an intruder, or a group of intruders, establishes a long-term unlawful presence on a network to mine extremely sensitive data.
Potential risk:
• Compromised data integrity
• Data theft

Incorporating innovative technology approaches in products and processes is the primary focus for improving cyber security. However, technology isn't the only means through which hackers can get access to a target system. They usually use social engineering tactics that take advantage of human error and neglect. Exploiting human weaknesses to get access to personal information and protected systems is known as social engineering. So instead of hacking computer systems to get access to a target's systems, social engineering depends on exploiting people. Phishing is a type of social engineering in which a cybercriminal poses as a trustworthy company and asks for personal information via email or malicious websites. Malicious email is the most common type of cybersecurity issue, and phishing and spearphishing emails have remained the most common cyber security incidents (ACSC, 2020). Defending against social engineering attacks necessitates greater attention to the human part of cybersecurity, such as increased security awareness training that causes employees to reconsider clicking on certain emails. A better understanding of human behavior in the cyber security equation can lead to more effective products and processes (Sasse & Flechais, 2005; Predd, Pfleeger, Hunker, & Bulford, 2008; Pfleeger, Predd, Hunker & Bulford, 2010).

7.2. Cyber Threat Actors

The most common forms of threat actors that have evolved from the cyber world and pose a risk to an organization's cybersecurity by gaining unauthorized access to hardware are cybercriminals, business rivals, insiders, and nation-states. Cybercriminals are motivated by financial gains and they threaten an organization by stealing data, money, and information through data theft, ransoming, and extorting activities. Cybercriminals are professional and organized and they work as individuals or teams to commit malicious activities [14]. Business rivals carry out cybercrime to disrupt a business or illegally access data to gain a competitive advantage, which will almost certainly result in financial losses for the target company. Insiders are current or former workers, suppliers, sub-contractors, and other partners who pose a threat to an organization when they compromise a firm’s business networks. Their illicit activities can be either malicious for financial gains or the result of an emotional motive [15]. Unintentional acts are a result of human error, negligence, or insufficient knowledge. Through espionage, disruption, and theft, nation-states are dedicating substantial time and resources to attaining strategic cyber advantage to enhance their national objectives, intelligence gathering capabilities, and military capability [16].

8. INDUSTRIES AT RISK

Losses due to a cyber breach can come in different forms. Organizations that possess intellectual property (IP) as valuable assets are susceptible to significant financial losses due to an accidental or deliberate breach or theft. Systems, networks, and data (SND) are valuable assets to most organizations, and any business disruption or loss of data due to a cyber breach can result in loss of market value (Kamiya, Kang, Kim, Milidonis & Stulz, 2020). Private data held by an enterprise, such as personally identifiable information (PII), should remain confidential, and any unauthorized disclosure from a cyber breach can result in costly litigation and regulatory fines against the organization.
A cyber breach can also cause severe business interruption to an
organization’s operations or system failure, resulting in a loss of revenue or
civil liabilities from customers. Professional cybercriminals who are
sophisticated in using IT to carry out cyber fraud or scams on
organizations, particularly financial institutions, are becoming a common
threat. These cybercriminals are also involved in holding organizations to
ransom using ransomware and DoS/DDoS attacks.
Overall, a cyberattack can cause considerable reputational damage, as an
attack that causes considerable harm to the organization is likely to be
perceived negatively, resulting in a loss of confidence among stakeholders such
as investors, shareholders, customers, and regulators.

¹⁴ Sina Weibo is one of China’s largest social media platforms. In March 2020 an attacker
obtained part of its database containing 538 million Weibo users and sold the database
on the dark web for $250.
¹⁵ Alibaba lost 1.1 billion pieces of user data in 2019 to a developer working for an affiliate
marketer.
¹⁶ Examples include a malware attack on Saudi Aramco in 2012, the theft by cybercriminals of
500 million accounts from Yahoo in 2014 through a phishing scheme, the DDoS attack on
GitHub in 2015, and the breach of a US nuclear facility in a cyberattack in June 2017.
Those industries that are normally vulnerable to cyber-attacks are
financial services, healthcare, government, education, energy & utilities,
and business (retail, manufacturing & e-commerce). The ACSC (2020)
reported that about 35% of incidents involved critical infrastructure in
Australia, including energy, water, health, communications, and education
(Table 2.4).

Table 2.4. Cyber security incidents, by affected sector (1 July 2019 to 30 June 2020)

Government/Federal 20%
Government/State 16%
Other 9%
Individual 9%
Education & Research 5%
Financial services 4%
IT 4%
Health 7%
Retail 3%
Professional services 3%
Water 3%
Communications 2%
Transport 2%
Mining & resources 1%
All other sectors 10%
Source: Australian Cyber Security Centre, 2020.

CONCLUSION

Management needs to have a clear knowledge of the cyber threats in
their organizations to appreciate the risk implications to the business and
how these cyber threats can be addressed in the risk control system. The
ability of an organization to prevent harmful malware from reaching its
critical information systems is vital to cybersecurity. Malware comes in a
variety of forms, each with the potential to cause catastrophic damage to
systems, networks, and data. Protecting an organization from social
engineering attacks necessitates an acute understanding of the techniques
and software that criminals are likely to use.

Chapter 3

CYBERSECURITY ENTERPRISE
RISK MANAGEMENT

1. INTRODUCTION

Extant literature refers to Enterprise Risk Management (ERM) as an
aggregate risk control practice that is synonymous with strategic risk
management, enterprise-wide risk management, integrated risk
management, holistic risk management, and corporate risk management
(D’Arcy, 2001; Liebenberg & Hoyt, 2003; Kleffner, Lee & McGannon,
2003; Hoyt & Liebenberg, 2006). Firms use ERM as a governance tool for
predicting and managing risks as it enables them to prepare for risk
mitigation along different dimensions for improving strategic and
operational risk management. It is also a compliance device to ensure
regulatory conformity. The purpose is to enhance planning to help an
organization achieve its goals taking into consideration an organization's
tolerance for risk and opportunities in the market.
Comprehensive knowledge of the role and purpose of corporate risk
management provides a useful insight and allows the development of
practical frameworks of the risk control levers that can optimize
organizational performance (Ho et al., 2010). This chapter introduces the
enterprise risk management approach as a management process for
decision-making by analyzing the steps involved in its implementation to
ensure risks are identified and managed effectively within an enterprise. In
this day and age of online business, the benefits of cyber risk management
(CRM) are substantial. The literature suggests shareholders react
adversely to cyber-attacks (Bose & Leung, 2014; Modi, Wiles &
Mishra, 2015; Higgs, Pinsker, Smith & Young, 2016), and CRM helps
in addressing the threats and establishing the appropriate defenses. In the
World Economic Forum's 2017 Global Risk Report, cyber risk was
highlighted as the risk of greatest concern to doing business in more than
one-third of OECD countries. The benefits to a company include increased
shareholder value from efficient risk mitigation resulting in a better brand
and reputation, and optimized risk-return outcomes from being able to
promptly identify and address risk for better outcomes for the whole
company. ERM theory postulates that all risks should be managed together
in a portfolio (Bezis, 2014; Bromiley et al., 2015; McShane, 2018). In this
chapter, we discuss the attributes of an effective ERM framework by
advocating a holistic approach for embedding and maintaining a CRM
program within the ERM framework capable of categorizing, evaluating,
and managing cyber threats.
The organization’s business strategy is articulated in its objectives that
are aligned with its risk appetite when formulating risk strategies. The
entity’s Board of directors and senior management are responsible for
establishing the ERM processes that set the strategy for managing risk
across the enterprise within its risk appetite, thereby assuring the
achievement of the entity’s objectives. The enterprise risk management
(ERM) framework adopts a high-level approach on the process, guidance,
and direction to risk control by providing "a robust and holistic top-down
view of key risks facing an organization" (COSO, 2009). The ERM process
enables management to strategize risk control, identify, assess, mitigate
and monitor risk in the face of uncertainty sequentially and holistically as
risks span across different business functions. Therefore, the company’s
risk control program is designed to provide value for its stakeholders by
incorporating the cyber risk strategy into the ERM framework to allow the
entity to effectively manage cyber risk. This gives the entity a portfolio
perspective for managing cyber risks for better outcomes.

2. VALUE CREATION

Appreciating the nature of risks is to take advantage of opportunities
that arise from them to create value for the firm. The connection between
business growth and technology is indisputable and while firms leverage
technology to create value, risk management efforts enhance value by
protecting firms against cyber threats (Figure 3.1). The absence of or
inadequate risk management policies can result in adverse economic
consequences to organizations and their stakeholders. Weak risk
management can result in significant “dead weight” costs in organizations,
which negatively affect organizational value (Kerzner, 2009). Firms must
treat the enterprise risk management process as a central function that
involves a strategic and definitive risk policy, quantitative analysis,
mitigation, monitoring, and reporting to add value (Oh et al. 2018).
Beasley et al. (2008) suggest that the equity market reacts positively
to the appointment of senior management to oversee a firm’s ERM
processes. Hoyt and Liebenberg (2011) found a positive relationship
between the appointment of a CRO and firm value. Andersen and Roggi
(2012) investigated the correlation between effective risk management and
reduction of earnings and cash flow volatility. They concluded that there
are significant positive relationships to lagged performance measures
between the variables after controlling for industry effects and company
size in their study. However, the results from other studies on the
correlation between ERM and firm value have been inconclusive.
The goal of ERM is to systematically coordinate and manage all risks,
both strategic and operational risks, relating to corporate governance,
finance, production, information technology, human resources, supply
chains, or distribution networks. ERM implies a portfolio theory approach
to create value to benefit shareholders, managers, and stakeholders because
the aggregate risk of a portfolio should be less than the sum of the
individual risks provided the risks are not 100% correlated.

Figure 3.1. Value creation from portfolio risk management.

3. STRATEGIC CYBER RISK MANAGEMENT

Cyber risk control constitutes a part of the organization’s risk
management initiative and should be embedded within the broader
enterprise risk management strategic framework. Strategic cyber risk
management is crucial to the firm for value creation (Young, 2000)
because firms that have identified the risks are better prepared to deal with
them more productively and cost-effectively. Cyber risks can be construed
as risks that possess the risk characteristics of Kaplan and Mikes’ (2012)
risk categories of “strategy risk, preventable risk, and external risk.” Cyber
risks can be considered strategy risks because they originate from
leveraging information technology in business "to generate superior
returns." Cyber risks are "preventable" by "monitoring operational
processes and guiding people's behaviors and decisions toward desired
norms." While it may not be possible to eliminate "preventable" cyber risks,
they should be kept within the organization's accepted risk tolerance.
Examples are to increase employees' cyber risk management knowledge,
instill a strong cyber risk culture, and ensure compliance with operational
risk management policies and processes to avoid compromising the
organization's information infrastructure. Cyber risks also have an
"external" dimension to them, as some arise from external events that are
beyond the organization's influence or control. Some of these external factors are
advances in hacking technology, criminal intent, and third-party network
vulnerabilities.

Figure 3.2. ERM, SRM & ORM processes.

A comprehensive and robust enterprise risk management framework
is the foundation for cyber defense (Figure 3.2). Strategic Risk
Management (SRM) is a high-level function used to manage risks in an
organization to enable the organization to achieve its strategic objectives.
At the strategic level, management must allocate budgets for planning and
implementing the risk management policies. Therefore, senior
management must be involved in formulating and monitoring the strategic
risk management policies and processes. The risk management process
starts with the board of directors. Board members must ensure that a clear
strategy, policies and processes are established and implemented for
effective cybersecurity governance.
Operational Risk Management (ORM) is a process for conducting risk
identification, risk assessments, making risk choices, and putting risk
controls in place. The execution of the corporate risk management policy
aimed at mitigating risk exposure is conducted at the operational level.
The performance or results of the risk management process must be
continuously monitored and reported to management to ensure that
policies are constantly under review and evaluation to ensure they remain
relevant and effective.

Figure 3.3. Five attributes of cybersecurity risk management.

There are five critical attributes for effective cybersecurity risk
management (Figure 3.3) according to Chaudhary and Hamilton (2016)¹⁷.
The different industry and organizational settings of companies and the
scale, complexity, and ever-changing nature of cyberattacks mean that
there is no one-size-fits-all solution for cybersecurity risk management.
According to Chaudhary & Hamilton (2016), to be effective, the five traits
outlined here must be part of a company's approach to limit the risk of
business disruptions and data breaches.
An "effective cybersecurity framework" is necessary, at the top, to
establish the corporate vision, goals, and objectives for safeguarding the
CIA of the company’s information assets. It provides the plans, policies,
and guidelines for the cybersecurity process to be implemented to achieve
the firm's cybersecurity objectives. A “balanced distribution of
responsibility” helps to define the role and responsibility of each member
in carrying out the cybersecurity plan. A “holistic approach to
cybersecurity” will ensure that protection measures for technical, human,
physical, and intangible assets (Gerber & Von Solms, 2005) are considered,
addressed, and observed to protect the firm's critical assets against cyber
threats. An “effective risk assessment process” will accurately identify the
cyber threats the firm is exposed to and quantify the adverse impact on
critical business operations. Last but not least, a comprehensive “incident
response plan” is important for a quick and efficient response to a cyber-
attack to minimize the damage and also to recover from the event
(Chaudhary and Hamilton 2016).

¹⁷ “The Five Critical Attributes of Effective Cybersecurity Risk Management,” Raj Chaudhary
and Jared Hamilton (2016), BankDirector.com, Charting a Course for America’s Banking
Leaders. https://www.crowe.com/-/media/Crowe/LLP/folio-pdf/The-Five-Critical-
Attributes-of-Effective-Cybersecurity-Risk-Management_FS-16003-202A.pdf (accessed
12/9/2020).

4. CONVERGENCE BETWEEN ERM & CYBERSECURITY

This section examines the need to align and integrate cybersecurity
risk control with enterprise risk management (ERM). The concept of ERM
has been described as a strategic business planning and management
approach for enhancing decision-making and corporate value. Madnick
(1978) suggests that the technical approach to addressing computer
security should be augmented by business and management
considerations. The convergence of business and digital risk is becoming
more evident as business growth and technology strategies are strongly
intertwined, despite the challenges faced by organizations in the integration
process (Stine, Quinn, Witte, Scarfone & Gardner, 2020). Convergence
has been defined as “... a trend affecting global enterprises that involve the
identification of security risks and interdependencies between business
functions and processes within the enterprise and the development of
managed business process solutions to address those risks and
interdependencies.”¹⁸ Cyber risk control continues on this path as it
becomes a critical risk to organizations due to the increasing reliance on
and use of the Internet of Things. For effective integration of cyber risk
management into the strategic planning process, “the risk unit must be able
to ensure that information of strategic risk is current, complete and
reliable” (Maia & Chaves, 2016).
While conventional risks are addressed and included in the enterprise
risk management framework of many organizations (Figure 3.4),
companies are exposed to cyber risks because they leverage information
technology in their business operation as their business strategy. Effective
cyber risk management requires a dynamic approach for formulating risk
controls as an integral part of the strategic planning process. The traditional
cybersecurity approach has been one that manages cyber threats through
its own set of technical and internal controls within IT (Siponen & Oinas-
Kukkonen, 2007) or the silo approach, and is separate from the processes
required for enterprise-wide risk management. An alignment of
cybersecurity with the wider risk strategies, policies, and responsibilities
of an organization's enterprise risk management goals and objectives is
necessary (Collier et al. 2013). A comprehensive and holistic ERM
framework needs to consider all relevant risk information from managers
or employees across the organization to reduce the possibility of
formulating wrong strategies or overlooking important ones. Such a move
would entail a consistent approach between personnel of different business
units thereby minimizing risk exposure to the organization.
For convergence to enhance enterprise risk management, the
organization must treat it as a decision-making tool and understand the benefit
of oversight and review by the board and senior management.
Cybersecurity strategies and resulting policies should target helping the
organization achieve its business objectives, which underpins the
successful implementation of an effective ERM system (Zhao, Huang &
Low 2013).

¹⁸ The Alliance for Enterprise Security Risk Management 2006, Convergence of Enterprise
Security Organizations, ISACA Information Security Management Conference ISACA
Network Security Conference 18 September 2006 Las Vegas, NV, USA.

[Figure 3.4 boxes: Other corporate risk controls; Enterprise Risk Management; Cyber Risk Control]

Figure 3.4. Cyber risk control and ERM convergence.

Enterprise risk management is a set of policies and processes used by
organizations to manage risk. The CRM policies and processes reflect the
actions for risk mitigation that align with business goals and expectations
within the set parameters of the risk strategy. Figure 3.4 depicts how
cybersecurity operations management should integrate and align with the
ERM process, inclusive of other risk controls, to create a holistic approach
to operational security.

5. THE ERM FRAMEWORK AND PROCESS

The architecture of ERM incorporates a top-down and bottom-up
process for managing risk, comprising the strategic and operational tiers.
This form of ERM structure will be the guiding framework for the
development and implementation of the organization's CRM capabilities
in the subsequent chapters. An ERM framework helps a company visualize
the risks in its cyber environment by incorporating the risk management
process into overall corporate governance (Weill & Ross, 2004). It does
this by evaluating the process to ensure it aligns with the company’s
objectives and risk tolerance. The framework should be able to scan the
cyber environment to identify the types or nature of cyber risks an
organization encounters (Zhao et al. 2013; Elliot, 2019), assess them to
determine where and how an organization would be affected, and
recommend measures for risk mitigation. According to ISO 31000, each
organization must identify all risks, including their nature, the
circumstances or events that promote their occurrence, and the potential
repercussions in terms of the company's mission objectives.
In developing a framework, the company must understand what
structure would meet the needs of its business. The underlying strategic
objectives the ERM is intended for form the basis of the ERM
strategy. Some of the primary objectives that companies hope to achieve
in their ERM strategy are mitigation against threats, coordination &
integration of the risk control function, compliance, and leveraging risk
to exploit opportunities for value creation. These objectives should have
the visible support of the board of directors and senior management (the C-suite),
and the commitment and participation of all relevant business units,
managers, and line personnel in the organization hierarchy (Zhao, Huang
& Low, 2013) for them to be effective. In the following sections, we will
discuss some of the essential elements of the generic ERM framework,
roles and responsibilities of management, and the functional steps for the
rolling out of the process.

5.1. Structure and Elements

We define the ERM as a framework that contains the pre-emptive
measures that a company puts in place to mitigate its risk exposure. The
framework consists of two tiers with built-in steps and actions to form the
holistic and comprehensive ERM process. An ERM plan includes both
SRM and ORM. SRM considers the entire company, its vision, objectives,
goals, and its strategy (Weick and Sutcliffe, 2007), while ORM takes a
more practical approach to an organization's risk profile through
functional risk assessment and control activities. Figure 3.5 depicts the
enterprise risk management structure consisting of both SRM and ORM.

Figure 3.5. ERM framework.

Both SRM and ORM are important to firms and must be managed as
part of their entire risk management program. At the SRM level,
management is responsible for setting the enterprise risk management
agenda with the purpose of providing companies with a framework that
defines key principles & objectives (Lerbinger, 1997), a common risk
language, budget, clear guiding processes, and direction for managing
enterprise risks (Figure 3.6). The enterprise’s risk integration starts at the
planning stage by analyzing the high-level strategic business objectives to
identify risks that can create uncertainty and drive variability in
performance. It breaks the strategic objectives down into operational
targets and key performance indicators (KPIs). Next, management states
the risk control vision, goals, and objectives for protecting the business
objectives. This approach helps managers to better appreciate the business
proposition underlying each risk control objective and encourages them to
take ownership of the risk process.
At the strategic level, the SRM elements that require attention include
establishing the risk control organizational structure, key risk indicators
(KRIs), and tolerance levels for critical risks. SRM establishes the link
between risk management and business vision, strategy, goals, and
objectives. The strategic level comprises the board of directors, whose main
function is to define and approve the enterprise risk management strategic
plan and policies and to ensure that resources are budgeted for their
effective implementation (Quarantelli, 1988). Those managers at the
strategic level must then explicitly communicate these policies to the rest
of the organization (Quarantelli, 1988).

Figure 3.6. Strategic risk management.

The ORM process contains four pre-emptive steps and two reactive
steps to a potential cyber-attack, as depicted in Figure 3.7. The pre-emptive
steps are “Identify” (Step 1), “Assess & Quantify” (Step 2), “Mitigate”
(Step 3), and “Monitor and Report” (Step 4). These four steps are critical
success factors for a successful ERM process (Zhao, et al. 2013).
The two reactive actions, incident “Response” (Step 5) and
“Recovery” (Step 6) of the operational process (see Figure 3.7), are risk
control actions that fall into the definition of the crisis management
function of the enterprise. The ERM is a predictive risk control method for
identifying, assessing, and mitigating risk, and a crisis management
strategy is critical when a cyber incident occurs, whether or not it was
anticipated, to avoid costly lawsuits and losses. Therefore, the functions of
incident response and recovery are not strictly part of the enterprise risk
management process, but they do overlap with some of the ERM functions in the
learning, reporting, and mitigation-enhancing activities.
[Figure 3.7 boxes: Crisis Management; Operational Risk Management]

Figure 3.7. Operational risk and crisis management processes.

The first phase of the ORM process is to identify the cyber risk
exposure of the enterprise, which requires an understanding of the firm's
business strategy, objectives, and operations. It is only with this knowledge
that we can set the stage with the relevant objectives
and criteria for identifying cyber threats. This could be accomplished by
asking questions (Gregersen, 2018) about the “why, what, who, when, and
where” relating to the role cyber dangers play in generating corporate value
(see Chapter 5). Step Two is about assessing threats through quantification
to estimate the impacts on business performance. The estimated threats or
risks are then ranked according to their severity and probability of
occurrence on a risk map. Those risks that are highly ranked or critical are
the ones on which the enterprise has to prioritize its effort. Step Three is to mitigate risk
exposure, and the general approach is to choose from the options available
to the firm, including techniques for taking on, transferring, treating, or
terminating a risk. Step Four entails the ‘monitor, detect and report’ task,
where the risk conditions are reported to the relevant parties for appropriate
action. The partial or full cycle of the operational risk control cycle is
repeated to continuously address the risk situation (Oh et al. 2018). The
crisis management actions of ‘Respond’ (Step Five) and ‘Recovery’ (Step
Six) are addressed separately in Chapter 11.

5.2. Role of Management

The development of new requirements in many countries, such as the
Sarbanes-Oxley Act of 2002 in the United States, for the Board of directors
and officers to sign off on their corporate risk management practices has
greatly increased the profile of risk management and its related activities
for organizations. Strategic ownership and senior management
participation are needed to steer the ERM towards a strategic orientation.
This requires setting goals and strategic objectives for risk management
(Zhao et al. 2013) and the commitment of the Board and senior
management to follow them through. Planning and designing the ERM process
starts at the highest level of management, and in a corporation this is
normally the Board of directors. The BOD approves the corporate risk
management policy as well as the budget for the implementation and
maintenance of the procedures. There has also been an increase in attention
on the effectiveness of the Board as a risk oversight mechanism given the
greater complexities of risks facing organizations. ERM
champions are also key players in the organization for implementing
an effective ERM process. Stakeholders and regulators expect robust
discussions of risk assessment and risk management policies at the senior
management level, culminating in more effective risk control practices and
compliance.
The management of a firm is primarily responsible for its risk
management process, but the Board of directors must also be informed
about and appreciate the risks facing the firm to maintain oversight of the
risk management process. The treatment of all risks should be fully
disclosed to and accepted by the Board of directors in the interest of good
corporate governance. All employees must be aware of the risk
benchmarks, and senior management or the Board ought to be confident
that the risks of the business are being managed consistently and in line with
overall corporate strategy (Oh et al., 2019). An integrated and cooperative
approach to cyber risk management is imperative among employees to
promote an efficient and coordinated defense against cyber-attacks
(Chileshe and Kikwasi, 2014). This entails removing the silo mentality
from a company's risk management activities. Management must ensure
that communication (Grabowski & Roberts, 1999; Chileshe & Kikwasi, 2014)
and the alignment of the various entities of the business with the ERM framework
are prioritized.
In the case of enterprise cyber risk, the strategic ownership lies with
the Chief Information Security Officer (CISO) who oversees cybersecurity
in the organization and the respective line managers to comply with the
processes. The CISO is also responsible for liaising with other technology
users in the organization in managing the CIA of the information
infrastructure. A proactive and timely approach by all employees to cyber
risk control within the ERM framework is important to a rapidly changing
environment to gain strategic competitive advantage and business success.

5.3. Enterprise Information Security Policy

The Enterprise Information Security Policy (EISP) is a high-level
document that serves as the foundation for drafting policies that cascade
down the organization's hierarchy. It is written jointly by senior
management including the company's Chief Executive Officer (CEO),
Chief Information Security Officer (CISO), Chief Technology Officer
(CTO), and Chief Risk Officer (CRO). It serves as a roadmap to guide the
company on writing policies and procedures, implementing future security
programs, and setting the benchmarks for how the company manages
specific cybersecurity matters. Essentially, the EISP describes the
company's philosophy and relevant guiding principles for an effective
cybersecurity policy and aids in setting an organization's security activities
by reflecting and supporting the organization's vision and strategic
objectives. The EISP adopts and uses risk management standards and
industry best practices to guide, determine and recommend the appropriate
cybersecurity framework for the organization. The framework consists of
instructions on guiding enterprise risk principles & culture, tolerance
levels, roles & responsibilities, lines of communication, policy
implementation and maintenance, as well as the obligations of end-users
(who may be employees, contractors, suppliers, related third parties, or
consumers). The EISP also specifies risk ownerships, the channels and
methods for line personnel and executives to communicate, and the key players
who are responsible and accountable for the overall security program. The
EISP does not require a frequent update.

5.4. Budgets

Advancements in digital technologies have contributed to the rapid


growth of digital activities in economies around the world. An assessment
of the organization's cyber landscape is conducted to identify the
organizational digital risk profile. Digital activity level is a determinant of
the size of an organization's cyber security threats or exposure. A firm with
a larger digital footprint would have greater cyber risk exposure. The
exposure footprint determines the resources needed to mitigate the risk and
also helps to prioritize the future investment for risk management.
The effectiveness of the ERM process is a function of the amount
invested in personnel and resources needed to manage the ERM processes,
bearing in mind that it is impossible to achieve 100 percent
security no matter how much is invested. An organization has to decide
how much to invest in the ERM function in terms of human resources and
infrastructure (information technology). In terms of cybersecurity, the
cyber risk exposure can be construed as a function of the digital activity
level of the organization and the amounts invested in risk control resources
(Figure 3.8). Management is continually confronted with the task of
determining the level of resources to be allocated to ERM by conducting a
cost-benefit analysis to obtain an optimal trade-off between investments
and risk exposure. The level of investment will help to define the risk
mitigation strategies.
Cybersecurity Enterprise Risk Management 59

Figure 3.8. Cyber risk exposure relationships.

Gordon and Loeb (2002) propose a general model of information security investment for vulnerable digital assets based on the "1/e rule", which suggests that the optimal amount of information security investment should not exceed 1/e of the expected loss from the asset at risk.19 Hence, a digital asset with a value of $1 million, an attack probability of 30 percent and an attack success probability of 60 percent has an expected loss of $180,000 ($1m x 0.3 x 0.6). The maximum information security investment justified under the model would be about $66,240 (i.e., $180,000 x 0.368).
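
The arithmetic above, worked through in Python as an added example (this is not code from the book). It reproduces the $180,000 expected loss and the 1/e ceiling, and then goes one step beyond the book's illustration: it plugs the same figures into the class II security breach probability function from the Gordon and Loeb (2002) paper, S(z, v) = v^(alpha*z + 1), and solves for the spend that maximises expected net benefit, to show that the optimum does sit under the ceiling. The productivity parameter alpha is an assumed value for illustration, not a figure from the book.

```python
"""Gordon-Loeb "1/e rule" worked through in code (added example, not from the book).

Inputs follow the book's illustration: a $1m asset, a 30 percent attack
probability and a 60 percent success probability. The class II breach
probability function is from Gordon and Loeb (2002); the value of its alpha
parameter used below is a constructed assumption.
"""
import math


def expected_loss(asset_value, p_attack, p_success):
    """Expected loss = asset value x P(attack) x P(attack succeeds).

    Book example: 1_000_000 x 0.3 x 0.6 = 180_000.
    """
    return asset_value * p_attack * p_success


def gordon_loeb_ceiling(exp_loss):
    """Upper bound on worthwhile security spend: expected loss / e (about 36.8 percent)."""
    return exp_loss / math.e


def breach_probability(z, v, alpha):
    """Gordon-Loeb class II security breach probability S(z, v) = v ** (alpha * z + 1).

    z     money spent on security (same units as the loss)
    v     vulnerability: probability of a breach with zero spend
    alpha productivity of security spend (assumed value, not from the book)
    """
    return v ** (alpha * z + 1)


def net_benefit(z, asset_value, v, alpha):
    """ENBIS(z): reduction in expected loss minus the spend itself."""
    return (v - breach_probability(z, v, alpha)) * asset_value - z


def optimal_investment(asset_value, v, alpha, step=100.0):
    """Grid-search the spend that maximises net benefit; returns (z_opt, benefit)."""
    best_z, best_benefit = 0.0, net_benefit(0.0, asset_value, v, alpha)
    z = step
    while z <= asset_value * v:          # never search beyond the whole expected loss
        b = net_benefit(z, asset_value, v, alpha)
        if b > best_benefit:
            best_z, best_benefit = z, b
        z += step
    return best_z, best_benefit


def optimal_investment_closed_form(asset_value, v, alpha):
    """First-order condition of ENBIS for the class II function, solved for z.

    d/dz ENBIS = -alpha * ln(v) * S(z, v) * L - 1 = 0  =>  S(z*, v) = -1 / (alpha * L * ln v)
    """
    s_star = -1.0 / (alpha * asset_value * math.log(v))   # breach probability at the optimum
    z_star = (math.log(s_star) / math.log(v) - 1.0) / alpha
    return max(0.0, z_star)


if __name__ == "__main__":
    L = 1_000_000
    v = 0.3 * 0.6                                   # 0.18: attack probability x success probability
    el = expected_loss(L, 0.3, 0.6)
    ceiling = gordon_loeb_ceiling(el)
    z_grid, benefit = optimal_investment(L, v, alpha=2e-5)
    z_exact = optimal_investment_closed_form(L, v, alpha=2e-5)
    print(f"expected loss      : ${el:,.0f}")
    print(f"1/e ceiling        : ${ceiling:,.0f}")
    print(f"optimal spend      : ${z_grid:,.0f} (grid) / ${z_exact:,.0f} (closed form)")
    print(f"net benefit        : ${benefit:,.0f}")
    print("within 1/e ceiling :", z_exact <= ceiling)
```

Two things worth noticing when running it. First, the ceiling comes out at about $66,218; the book's $66,240 is the same number with 1/e rounded to 0.368. Second, the ceiling is a bound, not a recommendation: with the assumed alpha the spend that actually maximises net benefit is roughly $53,000, and the right figure for a real asset depends on how quickly additional spend reduces the breach probability, which the 1/e rule alone does not tell you.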

5.5. Cybersecurity Risk Culture

The organization needs a strong corporate risk culture for risk management to be successful (Grabowski & Roberts, 1999). Risk culture is necessary to get ERM broadly understood, accepted, and implemented across the organization (Chileshe & Kikwasi, 2014). A strong corporate risk management regime entails consistency and engagement so that everyone throughout the organization is aware of the process and expectations and is responsible and accountable for its success.20 Thus, employees should have a clear understanding of their roles in committing to cyber security and of their specific responsibilities to safeguard the organization against cyber breaches.
Cybersecurity culture is outlined in the EISP and its corresponding sub-policies. According to Deloitte (2013), some of the key elements behind a strong cybersecurity culture are: employees' goals, values, and ethics are in line with the company's risk appetite, tolerance, and approach; risk is considered and accounted for in all aspects of the business; people are willing to discuss risk openly and honestly; policies and procedures are followed in SRM and ORM; formal communication channels and procedures exist that emphasize the necessity of timely reporting; and employees are fully aware of and comply with the policies and procedures.

19
1/e ≈ 36.8%.
20
The article "Corporate Discipline Underpins Risk Management" highlights the role culture plays in enhancing the enterprise risk management function. http://www.afr.com/news/special-reports/evolving-business-risk/corporate-discipline-underpins-risk-management-20150409-1mhril.

5.6. Performance Measurement

The capacity to link risk measures to metrics of overall organizational performance is a key feature of ERM. The majority of risk management evaluation methodologies rely on indicators to assess the susceptibility of risk-related factors, using both qualitative and quantitative indicators. For ERM to be successful, the organization needs specified and well-understood performance measures or key performance indicators (KPIs). KPIs, which focus on the enterprise's historical performance or key operations, are critical for effective management. The kind of performance metrics necessary should be closely tied to the strategic goals of the firm. Hence, the risk measurements included in the ERM framework should be capable of analyzing and measuring its benefits and performance goals. Furthermore, the performance results can provide feedback for the firm's cognitive and behavioral learning processes as well as deliver concrete value (Feurer, 1995) to help review and determine risk control strategies.

To monitor changes in risk conditions or circumstances and to detect new risks, effective management will implement a set of indicators or metrics. Key risk indicators (KRIs) are used to detect and mitigate risk at the corporate level. A key risk indicator is a forward-looking technique for tracking a risk that may or may not materialize; it is used as an early warning system for future actions. KRIs use statistics or measurements that provide a view into a firm's risk situation and warn the company about changes that may signal emerging risks (Coleman, 2009). A KRI tracks a specific risk so that measures can be taken to mitigate it. Because a firm's environment is constantly changing, KRIs must be implemented to gather current information about risks, improving management's ability to lead effectively and avoid unfavorable outcomes. An example of a KRI that measures the aggregate risk exposure of an organization is value at risk (VaR), a figure that expresses the magnitude of a company's potential financial losses at a given confidence level over a given horizon.
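
To make the VaR KRI concrete, here is an added example (not code from the book) that produces a cyber VaR figure and checks it against a management-set loss tolerance, which is the warning role the text assigns to a KRI. It assumes a frequency/severity model that the book does not specify: the number of successful attacks in a year is Poisson, each attack's loss is lognormal, and all parameter values (attack rate, median loss, dispersion, tolerance) are constructed for illustration rather than taken from the book or from real data.

```python
"""Cyber value at risk (VaR) as an aggregate KRI. Added example, not from the book.

Annual cyber loss is modelled as a compound distribution: the number of
successful attacks in a year is Poisson with mean `rate`, and each attack's
loss is lognormal with median `median_loss` and log-scale `sigma`. Every
parameter value below is a constructed assumption for illustration.
"""
import math
import random


def value_at_risk(losses, confidence):
    """Empirical VaR: the loss level not exceeded in `confidence` of the sampled years.

    Uses the ceil(confidence * n)-th order statistic, so for 100 sorted losses and
    confidence 0.95 the result is the 95th smallest loss.
    """
    if not losses or not 0.0 < confidence <= 1.0:
        raise ValueError("need a non-empty sample and 0 < confidence <= 1")
    ordered = sorted(losses)
    k = min(len(ordered), max(1, math.ceil(confidence * len(ordered))))
    return ordered[k - 1]


def poisson(rng, rate):
    """Knuth's multiplicative sampler for the number of attacks in a year."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(years, rate, median_loss, sigma, seed=7):
    """One simulated total loss per year; seeded so results are reproducible."""
    rng = random.Random(seed)
    mu = math.log(median_loss)          # lognormal location so that the median equals median_loss
    totals = []
    for _ in range(years):
        attacks = poisson(rng, rate)
        totals.append(float(sum(rng.lognormvariate(mu, sigma) for _ in range(attacks))))
    return totals


def cyber_var_kri(tolerance, years=10_000, rate=1.5, median_loss=50_000.0,
                  sigma=1.2, seed=7):
    """Expected annual loss, VaR(95) and VaR(99), plus a KRI flag: is VaR(95)
    above the annual loss tolerance set by management? (all inputs assumed)"""
    losses = simulate_annual_losses(years, rate, median_loss, sigma, seed)
    var95 = value_at_risk(losses, 0.95)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var_95": var95,
        "var_99": value_at_risk(losses, 0.99),
        "kri_breached": var95 > tolerance,
    }


if __name__ == "__main__":
    report = cyber_var_kri(tolerance=500_000.0)
    for key, value in report.items():
        if isinstance(value, float):
            print(f"{key:>21}: {value:,.0f}")
        else:
            print(f"{key:>21}: {value}")
```

The design choice worth noting is that the KRI is evaluated at a fixed confidence level and horizon (95 percent, one year) against a tolerance expressed in the same terms; a VaR figure without those two qualifiers cannot be compared to a risk appetite statement. The heavy lognormal tail is also why the expected annual loss is a poor KRI on its own: it sits far below the 99 percent VaR, which is the number that actually tests whether the organization can absorb a bad year.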

6. SCOPE OF STRATEGIC CYBER RISK CONTROL IN AN ERM PROGRAM

The scope of an ERM program needs to ensure that the scope of business objectives and the scope of risks and their control processes are aligned and consistent, so that the company can achieve its ERM objectives. Management needs to agree on the expectations, objectives, and benefits of ERM. To set the scope of an ERM program, management should start by defining the types of risk that ERM will cover and the business processes that ERM is intended to address. The risk types that an ERM program focuses on can include cyber, strategic, operational, and financial risks. Cyber risk exposure originates from the use of information technology and permeates the company's operational, financial, and strategic functions. Strategic risk exposure is the result of poor planning. Operational risks are those related to ICT, supply chain, people, and regulatory considerations. Financial risks include investment, liquidity, credit, interest rate, exchange rate, and asset market value risks. Nowadays, cyber risk pervades the entire organization through every activity connected to the company's digital infrastructure.
The primary objective of defining the risk types covered in a company's ERM program is to allow management to manage cohesively the critical risks that can harm the company's performance and strategic goals. The ERM program gives managers a common understanding of those critical risks and a reference to definitive processes for managing them. It is described as a comprehensive, holistic and cross-divisional risk management approach that addresses the interdependencies as well as the contradictory components of the risk management process (Borker & Vyatkin, 2012).
To plan and implement an effective cybersecurity enterprise-wide risk management program, the Board of directors and senior management need to understand all cyber threats to their organization. The pervasive nature of cybersecurity in today's technology-based business environment underpins the need for an ERM system in which the entire organization is involved in tackling, tracking, and treating cyber threats. Corporate assets should be defined according to their category and ownership to maintain high visibility of cyber threats. Every company should cultivate a heightened awareness by identifying the vulnerable business systems, networks, and data in order to assess, manage and monitor cyber risks. The Board should empower the CISO to oversee the management of cyber risks by applying appropriate policies, including standard operating procedures and cause-effect analyses. It is important that risk monitoring with the relevant metrics is incorporated into the cybersecurity ERM process to identify and detect risks and enable a timely and appropriate response.

7. ERM ORGANIZATIONAL STRUCTURE & MANAGEMENT PROCESS

There is no single best way to implement an ERM framework. An effective, company-specific strategic ORM framework, in terms of the appropriate organizational structure and design around ERM (Grabowski and Roberts, 1999), requires an understanding of the organizational entities that will manage ERM and of their roles and functions. The board of directors and C-suite officers are responsible for leadership and oversight of the SRM and ORM processes within the ERM. Furthermore, each employee and business unit needs to participate in the enterprise risk management process and understand their roles and responsibilities and how they affect the organization's risk profile. The following sections outline the attributes to consider when implementing the strategic cyber ERM framework.

7.1. Strategic Risk Management (SRM)

To implement and oversee the strategic risk management process, senior management must understand the role of leadership and governance in controlling cyber risk. The strategic risk management process starts with the involvement of the BoD and C-suite, followed by the appointment of a Chief Risk Officer (CRO) and the establishment of the risk committee (Figure 3.9). Management also allocates budgets for implementing risk management policies. The risk management processes must be continuously monitored and the results reported to management, so that policies are periodically reviewed and evaluated to ensure they remain relevant and effective (Oh, et al. 2019).
Creating a specialized risk entity or committee through the CRO is a common way to institutionalize the ERM role. The CRO has oversight of SRM functions in conjunction with the risk committee. The committee is often chaired by the CFO or CEO. The CRO reports to the CFO or CEO and regularly briefs the committee on security. The CISO's SRM reporting line is to the CRO, and, like the CRO, the CISO may be called upon by the committee for technical advice. Organizations are also likely to integrate existing OH&S, compliance, internal audit, and financial risk management practices with the risk committee to achieve a holistic approach to ERM. Figure 3.9 highlights the key SRM activities in the ERM framework, from board involvement through to oversight of the ORM implementation.

Figure 3.9. SRM process for cybersecurity ERM.

The risk committee serves as a strategic entity responsible for developing, implementing, and managing a comprehensive, integrated risk management plan, as well as coordinating individual functional risk management activities, serving as an assessment center, and acting as an advisory and technical resource for the various business units, including the organization's senior management and Board of directors.

7.2. Operational Risk Management

Operational risk is a term that describes the uncertainties and risks that
an organization faces when doing day-to-day business activities in a
specific function or industry. Cyber threats are a form of operational risk.
The Basel Committee on Banking Supervision has defined operational risk
in the financial services industry as "the risk of loss, resulting from
inadequate or failed internal processes, people and systems, or from
external events." Operational risk therefore exists in every aspect of a business. The challenge for any organization is whether it has completely identified all of the risks in the business. A risk-based approach is an effective method for detecting the cyber risk elements to target in cyber risk management (McKinsey, 2019). The risk-based approach is a method for identifying, assessing, and prioritizing risks to an organization. It is a flexible approach that allows businesses to adjust their cybersecurity strategy to their individual organizational needs and operational vulnerabilities and weaknesses. While it is not possible to identify and eliminate 100% of the risks that an organization is exposed to, it is important to identify the most critical ones.
A firm's standard business procedures must include a cybersecurity
operations management component. The operational level of the ERM has
the functional responsibility in seeing that the SRM cybersecurity
strategies, action plan, and policies & procedures are implemented within
the specific organizational units. Operationalization of the cyber SRM plan
is carried out through the implementation of appropriate ORM processes.
The ISO 31000, which is adopted by many firms in practice, describes
operational risk management process as including the following steps: 1)
Establish the context; 2) Identify the risks; 3) Conduct a risk analysis; 4)
Conduct a risk evaluation, and 5) Treat the risks. These steps work in a
continuous cycle in tandem with monitoring and review, and
communication and consultation.
Cybersecurity refers to the safeguarding of corporate data and technology against theft, corruption, and unauthorized or unintentional access. Customer trust in a company depends on an efficient corporate cybersecurity operations management function. Cybersecurity operational risk management necessitates the active engagement and dedication of employees at all levels of the business to guarantee that the enterprise risk management structure and processes have the following characteristics: clear cybersecurity risk policies and processes for the business and employees, outlining the cybersecurity measures that protect the firm's systems, networks, and data; all staff trained in and aware of cybersecurity policies and procedures, including roles and responsibilities; a cyber recovery plan in place that staff know how to use; and all computers, websites, and business systems kept up to date.
The ORM processes consist of four risk control measures and two risk event response actions (Figure 3.10). All six steps supplement and complement each other to form the ERM operational function. The cycle is divided into two tiers: risk management and crisis management. To manage and mitigate cyber risk, ORM entails the deployment of controls to identify, assess, mitigate, and monitor and report risks. When a cyber-attack event is detected, it is reported to senior management (CISO and CRO) so that the risk events plan can be activated. Risk management is proactive and involves activities taken to prevent hazards, whereas crisis management is reactive and involves actions taken to counteract a risk event, as mentioned in the prior chapters. Both layers working together provide the organization with a comprehensive and holistic cyber risk management framework.
The ORM framework is structured to identify cyber threats and risks to systems, networks, and data; assess cyber risks using qualitative and quantitative methods and an understanding of the stock of cyber technologies; mitigate cyber risks by designing a risk mitigation strategy; and monitor, detect and report cyber risks (Figure 3.10). In the monitoring phase, the effectiveness of the risk measures is reported periodically back to the people responsible for the preceding three phases for review, so that appropriate adjustments can be made to keep the enterprise risk management process relevant and adequate for the existing risks, whether in risk identification, risk assessment or risk mitigation. Managers must maintain ongoing vigilance and risk awareness at the operational level through the monitoring, detection, and reporting process (Ho, et al., 2010).

[Figure 3.10 panels: Operational Risk Management; Crisis Management]

Figure 3.10. Operational risk management/crisis management cycle.

The ORM's crisis management function is responsible for putting the Incident Response Plan (IRP) into action in the case of a cyber-attack, as well as the Recovery Plan (RP) for recovering from cyber-attacks. The cybersecurity crisis management plan is a document that outlines the actions to be taken during a cyber breach event and for reviewing and updating the firm's risk mitigation plan. During a cyber-attack, employees consult the risk events response plan to guide them through the incident response and incident recovery actions.

CONCLUSION

Enterprise risk management is difficult to implement because it necessitates organizational dedication and collaboration. ERM cybersecurity programs must have strong leadership and top management support, as well as the resources needed for implementation. ERM has many advantages, but it also presents many challenges. Challenges that management must address for the organization to implement a holistic and effective risk management framework include demonstrating the benefits of ERM cybersecurity programs, the need for a common risk vocabulary, an organizational risk awareness culture, the formulation of risk tolerance statements, and the capabilities to identify, assess, mitigate and report cyber risks that affect organizational objectives. An effective crisis management plan consisting of incident response and recovery components is also essential.
Chapter 4

STANDARDS AND REGULATIONS

1. INTRODUCTION

This chapter explains the significance and usefulness of adopting standards to treat cyber risk for consistency, uniformity, and compliance with best practices. In today's dynamic cyber business environment, there is a growing trend towards enterprise risk management that aligns risk to strategic goals and operational priorities. Therefore, existing cyber risks should be analyzed, categorized, and operationalized into an enterprise's cyber risk framework. The increasing number of cybersecurity regulations, including international, national, and accepted best practice standards, requires greater attention from management to protect critical operations and information. A study of the major standards (and regulations) that exist can provide insights into different cyber risk situations and practices, generating relevant and helpful ideas for implementing a cybersecurity ERM framework in different industrial, business, and regulatory contexts. In addition, it heightens awareness of compliance with the privacy and data security regulations to which the company may be subject.
The study of the enterprise risk management approach as a management process for decision-making involves analyzing the steps involved in its implementation to ensure risks are identified and managed effectively within an organization. Risk management has become critical in a rapidly changing economic environment shaped by digital connectivity, globalization of business and financial markets, and the need for corporate accountability. The last few years have seen increased interest in risk management from industry and business planners as a result of losses from the growing number of cyber-attacks and high-profile corporate failures due to risk exposure. However, the practice of enterprise risk management is still relatively new, fragmented, and under-researched compared to other areas of management.21
Numerous risk management methodologies have been proposed, as
well as various distinct guidelines, and standards that have been published.
The purpose of this chapter is to introduce and discuss the relevant cyber
risk management standards that can be used as guides at the strategic
(governance) and operational (implementation) levels to develop a
working framework for an organization. Some popular cyber risk
management standards are presented to highlight the key components
needed for establishing a holistic and effective enterprise-wide
cybersecurity framework. The relevant imperatives in the ERM function
such as executive-level sponsorship, leadership, policy formulation, a risk
appetite definition with acceptable tolerance boundaries; structured
process steps, oversight and reporting of the identified risks, risk
monitoring, incident response, and recovery plan are illustrated and
addressed.
It is important to note that studying the different standards provides risk managers with a solid foundation for deciding which elements are applicable to their company's ERM initiative. Companies may therefore choose to adapt their practices from multiple frameworks rather than adopt only one. The popular strategic and operational standards or frameworks will be discussed. It is also worth noting that some areas that standards address may overlap between the strategic and operational ERM levels. This book adopts the NIST Cybersecurity Framework (NIST/CSF) as the reference standard at the operational cybersecurity risk management (CRM) level. We do this by incorporating elements of the NIST frameworks into a proposed cybersecurity-focused ERM model. We highlight the key components and mechanisms to illustrate and emphasize how companies can use them to establish a cyber ERM framework with SRM and ORM capabilities to safeguard SND (systems, networks, and data) against cyber-attack.

21
Research commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) highlights the state of play in this area. "COSO Report on ERM 2010," at https://www.coso.org/Documents/COSO-Survey-Report-FULL-Web-R6-FINAL-for-WEB-POSTING-111710.pdf.

2. REGULATORY RISK MANAGEMENT

The goals of standards or regulations, whether enforced or self-regulatory, are to reduce the likelihood of vulnerability, reduce the damage caused by vulnerability, and provide effective damage recovery mechanisms. Standards can be classified as self-regulated or enforced regimes. Self-regulation is a procedure in which an organization voluntarily monitors and regulates its own adherence to specific standards, rather than having an outside, independent body such as a governmental entity oversee and enforce those standards. Enforceable cybersecurity regulations, on the other hand, are interventions that recognize the likelihood of an attack and, as a result, provide for the integration of detection and recovery processes into the traditional information security protection process. Regulatory compliance is therefore a corporate function that focuses on meeting the criteria of externally imposed risk management laws, security standards, and industry guidelines.
The globalization of business resulting from digital connectivity, trade, foreign direct investment, and global supply chains has brought about a new set of risks that require a concerted and coordinated effort from the professions, regulators, governments, and corporations to address. Regulatory risk management is about aligning a company's corporate governance function with industry good practices so that the organization can mitigate those risks and achieve its strategy. The objective is to enhance the organization's ability to understand business processes and to manage operational changes and regulatory expectations. The task of "controlling risk is an urgent one given that some risks are acquiring global proportions, and international standards, regulatory response and coordinated action at the international, regional, national and local levels are the best and perhaps the only means of treating risks that have potentially worldwide consequences" (UNECE, 2012). Countries have their own corporate governance structures and national practices, and the primary objective in all of them is to promote greater efficiency and effectiveness in managing risk (OECD, 2014).22
Cyber risk poses a major challenge to regulators as it is a relatively
new phenomenon that exists in a technologically complex landscape. Both
technology and cyber risks are evolving rapidly. Companies must comply
with specific risk management standards in a regulated environment, yet
risk management methods are universal and evolving, and rules may not
keep up with more current and innovative approaches. The establishment
of internationally consistent standards will help multinational companies
implement ERM and regulatory CRM practices across different
jurisdictions for effective oversight. This makes CRM an organization-
wide effort and avoids the silo or weakest-link effect when responding to
threats in our highly interconnected digital world.

3. CYBERSECURITY STANDARDS AND FRAMEWORKS

All firms should have a cyber risk management framework policy that
defines the structure within which they will manage the diversity of risks,
both within and external to their business, in a manner that is consistent
with the accepted industry and firm organization-wide approach to risk
management.

22
To illustrate the different contexts of regulatory risk systems, the Organization for Economic Co-operation and Development's (OECD, 2014) paper "Risk Management and Corporate Governance," on corporate governance frameworks and practices relating to corporate risk management in three jurisdictions (Norway, Singapore, and Switzerland), highlights the different corporate governance structures and national practices in these jurisdictions. http://www.oecd.org/daf/ca/risk-management-corporate-governance.pdf.

As the number of malicious cyber-attacks increases and they become more sophisticated, many organizations consider a systematic approach to cybersecurity a necessity and a priority. This has led to initiatives by governments, regulators, and industry peak bodies to develop cybersecurity standards that assist organizations in establishing systematic and effective cybersecurity programs to enhance their digital security. Standards are recommended guidelines, processes, and controls for the implementation of cybersecurity measures. Cybersecurity standards can also be defined as measurable rules and requirements that have to be met for something to be considered compliant with the standard in question. This requires the organization to identify regulatory breaches and implement improvement measures and processes to ensure the effective management of compliance and regulatory obligations.
Cybersecurity frameworks, on the other hand, are working models that
incorporate best practices (focusing on “what to do,” rather than “how to
do it”) as well as strategic and systematic guidelines from standards,
defining the structures containing processes, practices, and technologies
that businesses can readily adopt to protect their systems, networks, and
data from cyber threats.
Aligning organizational CRM to the ERM framework can result in a
more robust risk control framework but this poses a challenge to most
organizations as there is no uniform approach to implementing ERM
(Rubino, 2018). The commonly cited ERM frameworks in the literature
include the ISO 31000 risk management guidelines and the COSO ERM
(Ahmad, Ng & McManus, 2014; Agarwal & Ansell, 2016). Risk
management frameworks can be categorized by the types of organization
and operation they apply to. While ISO 31000 and COSO/ERM are
enterprise risk management frameworks that offer general guidelines for
any type of organization, Basel III focuses on assessing risk and managing
capital to strengthen the regulation, supervision, and risk management of
the banking industry (see Figure 4.1).
In the CRM category, COBIT covers a wide range of IT operations,
while ISO 27001 focuses on the information security management part of
the IT function.

                        Industry: Finance     Industry: General
  Operation: General    Basel III             ISO31000, COSO/ERM
  Operation: IT                               NIST CSF, COBIT, ISO27001/27002, GDPR

Figure 4.1. Standards categories.

4. CYBERSECURITY STRATEGIC ERM STANDARDS

All firms should have an ERM framework policy that defines the
structure with which they will manage the diversity of risks, both within
and external to their business, in a manner that is consistent with the
industry and firm enterprise risk management approach. Strategic ERM is
premised on risk governance that defines the overarching risk standards,
policies, practices, and processes to steer a corporation. The risk
management strategy represents the company's risk governance
requirements by providing an organized and cohesive approach to risk
management. The popular strategic ERM standards as they apply to CRM
are discussed in this section. The standards relevant to the planning and
implementation of the overarching strategic ERM/SRM framework as
shown in Figure 4.2 (adapted from Figure 3.6).
Standards and Regulations 75

Figure 4.2. ERM/SRM related standards.

4.1. ISO 31000

The ISO standards are risk management standards codified by the International Organization for Standardization (ISO). They are agreed internationally by experts and describe the best way to achieve quality management across an organization. The ISO standards for cybersecurity guide the organization on how to keep sensitive information secure. The relevant standards in the ISO family on ERM and on cyber risk management are ISO 31000 and the ISO 27000 series, respectively. This section discusses the significance and relevance of ISO 31000:2018 Risk management - Guidelines to Strategic Risk Management (SRM) as a component of the ERM process.
A management system is a set of guiding policies, processes, and
procedures about a subject used by a company to ensure that it can
complete the activities necessary to meet its goals and objectives. ISO
31000 provides foundation guidance for designing and implementing an
enterprise risk management system (ERM) using a systematic approach. It
outlines a generic approach to risk management that can be utilized by any
type of company and may be applied to many categories of risks (financial,
safety, and project risks). It focuses on both setting the standard and implementing it, showing how all levels of an organization across its various business units may structure and integrate risk management. The design approach is that "risk management should be embedded into the policy development, business, and strategic planning and review, and change management processes" (Standards Australia 2009, p. 11). Alongside this is an emphasis on internal accountability, communication, reporting, recording, and risk posture review.

Figure 4.3. ISO 31000 - framework, principles, and process.

The original version of ISO 31000 (Risk Management – Principles and Guidelines) was published in 2009 and it was updated in February 2018. The structure of ISO 31000 consists of three components that provide the principles, a framework, and a process for managing risk (Figure 4.3). ISO 31000 offers a universally applicable outline for organizations to adopt an organization-wide approach to enterprise risk management. ISO 31000 is a flexible framework that allows organizations to apply the principles and components most suited to their specific circumstances, and to change other principles and components as needed. Therefore, it can be used by any organization regardless of its size, activity, or sector, and as an international standard it is appropriate for organizations with international operations.
The organization’s ERM can be based on the ISO 31000 risk
principles, serving as a guideline, method, rationale, design, and execution
to underpin the implementation of its framework and processes. According
to ISO 31000, these principles are not prescriptive and organizations
should adopt and tailor these principles to their specific circumstances.
Figure 4.3 depicts the ISO 31000 proposed structure that comprises the
strategic risk management (SRM) and operational risk management
(ORM) components. As a high-level guideline for the management of risk,
it is a valuable tool for guiding the strategic planning activities for defining
the actions needed in both these functions. These activities include
formulating risk strategies per business vision, goals, and objectives,
appointing key risk officers, defining the enterprise risk philosophy and
culture, setting the risk tolerance threshold, allocating budgets for
resources to implement the ERM function, and developing ERM
implementation policies and processes.23
ISO 31000’s “Principles” highlight the underlying elements of an
effective and efficient enterprise risk management program for creating
value and protecting the organization. The underlying philosophy of the
“Principles” postulates risk management as a value proposition for
organizations: an integrated risk management program that is structured,
comprehensive, customized, inclusive, and dynamic, and that permeates all
business activities, is capable of creating enterprise value for shareholders.
The risk management function is an important component of
decision-making that is based on open discussion about

23 In the context of cybersecurity risk management, this involves preparing the Cybersecurity
Strategic Plan (CSP) and Enterprise Information Security Policy (EISP).
78 Kok-Boon Oh, Bruce Ho and Bret Slade

threats and the best available information. The risk management processes
are systematic, organized, and integrated, and are capable of identifying
the organization’s assets at risk and their vulnerabilities, and of mitigating
them, in a timely and dynamic way. The organization recognizes humans and
culture as important factors in the risk equation that must be considered
and leveraged in all ERM initiatives. In addition, the organization's
risk landscape, particularly cybersecurity due to rapidly evolving
technology, is constantly changing so the ERM framework has to be
flexible and adaptive to accommodate new knowledge and information for
continual improvement.
The “Framework” describes the elements of the enterprise risk
management functions that reflect the organization's risk principles. The
framework fosters leadership and commitment to ensure it is capable of
integrating the ERM activities at the SRM and ORM levels of the
organization in risk architecture, strategy, and protocols (IRM, 2018) or
the design and implementation of policies and processes. In design, the
framework must observe legal and regulatory compliance. The framework
articulates the risk management principles and aligns with ERM objectives
of the organization in offering an integrated practical and dynamic
framework inclusive of evaluative and improvement mechanisms.
An organization is ready to develop the “Process” after creating the
risk management Framework. The process is “multi-step and iterative;
aimed to identify and analyze risks in the organizational context,”
according to ISO 31000. The “Process” outlines the steps (SRM & ORM)
to be undertaken in the ERM function. They include studying the “scope,
context and criteria” of managing the enterprise’s risk as well as
conducting risk assessment, risk evaluation, risk treatment and,
documentation and reporting (ISO 31000). The SRM and ORM processes
are iterative, forming a continual cycle of vigilance and informed protection
against threats through communication and interaction among management,
the CRO or risk manager, risk owners, participants, and stakeholders.

4.2. COSO Enterprise Risk Management

The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) published the Enterprise Risk Management (ERM)
standard in 2004, “COSO ERM Integrated Framework: Application
Techniques (2004).” The original 2004 version was updated to the
“Enterprise Risk Management – Integrating with Strategy & Performance”
in 2017. The COSO ERM cube is well known to risk management
practitioners and it is used by many organizations that are required to
comply with Section 404 - Internal Controls over Financial Reporting
(ICFR) requirement of the Sarbanes-Oxley Public Company Accounting
Reform and Investor Protection Act (SOX).

5. CYBERSECURITY OPERATIONAL STANDARDS

Operational standards are used as a reference to design and implement
an enterprise cybersecurity framework.

Figure 4.4. ERM/ORM related standards. (Operational standards shown: NIST/CSF; ISO 27000/27001/27002; COBIT 5; GDPR; Basel III.)



The standards offer insight into recommended guidelines, processes,
and controls relating to security measures to plan and establish the actions
of the ERM operational framework. Some of the more popular operational
cyber risk management standards are, namely, NIST/CSF, the ISO 27000
series, COBIT 5, GDPR, and Basel III (Figure 4.4).

5.1. NIST Cybersecurity Framework

The NIST framework for improving critical infrastructure
cybersecurity (NIST/CSF) consists of “standards, guidelines, and best
practices to manage cybersecurity-related risk”24 and was developed in
response to Executive Order 13636, issued by President Obama on February
12, 2013. It was originally developed and commissioned to serve as the
primary communications tool and cybersecurity measure for US organizations
that own, operate, or supply critical infrastructure. The NIST/CSF guides
organizations in establishing the necessary processes and fundamental
controls for optimal cybersecurity in all sectors and of all sizes (i.e., large
companies and SMEs). It is used by many multinational corporations and
international governments and organizations around the world. The
objective of the framework is to “develop an organizational understanding
to manage cybersecurity risk to systems, people, assets, data, and
capabilities.”
The NIST/CSF has an implementation focus that is easy to understand,
making it a practical and useful tool for cyber risk management. It provides
a structured and systematic approach for organizations to apply risk
management principles and best practices. The framework gives
organizations oversight of their security strategies and enables them to
build, maintain and upgrade their cybersecurity operations to mitigate cyber
risks. It is flexible and technology-neutral and can be used by any business
to formally manage cyber risks.

24 The US National Institute of Standards and Technology (NIST)’s latest version 1.1 of the
Cybersecurity Framework has been available since April 2018.

The NIST/CSF structure consists of three parts: Framework Core,
Framework Profile, and Framework Implementation Tiers. According to
NIST, “they aid organizations in easily expressing their management of
cybersecurity risk at a high level and enabling risk management decisions”
by aligning business objectives and drivers with cybersecurity activities.
The functions in the Framework Core are aligned with the phases of the
ORM model (Figure 3.7) to form the cybersecurity operational risk control
framework proposed in this book (Figure 3.10). Figure 4.5 depicts the
alignment between NIST/CSF Framework Core functions with the
ERM/ORM phases.

Figure 4.5. NIST/CSF Framework core & ERM/ORM alignment.

5.1.1. Framework Core


The Framework Core comprises five interdependent core functions
and their associated secondary functions that organizations can adopt for
mitigating cyber threats and risks posed to the business operations25. The
five core functions (code) are “Identify (ID), Protect (PR), Detect (DE),
Respond (RS) & Recover (RC)” (see Figure 4.6) and together they form
the backbone of the framework for a successful and holistic cybersecurity
infrastructure. The five interdependent functions and categories all work
continuously and concurrently, around which all other important

25 Source: National Institute of Standards and Technology, Cybersecurity Framework.
https://www.nist.gov/cyberframework/online-learning/five-functions.

cybersecurity elements are organized. The NIST/CSF's helpful references
provide a direct link between its functions, categories, subcategories, and
other frameworks' specific security measures.
The identify function underpins the defense of the company against
cyberattacks: the cybersecurity team must have a detailed awareness of the
organization's most valuable assets and resources. The categories under
this function are asset management, business environment, governance,
risk assessment, risk management strategy, and supply chain risk
management.

Figure 4.6. NIST/CSF Framework Core.



The key technological and physical security controls for establishing
and executing suitable safeguards and protecting critical infrastructure are
covered by the protect function. Identity management and access control,
data security, information protection processes and procedures,
maintenance, and protective technology are the categories.
The detect function implements the measures that enable a cyberattack
to be discovered when it occurs. The categories are anomalies and events,
security continuous monitoring, and detection processes.
The respond function categories ensure that cyberattacks and other
cybersecurity situations are dealt with promptly and appropriately.
Response planning, communications, analysis, mitigation, and
enhancements are some of the specific areas.
In the case of a cyberattack, security breach, or other cybersecurity
event, recovery efforts implement plans for cyber resilience and maintain
business continuity. Improvements in recovery planning and
communications are among the recovery tasks.
The NIST/CSF only gives a checklist of actions to be conducted, not
instructions on how to inventory physical devices and systems or software
platforms and applications. A company can use whatever technique it
wants to document its inventory. If a company requires additional
direction, it can consult the helpful references to similar controls in other
complementary standards. The NIST/CSF gives companies a lot of
flexibility in selecting the technologies that best suit their cybersecurity
risk management needs.

5.1.2. Framework Profile


The Framework Profile (also known as the "Profile") is the alignment
of the Functions, Categories, and Subcategories with the organization's
business needs, risk tolerance, and resources. A Profile enables firms to
create a cybersecurity risk reduction plan that is closely connected with
organizational and sector goals, takes into account legal/regulatory
requirements and industry best practices, and reflects risk management
priorities. Framework Profiles can be used to characterize the existing state
of various cybersecurity activities, as well as the desired objective state or

target profile. The outcomes required to meet the targeted cybersecurity
risk management objectives are listed in the Target Profile. Therefore,
profiles help organizations communicate business/mission requirements to
all stakeholders, as well as risk communication between business units and
companies.

5.1.3. Framework Implementation Tiers


The Framework Implementation Tiers describe four tiers that help firms
track their progress towards implementing the NIST/CSF.

• Tier 1 (partial) – Implies the organization is familiar with the
NIST/CSF, and some components of control may have been
applied in some portions of the infrastructure. Cybersecurity
actions and protocols have been implemented in a reactive rather
than planned manner. The company has a poor understanding of
cybersecurity issues and lacks the processes and resources needed
to ensure data protection.
• Tier 2 (risk-informed) – The company is increasingly conscious of
cybersecurity threats, and information is shared informally. It
lacks a well-thought-out, repeatable, and proactive cybersecurity
risk management methodology across the board.
• Tier 3 (repeatable) – The company and its senior management are
well aware of the dangers of cybercrime. They have put in place a
repeatable, company-wide cybersecurity risk management
strategy. The cybersecurity team has devised a strategy for
successfully monitoring and responding to intrusions.
• Tier 4 (adaptive) – The company is prepared and cyber-resilient,
and it uses lessons learned and predictive indicators to avoid
cyber-attacks. The cybersecurity team works to develop and
advance the organization's cybersecurity technology and
procedures, as well as to adjust swiftly and effectively to threats.
Risk-informed decision-making, policies, procedures, and
processes are all part of an organization-wide approach to
information security risk management. Cybersecurity risk
management is incorporated into budget decisions and
organizational culture in adaptive enterprises.
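A Profile only becomes actionable once the current state is compared with the target state. The following is an added example, not code from the book or from NIST: it records a Current Profile and a Target Profile as a tier value per Framework Core category and lists the gaps the organization has to close, largest first. The category codes (ID.AM, PR.AC, DE.CM, ...) are NIST CSF v1.1 identifiers; the tier values are constructed sample data, and scoring each category with a Tier number is an assumption of this example rather than how NIST applies the Tiers.

```python
"""NIST CSF Profile gap analysis.

Added example (not from the book or from NIST).  A Current Profile and a
Target Profile are modelled as a tier value (1-4, named after the
Implementation Tiers) per Framework Core category; the gap list is what the
Target Profile requires the organization to close.  Category codes such as
ID.AM are NIST CSF v1.1 identifiers; the tier values below are constructed
sample data, and scoring each category with a Tier number is an assumption
of this example, not how NIST applies the Tiers.
"""
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Function code -> (function name, Framework Core category codes)
FUNCTIONS = {
    "ID": ("Identify", ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM", "ID.SC"]),
    "PR": ("Protect", ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"]),
    "DE": ("Detect", ["DE.AE", "DE.CM", "DE.DP"]),
    "RS": ("Respond", ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"]),
    "RC": ("Recover", ["RC.RP", "RC.IM", "RC.CO"]),
}
KNOWN_CATEGORIES = {c for _, cats in FUNCTIONS.values() for c in cats}


@dataclass(frozen=True)
class Gap:
    category: str
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def profile_errors(profile: dict) -> list:
    """Return a message for every unknown category or out-of-range tier."""
    errors = []
    for cat, tier in profile.items():
        if cat not in KNOWN_CATEGORIES:
            errors.append(f"unknown CSF category: {cat}")
        elif tier not in TIERS:
            errors.append(f"tier for {cat} must be 1-4, got {tier!r}")
    return errors


def gap_analysis(current: dict, target: dict) -> list:
    """Categories where the Current Profile falls short of the Target
    Profile, largest gap first (ties broken by category code).  A category
    absent from the Current Profile is treated as Tier 1 (Partial), since
    nothing repeatable has been documented for it."""
    problems = profile_errors(current) + profile_errors(target)
    if problems:
        raise ValueError("; ".join(problems))
    gaps = []
    for cat, want in target.items():
        have = current.get(cat, 1)
        if have < want:
            gaps.append(Gap(cat, cat.split(".")[0], have, want))
    return sorted(gaps, key=lambda g: (-g.size, g.category))


def function_coverage(current: dict, target: dict) -> dict:
    """Per Function, the mean fraction of the target tier reached across its
    categories (1.0 means every category in the Function meets its target)."""
    coverage = {}
    for code, (_, cats) in FUNCTIONS.items():
        scored = [c for c in cats if c in target]
        if scored:
            ratios = [min(current.get(c, 1), target[c]) / target[c] for c in scored]
            coverage[code] = round(sum(ratios) / len(ratios), 2)
    return coverage


# Constructed sample data: mature Identify/Protect practice, reactive
# detection and recovery.
CURRENT_PROFILE = {
    "ID.AM": 3, "ID.BE": 3, "ID.GV": 2, "ID.RA": 2, "ID.RM": 2, "ID.SC": 1,
    "PR.AC": 3, "PR.AT": 2, "PR.DS": 3, "PR.IP": 2, "PR.MA": 2, "PR.PT": 3,
    "DE.AE": 1, "DE.CM": 2, "DE.DP": 1,
    "RS.RP": 2, "RS.CO": 2, "RS.AN": 1, "RS.MI": 2, "RS.IM": 1,
    "RC.RP": 1, "RC.IM": 1, "RC.CO": 1,
}
# Target Profile: Repeatable everywhere, Adaptive for the Detect categories.
TARGET_PROFILE = {c: 4 if c.startswith("DE.") else 3 for c in KNOWN_CATEGORIES}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.category}: Tier {g.current} ({TIERS[g.current]}) -> "
              f"Tier {g.target} ({TIERS[g.target]}), gap {g.size}")
    for code, frac in function_coverage(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{FUNCTIONS[code][0]}: {frac:.0%} of target reached")
```

The per-Function coverage figure is what a board-level summary would carry, while the ordered gap list is what the Target Profile hands to the operational teams.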

5.2. ISO 27000 Series

The ISO 27000 series standards offer a guide to assist companies in
managing cyber-attack risks and data security threats26. The ISO 27000
series standards are risk-aligned, which means that businesses are urged to
assess the security threats to their information before managing them in
various ways, dealing with the largest risks first. The ISO 27001 family
of standards, often known as the ISO 27000 series, is a set of best practices
designed to assist businesses in improving their information security.

Figure 4.7. ISO 27000 series standards (selected): ISO 27000 (Overview & Vocabulary); ISO 27001 (Requirements); ISO 27002 (Code of Practice); ISO 27003 (Implementation Guide); ISO 27004 (Measurements); ISO 27005 (Risk Management); ISO 27006 (Certification Requirements); ISO 27032 (Guidelines for Cybersecurity); ISO 27033 (Network Security); ISO 27103 (Using an ISMS for Cybersecurity).

The ISO 27000 standard is one of 46 in the series, and it serves as an
introduction to the family as well as a glossary of key words and concepts;
some of the standards are presented in Figure 4.7. The ISO 27000 standard

26 ISO 27005:2011 is aligned with the risk management standard ISO 31000 to enable easier
integration of enterprise risk management approaches with information security risk
management. It provides practical guidance on carrying out the risk assessment required by
ISO 27001, together with clear guidance on risk scales. It has good guidance on threats,
vulnerabilities, likelihoods, and impacts.

“provides guidelines for information security risk management and
supports the general concepts specified in ISO 27001 and is designed to
assist the satisfactory implementation of information security based on a
risk management approach.”
The following sections introduce selected ISO standards to illustrate
the types of contents that are in them. The standards covered are ISO 27000
(Overview & Vocabulary), ISO 27001 (Requirements), ISO 27002 (Code
of Practice), ISO 27003 (Implementation), and ISO 27005 (Risk
Management).

5.2.1. ISO 27000 – Overview and Vocabulary


ISO 27000 provides a summary of the Information Security
Management Systems (ISMS). It also includes a glossary of words and
meanings that are frequently used in the ISMS family of standards. This
text is useful to companies of all types and sizes (e.g., commercial
enterprises, government agencies, not-for-profit organizations).

5.2.2. ISO 27001:2005 - Requirements


ISO 27001 is the standard for ISMS, and it includes standards for the
risk management process, which should be consulted for selecting security
solutions that are appropriate for the threats faced by a company. ISO
27001 provides a methodology on how to implement information security
or cybersecurity in an organization and is an internationally recognized
best-practice standard for an ISMS. It highlights the requirements for an
ISMS. The goal is to create commercial benefits while adhering to
legal and regulatory obligations as well as the expectations of all parties
involved. It is technology-neutral and applicable to any type of
organization. It helps companies identify risks and
puts in place security measures to manage or reduce risks to business
digital systems, networks and data. By being ISO 27001 compliant, a
company demonstrates it meets the ISMS international best-practice and
shows customers, suppliers, and other stakeholders that it is capable of
handling information securely. Table 4.1 aligns the ERM with the
elements in the ISO 27001:2005 standard.

Table 4.1. ERM-ISO 27001 alignment

| ERM | Step | IEC/ISO 27001:2005 |
|---|---|---|
| Strategic RM | Formulate risk strategy & policy; evaluate & align information assets to business strategy | Establish a structure, processes & risk tolerance for coordinating the ISMS through the appropriate policy for managing informational assets. |
| Operational RM | Identify risk to critical assets | These processes result in a constant review & updating of the information asset inventory and answer the question, "what needs to be protected?" |
| Operational RM | Assess risk | Once the critical assets have been identified, the organization performs risk assessment according to an agreed methodology (to answer the question "what are the threats to the assets?"). This results in a list of risks that are then ranked according to their level of criticality. |
| Operational RM + Crisis Management | Mitigate risk | Taking into account the risk acceptance criteria, the organization decides whether to accept each risk, avoid it, transfer it or mitigate it by implementing the appropriate measures. |
| Operational RM + Crisis Management | Monitor & report risk; crisis response & recovery | The ISMS has a set of improvement processes: all procedures within its scope are subject to regular internal audits and corrective and preventive actions, and the characteristics of the system and the risks are analyzed during periodic management reviews. |

Source: Adapted from “Risk management in regulatory frameworks: towards a better management of
risks,” UNECE, p. 10 & https://www.iso.org/standard/42103.html.

5.2.3. ISO 27002 - Code of Practice


ISO 27002 is a guideline document that outlines best practices for
implementing the risk controls contained in Annex A of ISO 27001. It
complements ISO 27001 and should be read in conjunction with it.
ISO/IEC 27002 provides the best practices on information security
controls for establishing, implementing, or maintaining ISMS. ISO 27002
is a "code of practice," not a formal specification like ISO/IEC 27001. It is
a broad advisory document which suggests information security controls
to address information security control objectives arising from threats to
information's confidentiality, integrity, and availability.

5.2.4. ISO 27003 – Implementation Guide


ISO 27003 covers ISMS implementation guidance. It provides guidance on
implementing the ISO 27000 series standards, covering the management
system aspects in particular. Its scope is simply to provide a practical guide
for implementing an Information Security Management System (ISMS) in
an organization based on ISO 27001. The process outlined in this
international Standard for assisting in the implementation of ISO 27001
includes preparing an ISMS implementation strategy in an organization,
defining the business's organizational structure, and securing management
approval. It also provides a list of the critical ISMS activities and examples
of how to fulfill the ISO 27001 requirements.

5.2.5. ISO 27005 – Risk Management


One of the most significant aspects of an organization's ISO 27001
compliance effort is risk assessments. ISO 27005 explains how to conduct
an information security risk assessment that meets ISO 27001's standards.
It is a set of principles for establishing a systematic approach to
information security risk management, which is required to identify
organizational information security needs and construct an effective
information security management system. Even though ISO 27005 does
not provide a specific risk management methodology, it does suggest a
continuous information risk management strategy based on six critical
components: establishing the context, risk assessment, risk treatment,
risk acceptance, risk communication, and risk monitoring and review.

5.3. Control Objectives for Information and Related Technology (COBIT 5)

Since 2012, COBIT 5 has been playing a crucial role as a business
framework for the governance and risk management of enterprise IT. This
framework also emphasizes a strategic integration of enterprise and IT

security. In 2019 it was updated in response to the changes brought by new
technologies and business practices. COBIT 5 is a generic and overarching
framework that may be used by businesses of all sizes, whether they are
for-profit, non-profit, or government. It is a business framework for
enterprise IT governance and management based on a single language for
all stakeholders to express goals, objectives, and expected outcomes. The
framework provides a set of tools to manage the risks of organizational IT
to assure that it is functioning properly. It is based on and incorporates
industry standards and best practices in the following areas: IT should be
strategically aligned with business objectives; service delivery and new
project development are valued; the risk management function is performed
throughout the organization; and risk control performance is reviewed and
measured periodically.
The goal of COBIT 5 is to assist enterprises in maximizing the value
of their intellectual property by ensuring compliance and managing risk
and security through effective IT governance and management.

5.4. General Data Protection Regulation (GDPR)

There is greater attention towards tougher data protection regimes
globally, with countries in Asia, Europe, and North America considering or
having already enforced new laws relating to data protection rules. These
laws are rigorous in terms of the threat of significant fines in the event of
a breach. There are tougher guidelines on data protection in the pipeline in
Australia, Hong Kong, Singapore, and China and more countries are
expected to join the bandwagon.
The principles for handling and securing personal data are lawfulness,
fairness and transparency, purpose limitation, data minimization,
accuracy, storage limitation, integrity and confidentiality, and
accountability. The European Data Protection Regulation, introduced as of
May 25th, 2018, applies to all member states to harmonize data privacy
laws across Europe.

The purpose of the GDPR is to ensure there is accountability in the
management of data. Data protection must be considered early in the
design phase, with control measures in place for the type of data, data
source, and data minimization strategies, so that data security is built in
and enabled by default. GDPR requires that those who collect, use and retain
data be assigned data protection responsibilities by the organization
and, when necessary, that a data protection officer be appointed. When
collaborating with third parties, data processing agreement contracts must
be in place. To ensure data security, the business employs technical
safeguards such as two-factor authentication and end-to-end encryption,
together with operational measures such as staff training, a data privacy
policy, and limited access privileges to personal data. Under
GDPR, processing personal data is generally prohibited unless the processing
is expressly permitted by law or the data subject has given his or her
consent.

5.5. Basel III

The Basel Committee on Banking Supervision designed Basel III as a
set of internationally agreed-upon policies in response to the financial
crisis of 2007-09. The reforms are intended to improve bank regulation,
oversight, and risk management. Its purpose is to fortify global capital by
reinforcing liquidity rules to build a more resilient banking sector to
prevent financial and economic instabilities. Basel III encompasses crucial
issues of banking sectors regarding minimum capital requirements and
buffers, risk coverage, capital conservation buffer, countercyclical buffer,
and leverage ratio.
The level of technology investment necessary to comply with Basel III
requirements will be primarily determined by a bank's investment to
comply with Basel II regulations. If a bank already has a fully operational
and auditable risk management and measurement system, it will only need
to make incremental investments to meet Basel III's 'solvency'
requirements.

CONCLUSION

To improve enterprise cyber risk management, more efforts and
cooperation are needed to standardize frameworks and terminology to
provide for a consistent or universal approach to addressing cybersecurity
issues.
Chapter 5

CYBER RISK IDENTIFICATION

1. INTRODUCTION

The first phase of the operational risk control process is risk
identification, which lays the foundation for building the organization’s
risk profile. Cyber risk is another kind of operational risk that a firm faces
in its daily business activities. The cyber risk management function
requires the organization to design and implement risk mitigation measures
at both the strategic and operational levels. There are different aspects of
risk mitigation for protecting the security of an organization’s critical
information assets and this chapter discusses the first step in the
operational risk management (ORM) process for cybersecurity. This step
is one relating to identifying cyber risks in the company. As input to the
enterprise risk management process, it is an important function because if
a risk cannot be identified, the subsequent phases of the risk management
process cannot be implemented for that risk. Most large enterprises have
risk management systems that identify risks associated with a given set of
assets. Typically, these systems collect data from throughout the business
to indicate where risks may lie and then communicate that information to
the risk team to be analyzed. The systems operate to notify businesses (or

specifically, the owner of a particular risk issue) of the risk exposures,
including any security breaches.
This chapter introduces some of the tools and techniques used to scan
the enterprise informational assets to identify cyber threats. This function
requires an understanding of the company’s business, business objectives,
and environments. It is only through this knowledge that we can identify
the inherent risks and appreciate the nature of the risk exposure it poses to
the organization. Typically, in an enterprise risk management context, the
goal of this function is to identify all the firm’s risk factors, including
financial, social, economic, political, legal, and cyber risks that can have a
significant adverse effect separately, or in combination, on its cash flows,
earnings, and financial position.

2. RISK IDENTIFICATION

Risk identification is about collaboration, data collection, analysis, and
brainstorming involving relevant stakeholders in an environment that
encourages free and open risk disclosure and debate. The enterprise risk
management operational framework is a four-step process (Figure 5.1) that
starts with risk identification and requires an understanding of the firm’s
operations and objectives. This first step of the ORM process requires a
company to identify its critical assets and the greatest vulnerabilities that
may prevent it from realizing its business objectives.
The purpose of risk identification is to prepare a listing of all the
relevant risks that might affect the company. It provides visibility and
insight into the primary areas of uncertainty by detecting and categorizing
as many of the company’s risk factors as possible. The process of
identifying risk can happen as initial risk identification for a new company
or as a continuous assessment (Robin et al. 2002) function to identify
emerging risks necessitated by changes in the operating environment. Risk
identification is also conducted in the SRM process as an initial risk
assessment for establishing risk strategies, action plans, policies &
procedures (see Figure 3.9: SRM process for cybersecurity in Chapter 3).

The emerging cyber threats are a result of a rapidly changing technological
environment as systems become more interconnected. Some of these
threats are likely to emanate from cloud computing, artificial intelligence-
enabled attacks, deepfakes, blockchain, machine learning poisoning, and
smart contract hacking (Belani, 2020).

Figure 5.1. Risk identification phase in the ERM/ORM cycle.

As discussed in Chapter 1, it is worth reiterating that uncertainty
(threat) is an abstract concept and “risk” is quantifiable uncertainty in
terms of its outcome (impact) and probable frequency of occurrence
(vulnerability). It is only through an understanding of the business
objectives and its operations that we can appreciate the complexities of its
risk exposure (Oh et al., 2018). For example, a cyber-attack may result in
reputational damage to the firm that may cause liability losses and future
revenue losses27. Therefore, the purpose of risk identification is to discover
as many as possible of the threat events that may result in risk exposure. It
is not possible to identify all potential cyber threats, nor are all cyber risks
critical to the extent that they may cause substantial harm to the company.

27 Yahoo data breaches in 2013 and 2014 (reported in 2016) illustrate how cyberattacks caused
the firm to suffer losses due to reputational damage. Yahoo became a regulatory
enforcement target and incurred costs from an ongoing government investigation.

Nevertheless, the risk identification focus must be deliberately expansive
(Robin et al., 2002) and the risk manager should identify as many potential
threats as possible.
It is the management's responsibility to identify risks and the chief risk
officer should take the lead and responsibility to perform risk identification
on strategic objectives. An alpha-beta risk approach in risk analysis is
needed to consider the risks inherent in the market, industry, and the unique
risks of the firm's operations. Some industries are more susceptible to
cyber-attacks (Ettridge, Guo & Li, 2020; Kamiya et al., 2020). This
approach must take into account the firm’s entire risk environments, both
internal and external risk factors.

3. IDENTIFYING CYBER THREATS

Identifying cyber threats faced by a firm requires an understanding of
the company's business, business objectives, and threat environments. The
risk strategy has to be consistent with the company’s objectives starting
with the risk identification step to make sure that the key business
assumptions made by management are understood to capture as many
cyber risk factors as possible. Assumptions vary according to the
company’s business, where a utility company fears a power outage28 and a
healthcare business is concerned about electronic health record (EHR)
downtime29. This knowledge will help in associating the company’s
vulnerabilities with the potential cyber threats to its business systems,
networks, and data. Therefore, the risk identification process should start
with a view of the business and its value chain to identify critical
information assets (McKinsey, 2017). Gregersen (2018) suggests that
asking questions about a subject is a good technique for achieving results

28 On 23 December 2015, the information systems of three Ukrainian energy distribution
companies were compromised by hackers disrupting the electricity supply to consumers. It
is the first known successful cyberattack on a power grid.
29 On 27 September 2020, a ransomware attack on 400 UHS care sites that caused a three-week
EHR downtime resulted in $67 million in lost operating income, labor expenses, and overall
recovery costs.

in brainstorming sessions. In Table 5.1, the threat identification questions


based on “what, why, who, when, and where" of the cybersecurity of
digital assets throughout the business value chain can help to discover
potential risk factors in terms of how they create and destroy value in a
firm.

Table 5.1. Threat identification questions

Question: What do we do to create value?
  Implications:
  • What are the digital resources we cannot do without?
  • What are the organization’s critical digital assets?
  NIST/CSF category: ID:AM; ID:BE; ID:SC

Question: What can happen to destroy value? Why? When? Who? & Where?
  Implications:
  • What digital assets should be protected?
  • What are the potential cyber threats or harm to our infrastructures (networks, systems & data), employees, customers, partners, and visitors?
  NIST/CSF category: ID:AM; ID:BE; ID:SC

Question: What is the impact on value from a threat based on the probability and the estimated distribution of risk outcomes?
  Implications:
  • What are the potential losses?
  • What priority and quantity of resources need to be assigned and allocated to minimize negative risk impact?
  NIST/CSF category: ID:RA

The impact or loss to the firm from cybersecurity risk is largely a result of a compromise of the confidentiality, integrity, and availability of a firm’s critical systems, networks, and data. The usual consequences of such risks can be categorized as denial of service, information corruption, and data theft. Proactive and early identification of threats is an essential component of effective risk management. The screening for risk covers all digital infrastructures and applications of a company where business SND assets reside. The risk identification methodologies should define and categorize the vulnerabilities or weaknesses as to how they can pose a threat to the organization. A clear, unambiguous, consensus description of the risks captured is the minimum outcome of the risk identification processes (Robin et al., 2002). At the micro-level, an effective identification function requires the systematic listing, classification, and risk assessment of all value-creating information assets used by the organization. Likewise, the macro risk factors or market risk factors are also listed, classified, and assessed for their impact on the organization. Once the value-creating SND processes and vulnerable assets are recognized, a thorough identification of associated threats or dependencies is conducted.

98 Kok-Boon Oh, Bruce Ho and Bret Slade
If companies are to understand the various types of threats they are likely to face and the types of countermeasures that need to be implemented, it is particularly important to define the objectives of different criminals or perpetrators and their motivations. Threats can be categorized by motivation into four categories, as discussed in Chapter 2. The vectors of attack, threat actors, and motivations are presented in Table 5.2 below:

Table 5.2. Vectors, threat actors, and objectives

Vector of attack: Unintentional external threats
  Threat actor/Cause, motivation & objectives:
  • Third-party partners/Human error, negligence, or accidental act

Vector of attack: Unintentional internal threats
  Threat actor/Cause, motivation & objectives:
  • Employee or third parties (suppliers, sub-contractors, or partners)/Human error, negligence, or accidental act

Vector of attack: Malicious external threats
  Threat actor/Cause, motivation & objectives:
  • Hackers/Financial gain
  • Hacktivists/Sabotage to express political, social, or religious views
  • Criminal syndicates/Financial gain
  • Nation-states/Sabotage, cyberwar, or data theft

Vector of attack: Malicious internal threats
  Threat actor/Cause, motivation & objectives:
  • Employee or third parties/Emotion or data theft for financial gain

There are generally three forms of financial gain for cybercriminals who carry out cyber-attacks: extortion, ransom, or sale of stolen data (Fowler, 2016). On the other hand, cybercriminals driven by political or ideological motivations commit crimes to enforce their philosophical convictions. Employees who pose a malicious internal cyber threat to the company are those who steal sensitive data for financial gain. Another type of malicious internal threat comes from employees who commit cybercrime to vent their frustrations by destroying a company's networks. Malicious external threats that are state-sanctioned or sponsored are carried out by nation-states for economic, political, and military objectives. The impacts from such cyberattacks can be data theft, intelligence-gathering, and destructive attacks on critical assets.
The output of the risk identification process is a set of risk statements (Robin et al., 2002) that report the results explaining the profile and causal relationship of threats recognized by the risk identification participants. This information should be documented in the risk register.

4. NIST/CSF – IDENTIFY FUNCTION

“Identify” is the first core function of the NIST/CSF Framework Core that assists in “developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities.” It is important to identify as many of the potential risks that may cause harm to the organization's systems, networks, and data as possible, to protect the CIA security triad so that the organization can operate normally. This function provides the foundation for the subsequent NIST/CSF functions to be built upon. To do this, organizations must conduct a comprehensive inventory of potential cyber risks, which must be documented for quantification of their potential impacts on business.
Each NIST framework function comprises outcome categories and subcategory activities that describe the kinds of processes and tasks organizations should carry out for that framework level. The Identify function contains six outcome categories and their respective subcategory activities (Table 5.3).

Table 5.3. Identify function – outcome categories/sub-categories

Identify (ID)

Category: Asset management (ID:AM)
  Sub-categories:
  • Asset inventory (ID:AM1)
  • Software inventory (ID:AM2)
  • Organization ICT map (ID:AM3)
  • External ICT catalog (ID:AM4)
  • Resources priority list (ID:AM5)
  • Cybersecurity roles & responsibilities (ID:AM6)

Category: Business Environment (ID:BE)
  Sub-categories:
  • Supply chain role (ID:BE1)
  • Organization IT & Industry position (ID:BE2)
  • Organizational mission, objectives & activities (ID:BE3)
  • Dependencies & critical functions for service delivery (ID:BE4)
  • Resilience requirements for service delivery (ID:BE5)

Category: Governance (ID:GV)
  Sub-categories:
  • Information security policy (ID:GV1)
  • Information security roles & responsibilities coordination (ID:GV2)
  • Legal and regulatory requirements (ID:GV3)
  • Governance and risk management processes (ID:GV4)

Category: Risk assessment (ID:RA)
  Sub-categories:
  • Critical assets identified & documented (ID:RA1)
  • Shared information on threats & vulnerabilities (ID:RA2)
  • Internal and external threats are documented (ID:RA3)
  • Likelihoods & impacts analysis (ID:RA4)
  • Threats, vulnerabilities, likelihoods, and impacts are used to determine risk (ID:RA5)
  • Risk responses identified and prioritized (ID:RA6)

Category: Risk management strategy (ID:RM)
  Sub-categories:
  • Risk management processes (ID:RM1)
  • Risk tolerance (ID:RM2)
  • Informed risk tolerance (ID:RM3)

Category: Supply chain (ID:SC)
  Sub-categories:
  • Cyber supply chain RM processes defined and agreed upon by organization stakeholders (ID:SC1)
  • Suppliers and third-party partners of information systems, components, and services are assessed & documented (ID:SC2)
  • Supplier and third-party contracts implement measures to meet the organization’s cybersecurity objectives & plan (ID:SC3)
  • Suppliers and third-party partners are routinely assessed to confirm satisfactory contractual obligations (ID:SC4)
  • Recovery planning and testing and response are conducted with both suppliers and third-party providers (ID:SC5)

The shaded sub-categories in Table 5.x are those that pertain to the Risk Identification function (Step One) in the ERM/ORM process. The actions reflected in these sub-categories are also considered to be consistent with the SRM initiatives of the “risk assessment” phase of the ERM model (see Figure 3.9: SRM process for cybersecurity ERM in Chapter 3). The remaining categories/sub-categories are more closely aligned with other components of the TRMM. The categories business environment (ID:BE), governance (ID:GV), and risk management strategy (ID:RM) are activities that are consistent with the SRM process (the strategic aspects of these categories are discussed in Chapter 10), while some of the sub-categories (ID:RA4, ID:RA5, and ID:RA6) in the “Risk Assessment” category match the Assessment phase activities in the ORM process.
The threat identification question of estimating the “probability and distribution of risk outcomes” to estimate the impact on firm value (Table 5.3) corresponds with the sub-category items “likelihoods and impacts analysis” (ID:RA4), “utilizing threats, vulnerabilities, likelihoods & impacts to determine risk” (ID:RA5), and “risk responses identified and prioritized” (ID:RA6), which are also activities conducted in the “assessment” phase (Step 2) of the ERM/ORM process. These activities are discussed in detail under risk assessment in Chapter 6.
In Table 5.3 above, the sub-categories that are highlighted in the asset management (ID:AM) and risk assessment (ID:RA) categories (and supply chain (ID:SC)) of the NIST/CSF’s Identify function are actions (see Figure 5.2 below) that are aligned with the Identify stage of the ERM/ORM. The following section discusses these sub-categories vis-à-vis the Risk Identification phase.
Asset inventory (ID:AM1) pertains to the identification and documentation of all critical SND or digital assets, including “software platforms and applications” (ID:AM2), that are required to facilitate the company in fulfilling its business strategies and business objectives. A network diagram is prepared to show how the company’s information network works (ID:AM3). It depicts the various components that make up a network, including external systems (ID:AM4), as well as how they interact, such as routers, devices, hubs, firewalls, and the Internet, to help identify threats and vulnerabilities. The critical information assets are then documented (ID:RA1), including those of suppliers and third-party partners (ID:SC1), for analysis to protect against cyber-attacks. Cybersecurity threat information is shared with different sources (ID:RA2) to communicate and heighten awareness of internal and external threats (ID:RA3).

[Figure: the ERM/ORM risk identification step (Step 1) is mapped to the NIST/CSF core function Identify, categories AM & RA, with the sub-categories: Asset inventory (ID:AM1); Software inventory (ID:AM2); Organization ICT map (ID:AM3); Catalogue external ICT (ID:AM4); Critical assets identified & documented (ID:RA1); Shared information on threats & vulnerabilities (ID:RA2); Internal and external threats are documented (ID:RA3); Cyber supply chain RM processes defined and agreed by organization stakeholders (ID:SC1).]

Figure 5.2. ERM/ORM & NIST/CSF alignment.

5. RISK IDENTIFICATION, THREATS, AND CIA TRIAD

The CIA cyber security triad (Rouse, 2014), as referred to earlier, consists of the three cybersecurity attributes of confidentiality, integrity, and availability for an organization's digital infrastructure. It provides a useful dimension to complement the traditional risk management framework in cybersecurity analysis (Gerber & Von Solms, 2005). It is used to identify and classify cyber risks to better understand the types or methods of cyber-attacks and how they compromise each of these three elements (Biener, Eling & Wirfs, 2015; McShane & Nguyen, 2020).

5.1. Confidentiality

A data breach is likely to affect confidentiality, which is about keeping sensitive information private and accessible only by those who are authorized. Restrictions must be put in place to control who has authorized access. Data should be categorized according to their levels of sensitivity, and different restrictions are implemented according to the degree of sensitivity. Sensitivity refers to the damage or disruption to the organization if the data is compromised.
Threats to the confidentiality of systems include encrypted data being cracked, man-in-the-middle attacks, data breaches, unauthorized copying of sensitive data, and the installation of malware or spyware on a server.

5.2. Integrity

Integrity relates to maintaining the consistency, accuracy, and reliability of data over its lifecycle. Controls include file permissions and user access control. Controls over data changes are also necessary, using data checksums or cryptography. Cryptographic checksums for verification and integrity backups must be available to restore data to its original state.
A web intrusion for malware insertion or a malicious malware attack would compromise the integrity of the organization’s data. A malicious unauthorized database scan or modification (such as a website defacement) could cause the loss of integrity of key data. A ransomware attack, or a denial of service that installs spam and viruses on a company’s Internet-connected computers, can also result in loss of integrity of computer systems and data.

5.3. Availability

Availability requires the rigorous maintenance of all hardware to ensure it remains functional and always available. An efficient, functional operating environment without software conflicts is important for the optimal functionality of the systems and networks. System updates must be actioned immediately, and there must be enough bandwidth to cater for the expected digital traffic.
Availability of systems can be lost through denial of service (DoS/DDoS) attacks, ransomware attacks such as the WannaCry ransomware attacks, forced data encryption, and malicious internal disruption of the power supply to server rooms.
Donn B. Parker proposed the Parkerian hexad, a set of six information security factors, in 1998. The Parkerian Hexad (PH) is based on the CIA model. The Parkerian hexad adds three more security features to the three fundamental security features of the CIA triad. The three additional features are possession or control, authenticity, and utility. Humans are the greatest threat to information security. The additions to the CIA triad can be used to provide a more detailed description or dimension of a security situation, including the vulnerability of people, to facilitate cyber threat identification, assessment, and mitigation (Falco et al., 2019). The additional features make the CIA triad a more comprehensive and complete model for data security today.

6. RISK IDENTIFICATION TOOLS AND TECHNIQUES

Risk identification is all about trying to determine and characterize threats to “systems, people, assets, data, and capabilities” (NIST/CSF) and finding techniques, tools, and models to carry out the task. There is no universal or uniform approach in ERM to the use of tools or techniques for identifying risks that could cause an organization's strategy and objectives to fail. The risk identification task involves determining the types of problems that could jeopardize the company’s ability to do business. Sometimes companies bring in cybersecurity consultants to advise management on how to identify the threats. The problems identified are listed and are further explained and categorized into more detailed scenarios. For example, a problem could be identified as a cyber threat caused by a data breach and malware attack as the specific type of risk within the category. Information about those problems is captured in the organization’s risk register with the actors, vectors of attack, and inherent risks explained in detail. The problems and risks can be categorized in the register according to risk types such as financial, operational (including cyber risk), or regulatory.
If a phenomenon has not been studied substantially in the literature, it warrants a qualitative approach to explore and understand the key factors, i.e., unknowns (Pham & Oh, 2021). There is still only a paucity of knowledge, especially about the human behavioral aspects of cybersecurity (Hurst, Merabti & Fergus, 2014; Gisladottir, Ganin, Keisler, Kepner & Linkov, 2017), which requires further qualitative research into the human behavior of attackers and victims of cyber events. Identifying cyber threats essentially uses a qualitative approach with the prerequisite technical knowledge of the interdependences and interactions between business processes and information system components. The qualitative methods can include expert judgment or questionnaires to identify cyber threats. The qualitative evaluation aims to decompose risk to identify the exposure of a system or network to cyber threats and to assess the impact on potential performance relative to management criteria. Therefore, it is important to reiterate that before beginning the identification, the analyst must understand the business model, the business system or network and its functions, the IT architecture, and the management philosophy.
The common approaches for identifying risk are SWOT analysis, information gathering techniques, root cause analysis, checklist analysis, assumption analysis, document review, expert judgment, factor analysis of information risk, and penetration testing. They are discussed in detail in the following sections.

6.1. SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats)

SWOT (Strengths-Weaknesses-Opportunities-Threats) analysis is a structured management approach with well-established techniques frequently employed for strategy formulation. SWOT analysis is a study undertaken to identify an organization’s strengths and weaknesses, as well as its external opportunities and threats, from which risks are determined. SWOT is a kind of situation analysis approach in management science: S is Strength, which refers to the advantages of a corporation; W is Weakness, which refers to the disadvantages of a corporation; O is Opportunity, meaning the market opportunities of the firm; T is Threat, which means the external threats and risks of the firm. S (Strength) and W (Weakness) are the internal elements of a corporation, including structure, culture, systems, networks, databases, and financial and human resources. O (Opportunity) and T (Threat) refer to factors in the external environment (e.g., the Internet, third-party systems & networks, political risks, competitors, and market risks) that a corporation does not control.
To identify cyber risks using SWOT, the primary focus should be on analyzing and debating the corporation's weaknesses and threats. However, in a rapidly changing digital landscape, opportunity and threat may converge, and matters that are regarded as opportunities may pose some threats for the company, such as the adoption of eCommerce or information technology. Conversely, threats may carry opportunities, such as a potential data breach prompting the outsourcing of data storage to a cloud provider. Therefore, management must focus on studying market conditions to identify opportunities from risks, as well as analyze and understand the strengths and weaknesses within the organization to gain advantages (Ho, Oh, Durden & Slade, 2010). However, the rigidity of SWOT may restrict creative thinking and, as a result, some risks may not be identified.

6.2. Information Gathering Techniques

Three techniques are addressed.

1. Brainstorming or workshopping is a group information gathering technique with a focus on the identification of risk for the enterprise. Firstly, all participants must have the same understanding of the risk (Robin et al., 2002) and are informed clearly of the objectives of the brainstorming session before being left to create a list of risks. It may take several iterations of brainstorming to narrow down the initial list of risks to those that are considered critical. Based on their different backgrounds and shared knowledge, participants work as a team to facilitate and contribute to the task in a brainstorming session. For brainstorming to be effective as a risk identification technique, participants in each session need to collectively possess a cross-section of knowledge of enterprise risk management and the relevant risk environment to help explain how risks and objectives are linked and how they can affect different businesses and divisions. The disadvantages of this approach are domination by senior management and risks being missed because the wrong people are involved.
2. The Delphi Method is a structured communication technique that relies on a panel of experts. For ERM, key managers or personnel are considered the "experts" in their areas of operation and are consulted in a systematic and interactive forecasting process to identify enterprise risks. The experts answer questionnaires in two or more rounds; their responses are compiled, and the results are sent back to them for further review until a consensus is reached.
3. ‘Survey’ or ‘Interviewing’ for information gathering involves conducting interviews with operational managers, employees, participants, experts, stakeholders, etc. to identify risks. A risk questionnaire can be used to identify risks by asking a series of questions on threats and vulnerabilities in both internal and external digital landscapes. Typical questions are those asking employees to list the significant cyber/information risks relating to attaining strategic business goals or objectives. The collated information from surveys can be used in brainstorming sessions to further define, refine, and narrow the list to only the critical risks. This technique garners greater involvement than workshops but may be disadvantaged because it relies on historical knowledge.

6.3. Bow-Tie Analysis

It is crucial to evaluate the relationships between different assumptions while modeling cyber threats and vulnerabilities. A bow-tie diagram is a useful tool for in-depth risk analysis and identifying interdependencies. The Bow-tie method forms the basis of risk analysis to identify and analyze threats and vulnerabilities to determine where risk controls may be necessary. This type of study aids in determining the causes and effects of each risk, as well as improving risk modeling and detecting correlations between various strategic business objectives, management assumptions, and scenarios.
It graphically depicts the pathways of risks in a simple qualitative cause-consequence diagram. The left-hand side of the diagram analyses the cause of an event or risk (the fault tree) and the right-hand side analyses the consequences (the event tree). Diagrammatically, the bow tie is constructed from fault and event trees where the knot of the bow tie is at the point where on the left the fault tree paths converge and, on the right, the event tree spans out (Figure 5.3). The information for the construction of the bow tie diagram is collected from brainstorming sessions on risk exploration and discovery. The causes on the left side of the bow tie need to be aligned to the business objectives, critical assets, and vulnerabilities to identify the threats to the organization.

[Figure: bow tie diagram. Across the top, the layers Vision, Mission, Strategy & Objectives; Systems, Networks & Data; and Confidentiality, Integrity & Availability. Causes on the left converge at the knot; Consequences fan out on the right; the Risk Management Strategy sits beneath.]

Figure 5.3. Bow tie risk analysis.

From the causes and consequences identified, the threats are examined
and quantified in the assessment step to help design the risk management
strategy for mitigating the vulnerabilities (causes) and/or consequences
(risks) by changing the likelihood of the event or circumstance, or
changing its consequences, respectively. For example, antivirus software
may protect a system from a malware attack or prevent a cause from
happening while network segmentation may prevent an attack from
spreading to other parts of a network by limiting the consequences. The
bow-tie method is also useful for reviewing risk mitigation controls or
measures to monitor and gauge their effectiveness as part of the operational
risk management cycle.
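As an added illustration, not from the book, the bow-tie reasoning above can be made concrete in code: preventive controls on the left reduce the likelihood of each cause (the antivirus example), mitigating controls on the right reduce each consequence (the network segmentation example), and the gap between the inherent and residual expected annual loss is what the risk management strategy buys. The top event, causes, consequences, probabilities and control effectiveness values are constructed sample figures; treating each barrier as removing a fixed share of what is left, and treating causes as independent, are simplifying assumptions of this example.

```python
"""Bow-tie model of one cyber risk: causes and preventive controls on the
left, consequences and mitigating controls on the right.

Added illustration, not from the book. All figures are constructed; the
control effectiveness values are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    name: str
    effectiveness: float  # share of likelihood (or impact) the barrier removes, 0..1

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be within 0..1")


@dataclass
class Cause:
    """Left side (fault tree): a threat path towards the top event."""
    name: str
    annual_likelihood: float                 # inherent probability per year, 0..1
    preventive: List[Control] = field(default_factory=list)

    def residual_likelihood(self) -> float:
        p = self.annual_likelihood
        for barrier in self.preventive:      # each barrier removes a share of what is left
            p *= 1.0 - barrier.effectiveness
        return p


@dataclass
class Consequence:
    """Right side (event tree): an outcome once the top event has occurred."""
    name: str
    impact: float                            # loss in currency units if it occurs
    mitigating: List[Control] = field(default_factory=list)

    def residual_impact(self) -> float:
        x = self.impact
        for barrier in self.mitigating:
            x *= 1.0 - barrier.effectiveness
        return x


@dataclass
class BowTie:
    top_event: str
    causes: List[Cause]
    consequences: List[Consequence]

    def event_likelihood(self, residual: bool = True) -> float:
        """P(top event) with independent causes: 1 - prod(1 - p_i)."""
        survive = 1.0
        for cause in self.causes:
            p = cause.residual_likelihood() if residual else cause.annual_likelihood
            survive *= 1.0 - p
        return 1.0 - survive

    def total_impact(self, residual: bool = True) -> float:
        return sum(c.residual_impact() if residual else c.impact
                   for c in self.consequences)

    def expected_annual_loss(self, residual: bool = True) -> float:
        return self.event_likelihood(residual) * self.total_impact(residual)


def build_example() -> BowTie:
    """Constructed bow tie for a ransomware top event (sample values only)."""
    return BowTie(
        top_event="Ransomware encrypts the file server",
        causes=[
            Cause("Phishing email delivers malware", 0.50,
                  [Control("Mail filtering and antivirus", 0.60),
                   Control("User awareness training", 0.50)]),
            Cause("Remote access with default password", 0.20,
                  [Control("Multi-factor authentication", 0.90)]),
            Cause("Unpatched service exploited", 0.30,
                  [Control("Patch management", 0.70)]),
        ],
        consequences=[
            Consequence("Business disruption", 1_000_000.0,
                        [Control("Network segmentation", 0.50),
                         Control("Tested offline backups", 0.60)]),
            Consequence("Data theft and regulatory penalties", 500_000.0,
                        [Control("Encryption of data at rest", 0.40)]),
        ],
    )


def summary(bt: BowTie) -> dict:
    """Inherent versus residual figures, as a risk register would record them."""
    return {
        "top_event": bt.top_event,
        "inherent_likelihood": round(bt.event_likelihood(residual=False), 4),
        "residual_likelihood": round(bt.event_likelihood(residual=True), 4),
        "inherent_impact": bt.total_impact(residual=False),
        "residual_impact": round(bt.total_impact(residual=True), 2),
        "inherent_eal": round(bt.expected_annual_loss(residual=False), 2),
        "residual_eal": round(bt.expected_annual_loss(residual=True), 2),
    }


if __name__ == "__main__":
    for key, value in summary(build_example()).items():
        print(f"{key:>20}: {value}")
```

With the sample figures the inherent likelihood of the top event is 0.72 per year and the residual likelihood about 0.197; the residual impact is one third of the inherent impact, so the expected annual loss falls from 1,080,000 to roughly 98,690. Re-running the summary after a control's effectiveness is re-rated is the monitoring use of the bow tie described in the last sentence above.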

6.4. Business Impact Analysis

The Business Impact Analysis (BIA) aligns information system elements (systems, networks, and data) with the organization's stated objective, identifying the most significant information system elements based on the cost of business disruption. A business impact analysis (BIA) is a systematic procedure for identifying critical SND by evaluating the possible impact and implications of a cyber breach or risk incident based on their criticality to business operations. Hence, the BIA’s function overlaps risk identification (Step 1) and risk assessment (Step 2). It is a viable tool for risk identification as well as risk assessment, ranking risks for the subsequent phase of the risk control process (i.e., Step 3, risk mitigation) to plan and develop strategies for minimizing risk. The BIA, as a risk assessment tool, is vital to the risk control process because it assesses the possible consequences and implications of a cyber-attack on critical business systems, networks, and data by quantifying the financial and non-financial costs.
The first stage of the BIA is to define the business operations that the system or network under consideration supports and to determine the maximum amount of time the system or network can be disrupted while still completing its objective (i.e., the costs or impact). Next, the resources necessary to resume business operations are identified. Based on the information collected in these two stages, we can align the systems or networks to business objectives and important processes. Priority levels can then be assigned to rank these systems and networks.
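An added example of the two BIA stages in code (not the book's own tooling): each constructed business operation names the systems it depends on, its maximum tolerable downtime (MTD), its hourly cost of disruption, and the resources needed to resume; a system shared by several operations inherits the tightest MTD and the combined hourly loss, and the systems are then ranked. The priority bands and the sample healthcare processes are assumptions made for this example.

```python
"""Business Impact Analysis (BIA): map systems to the business operations
they support, derive each system's maximum tolerable downtime (MTD) and
cost of disruption, and rank the systems.

Added example, not from the book. Processes, systems, hours and costs are
constructed sample data; the priority bands are an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class BusinessProcess:
    name: str
    systems: List[str]              # systems or networks the operation depends on
    mtd_hours: float                # maximum tolerable downtime before the objective fails
    loss_per_hour: float            # financial impact of disruption per hour
    recovery_resources: List[str]   # resources needed to resume the operation


@dataclass
class SystemImpact:
    system: str
    processes: List[str]            # business operations the system supports
    mtd_hours: float                # most stringent MTD among those operations
    loss_per_hour: float            # combined hourly loss when the system is down
    loss_at_mtd: float              # loss accumulated if the outage lasts the full MTD
    recovery_resources: List[str]
    priority: str


# Assumed priority bands: (MTD upper bound in hours, label), checked in order.
PRIORITY_BANDS: List[Tuple[float, str]] = [
    (4.0, "P1 - critical"),
    (24.0, "P2 - high"),
    (72.0, "P3 - medium"),
    (float("inf"), "P4 - low"),
]


def priority_for_mtd(mtd_hours: float) -> str:
    for upper_bound, label in PRIORITY_BANDS:
        if mtd_hours <= upper_bound:
            return label
    raise ValueError("MTD must be a number of hours")


def analyse(processes: List[BusinessProcess]) -> List[SystemImpact]:
    """Both BIA stages: align systems to operations, then rank by criticality."""
    supported: Dict[str, List[BusinessProcess]] = {}
    for proc in processes:
        for system in proc.systems:
            supported.setdefault(system, []).append(proc)

    results: List[SystemImpact] = []
    for system, procs in supported.items():
        mtd = min(p.mtd_hours for p in procs)         # a shared system inherits the tightest MTD
        hourly = sum(p.loss_per_hour for p in procs)  # every dependent operation stops at once
        resources = sorted({r for p in procs for r in p.recovery_resources})
        results.append(SystemImpact(
            system=system,
            processes=[p.name for p in procs],
            mtd_hours=mtd,
            loss_per_hour=hourly,
            loss_at_mtd=hourly * mtd,
            recovery_resources=resources,
            priority=priority_for_mtd(mtd),
        ))
    # Shortest tolerable downtime first; ties broken by the larger hourly loss.
    results.sort(key=lambda r: (r.mtd_hours, -r.loss_per_hour))
    return results


def sample_processes() -> List[BusinessProcess]:
    """Constructed sample for a small healthcare provider (not real data)."""
    return [
        BusinessProcess("Patient admissions", ["EHR", "Identity directory"], 2.0, 20_000.0,
                        ["EHR database restore", "On-call DBA"]),
        BusinessProcess("Billing", ["Billing application", "EHR"], 48.0, 5_000.0,
                        ["Billing application restore", "Finance staff"]),
        BusinessProcess("Public website", ["Web CMS"], 72.0, 500.0,
                        ["CMS redeploy from repository"]),
        BusinessProcess("Payroll", ["HR system", "Identity directory"], 120.0, 1_000.0,
                        ["HR system restore"]),
    ]


if __name__ == "__main__":
    for row in analyse(sample_processes()):
        print(f"{row.priority:<14} {row.system:<20} MTD={row.mtd_hours:>5.0f}h "
              f"loss/h={row.loss_per_hour:>8,.0f} supports={', '.join(row.processes)}")
```

In the sample the EHR and the identity directory come out as P1 because patient admissions cannot tolerate more than two hours without them, even though billing alone would tolerate two days; the recovery resources of every dependent operation are collected against the system so the mitigation phase knows what a restore actually requires.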

6.5. Network Diagram and Flowchart

A network diagram is a visual representation of a network’s architecture and data flow, used to identify the critical components that are key to success by analyzing where data is processed, where it is utilized, and where it is stored. It is used as a risk identification tool to gain a better understanding of a network and so conduct a more effective evaluation of the vulnerabilities or weaknesses that pose a risk to the organization.
The Flowchart Method uses graphs to depict the systematic flow of data, portraying the activities of a system or network to identify threats and weaknesses. Some of the techniques that can be applied in the identification process to assess flowcharts for risks are dependency analysis, site analysis, decision analysis, and critical path analysis. These techniques can be used to demonstrate dependencies within an organization to identify critical systems and networks. However, the flowchart method is very much process-driven and does not reflect frequency or severity; it merely determines the systems with the potential for threats and substantial losses.

6.6. Document Reviews (Historical Data) & Expert Judgment

Reviewing related documents such as academic literature, research, experiences, articles, SOPs, data, and so on is a frequent approach for detecting threats or risks linked with a process, an asset, or an event. This is because many risk situations typically have a high level of similarity and consistency over time across different asset classes. However, depending solely on historical data is insufficient; therefore it is critical to also seek the wisdom of expert judgment to help identify, characterize, and validate threats in light of rapidly changing technology, risk landscapes, and market conditions.

6.7. Vulnerability Assessment (“Pen Test”) & Footprinting

The penetration testing process starts with footprinting. It is the first step performed in vulnerability assessment or “pen test” processes to observe and review an enterprise’s information infrastructure to identify weaknesses. Footprinting tools are used to collect basic information about the target systems for observing and reviewing an enterprise’s computer systems or networks to identify weaknesses. Footprinting can adopt a passive or an active approach to reviewing an enterprise's information system. For example, analyzing a website or analyzing a system activity log is passive footprinting, while trying to gain access through war games, social engineering, or phishing is an active approach.
Penetration testing or "pen test" is another way of identifying security weaknesses in the systems, networks, and database servers in an enterprise's information infrastructure. A pen test is a deliberate attempt to gain access to a company's systems or data to methodically test the robustness of their cyber security and to identify vulnerabilities that hackers can exploit. They are conducted by specialist firms who are experts in testing infrastructure for vulnerability to cyber threats. These tests frequently uncover misconfigured equipment, software that permits unfiltered database access, and the use of manufacturer default passwords. Pen tests are also conducted on employees and supply chain suppliers to check on compliance with phishing or social engineering procedures. Tests are also conducted on physical security procedures and safeguards.
By allowing the risk team to assess the enterprise's cyber risk profile, a pen test is an important technique for identifying cybersecurity threats in systems and networks to prevent an attack before it happens. Penetration test results are documented as a risk identification technique, and threats are subsequently reviewed and prioritized as part of the operational risk control process. The findings of pen tests are documented in the risk register and used to formulate strategies for the risk control plan.

7. RISK REGISTER

The Risk Register is a master and living document that is used to organize the findings from the risk identification process. The risk register is updated regularly with the comprehensive qualitative and quantitative risk information of the organization. It becomes a part of the ERM documentation process within the context of the organization’s risk management strategy. A Cyber Risk Register identifies the most serious threats to a company as well as any opportunities that can be exploited. The risk register includes information about:

• Network diagram or flowchart to show the surface area
• List of risks & opportunities
• Sources or root causes of risks
• Assumptions made in the risk identification process
• Risk categories (i.e., internal/external, system/network/data, cybersecurity/finance/HR)
• Probabilities and impacts in quantitative risk analysis
• Prioritized list of quantified risks (criticality)
• List of potential mitigations or responses
• Resources required for specific risk mitigation options

A risk register helps an enterprise in monitoring issues and addressing problems as they arise and in allocating security resources more rationally and cost-effectively. A comprehensive cyber risk register is also an effective method for facilitating the activities in the ORM process and for showing external stakeholders that the organization understands cyber risk and is taking steps to effectively manage its consequences.
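As an added example, not from the book, a minimal cyber risk register holding the fields listed above: each entry is validated against the three category axes the list names, carries a change history so the register stays a living document, and the prioritized view orders risks by probability times impact while keeping opportunities separate. The entries, probabilities, impacts and dates are constructed sample values.

```python
"""Cyber risk register with the fields listed above, a change history per
entry, and a prioritized view by expected loss.

Added example, not from the book; entries and figures are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Category axes named in the register's "risk categories" item; the validation is ours.
CATEGORY_AXES: Dict[str, set] = {
    "origin": {"internal", "external"},
    "asset": {"system", "network", "data"},
    "domain": {"cybersecurity", "finance", "HR"},
}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    origin: str                  # internal / external
    asset: str                   # system / network / data
    domain: str                  # cybersecurity / finance / HR
    root_cause: str
    assumptions: str             # assumptions made during identification
    probability: float           # annual likelihood, 0..1
    impact: float                # loss in currency units if the risk materialises
    mitigations: List[str] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)
    is_opportunity: bool = False                      # the register also records opportunities
    history: List[str] = field(default_factory=list)  # change log: what keeps it a living document

    def __post_init__(self) -> None:
        for axis in ("origin", "asset", "domain"):
            if getattr(self, axis) not in CATEGORY_AXES[axis]:
                raise ValueError(f"{self.risk_id}: {getattr(self, axis)!r} is not a valid {axis}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.risk_id}: probability must be within 0..1")

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact


class RiskRegister:
    def __init__(self) -> None:
        self._entries: Dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry, who: str, when: str) -> None:
        if entry.risk_id in self._entries:
            raise KeyError(f"duplicate risk id {entry.risk_id}")
        entry.history.append(f"{when} {who}: entered")
        self._entries[entry.risk_id] = entry

    def get(self, risk_id: str) -> RiskEntry:
        return self._entries[risk_id]

    def reassess(self, risk_id: str, probability: float, impact: float,
                 who: str, when: str) -> None:
        """Re-rate an entry (e.g. after a control is implemented), keeping the old rating on record."""
        e = self._entries[risk_id]
        e.history.append(f"{when} {who}: probability {e.probability} -> {probability}, "
                         f"impact {e.impact} -> {impact}")
        e.probability, e.impact = probability, impact

    def prioritized(self) -> List[RiskEntry]:
        """Risks only (opportunities excluded), highest expected loss first."""
        risks = [e for e in self._entries.values() if not e.is_opportunity]
        return sorted(risks, key=lambda e: e.expected_loss, reverse=True)

    def opportunities(self) -> List[RiskEntry]:
        return [e for e in self._entries.values() if e.is_opportunity]


def build_register() -> RiskRegister:
    """Constructed sample register: three risks and one opportunity (not real data)."""
    reg = RiskRegister()
    reg.add(RiskEntry("R1", "Credential theft via phishing", "external", "data", "cybersecurity",
                      "Users enter passwords on look-alike sites", "No MFA on webmail",
                      0.40, 250_000.0, ["Multi-factor authentication", "Awareness training"],
                      ["IAM engineer, 2 weeks"]), "risk officer", "2022-01-10")
    reg.add(RiskEntry("R2", "Ransomware on the file server", "external", "system", "cybersecurity",
                      "Malware delivered by email attachment", "Backups are online and writable",
                      0.15, 1_200_000.0, ["Network segmentation", "Offline backups"],
                      ["Backup appliance", "Network engineer, 1 month"]), "risk officer", "2022-01-10")
    reg.add(RiskEntry("R3", "Sensitive data in misconfigured cloud storage", "internal", "data",
                      "cybersecurity", "Storage created without an access review",
                      "Developers can provision storage unaided", 0.25, 300_000.0,
                      ["Configuration scanning", "Provisioning approval"],
                      ["Cloud engineer, 1 week"]), "risk officer", "2022-01-10")
    reg.add(RiskEntry("O1", "Move data storage to a managed cloud provider", "external", "data",
                      "cybersecurity", "Provider supplies managed encryption and backups",
                      "Provider contract meets retention rules", 0.0, 0.0,
                      is_opportunity=True), "risk officer", "2022-01-10")
    return reg


if __name__ == "__main__":
    register = build_register()
    for e in register.prioritized():
        print(f"{e.risk_id} {e.expected_loss:>12,.0f} {e.description}")
```

The ransomware entry ranks first on expected loss until it is reassessed after the backup and segmentation controls are in place, at which point it drops to third and the earlier rating remains in its history; that ordering of quantified risks is the criticality list the register is meant to feed into the assessment and mitigation steps.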

CONCLUSION

The risk identification and analysis outcome aids in determining the risk-adjusted likelihood of achieving strategic objectives, as well as the significant risks that may negatively or positively affect the achievement of these strategic objectives. To improve the quality of the identification process, Hurst et al. (2014) suggest the use of big data analysis techniques and behavioral studies to detect risks. Risk identification in the ERM process allows an organization to assess, review, and define the organization's current state of cybersecurity and to identify any gaps in the ERM processes for rectification. It helps to prepare the organization for the next step in the ERM process, which is the risk assessment phase.
Chapter 6

CYBER RISK ASSESSMENT

1. INTRODUCTION

It is important to analyze all the business systems, networks, and data
of an organization that are vulnerable to cyberattacks. Once the cyber
threats have been identified, the Board and senior management need to
assess them to estimate their criticality according to the probabilities
associated with the various possible outcomes or losses. This estimation
gives each cyber threat a risk profile so that it can be managed. Doing this
requires quantifying risks, so that a definitive assessment of the relative
impacts and likelihoods puts the risk manager in a position to form
strategies and structure effective risk mitigation programs that protect the
enterprise from the effects of risk.
President Obama in his speech, “On Securing our Nation’s Infrastructure,”
at the White House on May 29, 2009, said:

“It is not enough for the information technology workforce to
understand the importance of cybersecurity; leaders at all levels of
government and industry need to be able to make business and
investment decisions based on knowledge of risks and potential impacts.”

The cyber risk landscape poses an increasing challenge to the
organization in terms of business disruption and the need to allocate
resources to control it. The assessment function involves quantifying and
ranking cyber risks. Risk quantification of a cyber event enables the risk
manager to evaluate and analyze the impact of the event on the
organization and its operations. Analyzing the impact of a cyber event
helps to determine the criticality of the breach in terms of the harm it
causes and whether that impact is within the organization's risk tolerance.
Quantifying the business impact of a cybersecurity event is a challenge
for the company, and quantifying the likelihood of such an event is an even
greater one. Estimating the financial impact of a cybersecurity event
therefore requires a certain amount of judgement and ingenuity. The
monetary impact of some cybersecurity events or incidents can be
measured, such as the costs of remediation, security investment, business
interruption, legal fees, litigation damages, fines for non-compliance,
incident response, and recovery. Other costs are qualitative and more
difficult to quantify. These include loss of reputation, goodwill, and
intellectual property, which lead to a negative perception of the firm and
result in lost competitive advantage and market share. Nevertheless, it is
necessary to convert qualitative risk analysis into quantitative terms, i.e.,
probability and impact, for the risks to be managed.
This Chapter discusses the second step in the enterprise risk
management process, assessment or evaluation, in which cyber risk is
quantified so that a cyber risk program can be incorporated into the ERM
process. It explains the tools, techniques, and procedures for measuring
the impact of cyber risk on the organization. Risk assessment involves the
quantification of individual risks and then ranking them on a risk map
based on impact and likelihood to evaluate their criticality. The goal is to
evaluate all the firm's risk exposures, including financial, social,
economic, political, and legal risks, to determine their monetary impact on
the enterprise.

2. CYBER RISK ASSESSMENT

The Cyberspace Policy Review commissioned by the Obama
Administration identified the challenge and need for robust assessment
of cyber threats and what would have to be done to address the growing
problem with enterprise cybersecurity30:

"If the risks and consequences can be assigned a monetary value,
organizations will have greater ability and incentive to address
cybersecurity. In particular, the private sector often seeks a business case
to justify the resource expenditures needed for integrating information
and communications system security into corporate risk management and
for engaging partnerships to mitigate collective risk."

The operational ERM process is a four-step model that starts with risk
identification. The risk assessment function discussed in this chapter is the
second step in this process (Figure 6.1). During the risk assessment stage,
the potential cyber threats identified in the preceding step are quantified
and ranked by criticality against other threat scenarios or potential
disruptions, based on the threat's probability of occurrence and its
possible adverse impact on business operations. Risk quantification is
therefore an important basis of risk assessment, and an essential
capability for companies forming risk mitigation strategies.
Risk quantification allows management to prioritize investment
decisions within the broader ERM framework to achieve the goal of
managing identified risks according to the company's risk strategy and
business objectives. After the potential risks are quantified, the board and
management rank them according to their likelihood of occurrence and
potential impact. Ranking ensures that the most critical risks are
addressed first and that resources are directed to them. Only with a
definitive assessment of the relative scales and likelihoods involved is
the risk manager in a position to structure effective risk mitigation
programs that protect the corporation from the effects of risk.
Management uses the list of prioritized cyber risks from the assessment
stage to justify investments in risk mitigation that reduce the probability
of an attack, or the impact of a breach on business operations, and so
reduce enterprise risk.

30
Obama Administration, Cyberspace Policy Review – Assuring a Trusted and Resilient
Information and Communications Infrastructure, May 2009.

Figure 6.1. Risk assessment phase in the ERM/ORM cycle.

The primary risk assessment methods are qualitative analysis and
quantitative analysis. Both have inherent limitations linked to the data
and/or information content available to the analytical models, so it may
be necessary to combine the two for the risk and opportunity projections
to be as accurate as possible. Such a mixed-method approach can take the
form of two distinct evaluations or of a hybrid method in which qualities
from both methods are included throughout the assessment process
(Pham & Oh, 2021). These methods and the tools and techniques used are
discussed in the following sections.

3. NIST/CSF –RISK ASSESSMENT (IDENTIFY FUNCTION)

The NIST Cybersecurity Framework comprises five interdependent
core functions, each divided into categories and subcategories of
outcomes. Three categories in the NIST/CSF Identify function contain
outcomes and activities that align with the "Assessment" phase (Step 2)
of the operational ERM (ORM). The risk assessment actions in the
normal ERM process are reflected in the NIST/CSF "Identify" function
under the "Asset Management" (ID.AM), "Risk Assessment" (ID.RA)
and "Supply Chain Risk Management" (ID.SC) categories as outcomes
and their respective activities (Table 6.1).

Table 6.1. Risk assessment activities & outcomes (per "Identify" function)

Identify (ID) - Assess

Category                              Sub-category
Asset Management (ID.AM)              • Resources prioritized by classification, criticality and business value (ID.AM-5)
Risk Assessment (ID.RA)               • Asset vulnerabilities identified & documented (ID.RA-1)
                                      • Cyber threat intelligence received from sharing forums and sources (ID.RA-2)
                                      • Internal and external threats identified & documented (ID.RA-3)
                                      • Potential business impacts & likelihoods identified (ID.RA-4)
                                      • Threats, vulnerabilities, likelihoods & impacts used to determine risk (ID.RA-5)
                                      • Risk responses identified and prioritized (ID.RA-6)
Supply Chain Risk Management (ID.SC)  • Suppliers and third-party partners of information systems, components,
                                        and services identified, prioritized & assessed (ID.SC-2)

Table 6.1 highlights the relevant risk assessment categories and sub-
categories (i.e., activities & outcomes) of the NIST/CSF "Identify"
function. The categories Asset Management (ID.AM), Risk Assessment
(ID.RA), and Supply Chain Risk Management (ID.SC) all contain activities
that apply to actions in the risk assessment phase of the ERM/ORM process.
The following section discusses these sub-categories vis-à-vis the
ERM/ORM Risk Assessment task.

[Figure 6.2: ERM/ORM Risk Assessment (Step 2) mapped to the NIST/CSF
core function Identify, categories AM, RA & SC, with the sub-categories
ID.AM-5, ID.RA-1 to ID.RA-6 and ID.SC-2 listed in Table 6.1.]

Figure 6.2. Risk assessment – ERM/ORM & NIST/CSF alignment.

Figure 6.2 summarizes the sub-categories relevant to the ORM
process. The category ID.RA defines risk assessment as the process by
which the organization understands the cybersecurity risk to its
operations, assets, and individuals. Asset vulnerabilities identified in
Step One are documented (ID.RA-1), threat intelligence is received from
sharing forums and sources (ID.RA-2), internal and external threats are
documented (ID.RA-3), and their potential business impacts and
likelihoods are identified (ID.RA-4). Threats, vulnerabilities, likelihoods,
and impacts are then combined to determine the quantum of the risk
exposure (ID.RA-5), and risk responses are identified and prioritized
(ID.RA-6). The same assessment is conducted for suppliers and third-party
partners (ID.SC-2). Based on the resulting risk, critical assets are ranked
according to their degree of risk or severity and resources are allocated
according to criticality (ID.AM-5). All this information should be
captured in a risk map and the risk register.

4. QUALITATIVE RISK ASSESSMENT

The qualitative assessment is usually the first step in determining the
risk effect of the organization's threats that are considered relevant to its
strategic objectives and initiatives. The qualitative assessment aims to
describe the threat scenario (Rot, 2008). The qualitative approach
generally assesses the level of severity of a cyber threat to the
organization's systems, network, and data. Typically, descriptive scales
such as "Low, Moderate, Serious and Critical" (Table 6.2) are used to
achieve this. While qualitative evaluations are less accurate, when used
correctly they provide useful direction in the first identification of risk
throughout an organization. A qualitative evaluation of an organization's
risk environment directs attention to those areas of risk impact that
demand a deeper understanding.
Access to reliable data is a prerequisite for qualitative risk analysis,
and gathering good data for it is always a challenge. The method is a
simple and subjective evaluation of cyber threats and vulnerabilities for
identifying and prioritizing risks. The qualitative assessment uses
questionnaires in which people are asked to rank risk on a risk scale
(Peltier, 2001), for example low, moderate, serious, or critical (Table
6.2), or on a heat map (Figure 6.4). Where numerical data are not used,
qualitative analysis "presents results in the form of descriptions,
recommendations" where there is only "a qualitative description of
assets' value, determination of qualitative scales for the frequency of
threat occurrence and susceptibility for a given threat" (Rot, 2008).
Qualitative assessment does not provide a "tangible" quantum of losses
as a consequence of the threat over time. Without knowing the cost
associated with the threat, it is difficult to decide on an appropriate risk
management strategy.
When using the qualitative risk assessment method, it may be
necessary to quantify risks using their probabilities and impacts to enable
the risks to be managed objectively and effectively. The qualitative
approach allows for a better understanding of the phenomenon and
improves validity (Creswell, 2008), especially of the business process and
IT function of cybersecurity, which is often the weakness of a quantitative
model. On the other hand, because of the potential subjectivity biases of
the qualitative approach, the quantitative approach is stronger (Babbie,
2008) in terms of reliability and generalizability (Brewer & Hunter, 2006).
A mixed-method approach is useful when neither the qualitative nor the
quantitative approach is by itself adequate to answer the research question
(Corbin & Strauss, 2008).
The qualitative risk assessment techniques and tools for collecting data
to determine the likelihood and impact of risks are brainstorming, the Delphi
technique, bow-tie analysis, surveys or interviews, historical data, and
SWOT analysis (these methods are explained in Chapter 5 – Cyber Risk
Identification). The qualitative data collected can be used to place the cyber
threats emanating from systems and assets on a risk scale, providing a visual
picture of the threat situation. We explain the procedure for preparing a heat
map and the technique for evaluating the quality of the data used in
developing the organization's risk map (RDQA) in the following sections.

4.1. Heat Map

The heat map is a tool that provides a visual representation of the results
of the risk likelihood and potential impact assessments for characterizing
and prioritizing risks. It is presented as a matrix that shows the relationship
between the impact and likelihood of a risk. The matrix helps to identify
those risks which require an immediate response. It may be customized
according to the needs of the subject or project under review. Most
companies have a standardized template for this matrix but modify it to
suit different risk evaluations.
The likelihood is the chance of the risk occurring, and the impact is the
adverse effect of the risk on the organization. According to the literature
(Nifakos et al., 2021; Higgs et al., 2016; Ettredge et al., 2018; Kamiya et al.,
2020; Boasiako & Keefe, 2020), firm age, R&D investment, workload,
intangible assets, business worth, profitability, capital expenditures,
acquisitions, and growth potential are positively correlated with the
probability of a successful cyber-attack. After the likelihood-impact
assessment, a risk falls within one of the four quadrants shown in Figure 6.3.

[Figure 6.3: 2 x 2 matrix with Impact (Low/High) on the vertical axis and
Likelihood (Low/High) on the horizontal axis; quadrant I = low
likelihood/low impact, II = high likelihood/low impact, III = low
likelihood/high impact, IV = high likelihood/high impact.]

Figure 6.3. Risk likelihood and impact matrix.

Each risk is assessed using a risk scale based on a likelihood score and
an impact score, for example high = 10, medium = 5, or low = 1. Scores
from 1 to 5 are classified as low and scores above 5 up to 10 are classified
as high. Hence, a risk with a likelihood score of 3 and an impact score of 4
would fall in quadrant I and be considered low risk. Table 6.2 shows the
classification of risks according to their severity based on their scores.

Table 6.2. Probability, impact, severity and action

Quadrant  Likelihood  Impact  Severity      Action
I         Low         Low     Low (L)       Monitor; no immediate action needed
II        High        Low     Moderate (M)  Action within a particular timeframe
III       Low         High    Serious (S)   Action within a short timeframe
IV        High        High    Critical (C)  Immediate action

Using the scoring method in the risk assessment and identification
process allows risks to be ranked as low, moderate, serious, or critical
(Table 6.2). The results are then summarized into a heat map, which
reflects an x-y scatter plot of likelihood versus impact with a colored
background that groups risks into threat levels (Figure 6.4). The heat map
provides a visual ranking of risks into risk groups, displaying the top risks
faced by the company. A risk that falls in the "critical" quadrant (IV or C)
ranks among the most severe exposures and has priority in attention and
resource allocation.

[Figure 6.4: two heat maps with Impact on the vertical axis and Likelihood
on the horizontal axis. Left: a 2 x 2 map with the cells Low (L), Moderate
(M), Serious (S) and Critical (C). Right: a 3 x 3 map graded L, M, S across
the low-impact row, M, S, C across the medium-impact row and S, C, C
across the high-impact row.]

Figure 6.4. Heat maps showing severity levels of risks.

A risk event classified as low severity, with low impact and low
likelihood of occurrence, does not require immediate action but should
be monitored for changes in likelihood or impact. A moderate risk level
denotes that the risk has a low to medium negative impact but a relatively
high likelihood of occurrence, requiring the organization to implement
effective actions within a particular time frame. A risk classified as
serious has a significant negative impact on the business but a relatively
low likelihood of occurrence, and requires the quick deployment of
risk-mitigation measures within a short time frame. A risk classified as
critical has both a high likelihood and a high impact; it could cause
significant damage, disrupt the organization's operations and harm its
reputation, and requires the deployment of risk-mitigation controls almost
immediately.

4.2. Risk Data Quality Assessment (RDQA)

The risk data quality evaluation technique is used to determine the
extent to which the data required about hazards for risk management
purposes has actually been collected. The technique addresses the extent to
which the risk is understood and also examines the accuracy, dependability,
quality, and integrity of the data concerning the risk. The risk manager
tries to determine the reliability or precision of the data that must be
analyzed to complete the qualitative analysis of risks. For qualitative cyber
risk analysis, the data or information must be reliable to give an accurate
picture of the potential threats or vulnerabilities associated with the
business systems or networks. Low-quality data is unreliable and inaccurate
for assessing cyber risk exposure.
In Risk Data Quality Assessment, to determine the reliability of the
information provided, the risk manager must determine the provider's
expertise or knowledge of the company's SND and associated
vulnerabilities. Because the IT and cybersecurity landscapes change
frequently, data timeliness, or the degree to which data is current, is
critical, as is the extent to which the data is relevant and suitable for the
purpose intended. It is important to validate that the data set is sufficiently
inclusive, i.e., that all essential data elements have been collected, to
confirm data availability. Finally, the risk manager must be assured that
the data's quality and reliability are suitable for the intended application,
without bias, error, or omission, and that the data's integrity is unaffected
by manipulation.
This risk assessment tool focuses on ensuring that the data or
information used in performing the risk analysis is robust, credible, and
unbiased. It works on the premise that only quality and credible
information can provide reliable findings. Not questioning the credibility
of the information or data can lead to incorrect analysis and wrong
decisions, thereby exposing the organization to more risk; addressing or
fixing unreliable information is far less costly than the impact of a risk that
materializes.

5. QUANTITATIVE RISK ASSESSMENT

The quantitative assessment is usually done on areas of threats that
have been identified as needing additional investigation during the
qualitative assessment phase. A quantitative assessment gives a greater
degree of information and knowledge of impact by determining the impact
of identified risks on overall business objectives. The traditional approach
to risk quantification in ERM relies on numerical characterizations of
operational risk and financial risk. It is a formal and systematic risk
analysis approach that requires data to sufficiently quantify the threats
associated with business activities and the effect of identified risks on
overall business objectives. Quantification enables risks and risk
investment decisions to be prioritized to fulfill one of ERM's major goals,
which is to manage recognized risks to acceptable levels to maximize the
possibility of an enterprise achieving its goals.
Quantitative risk assessment of cybersecurity is based on the
likelihood that particular threats will manifest from a monetary dimension
that measures losses associated with those threats under different threat
scenarios. Other than measuring the effects of cyber threats on business
objectives, quantification of cyber risk allows companies to estimate the
impact or exposure of companies for decision-making, allocating resources
to prioritize their cybersecurity capabilities, and obtaining sufficient
cybersecurity insurance protection. Thus, the objectives of quantitative risk
assessment are to estimate the impact of risk on the enterprise's goals and
objectives by estimating the cost of risk mitigation and potential losses if
a risk happens and to prioritize risks and allocate resources to the response
that requires immediate attention.
Some of the basic financial estimates needed for ERM-related decision
making are: the severity of any risk exposure to the strategic business
goals; the monetary exposure from SND risks or business entities; the risk
exposure of external parties (service providers, contractors, suppliers); the
adequacy of budget and insurance cover for risk exposure; the cost-
effectiveness of the risk treatment; the best risk-reward balance for risk
mitigation; and the value at risk (VaR)31 of the firm from the identified
risks.
Quantitative cyber risk assessments are sometimes challenging because
insufficient data are available to perform the assessment. Quantifying cyber
risk is very similar in degree of difficulty to valuing technology. An attempt
to value information risk faces the same challenges as technology
valuation: rapid evolution, lack of historical data, and intangibility (Burch
et al., 1979; Oh & Ho, 2010). Evolution is rapid because the cyber threat
landscape is fast-changing as we embrace a digital world with heightened
risk from ever-increasing Internet of Things connectivity and mobile
applications and devices, all driven by rapid technological advancement.
Cyber threats lurk in the virtual world of systems, networks, and servers
and lack visibility, which makes it difficult to predict and estimate the
scope and scale of potential losses.
A paucity of data, particularly historical data, makes quantitative
modeling of cyber exposure difficult. Many traditional quantitative risk
models such as EMV, decision trees, regression analysis, factor analysis,
and value at risk are difficult to apply for lack of data. The challenge for
risk assessment is how to assign a monetary value to rapidly evolving cyber
risks with access to limited data. Not all relevant data will be available,
and it will be necessary to combine historical data with proxy data that
stands in for data that are difficult to access when predicting a cyber
event. Even if exact information were available, it would quickly become
obsolete owing to rapid technological advancements and variables such as
advances in the tools accessible to would-be attackers (Miller, Wagner,
Aickelin & Garibaldi, 2016). Data should be collected from both internal
and external sources, from which companies should be able to forecast the
impact of a cyber event over the short- to medium-term.
The relevant information that is usually needed in cyber breach
modeling includes customer behavior after a cyber event, network
externalities, stock market reaction to a cyberattack on company shares,
likelihood of an attack, costs of damage, loss or disruption, and

31
Value at Risk (VaR) is a statistic that estimates the loss a firm would not expect to exceed, at a
given confidence level, over a specific time frame.

cybercriminal motivation behind an attack. According to Chacko, Sekeris
& Herbolzheimer (2016), companies should differentiate cyber threats
from other business risks in their risk models by considering three
perspectives when assessing and quantifying cyber risk: "foregone
revenue & ancillary payments, liability losses, and reputational damage",
because a company can still suffer losses even if the perpetrators do not
benefit from the cyber-attacks.
To make estimates, discover new information, or gain a better
understanding of cybersecurity, various methods are used to collect data
or evidence for analysis. Some of the quantitative risk tools and
techniques used to collect data to help in quantitatively determining the
probability and impact of risk are presented in the following sections.

5.1. Expected Monetary Value Analysis (EMV)

Calculating the EMV is a risk management method for determining
risk impact. EMV helps to quantify and compare risks that exist in different
operations of the organization. The expected value of a risk, which is the
basis for its contingency, is calculated by multiplying the probability by
the impact. EMV is a good tool for ranking risks overall. The formula is:

EMV = P × I

where,
P = Probability (the measurement of the likelihood of the occurrence
of the risk or event)
I = Impact (the amount to be spent or loss sustained if the risk occurs)
EMV = Expected Monetary Value

5.1.1. Steps to Calculate Expected Monetary Value (EMV)

To calculate the Expected Monetary Value in risk management:

1. Assign a probability of occurrence to each risk.
2. Assign a monetary value to the impact of the risk when it occurs.
3. Multiply the values from Step 1 and Step 2; the product is the
Expected Monetary Value. This value is positive for opportunities
(positive risks) and negative for threats (negative risks).

Risk management requires that a firm addresses both positive and
negative risks.

The EMV takes the potential impact of an event and multiplies
it by the probability of that event happening (Figure 6.5). Low impact
and low probability events are those in Quadrant I. If they fall within
the risk tolerance of the firm, they do not require any immediate
action but need to be monitored for changes. Low-impact events with a
high probability of occurrence (Quadrant II) will not add much to the
firm's total risk exposure, but high-impact events, even with a low
probability of occurrence (Quadrant III), can be potentially devastating.
The most critical events are those that have a high impact and a high
probability (Quadrant IV).

[Figure 6.5: 2 x 2 matrix of Impact (Low/High) against Probability
(Low/High); quadrants I (low/low), II (high probability/low impact),
III (low probability/high impact), IV (high/high).]

Figure 6.5. EMV based on potential impact and probability of events.

In summary:

Table 6.3. Severity scale

Quadrant  Probability  Impact  Severity
I         Low          Low     Low
II        High         Low     Moderate
III       Low          High    Serious
IV        High         High    Critical
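The heat-map scoring of Section 4.1 (scores from 1 to 10, above 5 counting as high, mapped to the quadrants of Table 6.2) and the EMV calculation of Section 5.1 applied together to a small risk register, as an added Python example that is not part of the original book. The register entries, their scores, probabilities and monetary impacts are constructed for illustration; the ranking rule (critical quadrant first, then the most negative EMV within a quadrant) is this example's own choice, not a rule the book prescribes.

```python
"""Heat-map quadrant scoring (Section 4.1) and EMV ranking (Section 5.1)
over a constructed cyber risk register.  Example code added to this
chapter; the register entries below are invented for illustration."""
from dataclasses import dataclass

HIGH_THRESHOLD = 5  # scores run 1..10; above 5 is "high", 5 or below is "low"

# Table 6.2: quadrant -> (severity, action)
QUADRANTS = {
    "I":   ("Low (L)",      "Monitor; no immediate action needed"),
    "II":  ("Moderate (M)", "Action within a particular timeframe"),
    "III": ("Serious (S)",  "Action within a short timeframe"),
    "IV":  ("Critical (C)", "Immediate action"),
}
RANK_ORDER = {"IV": 0, "III": 1, "II": 2, "I": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood_score: int  # 1..10 qualitative likelihood score
    impact_score: int      # 1..10 qualitative impact score
    probability: float     # annual probability of occurrence, for EMV
    impact_value: float    # money: negative for a threat, positive for an opportunity


def quadrant(likelihood_score, impact_score):
    """Map a pair of 1..10 scores to a quadrant of Figure 6.3."""
    for score in (likelihood_score, impact_score):
        if not 1 <= score <= 10:
            raise ValueError("scores must lie in 1..10")
    high_likelihood = likelihood_score > HIGH_THRESHOLD
    high_impact = impact_score > HIGH_THRESHOLD
    if high_impact:
        return "IV" if high_likelihood else "III"
    return "II" if high_likelihood else "I"


def severity(likelihood_score, impact_score):
    return QUADRANTS[quadrant(likelihood_score, impact_score)][0]


def emv(probability, impact_value):
    """EMV = P x I; the sign follows the impact (threat < 0, opportunity > 0)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return probability * impact_value


def rank_register(risks):
    """Rows of (risk, quadrant, emv), worst first: critical quadrant before
    serious, and the most negative EMV first within a quadrant."""
    rows = [(r, quadrant(r.likelihood_score, r.impact_score),
             emv(r.probability, r.impact_value)) for r in risks]
    return sorted(rows, key=lambda row: (RANK_ORDER[row[1]], row[2]))


def net_exposure(risks):
    """Sum of EMVs across the register: the expected net monetary position."""
    return sum(emv(r.probability, r.impact_value) for r in risks)


def heat_map_counts(risks):
    counts = {q: 0 for q in QUADRANTS}
    for r in risks:
        counts[quadrant(r.likelihood_score, r.impact_score)] += 1
    return counts


def render_heat_map(risks):
    """Text rendering of Figure 6.3 with the number of risks per quadrant."""
    c = heat_map_counts(risks)
    return ("Impact High | III: {III:>2}   IV: {IV:>2}\n"
            "       Low  |   I: {I:>2}   II: {II:>2}\n"
            "            +-------------------\n"
            "              Low        High   Likelihood").format(**c)


# Constructed register (hypothetical figures, not data from the book).
REGISTER = [
    Risk("Ransomware on file servers",              7, 9, 0.20, -2_000_000),
    Risk("Phishing leads to credential theft",      9, 4, 0.60,    -50_000),
    Risk("Supplier breach exposes customer data",   3, 8, 0.05, -1_500_000),
    Risk("Lost laptop with encrypted disk",         3, 4, 0.30,     -5_000),
    Risk("SOC automation cuts IR contractor spend", 6, 3, 0.50,    120_000),
]

if __name__ == "__main__":
    for risk, quad, value in rank_register(REGISTER):
        print(f"{quad:>3} {QUADRANTS[quad][0]:<13} EMV {value:>12,.0f}  {risk.name}")
    print(render_heat_map(REGISTER))
    print(f"Net expected exposure: {net_exposure(REGISTER):,.0f}")
```

Running the file prints the register worst-first, the quadrant counts as a text heat map, and the net exposure. The lost-laptop entry reproduces the text's example of a likelihood score of 3 and impact score of 4 landing in quadrant I, and the opportunity entry shows that the EMV sign convention of Section 5.1.1 lets threats and opportunities sit in one register.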

5.2. Monte Carlo Analysis (SIMULATION Technique)

Monte Carlo simulation, or probability simulation, is a scenario
analysis technique for estimating the impact of risk in cybersecurity, cost,
financial, project management, and other forecasting models. The Monte
Carlo analysis can be used to assess the effect of uncertainty on the
company's strategic objectives by simulating the outcomes or impact to
evaluate a specific or the overall risk. A Monte Carlo analysis requires a
computer-based program.
Monte Carlo simulation is the quantitative risk analysis technique that
allows a firm to model the future value of a variable, in this case, an
enterprise risk, by simulating its behavior over time. The Monte Carlo
technique has been used to model information security investments
(Conrad, 2005; Burtescu, 2012; Fagade, Maraslis, & Tryfonas, 2017), ICT
risk (Baiardi & Sgandurra, 2013), information security management
system (Bamakan & Dehghanimohammadabadi, 2015), cyber insurance
(Woods & Simpson, 2020) and cyber-attack simulation. The Monte Carlo
technique is similar to running a series of "what-if" scenarios on the model.
The uncertain input variables in a Monte Carlo model are represented by
probability distributions of possible values and the results are distributions
of the range of possible outcomes that could occur and the likelihood of
any outcome occurring. These results are generated by recalculating the
model over and over again, by using different randomly selected sets of
values from the probability distributions each time.

Monte Carlo simulation allows a corporation to sample a large number of
combinations of inputs and so approximate the full range of outcomes of
a particular risk exposure. The results are probability distributions of
possible outcomes that the firm can use to determine the likelihood of
certain events occurring (Oh, et al., 2018).
The steps involved in building a Monte Carlo model are (see Watsham
& Parramore, 1997, for a detailed description of the process):

1. Determine the stochastic character of the input variables, i.e.,
describe the physical (or mathematical) system by a set of
probability distribution functions (PDF);
2. Draw random numbers from the same probability distributions as
the underlying variables, to mimic the movement of the input
variables;
3. Run the model on the drawn values to simulate the behavior of the
underlying variables;
4. Repeat the process and score (or tally) the results; the mean of all
the results is the predicted value of the simulated variable; and
5. Apply variance reduction techniques to improve accuracy and cut
down on processing time.

For each uncertain variable, the method simulates the random process
governing its value. The model is based on an assumed probability
distribution of possible outcomes, and the type of distribution selected is
based on the historical pattern of the variable. By repeating these
simulations, the simulated distribution of values is expected to come close
to the "real" distribution of the variable. The Monte Carlo approach can be
used on virtually any type of portfolio, non-linear positions, and complex
derivatives. The complexity of this approach makes it less user-friendly
(Oh, et al., 2018).
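A Monte Carlo simulation of annual cyber loss that follows the steps above, as an added Python example that is not from the book. It assumes a Poisson distribution for the number of incidents per year and a lognormal distribution for the loss per incident; those distribution choices and the parameter values (mean frequency 0.5 per year, median loss 200,000, sigma 1.0) are assumptions made for illustration, not measured data. The summary also reports the simulated value at risk, which anticipates the VaR discussion in Section 5.4.

```python
"""Monte Carlo simulation of annual cyber loss (Section 5.2).  Example
added to this chapter, not from the book.  Frequency ~ Poisson(lam),
severity ~ lognormal(mu, sigma): both the distribution choices and the
parameter values are assumptions made for illustration."""
import math
import random
import statistics


def poisson(rng, lam):
    """Step 2: draw an incident count with mean lam (Knuth's method)."""
    limit = math.exp(-lam)
    count, p = 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate_year(rng, lam, mu, sigma):
    """Step 3: one 'what-if' year: draw the number of incidents, then a
    lognormal loss for each incident, summed to the annual loss."""
    incidents = poisson(rng, lam)
    return sum(rng.lognormvariate(mu, sigma) for _ in range(incidents))


def run_simulation(trials=20_000, lam=0.5, median_loss=200_000.0,
                   sigma=1.0, seed=7):
    """Step 4: repeat the year many times; returns the annual losses in
    ascending order.  A fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal median = exp(mu)
    losses = [simulate_year(rng, lam, mu, sigma) for _ in range(trials)]
    losses.sort()
    return losses


def quantile(sorted_losses, q):
    """Empirical quantile of an ascending list (nearest-rank method)."""
    if not 0.0 < q <= 1.0:
        raise ValueError("q must lie in (0, 1]")
    index = math.ceil(q * len(sorted_losses)) - 1
    return sorted_losses[max(index, 0)]


def summarize(sorted_losses, confidence=0.95):
    """Expected annual loss, VaR at the confidence level, the mean loss
    beyond VaR (tail expectation) and the share of loss-free years."""
    var = quantile(sorted_losses, confidence)
    tail = [x for x in sorted_losses if x >= var]
    return {
        "expected_annual_loss": statistics.fmean(sorted_losses),
        "var": var,
        "tail_expectation": statistics.fmean(tail),
        "p_no_loss": sum(1 for x in sorted_losses if x == 0.0) / len(sorted_losses),
    }


def analytic_expected_loss(lam, median_loss, sigma):
    """Closed form for comparison: lam * E[severity], where
    E[lognormal] = exp(mu + sigma^2 / 2) = median * exp(sigma^2 / 2)."""
    return lam * median_loss * math.exp(sigma * sigma / 2.0)


if __name__ == "__main__":
    losses = run_simulation()
    result = summarize(losses)
    print(f"expected annual loss  {result['expected_annual_loss']:>14,.0f}")
    print(f"analytic expectation  {analytic_expected_loss(0.5, 200_000.0, 1.0):>14,.0f}")
    print(f"95% VaR               {result['var']:>14,.0f}")
    print(f"tail expectation      {result['tail_expectation']:>14,.0f}")
    print(f"loss-free years       {result['p_no_loss']:>14.1%}")
```

The simulated expected annual loss should land close to the closed-form value, which is the check a practitioner makes before trusting the tail figures; the VaR and tail expectation are what the simulation adds beyond a point estimate, since the EMV alone says nothing about how bad a bad year can be.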

5.3. Decision Tree

A decision tree is a decision support tool that uses a tree in which each
branch node represents a choice between several alternatives, and each leaf
node represents a classification or decision. A decision tree helps to
analyze many alternatives at one single point in time. The decision tree
approach takes into account future events or implications from making the
decision today. It is used to calculate Expected Monetary Value in complex
situations and it also accounts for mutual exclusivity.
The criterion of measurability is a central feature of proactive risk
management, as the effective management of risk is only possible if it is
economically quantifiable. For instance, a risk manager has to quantify the
risk exposure of a transaction to determine the amount to hedge as a buffer
against unexpected losses. By the same token, the clearinghouse of an
exchange sets margin requirements for investors trading on the exchange.
The economic concept of risk is usually presented as the "basic risk
paradigm" (Rescher, 1983; Ansell & Wharton, 1992), a variant of which is
presented in Figure 6.6.

X
A

P
X1
B
1-P
X2
Source: Oh, et al., 2018.

Figure 6.6. Economic risk paradigm. A


Cyber Risk Assessment 133

In Figure 6.6, A and B represent options, such as whether or not a firm should invest in cybersecurity technology, and X, X1, X2 are potential outcomes. The risk situation is defined as one in which a decision must be made between at least two different options, A and B, each with a distinct outcome: X, X1, or X2. The outcomes are described as possible benefits and possible losses, some of which are unpredictable and have correlated probabilities. The fundamental structure of the problem is one of economic optimization with respect to certain value scales which minimize loss and maximize utility. The risk behavior of the firm's choice is represented by one of the branches in the decision tree in Figure 6.6.
Open framing using decision trees allows values and probabilities to
be assigned, providing alternate scenarios. This process enables each phase
of the process to be broken down into a series of decisions and the size and
characteristics of the process can change at each decision point, depending
on the decision taken. The advantage of this technique is the ability to
scope out available options at each decision point (Oh, et al., 2018).
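Worked example, added here and not code from the book or from Oh et al. (2018): folding back a decision tree of the Figure 6.6 shape to its Expected Monetary Value in Python. The tree-building function, the control cost, the breach loss and the breach probability are constructed assumptions; the break-even probability is a sensitivity check that the text does not spell out, showing at which breach probability options A and B become indifferent.

```python
"""Expected Monetary Value (EMV) of a decision tree.

Added example, not code from the book or from Oh et al. (2018). The tree
mirrors the layout of Figure 6.6: a decision between options A and B, where
A leads to a single outcome X and B leads to X1 with probability P or X2
with probability 1-P. Every payoff and probability below is a constructed
illustration, not a figure from the text.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Outcome:
    """Leaf node: a monetary payoff; losses are negative."""
    label: str
    value: float


@dataclass
class Chance:
    """Chance node: branches are (probability, child) pairs summing to 1."""
    label: str
    branches: List[Tuple[float, "Node"]]


@dataclass
class Decision:
    """Decision node: options are (label, child) pairs; the best EMV is chosen."""
    label: str
    options: List[Tuple[str, "Node"]]


Node = Union[Outcome, Chance, Decision]


def emv(node: Node) -> float:
    """Fold the tree back: leaves return their value, chance nodes their
    probability-weighted EMV, decision nodes the EMV of their best option.
    Nesting is arbitrary, so multi-stage decisions are handled the same way."""
    if isinstance(node, Outcome):
        return node.value
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{node.label}: branch probabilities sum to {total}, not 1")
        return sum(p * emv(child) for p, child in node.branches)
    if isinstance(node, Decision):
        return max(emv(child) for _, child in node.options)
    raise TypeError(f"unknown node type: {type(node).__name__}")


def best_option(node: Decision) -> Tuple[str, float]:
    """Return (option label, EMV) of the option a risk-neutral decision maker picks."""
    scored = [(label, emv(child)) for label, child in node.options]
    return max(scored, key=lambda item: item[1])


def figure_66_tree(control_cost: float, breach_loss: float, p_breach: float) -> Decision:
    """Build the Figure 6.6 shape for the 'invest in a cybersecurity control' choice.

    Constructed assumption: investing (A) has the certain outcome X = -control_cost
    (the breach is prevented); not investing (B) yields X1 = -breach_loss with
    probability P and X2 = 0 (no breach) with probability 1-P.
    """
    return Decision(
        "Invest in cybersecurity technology?",
        [
            ("A: invest", Outcome("X", -control_cost)),
            ("B: do not invest", Chance("breach?", [
                (p_breach, Outcome("X1", -breach_loss)),
                (1.0 - p_breach, Outcome("X2", 0.0)),
            ])),
        ],
    )


def break_even_probability(x: float, x1: float, x2: float) -> float:
    """Breach probability P at which EMV(A) == EMV(B), i.e. x == P*x1 + (1-P)*x2.
    Above this P the investment (A) is preferred; a quick sensitivity check."""
    if x1 == x2:
        raise ValueError("X1 and X2 must differ for a break-even point to exist")
    return (x - x2) / (x1 - x2)


if __name__ == "__main__":
    tree = figure_66_tree(control_cost=200_000.0, breach_loss=1_000_000.0, p_breach=0.3)
    print("EMV of the decision:", emv(tree))
    print("Chosen option:", best_option(tree))
    print("Break-even breach probability:", break_even_probability(-200_000.0, -1_000_000.0, 0.0))
```

With the constructed figures, investing costs a certain 200,000 while not investing has an expected loss of 300,000, so A is chosen; the break-even probability of 0.2 tells the risk manager how robust that choice is to the breach-probability estimate.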

5.4. VaR

The concept of VaR was first conceived in 1994 by Dennis Weatherstone [32] at J. P. Morgan when he wanted to present the board of directors with a simple estimate of maximum expected losses, without the complex statistics [33]. The VaR methodology is also applied in large non-financial corporations like Microsoft and Unocal Corporation. The Value-at-Risk (VaR) model is an important part of the ERM process for measuring and managing risk exposure. VaR is a comprehensive risk measure that has generated heightened interest in its use as a corporate risk management tool, especially in the integral role it plays in enterprise risk management (Oh, et al., 2018). A VaR calculation conveys a monetary amount at risk over a period at a given confidence level. VaR is a model that is used to predict the worst-case loss with a specific confidence level (e.g., 95%) over a period of time (e.g., 1 day, 1 week, or 1 month). For example, a VaR of $10 million with a 95% level of confidence suggests that the potential loss will exceed $10 million with a 5% probability over the given period. The VaR method is traditionally used to quantify the risks that originate from assets like bond portfolios, stock portfolios, or raw material resources. Lately, there has been a lot of interest in discussing the adoption of VaR to frame enterprise cyber risk exposure. Similar to a financial VaR, a cyber VaR model can be used to calculate the potential losses of an organization from a cyber incident over a given period. Using the same example given above, we can reframe the hypothesis in a cybersecurity context to state that, with a VaR of $10 million at a 95% level of confidence, the potential loss from a successful cyberattack will exceed $10 million with a 5% probability over the given period.

[32] Dennis Weatherstone was at one time the Chairman of J. P. Morgan.
[33] J. P. Morgan’s product RiskMetricsTM calculates VaR (Website: http://www.jpmorgan.com).
Monte Carlo simulation is the quantitative risk analysis technique that allows a firm to model the future value of a variable by simulating its behavior over time. The Monte Carlo simulation method estimates the VaR using a randomly generated set of values for the uncertain variables to simulate the risk factors. The World Economic Forum [34] suggested specific properties or variables "that industries and individual companies should incorporate into their models" for estimating cyber risk (Reagan, Raghavan & Thomas, 2015). According to Reagan et al. (2015), the VaR component variables are categorized into three groups, namely, “vulnerability, assets, and profile of attackers” (see Table 6.4 below). The simulation is similar to running a series of "what-if" scenarios on the model. Cyber risk factors that affect the entire organization can be measured for their impact on the organization using scenario analysis in the context of “extreme scenarios” (Dowd, 1998) in the VaR model. For example, Monte Carlo simulation can be used to estimate cyber risk based on the risk variables, and the VaR measure is taken as the percentile corresponding to the desired confidence level (Jorion 1997; Duffie and Pan 1997) to assess enterprise risk.

There is still no consensus as to the most appropriate VaR estimation procedure. The current research on VaR estimation is mainly focused on testing the various parametric and simulation procedures over alternative data sets, confidence levels, portfolios, and holding periods. Due to the diversity and complexity of risks and information needs, it is always difficult to develop VaR estimates that capture all the demands and risks faced by corporate risk managers.

[34] World Economic Forum, “Partnering for cyber resilience: Towards the quantification of cyber threats,” January 2015.

Table 6.4. WEF recommended VaR cyber risk variables

Vulnerability
• Existing vulnerabilities
• The maturity level of defending systems
• Number of successful breaches

Assets
• Tangible assets
• Intangible assets

Profile of Attackers
• Type of attackers
• Type of attacks
• Tactics and motivations

Source: Adapted from Reagan, Raghavan & Thomas, 2015.
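The following Python example is added here and is not code from the book, the World Economic Forum or Reagan et al. It runs the Monte Carlo steps of Section 5.2 to produce a cyber VaR in the sense of Section 5.4: the number of successful breaches in the period (a vulnerability-side variable from Table 6.4) and the loss per breach (an asset-side variable) are drawn from assumed distributions, the loss of each trial is tallied, and the VaR is read as the loss percentile for the chosen confidence level. The Poisson and lognormal choices and every parameter value are assumptions for illustration; the expected shortfall reported beside the VaR goes beyond the text as a view of the “extreme scenario” tail.

```python
"""Monte Carlo estimate of a cyber Value-at-Risk (VaR).

Added example; it is not code from the book. It walks through the Monte Carlo
steps of Section 5.2 and the VaR definition of Section 5.4: draw random values
for the uncertain variables, tally the simulated loss for each trial, and read
the VaR as the loss percentile matching the confidence level. Two uncertain
variables are modeled, loosely following the Table 6.4 groups: the number of
successful breaches in the period (vulnerability side, Poisson) and the loss
per breach (asset side, lognormal). All rates and loss parameters are
constructed for illustration.
"""
import math
import random
from typing import Dict, List


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson(lam) draw by Knuth's multiplication method (adequate for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_period_losses(n_trials: int, breach_rate: float, loss_median: float,
                           loss_sigma: float, seed: int = 2022) -> List[float]:
    """Steps 2-4 of the Monte Carlo recipe: one aggregate loss per trial.

    breach_rate: expected successful breaches per period (Poisson mean).
    loss_median, loss_sigma: lognormal loss per breach (median and log-scale sigma).
    A fixed seed keeps the estimate reproducible for audit purposes.
    """
    if n_trials <= 0 or breach_rate < 0 or loss_median <= 0 or loss_sigma < 0:
        raise ValueError("invalid simulation parameters")
    rng = random.Random(seed)
    mu = math.log(loss_median)  # lognormal median == exp(mu)
    losses = []
    for _ in range(n_trials):
        breaches = poisson(rng, breach_rate)
        losses.append(sum((rng.lognormvariate(mu, loss_sigma) for _ in range(breaches)), 0.0))
    return losses


def value_at_risk(losses: List[float], confidence: float) -> float:
    """VaR at the given confidence: the loss exceeded in only (1-confidence) of trials."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[index]


def expected_shortfall(losses: List[float], confidence: float) -> float:
    """Mean loss in the tail at or beyond the VaR (the 'extreme scenario' view)."""
    var = value_at_risk(losses, confidence)
    tail = [loss for loss in losses if loss >= var]
    return sum(tail) / len(tail)


def cyber_var_report(losses: List[float], confidences=(0.95, 0.99)) -> Dict[str, float]:
    """Summary a risk manager would report: expected loss plus VaR/ES per level."""
    report = {"expected_loss": sum(losses) / len(losses)}
    for c in confidences:
        level = int(round(c * 100))
        report[f"var_{level}"] = value_at_risk(losses, c)
        report[f"es_{level}"] = expected_shortfall(losses, c)
    return report


if __name__ == "__main__":
    sample = simulate_period_losses(20_000, breach_rate=2.0, loss_median=100_000.0, loss_sigma=1.0)
    for name, amount in cyber_var_report(sample).items():
        print(f"{name:>14}: ${amount:,.0f}")
```

The percentile is taken from the sorted simulated losses rather than from a fitted normal distribution, because a compound loss of this shape is heavily right-skewed; the fixed seed is there so that a reported VaR can be regenerated during review, not to suggest one run is authoritative.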

5.5. Business Impact Analysis (BIA)

To be consistent with the ORM process adopted in this book, we define risk identification as a process to establish what kind of risk events a firm could encounter, while risk assessment refers to gaining an understanding of the financial impact a risk event may have on a business. The BIA framework overlaps both these activities in the ORM process, as one is an extension of the other. In Chapter 5 on risk identification, the BIA method is used to identify risk factors; it can also be adopted for risk assessment, quantification, and ranking of risks, since a business impact analysis study aims to predict how any identified risks will impact the firm if they materialize and to produce information that can be used for the development of mitigation and recovery strategies.

6. RISK MAPPING

Risk mapping is a tool for identifying, controlling and managing risk. The main objective of the risk mapping process is to describe and structure the organization’s risk environment to assess and rank the importance of cyber threats in terms of likelihood (frequency) and impact, define risk-mitigating actions and assign risk owners. It can be used as the primary risk management process for firms that are conducting a first pass at risk assessment without a full ERM system in place, or as the initial threat identification technique in an SRM process.

The first step to an integrated risk control process is to map the full spectrum of risks a firm faces to understand the opportunities and manage these risks. This involves the firm identifying and quantifying the impact of the various risks it faces, or essentially the first two stages of the ERM process. Once a list of exposures is compiled, a theoretical value is placed on each exposure, i.e., a severity value and a frequency value. Using those values, the exposures are then placed on the risk map. Risk mapping is a helpful tool for companies to visualize the key exposures according to their severity. It also enables management to be better aware of all the risks the firm faces in the light of the demands of shareholders and stakeholders, and of regulatory and market scrutiny. The heat map in Section 4.1 and the risk map in Section 5.1 are examples of risk mapping employed in qualitative and quantitative risk analysis, respectively.

CONCLUSION

The advantages of using the qualitative approach in risk assessment are its ability to prioritize risks, its simplicity and cost-effectiveness, and the quick risk calculation it provides. However, the drawbacks of this method are the broad characterization and estimation of risk, the absence of numerical data, and the difficulty of carrying out a cost-benefit analysis. The benefits of the quantitative approach are a quantitative description of the impact and an improved risk profile. The drawbacks are model risk that may cause inaccurate results and higher costs of implementation.

There are other risk quantification tools and techniques that are not covered in this chapter but are also valuable instruments for performing the same task. One particular method that targets information security is the Factor Analysis of Information Risk (FAIR) approach, a Value at Risk (VaR) framework for cybersecurity and operational risk. FAIR examines and analyses the factors that influence risk, as well as how they interact. It is a methodical approach to identifying, assessing, and quantifying cyber risk and operational risk in monetary terms through accurately estimating probability for the frequency and impact of loss events.

Chapter 7

CYBER RISK MITIGATION

1. INTRODUCTION

It is unrealistic in today’s technology-driven business environment to avoid cyber risk. As a driving force behind long-term growth, digital transformation is a strategic option for modern firms because technology helps to optimize business processes. The integration of technology into business can be seen in marketing, human resource management, production, supply chain, finance, and communications. The reason why cyber risks should be managed or controlled is predicated on the impact of the risk exposure on business (operations) and financial (market value & funding) strategies.

The risk mitigation objective pertains to anticipating potential risks and mitigating those risks before they threaten the company’s strategic objectives. The objectives of cybersecurity are realized in risk mitigation. Risk mitigation can also mean the reactions implemented in the event of an attack to minimize or neutralize the attack. This objective normally refers to a proactive response (Zhao et al. 2013) or stance in cyber risk management to counter the impacts of a cyber-attack. Risk mitigation is the third step in the operational risk management process. Risk mitigating options available to a firm include taking on, transferring, treating, or terminating a firm’s critical risks, also known as the 4Ts of risk management. Effective mitigation for cybersecurity requires technical capabilities in ERM, information infrastructure, risk assessment, and risk protection tools and techniques.

The areas covered in this chapter include describing and explaining the basic concept of risk mitigation in the ERM framework, the use of insurance, the 4-Ts, hedging, and the cyber and physical tool-kits for risk mitigation.

2. MITIGATING RISK

The purpose of the risk identification and assessment phases is to prepare for risk mitigation. Mitigation includes activities designed to reduce the likelihood of a risk event occurring and/or reduce or optimize the effect of a risk event if it does occur. Planning at the strategic risk management level of the organization plays an important role in ensuring the success of the operational risk management process. The planning that goes into managing risk is an important aspect of risk mitigation. Planning includes the ongoing maintenance of the risk log that contains up-to-date information about the sources and dimensions of the risk, its exposure, the alternative mitigation strategies and tools, and budgets for mitigation actions. The planned mitigation strategies and actions will need to be communicated to all relevant participants for implementation. The CISO should corroborate the mitigation outcomes with C-suite executives to confirm that the results meet corporate risk tolerance, expectations, and objectives.

Cyber Risk Mitigation 141

Risk mitigation is the third phase in the ORM process (Figure 7.1). The best mitigation against a cyber threat is to have an effective enterprise risk management framework in the organization that incorporates a cyber risk control program. The ERM comprises the strategic and operational levels in providing a comprehensive and holistic framework for controlling enterprise risk, including cyber risk. At the operational level, the operationalization of the corporate risk management policy uses either mitigation or insurance to address risk exposure. Mitigation involves taking measures to minimize the possibility of adversity by adopting one or more of the “4-Ts” risk mitigation techniques explained below. Another way is to minimize the damage or loss if the adverse event occurs, by implementing contingent measures developed to reduce the impact of an event once it has occurred.

Figure 7.1. Risk mitigation phase in the ERM/ORM cycle.

Mitigation actions are based on the conditions of the risk landscape and the assumptions used in the risk strategy, including the correlation between cyber and other types of risks. Changing the strategy may require different approaches and result in different outcomes. Risk mitigation can be exogenous, involving third parties (Gordon et al., 2003; Marotta & McShane, 2018) through the use of outsourcing, hedging, or insurance mechanisms to reduce residual risk to an acceptable level. Endogenous mitigation includes improving security protocols in operating processes or implementing appropriate risk control measures. Firms should consider all types of security measures in their cyber risk mitigation “whether they are physical, digital, or related to people, processes or technologies involved in the activities” (OECD, 2015). To obtain the best result, the firm needs to embrace the optimal mix between and within exogenous and endogenous mitigating measures to achieve the desired level of residual risk. Therefore, it is important for management to conduct a regular review of the effectiveness of the mitigation function to maintain an effective risk strategy and for assurance purposes.

The endogenous approach to risk mitigation is to reduce the incidence of adverse events where business decisions are determined by corporate policy measures. This may happen when a corporation makes a decision to avoid investing in a project or market perceived to be high risk. Kaplan and Mikes (2012) identified three categories of risks, being “preventable,” “strategy” and “external,” and accordingly, each category requires a different risk mitigation strategy. Kaplan and Mikes (2012) suggest that preventable risks are “best managed through active prevention: monitoring operational processes and guiding people's behaviors and decisions toward desired norms." Strategy risks require mitigation actions to minimize the probability of the risks occurring and to improve the company's ability to respond to and recover from the occurrence of the risk events. As external risks emanating from "natural and political disasters and major macroeconomic shifts" cannot be “influenced or controlled by the organization,” the best strategy is to identify these potential risks and be prepared to mitigate their impact (Kaplan and Mikes, 2012).

Operations management for enhancing cybersecurity requires both cybersecurity and physical security to protect against breaches in security. According to Siponen and Oinas-Kukkonen (2007), the four cybersecurity challenges are “access to information systems, secure communication, security management, and secure information system development,” and the recommended risk mitigation techniques for treating these risks are to employ passwords and biometric authentication, encryption, key management, virtual private networks, and security language coding.

3. FOUR-Ts MITIGATION TECHNIQUES

As organizations become concerned about risks that might obstruct the achievement of their objectives, risk control measures are implemented to mitigate the risks. The Four-Ts approach describes the techniques to reduce or avoid risks. Four-Ts risk mitigation refers to the risk-mitigating strategies of tolerating, transferring, treating, and terminating risks. The explanations of the Four-Ts strategies are as follows:

3.1. Transferring Risk

The risk transfer method does not reduce total risk, but it does shift risk ownership to another party. The strategy of transferring cyber risk is predominantly predicated on the use of insurance as a risk mitigation instrument (Gordon, Loeb & Sohail, 2003). Transferring risk to another party can be achieved through the use of insurance or payment to third parties who are prepared to assume the risk on behalf of the organization. While purchasing insurance for traditional risks is very simple, doing so for cyber risk might be difficult owing to its novelty and dynamics. However, insurance remains a popular risk transfer instrument for cybersecurity risk (Falco et al., 2019a). Transferring risk requires a quantitative risk assessment. For a counter-party to assume risks, it is necessary to quantify the risks to establish that there is an adequate reward in exchange for assuming them, i.e., the risk-return relationship consideration. The ability to determine a fair and equitable return/price to be paid by the firm to the "risk-taker" provides both parties with an idea of the risk-return balance for bearing the risks associated with specific uncertainties.

The risk transfer strategy may be applied to business partners (such as contractors or suppliers), derivatives, or insurance firms, primarily to limit the financial effect on the organization’s critical infrastructure or the responsibility for deploying mitigation mechanisms. The counter-party that assumes the risk is willing to do so because it has the experience, knowledge, long positions, skills, or other attributes to optimize or reduce the risk. This is a win-win arrangement as each party believes itself to be better off by the risk transfer. An example of transferring cyber risk to a third party is to engage cloud computing for data storage. By outsourcing a firm's data management, the risk of a data breach is transferred to the professional cloud service provider who is an expert in data security, storage, and warehousing. A cloud data warehouse is a database delivered in a public cloud provider as a managed service that optimizes costs, capacity, security, availability, and analytics. On the other hand, storing corporate data in the cloud has attracted the attention of cybercriminals for malicious attacks, and therefore cloud technology does not only help to mitigate risk but also poses new cybersecurity issues to both users and cloud service providers. As a general rule, the risk transfer approach can be effective for low-probability but high-impact hazards.

3.2. Treating Risk

Treating risk refers to taking on a risk by the business but at the same
time taking measures to mitigate or control the risk to reduce the
probability of the risk occurring or minimize its impact before its
occurrence. An example of risk treatment is to hedge a financial risk by
purchasing an investment (a financial derivative or security) to reduce the
risk of adverse price movements in an asset. In project risk management
the establishment of a reserve or buffer is an example of risk hedging for
mitigating the effects of project risks. A contingency is one example of a
buffer where a large allocated contingency will reduce the risk of the
project running out of money before a project’s completion. Other than
cash reserves, buffering can also include the allocation of additional
resources (inventory, machines, labor, or time) to allow for uncertainties
in future requirements. Firewalls, antivirus, intrusion detection and
prevention systems, policies, and incident response management are all
common cybersecurity measures.
After treating the unacceptable risk there is likely to be some residual risk left over unless there is a perfect hedge. It is impossible to eliminate all risks connected with a given risk exposure; residual risk refers to any risk that persists after controls have been implemented. The residual risk is what the organization has to tolerate, as long as it is within its risk tolerance level.

3.3. Tolerating Risk

Tolerating risk is similar to accepting risk, where no action is taken to mitigate the risk but the firm continues with the risky activity despite the absence of mitigations. This could be due to the high costs of instituting risk mitigation activity, or because the impact of the risk is so negligibly low that it can be tolerated by the business. This strategy is most effective when the cost of managing the risk using one of the other techniques is more than the cost of assuming the risk. Alternatively, a risk could have been treated and reduced to an acceptable level, in which case an organization would tolerate the residual risk. These risks should continue to be monitored even when they are tolerated because they may change in the future and become no longer tolerable. A decision to tolerate a risk is only made after it is informed by assessing the many components of the risk.

3.4. Terminating Risk

This risk strategy deals with a risk situation by not engaging in an activity that would expose a firm to the risk. This is the simplest method, but it is also the most expensive because, by avoiding the activity, the firm forgoes all of its benefits. As mentioned earlier, risk termination is not a viable option in today's digital world that depends on technology for business growth. Risk termination or avoidance is the elimination of some risk by changing the perimeters of the risk environment. This can be done by altering an inherently risky environment, process, or practice to eliminate the risk. Using hardware and software with a robust security design for connecting to the internet might be considered a type of avoidance (Falco et al., 2019a & 2019b) to mitigate cyber risk.

It is generally believed that risk avoidance is underutilized as a strategy for risk mitigation: if something presents a risk and can be removed without affecting the business, then removing the risk should be the first option considered, rather than attempting to treat, tolerate or transfer it. The same strategy can be used for reviewing practices and processes in all areas of the business. This strategy can be effective for risks that would result in catastrophic failure if they were to occur and that none of the other strategies can adequately handle.

4. NIST/CSF – PROTECT FUNCTION

The Protect function helps an organization develop and implement the necessary mitigating measures so that it can continue to provide critical services while limiting or containing the impact of a cybersecurity incident.
All the categories and sub-categories (Table 7.1; Figure 7.2) under the
NIST/CSF Protect function apply to the Risk Mitigation phase in the
ERM/ORM process. The following section discusses these sub-categories
and categories as they apply to the Risk Mitigation phase (Step 3) of the
TRMM.

ERM/ORM: Risk Mitigation (Step 3)
NIST/CSF: Core Function: Protect; Category: All; Sub-category: All those in “Protect” + Risk responses identified and prioritized (ID:RA5)

Figure 7.2. Risk mitigation – ERM/ORM & NIST/CSF alignment.

During the risk assessment task, all identified risks are quantified and ranked, and the risk responses are identified and resources are prioritized (ID:AM5) for treating the most critical risks first. The ERM/ORM risk mitigation phase is equivalent to the Protect function in the NIST/CSF framework, which is concerned with the implementation of mitigating measures to protect the organization’s critical assets from cyber-attacks. The categories and sub-categories with their respective key protective measures are summarized below.
Table 7.1. Protect function – outcome categories/sub-categories

Protect (PR)

Access Control (PR:AC)
• Identities and credentials are managed for authorized devices and users (PR:AC1)
• Physical access to assets is managed and protected (PR:AC2)
• Remote access is managed (PR:AC3)
• Access permissions are managed, incorporating the principles of least privilege and separation of duties (PR:AC4)
• Network integrity is protected, incorporating network segregation where appropriate (PR:AC5)

Awareness and Training (PR:AT)
• All users are informed and trained (PR:AT1)
• Privileged users understand roles & responsibilities (PR:AT2)
• Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities (PR:AT3)
• Senior executives understand roles & responsibilities (PR:AT4)
• Physical and information security personnel understand roles & responsibilities (PR:AT5)

Data Security (PR:DS)
• Data-at-rest is protected (PR:DS1)
• Data-in-transit is protected (PR:DS2)
• Assets are formally managed throughout removal, transfers, and disposition (PR:DS3)
• Adequate capacity to ensure availability is maintained (PR:DS4)
• Protections against data leaks are implemented (PR:DS5)
• Integrity checking mechanisms are used to verify software, firmware, and information integrity (PR:DS6)
• The development and testing environment(s) are separate from the production environment (PR:DS7)

Information Protection Processes and Procedures (PR:IP)
• A baseline configuration of information technology/industrial control systems is created and maintained (PR:IP1)
• A System Development Life Cycle to manage systems is implemented (PR:IP2)
• Configuration change control processes are in place (PR:IP3)
• Backups of information are conducted, maintained, and tested periodically (PR:IP4)
• Policy and regulations regarding the physical operating environment for organizational assets are met (PR:IP5)
• Data is destroyed according to policy (PR:IP6)
• Protection processes are continuously improved (PR:IP7)
• Effectiveness of protection technologies is shared with appropriate parties (PR:IP8)
• Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed (PR:IP9)
• Response and recovery plans are tested (PR:IP10)
• Cybersecurity is included in human resources practices [e.g., de-provisioning, personnel screening] (PR:IP11)
• A vulnerability management plan is developed and implemented (PR:IP12)

Maintenance (PR:MA)
• Maintenance and repair of organizational assets is performed and logged promptly, with approved and controlled tools (PR:MA1)
• Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access (PR:MA2)

Protective Technology (PR:PT)
• Audit/log records are determined, documented, implemented, and reviewed following policy (PR:PT1)
• Removable media is protected and its use restricted according to policy (PR:PT2)
• Access to systems and assets is controlled, incorporating the principle of least functionality (PR:PT3)
• Communications and control networks are protected (PR:PT4)

The access control (PR:AC) category requires that access to the organization’s assets and associated facilities be restricted to authorized people, processes, or devices, and to authorized activities and transactions. The use of mitigating security measures and internal controls is essential to enforce this type of restriction. For access by devices and users, the identities and credentials are managed to allow access to approved devices and users only. Physical access to assets as well as remote access must be monitored, secured, and controlled. Access permissions are controlled using the least privilege and separation of duties concepts, and network integrity is safeguarded with a suitable network segregation strategy to limit the impact of a network intrusion.
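An added Python example, not code from the book or from NIST, of the PR:AC4 permission review described above: each identity's effective permissions (the union of its roles) are compared with what its job function needs (least privilege) and checked against pairs of permissions that no single identity may hold together (separation of duties). The roles, permissions, job functions, SoD rules and sample identities are all constructed assumptions, not the CSF's own content.

```python
"""Access permission review against least privilege and separation of duties.

Added example, not code from the book or from NIST. It illustrates the PR:AC4
sub-category: each identity's effective permissions (from its roles) are
compared with what its job function actually needs (least privilege), and
checked against pairs of permissions that no single identity may hold
together (separation of duties). Roles, permissions, job functions, SoD
rules and the sample identities are all constructed assumptions.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

# Role -> permissions it grants (constructed)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer": {"repo:write", "ci:run"},
    "release_approver": {"release:approve"},
    "deployer": {"prod:deploy"},
    "auditor": {"logs:read"},
    "admin": {"iam:admin", "repo:write", "ci:run", "release:approve", "prod:deploy", "logs:read"},
}

# Job function -> permissions it legitimately needs (constructed)
JOB_NEEDS: Dict[str, Set[str]] = {
    "engineering": {"repo:write", "ci:run"},
    "operations": {"prod:deploy"},
    "audit": {"logs:read"},
}

# Separation of duties: no single identity may hold every permission of a rule
SOD_RULES: List[FrozenSet[str]] = [
    frozenset({"repo:write", "prod:deploy"}),       # write code and push it to production
    frozenset({"release:approve", "prod:deploy"}),  # approve a release and deploy it
]


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of the permissions granted by all of an identity's roles."""
    perms: Set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(perms: Set[str]) -> List[FrozenSet[str]]:
    """Rules whose conflicting permissions are all held by the same identity."""
    return [rule for rule in SOD_RULES if rule <= perms]


def excess_permissions(perms: Set[str], job: str) -> Set[str]:
    """Least-privilege gap: granted but not needed by the job function."""
    return perms - JOB_NEEDS[job]


def review(identities: Dict[str, dict]) -> Dict[str, dict]:
    """Findings per identity: SoD conflicts and permissions beyond the job's needs."""
    findings: Dict[str, dict] = {}
    for name, record in identities.items():
        perms = effective_permissions(record["roles"])
        findings[name] = {
            "sod": [sorted(rule) for rule in sod_violations(perms)],
            "excess": sorted(excess_permissions(perms, record["job"])),
        }
    return findings


def needs_action(findings: Dict[str, dict]) -> List[str]:
    """Identities whose access must be changed before the review is closed."""
    return sorted(name for name, f in findings.items() if f["sod"] or f["excess"])


# Constructed identities (not from the book)
SAMPLE_IDENTITIES = {
    "alice": {"roles": ["developer", "deployer"], "job": "engineering"},
    "bob": {"roles": ["admin"], "job": "audit"},
    "carol": {"roles": ["auditor"], "job": "audit"},
    "dave": {"roles": ["deployer"], "job": "operations"},
}

if __name__ == "__main__":
    results = review(SAMPLE_IDENTITIES)
    for name in needs_action(results):
        print(name, results[name])
```

The review is deliberately computed from roles rather than from a list of what each user says they do, because the control in PR:AC4 is about the permissions actually granted; an auditor holding the admin role (bob) fails both checks even though nothing in his job description has changed.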
In the awareness and training (PR:AT) category, all employees and
partners of the business receive cybersecurity awareness training and are
taught to conduct their information security-related duties and
responsibilities following relevant policies, procedures, and agreements.
To ensure the confidentiality, integrity, and availability of information, all
information and records (data) are handled following the organization's
risk plan. Assets are properly recorded, controlled, and protected at all
times to ensure adequate capacity and prevention against data leaks.
Information protection processes and procedures (PR:IP) are
implemented to manage the protection of information systems and assets
with the maintenance and use of security policies, protocols, and
procedures. At the minimum, a basic configuration of industrial control
systems incorporating information technology is available. The physical
working environment for organizational assets complies with policy and
regulations. Data management is regulated including policy for data
destruction. To facilitate business continuity, response (Incident Response
Plan) and recovery (Incident Recovery Plan) plans have been implemented
and are being managed. Human resources management should include
cybersecurity considerations for such practices as training and personnel
screening.
Maintenance (PR:MA) addresses the maintenance and repair of
industrial control and information system components by highlighting the
need for compliance with formal policies and procedures. Maintenance
and repair should be carried out by approved parties and controlled tools
and logged, including remote asset maintenance which should be
conducted securely to avoid unauthorized access.
Protective technology or technical security solutions (PR:PT) should be managed according to applicable policies, procedures, and agreements to ensure the security and resilience of systems and assets. Audit/log records must be documented, managed, and maintained according to policy. Likewise, removable media is regulated and protected, and its use is limited. Access to communications and control networks is restricted and protected, and the principle of least functionality is used to control access to systems and assets.

5. CYBERSECURITY INSURANCE

Insurance is an important cyber risk mitigation tool in the cyber risk management framework (Gordon, et al., 2003). However, the stand-alone cyber insurance market remains a fraction of the scale of other commercial property and liability insurance markets, with a penetration rate at 30% of enterprises in almost all countries (OECD, 2017). Insurance involves a firm paying a premium to the insurance company to assume risk, while hedging involves taking a market position in the form of an investment in derivatives to offset risk. Using insurance is a common risk mitigation strategy relating to risk transfer, one of the 4-Ts of risk mitigation, that involves entering into a contractual arrangement to pass on a pure risk from one party to a counter-party. The purchase of a cyber insurance policy is an example of this arrangement, whereby the risk of loss from a cybersecurity breach or incident is passed from the firm to the insurer. Insurance is a well-established industry and it possesses a huge amount of risk mitigation knowledge and experience that can be applied to cyber risk mitigation. The insurance market comprises firms that provide services in financial protection to individuals and corporations. An insurance policy taken out by a customer is a financial contract that transfers risk from the insured to the insurer. Under the arrangement in the insurance contract, the insurer promises to pay the insured an amount of money if the insured suffers financial loss due to the occurrence of the event covered by the policy.

Generally, speculative risks are uninsurable risks. They are risks that very few insurance companies are willing to cover. Other uninsurable risks include those that are the result of general economic conditions and government actions.

Insurable risks are pure risks whose occurrence is accidental, that is,
not predictable or avoidable by the insured. Insurers will generally cover
such risks if they meet the usual conditions: losses must be quantifiable,
there must be a significant number of similar exposures, the risk must be
unlikely to affect all insured parties simultaneously, and the loss must be
beyond the control of the insured. Cyber risk sits uneasily against these
conditions. For instance, the causal factors affecting cyber risk may change
or evolve rapidly enough to render a policy obsolete within the cover period,
which is challenging for both the insurer and the insured (Falco et
al., 2019a). Losses involving reputational damage or intellectual property
theft are rarely covered by cyber insurance policies (OECD, 2017).
To ensure that sufficient revenue is generated from the premiums
charged, an insurance company needs to predict the probable amount of
claims it will have to pay in a given period. However, the cyber-insurance
sector faces information asymmetry between buyers and sellers, as
well as a paucity of historical data that insurers can use to calculate risk,
leading to underestimation of future losses from cyber risks (Gordon et al.,
2003; Pandey & Snekkenes, 2014; Biener, Eling & Wirfs, 2015). This
poses a major challenge to insurance companies because, to succeed as
a business, they must cover their costs, which include selling, general and
administrative expenses (SG&A), payments to meet the claims of
policyholders, and dividends. The premium for a specific type
of risk is estimated from the probability of loss eventuating from that
risk. The insurance premium therefore places a cost on a firm's cyber risk
exposure ahead of potential losses, and can be considered an effective
and convenient mitigating tool in an uncertain and challenging cyber risk
environment. The coverage limits for cyber insurance are typically
substantially smaller than those available for conventional risks and
therefore come at a much higher price (OECD, 2017). AGCS (2015)
forecasts that cyber insurance premiums will grow globally at a compound
annual growth rate of over 20% over the next decade.

While cyber insurance will not abrogate the need for robust
cybersecurity measures, “insurance can contribute to improving the
management of cyber risk and should be considered an essential
component of countries' strategies for addressing digital security risks”
(OECD, 2017) by creating a second line of defense to mitigate the financial
loss from a cyber-attack. The increase in cyber threat awareness and cyber
incidents as well as regulatory changes in many countries and industries is
driving the rapid growth of cyber insurance (AGCS, 2015). A recent
survey of 3,000 companies in the United States, Germany, and the United
Kingdom found that 55%, 30%, and 36% of those surveyed, respectively,
have taken up cyber insurance (Hiscox, 2017).
There are limitations and challenges to using insurance as an
instrument for cyber risk management. Underwriters must deal not only with
the rapidly changing cyber threat landscape but also with the under-reporting
of cybersecurity incidents, which makes it more difficult to estimate the cost
of such occurrences accurately. Cyber threat is therefore not a well-defined
risk in insurance terms and pricing data are scarce (Gordon, Loeb & Soghail,
2003), so insurance pricing and products are still evolving (Mukhopadhyay,
2013) as the commercial, legal and technical ramifications of cybersecurity
become clearer. The lack of data on cyber incidents makes it challenging for
insurers to assess and cover cyber exposures (OECD, 2017). In addition,
there are challenges relating to adverse selection (firms that know they are
poorly protected are the most eager to buy cover) and moral hazard (insured
firms may invest less in their own security) in using insurance to manage
cyber risk (Gordon, et al., 2003). The types of incidents and losses related
to cyber risk that are insurable are categorized as data confidentiality,
system malfunction or issue, data integrity and availability, and malicious
activity (OECD 2017)35.

35
This categorization, developed by the CRO Forum and adopted by the OECD, is based on
questionnaire responses received from the re/insurance companies and brokers active in
this market globally and from the ministries of finance and insurance regulators responsible
for overseeing that market.

Finally, it should also be noted that while a cyber security incident may be
covered by a cyber insurance policy, damages such as compromised
data leading to loss of reputation, stolen intellectual property resulting in
loss of competitive advantage, and lost customer loyalty from business
disruption are consequences that may not be recoverable through insurance.
Nevertheless, cyber insurance is available to cover a relatively wide
range of cyber-related issues (HM Government & Marsh, 2015).

6. HEDGING CYBER RISK

Hedging is a risk control method used for treating risks. The concept
of hedging is to take an equal and opposite position to the risk exposure so
that any loss from the exposure is offset by an equal profit from the hedge. A
hedge consists of a party taking an offsetting position in a related
security or asset, such as an option, a futures contract, or a commodity. The
primary goal of hedging is to allow corporations to proactively manage
their risk to achieve an optimal risk profile, taking into consideration the
risk-return relationship of each corporation. Invariably, the process will
involve weighing the benefits of protection against the costs of hedging as
well as the level of risk tolerance that a firm possesses. Therefore, an
effective hedging position is commensurate with the degree of corporate
risk aversion given a certain state of risk exposure. As such, hedging is not
necessarily an attempt to eliminate all risk but rather to transform
unacceptable risks into more manageable or controllable risks.
One of the key challenges for the corporate risk manager is to ascertain
the behavior and impact of cyber risk in order to determine the types and
magnitude of risk the company is willing to bear and the ones it can
transform by hedging. The degree of controllability depends very much on
the availability of risk management instruments and on basis risk, the
risk that the hedge and the exposure do not move in step. A perfect hedge
leaves no residual risk and eliminates all risk in a position or portfolio;
in practice, basis risk means that hedges are rarely perfect.
The basic idea of setting up a hedge is to first identify and measure the
exposure the organization faces and then construct another position with

the opposite exposure. The literature suggests four basic steps to hedging,
shown in Table 7.2.
The first step, identifying the source of the risk exposure, is to locate
and document the vulnerabilities and weaknesses so that the likely
economic impact of the exposure can be assessed. The source could be business
systems, networks or data, or any combination of them. Once the source
and nature of the exposure have been established, a quantitative assessment
of the financial significance of the risk exposure needs to be conducted.
This requires an appreciation of the characteristics of the source of risk,
gained by conducting impact and frequency studies and forecasts. When all
this is done, the risk manager can decide on the appropriate hedge to
put in place. Some common digital security procedures, such as data
backup or mirroring a website, may be considered a risk
treatment or hedging technique in this sense.

Table 7.2. Four steps of hedging

Step                                          Function
1. Identifying the source of risk exposure    Identify business systems, networks and data for vulnerabilities or weaknesses
2. Quantifying the exposure                   Estimate financial impacts or losses from disruption to operations
3. Assessing the impact of exposure           Analyze risks and rank them by criticality
4. Selecting the appropriate hedge            Allocate resources to mitigate and manage critical risks

The company needs to measure the sensitivity of its
performance to the source of risk to understand the benefit (security or
positive risk) and impact (cost or negative risk) that arise from the
exposure. This analysis helps establish the criticality of the exposure to the
business and allows the company to offset the negative risk against positive
risk to balance the risk-reward trade-off. There is also a need to establish
whether the exposure is contingent upon the outcome of another event,
such as an investment in technology. If so, hedging such an exposure may
need an option-based strategy. However, the cost of risk management in
cybersecurity is still often not fully understood, including the cost of
business downtime or recovery time.

The overall impact of a risk can be evaluated by studying the costs and
benefits to the company and its shareholders of a particular hedging
strategy. The prospect of losses can disrupt the execution of the
company's business strategy. Therefore, one of the benefits of risk
management is that it allows managers to focus directly on shareholder
value as an objective in decision making. The next step is to determine
the type of risk management product (derivative) to use in the hedge.
Derivatives are financial instruments whose value is derived from the
value of an underlying asset. Generally, there are two types of derivatives:
exchange-traded and over-the-counter (OTC) derivatives. Exchange-traded
derivatives (ETDs) are standardized instruments traded on a licensed
exchange, with a clearinghouse acting as the counterparty to each contract.
Over-the-counter derivatives are custom-made contracts traded directly
between two counter-parties without an intermediary. While derivatives are
among the most traded financial instruments on the market, the same cannot
be said of cyber-financial instruments. At the moment cyber-insurance
products are the only viable option available to companies to hedge their
information security risks, and there is a need to establish a cyber-financial
derivatives trading market offering a broader set of novel risk-mitigating
financial instruments (Pandey & Snekkenes, 2014).

7. CYBERSECURITY MITIGATION TOOLS & TECHNIQUES

Cybersecurity relates to protecting information systems from
cyberattacks using technologies that are applied to systems, networks, and
data. Trying to keep up with the rapid evolution of algorithms, commercial
applications and software makes mitigating cyber risk that much more
challenging. Table 7.3 presents some common cyber threats,
their attack methods, and risk mitigation tools and techniques.

Table 7.3. Cyberthreat mitigation tools

Threat: Malware
Attack method: Use of computer viruses, adware, spyware, trojan horses, and
worms to steal data or damage systems. Malware is planted using email
attachments, software downloads, and exploitation of operating system
vulnerabilities.
Mitigation:
- Scan email attachments for malware at the mail gateway and on endpoints
- Avoid opening suspicious attachments
- Check the authenticity of URL links before following them
- Maintain operating system software and check it for weaknesses
- Regularly apply patches to firewalls and operating systems

Threat: Social engineering / phishing
Attack method: Acquiring and exploiting user passwords, typically through
emails that redirect users to counterfeit websites. Phishing is used to steal
banking/login credentials and data and to impersonate users.
Mitigation:
- Check that the sender's email address is genuine
- Staff training
- Implement technical measures such as firewalls, rigid data classification,
  strong/unique passwords backed by multi-factor authentication, and regular
  review of access records
- Regularly apply patches to firewalls and operating systems

Threat: Denial of service / distributed denial of service (DoS/DDoS)
Attack method: A DoS attack floods a target with traffic so that a service
becomes unavailable. The distributed sub-category (DDoS) uses many
compromised, connected devices (a botnet) to inundate targeted websites
with massive volumes of fake traffic. The purpose of the attack is to disable
a system and make a service unavailable.
Mitigation:
- Use scrubbing or filtering centers to analyze traffic to a website and
  remove malicious traffic
- Content delivery networks to absorb load and minimize the distance between
  resources and users
- Firewalls
- Strong passwords on network-connected devices, so that they are not
  recruited into botnets

Threat: Man in the middle
Attack method: The attacker interposes between two parties and impersonates
the person or entity at the other end, intercepting or altering traffic.
Mitigation:
- VPN: a remote-access VPN for mobile users to establish secure connections
  to the organization's network
- Use encrypted wireless access points (WAPs)
- Ensure HTTP connections are protected with TLS (HTTPS)
- HTTP Strict Transport Security (HSTS) security policy mechanism

Threat: Drive-by downloads
Attack method: Computers are infected simply by visiting compromised or
malicious websites.
Mitigation:
- Avoid visiting malicious websites
- Use strong passwords and usernames for admin accounts
- Install and keep anti-virus software up to date
- Remove outdated or unsupported components on websites

Threat: Malvertising
Attack method: Advertisements that criminals use to infect businesses by
redirecting a computer to a site that injects malware.
Mitigation:
- Install an ad blocker
- Regularly apply patches
- Avoid websites that make unbelievable offers

Threat: Password attack
Attack method: An attempt to steal or decrypt a password, usually by brute
force, password sniffers, cracking programs, keyloggers, or dictionary
attacks.
Mitigation:
- Strict password policy including minimum length and rejection of common
  or dictionary words; change passwords on suspicion of compromise (forced
  frequent rotation, recommended in older guidance, tends to produce
  predictable variants and is no longer advised by NIST SP 800-63B)
- Use a mix of alphanumeric characters in passwords

Threat: Rogue software
Attack method: Also referred to as SmitFraud or scareware. It is malware
that disrupts a computer system and tricks the user into purchasing fake
anti-virus software. Once the scareware is downloaded, the user's computer
is infected.
Mitigation:
- Use anti-virus protection
- Regularly update firewalls
- Keep up to date with software information and do not trust individual
  websites that offer security products

Threat: SQL injection attacks
Attack method: Malicious input is injected into SQL queries that are built
from untrusted data, allowing an attacker to steal, modify, or destroy data.
It can also be used to elevate privileges at the application or database
level or as a base to attack other systems.
Mitigation:
- Use parameterized queries (prepared statements) rather than SQL built
  from strings
- Firewalls, including web application firewalls
- Reduce the attack surface
- Regularly apply patches
- Apply the principle of least privilege to database accounts
- Do not share database accounts between applications
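
The last row of Table 7.3 is clearest in code. The following is an added example, not code from the book or from any product it cites: it uses Python's standard sqlite3 module against a constructed in-memory users table (the password "hashes" are placeholder strings) and shows the string-built query that is injectable beside the parameterized query that is not.

```python
import sqlite3

# Constructed sample data: placeholder strings stand in for real password hashes.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "admin"),
    ("bob", "hash-of-bob-pw", "user"),
]


def setup_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password_hash):
    """VULNERABLE: untrusted input is concatenated into the SQL text.
    Returns the usernames the query matched."""
    query = (
        "SELECT username FROM users WHERE username = '%s' "
        "AND password_hash = '%s' ORDER BY username" % (username, password_hash)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password_hash):
    """SAFE: a parameterized query. The driver passes the values separately from
    the SQL text, so quotes or comment markers in the input cannot alter the query."""
    query = (
        "SELECT username FROM users WHERE username = ? "
        "AND password_hash = ? ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username, password_hash))]


def demo():
    """Run both variants against two classic payloads and return the outcomes."""
    conn = setup_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    comment = "alice' --"       # comments out the password check entirely
    return {
        "vulnerable_tautology": login_vulnerable(conn, "nobody", tautology),
        "safe_tautology": login_safe(conn, "nobody", tautology),
        "vulnerable_comment": login_vulnerable(conn, comment, "anything"),
        "safe_comment": login_safe(conn, comment, "anything"),
        "safe_legit": login_safe(conn, "bob", "hash-of-bob-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tautology payload returns every row from the vulnerable function and nothing from the safe one, and the comment payload logs in as alice without any password check. Running the application's database account with least privilege, as the table recommends, limits what an injection can do but does not prevent it; only keeping data out of the query text does.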

8. NETWORK PROTECTION TECHNIQUES

Network protection, or network security, aims to reduce the attack surface
of a network and is central to cybersecurity. One element of it is preventing
employees from reaching harmful domains while using devices connected
to the network. Dangerous domains are those that host phishing scams,
exploits, and other malicious content on the internet. The network protection
system is made up of both hardware and software that protect the underlying
networking infrastructure from unauthorized and malicious intrusions.

8.1. Perimeter Network

A demilitarized zone (DMZ), also known as a perimeter network or
screened subnet, is a physical or logical subnetwork that
contains an organization's external-facing services exposed to untrusted
networks such as the Internet. The purpose of the DMZ is to provide a buffer
zone and a gateway to external networks, thus limiting the internal network's
exposure to the public Internet and its threats. The perimeter network is
secured by devices such as firewalls, some forms of IDPS, and antivirus
systems to protect itself and the internal network it shields. The internal
network that is secured by the perimeter network is known as a “trusted”
network.

8.2. Firewalls

A firewall is a network security appliance or software application that
inspects incoming and outgoing network traffic, traditionally by examining
packet headers, and decides whether specific traffic should be rejected,
accepted, or flagged according to a set of security policies and rules. Rules
typically match on protocol type (for example, allowing Simple Mail Transfer
Protocol (SMTP) only to the mail relay), on predefined source or destination
addresses, and on source or destination ports; traffic that matches no permit
rule should be dropped by default. Stateful firewalls also track connection
state, and application-layer firewalls inspect payload content. By creating a
perimeter around an organization's internal networks, firewalls protect them
from malicious intrusion, unwanted access, and untrusted connections. As a
result, the perimeter-protected network is considered "trusted," although
modern designs avoid relying on that implicit trust alone.
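
To make the rule semantics concrete, here is an added example (not from the book and not any vendor's firewall syntax) of a minimal packet filter in Python: rules match on protocol, source and destination address and destination port, are evaluated first-match, and anything unmatched is rejected. The policy and addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for a DMZ and the outside world.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept", "reject" or "flag" (accept but log)
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; "0.0.0.0/0" means any IPv4 address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


# Constructed policy for a DMZ: only SMTP to the mail relay and HTTPS to the web
# server are permitted from anywhere; SSH from the internal range is allowed but
# flagged for review; telnet is refused outright. Hosts are invented.
POLICY: List[Rule] = [
    Rule("reject", proto="tcp", dport=23),                          # telnet never allowed
    Rule("accept", proto="tcp", dst="203.0.113.10/32", dport=25),   # SMTP to relay
    Rule("accept", proto="tcp", dst="203.0.113.20/32", dport=443),  # HTTPS to web server
    Rule("flag", proto="tcp", src="10.0.0.0/8", dport=22),          # internal SSH, logged
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation with an implicit default-deny.

    Returns (action, index of the matching rule), or ("reject", None) when no
    rule matched, so unlisted traffic is dropped rather than allowed."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "reject", None


def filter_traffic(rules, packets):
    """Apply the policy to a batch of packets; return the decisions and the flag log."""
    decisions, log = [], []
    for pkt in packets:
        action, idx = evaluate(rules, pkt)
        decisions.append(action)
        if action == "flag":
            log.append(f"rule {idx}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return decisions, log


if __name__ == "__main__":
    sample = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 25),   # external SMTP to relay
        Packet("tcp", "198.51.100.7", "10.1.2.3", 25),       # SMTP straight to the inside
        Packet("tcp", "198.51.100.7", "203.0.113.20", 23),   # telnet to the web server
        Packet("tcp", "10.0.0.5", "203.0.113.20", 22),       # internal SSH
        Packet("udp", "198.51.100.7", "203.0.113.20", 53),   # no rule: default deny
    ]
    print(filter_traffic(POLICY, sample))
```

The second packet is the one to notice: SMTP is a permitted protocol, but because the rule names the relay as destination, mail aimed directly at an internal host falls through to the default deny. Rule order matters too; the telnet reject sits first so that no later accept can be widened to cover it by mistake.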

8.3. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

Intrusion detection and prevention systems (IDPSs) are hardware or software
systems that detect intrusions and, in the case of an IPS, also block them.
IDPSs are configured to alert network operators to any intrusions or attempted
attacks so that measures can be taken to prevent intrusions and reduce their
impact on the network.

Host-based IDPSs (HIDSs) protect servers and host data
assets. HIDSs are software programs that reside on a single computer or
device and monitor it for changes, typically by comparing files,
configuration and logs against a known-good baseline. HIDSs are well suited
to mission-critical systems like servers whose configuration changes only
rarely, so that any unexpected change stands out.
Antivirus software, which works directly on the host device, can also be
categorized as a kind of HIDS. This software scans files for malware
signatures, which are patterns of known malware and infections. The
software may also control access to critical directories to prevent
malware from being installed in the first place, making it more of an
integrated intrusion detection and prevention system when configured to do so.
Network-based IDPSs (NIDSs) are not installed on the hosts but rely
on discrete devices known as sensors that are strategically positioned
throughout the network. NIDSs monitor network traffic and identify or act
on packets that may be considered a threat. These systems inspect all
data that passes through a specific network point, which may serve many
devices.
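
The change monitoring and signature scanning described above can be illustrated with a small added example in Python (it is not the book's code nor any commercial HIDS): it hashes every file under a directory to form a baseline, reports files added, removed or modified since, and flags files containing a constructed signature string. The directory, files and marker are all constructed inside a temporary folder.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed signature database: byte patterns standing in for real malware
# signatures. The marker string is invented for this example and is harmless.
SIGNATURES = {"demo.dropper": b"CONSTRUCTED-MALWARE-MARKER"}


def _walk(root):
    """Yield (relative path, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def hash_tree(root: str) -> Dict[str, str]:
    """Baseline: SHA-256 of every file under root, keyed by relative path."""
    digests = {}
    for rel, full in _walk(root):
        h = hashlib.sha256()
        with open(full, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[rel] = h.hexdigest()
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_signatures(root: str, signatures=SIGNATURES) -> List[Tuple[str, str]]:
    """Antivirus-style check: flag any file that contains a known signature."""
    hits = []
    for rel, full in _walk(root):
        with open(full, "rb") as f:
            data = f.read()
        hits.extend((rel, name) for name, pattern in signatures.items() if pattern in data)
    return sorted(hits)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a throwaway 'host', take a baseline, tamper with it, and detect the tampering."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "bin/sshd", b"placeholder binary contents\n")
        baseline = hash_tree(root)
        # Simulated intrusion: a system binary is altered and a dropper appears.
        _write(root, "bin/sshd", b"placeholder binary contents\nbackdoor\n")
        _write(root, "tmp/dropper", b"junk CONSTRUCTED-MALWARE-MARKER junk")
        return compare(baseline, hash_tree(root)), scan_signatures(root)


if __name__ == "__main__":
    changes, hits = demo()
    print("changes:", changes)
    print("signature hits:", hits)
```

A real deployment keeps the baseline off the monitored host (an attacker who alters a binary can just as easily rewrite a baseline stored beside it) and limits integrity checks to paths that are expected to be static, which is why the text recommends HIDS for servers whose configuration rarely changes.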

8.4. Access Control

Access control is a security mechanism that keeps unauthorized users and
devices out of a private network. It limits access to just those users and
devices that have been authorized and are compliant with security policies.
The two most common types of access control used by businesses are logical
access control and physical access control. Logical access control systems,
such as firewalls and IDPSs, protect important cyber assets like systems,
networks, and data from unwanted access. Within logical access control,
mandatory access control (MAC) restricts users' access to information
assets according to security labels and clearances set by a central policy
that users cannot override, while role-based access control (RBAC) grants
access based on users' jobs. Physical access control systems (PACS) are a
form of physical security system that restricts or enables entry to a
specific area or facility. Fobs and key card entry systems, encrypted badges,
mobile credentials, PIN codes, and passwords are all different forms of
credentials used in physical access control.

Authentication, authorization, and accounting (AAA) refers to a
network administration and security framework for restricting
access to computer resources by enforcing policies and auditing
usage. Authentication is the process of verifying a user's identity by having
the user present a valid user name and password, a one-time code, or a
fingerprint before access is granted. Multifactor authentication refers to
the use of more than one of these types of factor. Authorization refers to
granting the appropriate level of access to a user based on their privileges
or credentials. It is the process of enforcing policies that determine what
the user is permitted to access in terms of resources, activities, or
services. This is governed by the "principle of least privilege," which
means granting the minimal level of user rights, or lowest clearance level,
that allows a user to perform essential functions only. Any authorization
beyond that opens up the chance of unintentional or intentional misuse.
Accounting involves keeping track of what users do while signed into a
system. This can include the time spent on the system or the quantity of
data sent and/or received by a user during a session. It is critical to keep
track of users and their activity; accounting oversight is conducted by
logging session statistics and usage data, and the information captured is
used for authorization control, resource utilization, trend analysis, and
capacity planning. In addition, accounting helps with tracing back the
events leading up to a cybersecurity problem, which is useful in forensics
for identifying culprits and also for learning from the incident.
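
The three A's and the least-privilege rule can be illustrated with an added example in Python that is not from the book: passwords are stored as salted PBKDF2 hashes, the second factor is an RFC 6238 TOTP computed with the standard library, authorization consults a constructed role table that lists only the actions each role needs, and every decision is written to an accounting ledger. Users, roles and the example secret are all constructed.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, List, Optional

# Constructed role table: each role lists only the actions it needs (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {"read_logs", "read_alerts"},
    "admin": {"read_logs", "read_alerts", "manage_users"},
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, as in common authenticator apps)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class AAAServer:
    def __init__(self):
        self.users: Dict[str, dict] = {}
        self.sessions: Dict[str, str] = {}   # session id -> username
        self.ledger: List[dict] = []          # accounting records

    def _record(self, user: str, event: str, detail: str = "", now: int = 0):
        self.ledger.append({"time": now, "user": user, "event": event, "detail": detail})

    def register(self, username: str, password: str, role: str) -> bytes:
        """Store a salted PBKDF2 hash (never the password) and return the TOTP secret."""
        salt = os.urandom(16)
        secret = os.urandom(20)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "totp_secret": secret,
            "role": role,
        }
        return secret

    def authenticate(self, username: str, password: str, code: str, now: int) -> Optional[str]:
        """Factor 1: something you know (password). Factor 2: something you have (TOTP).
        Returns a session id, or None on failure; every attempt is accounted for."""
        user = self.users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt = user["salt"] if user else b"\x00" * 16
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        ok = user is not None and hmac.compare_digest(candidate, user["hash"])
        ok = ok and hmac.compare_digest(code, totp(user["totp_secret"], now))
        if not ok:
            self._record(username, "authn_failed", now=now)
            return None
        sid = os.urandom(16).hex()
        self.sessions[sid] = username
        self._record(username, "authn_ok", now=now)
        return sid

    def authorize(self, sid: str, action: str, now: int = 0) -> bool:
        """Allow the action only if the session's role explicitly grants it."""
        username = self.sessions.get(sid)
        if username is None:
            return False
        allowed = action in ROLE_PERMISSIONS.get(self.users[username]["role"], set())
        self._record(username, "authz_ok" if allowed else "authz_denied", action, now)
        return allowed


if __name__ == "__main__":
    server = AAAServer()
    secret = server.register("carol", "correct horse battery staple", "analyst")
    now = int(time.time())
    sid = server.authenticate("carol", "correct horse battery staple", totp(secret, now), now)
    print("read_logs:", server.authorize(sid, "read_logs", now))
    print("manage_users:", server.authorize(sid, "manage_users", now))
    print(server.ledger)
```

Denied authorizations are logged as deliberately as successful ones: a run of "authz_denied" records for one account is exactly the trace the accounting function exists to preserve for the forensic reconstruction the text mentions.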
Physical access control is another layer of access security to limit
unauthorized access to premises, workstations, and physical IT assets like
servers and routers. It refers to the application of security measures inside
a defined structure to restrict or prohibit access to sensitive information
systems or networks. To ensure the continuing operation of information
systems, physical security control is a safeguard to prevent illegal physical
access and physical harm. Physical security control is just as vital as
cybersecurity, and the two work together in the cyber risk management
process. Policies and procedures that limit users' access to vital systems,
networks, and data are among the physical control measures.

9. EMERGING CYBERSECURITY TECHNOLOGIES

When it comes to managing the risk of cyber-attacks, cybersecurity
remains a serious concern for many enterprises. On the other hand, various
developing technologies can provide important tools for countering cyber-
attacks. Some of these technologies are cloud computing,
artificial intelligence, blockchain, the Internet of Things, and big data.

9.1. Cloud Computing

Many firms can now outsource their data storage to cloud service
providers who specialize in data security, which can improve confidentiality,
integrity and availability (CIA) through better dependability and
performance. Cost savings, scalability, higher processing speed, and the
flexibility for management to devote more time to core company tasks are
some of the advantages of cloud computing. Firms that use cloud storage
have the option to scale their cloud services up or down in response to
varying data volumes while maintaining a comparable degree of security,
all while saving money. Data stored in the cloud decreases the risk of
internal hostile attacks and business interruptions caused by power
failures, human error, and natural catastrophes. Employees can access cloud
data, which is encrypted, subject to need-to-know restrictions and security
protocols.
Cloud computing solutions include security mechanisms to protect
critical transactions and information from third-party data breaches. By
integrating mitigation measures at many levels, providers can absorb or
filter massive volumes of traffic directed at a business's cloud servers,
limiting the impact of a distributed-denial-of-service attack.
Outsourced data storage has advantages, but it also exposes businesses to
cyber hazards. For example, cloud service providers are high-value targets
for cyber-attacks, and a data breach at a cloud service provider is likely to
cause severe business disruption to their clients. Under the shared
responsibility model the customer also remains accountable for its own
configuration, identities and access controls, and a misconfigured cloud
service exposes data just as a misconfigured server would.

9.2. Artificial Intelligence

Artificial intelligence (AI) has become a useful tool for facilitating
cybersecurity. The potential of natural language processing (NLP) is one of
the most compelling arguments for using AI in cybersecurity. By
analyzing news, articles, and research on cyber threats, AI-powered
systems can automatically collect threat data. These systems employ NLP to
extract valuable information from the scanned material, resulting in insights
about attacks, mitigations, and anomalies that inform risk control measures.
AI can also assist businesses in building adaptive (risk-based) multi-factor
authentication systems. Such systems track user behavior, device usage,
network activity, location, and application data. This information is used,
alongside the user's credentials, to assess how likely it is that a session is
legitimate, and the system can step up authentication or modify the user's
access rights accordingly. This makes it difficult to impersonate someone
else. As it operates in real time and on a worldwide basis, the system can
monitor and adjust access rights based on network or location.

9.3. Blockchain

As a peer-to-peer network technology, blockchain records all data
transfers across different networks in a shared and distributed ledger.
Blockchain is a decentralized network that builds on advances in
cryptography and employs consensus algorithms to authenticate data
ownership and accuracy; these are distinct elements of a comprehensive
cybersecurity strategy. The main advantage of blockchain is that it allows
parties to transact securely without a trusted intermediary, regardless of
their sector. Its proponents argue that data breaches, cyberattacks, identity
theft, and transaction fraud can all be reduced using blockchain
technology36. Blockchain provides transparency and tamper evidence: every
block carries the hash of its predecessor, so altering a committed record
would require recomputing every subsequent block and gaining consensus for
the change. Therefore, blockchain can offer significant changes to the
identity and access management process.

9.4. Big Data

Big Data is a game-changer in our modern world. In cybersecurity, big data
involves using large volumes of data to analyze irregularities in systems
and networks. Using relevant and verifiable data in their growth strategy
means that firms have to utilize big data analytics. Big data analytics
works hand-in-hand with artificial intelligence to collect and collate vast
amounts of data from different sources to evaluate cyber risk for decision
making. Cybersecurity-related information from big data can cut down on
the time it takes to identify and resolve a problem. Real-time analytics and
predictive analytics are used to assess network vulnerabilities and dangers
as well as to predict and avoid network disruptions. Hurst, Merabti and
Fergus (2014) suggest big data analysis techniques to detect anomalies that
could pose threats to cyberinfrastructures.

CONCLUSION

In addition to adopting software as a cybersecurity mitigation
approach, organizations must also have a thorough set of policies and
procedures for regulating personal devices and software applications
connected to company networks. Organizations should keep their systems
up to date with the most recent updates, regularly back up their data, and
monitor system logs and security alerts.

36
NASA is a recent example of an organization that has decided to use blockchain technology
to improve its cybersecurity and prevent denial of service and other attacks on air traffic
services (Security Today, 15th January 2019). https://securitytoday.com/articles/
2019/01/15/nasa-to-boost-data-security-with-blockchain-technology.aspx.

Cybersecurity has become a major concern for businesses, and devising
new ways to protect against cyber-attacks has become a preoccupation for
the C-suite, regulators, and other stakeholders. This has spurred increased
research and development around the world into developing new
technologies against cybercrime. Emerging cybersecurity technologies
include quantum computing, hypervisors, edge computing, and anti-
malware detection systems.
Chapter 8

CYBER RISK MONITORING, DETECTION AND REPORTING

1. INTRODUCTION

This chapter discusses the monitor, detect & report phase (Step Four)
of the operational ERM process. It covers monitoring, detecting the risk
conditions, and reporting them to the relevant stakeholders. In other words,
this step covers the surveillance of the cyber risk status and conditions and
reporting them to the relevant parties. Companies have put more focus on
both internal and external risk reporting in recent years as they have
become an important corporate governance mechanism in ERM for
accountability, efficiency, and transparency in the business world. Risk
reports disclose information about the company's status of risk exposures,
mitigation actions, and risk control processes. The focus is on existing
critical or severe risks that have an immediate impact on the company, as
well as emerging risks that must be monitored to avoid future losses.
As a result of internal risk reporting, it may be necessary to repeat a
partial or full cycle of the risk control process to properly address a risk.
Some of the benefits of risk reporting are: improve strategic risk planning
as more up-to-date relevant information about the risk situation is made
available for timely and confident decision making; help to heighten risk
awareness and reinforce the corporate risk culture through pro-active and
continuous communication; allow better and up-to-date risk monitoring
and detection; reduce the probability and risk impact from risk
management weaknesses due to information gap and information
asymmetry; ensure growth opportunities are taken up; a good risk
reporting regime will reduce information overload and help to detect any
breach of the information infrastructure, and aid strategy setting and
operational planning.
Most firms provide a general statement of risk (Linsley & Shrives,
2006) comprising mainly qualitative content in their annual reports
(Beretta & Bozzolan, 2004). The Australian Stock Exchange's (ASX)
external disclosure guidelines published in 2014, the “Corporate
Governance Council Principles & Recommendations (3rd Edition),”
taking effect from 1 July 2014, include a new recommendation that
explicitly requires that:

“A listed entity should disclose whether it has any material exposure
to economic, environmental and social sustainability risks and, if it does,
how it manages or intends to manage those risks.”

Some countries have a better record than others of encouraging
companies to report on risk. Much of the guidance and regulatory
requirements for mandatory risk reporting were developed after financial
crises or scandals (e.g., the Sarbanes-Oxley Act 2002). The United States
has required companies registered with the Securities and Exchange
Commission (SEC) to describe the risks faced by the business since the
1970s. In the European Union (EU), the “EU Accounts Modernisation
Directive” of 2003 requires companies to describe the risks they face in
both annual and interim reports. The EU's “General Data Protection
Regulation” (GDPR) requires a personal data breach to be notified to the
supervisory authority within 72 hours of the organization becoming aware
of it, unless the breach is unlikely to result in a risk to individuals' rights
and freedoms. The UK Financial Reporting Council in November 2013
published a consultation paper37 that proposed a more integrated approach
to risk reporting, linking risk management to internal controls and going
concern.

2. MONITORING, DETECTION, AND REPORTING RISK

After risks are identified, assessed, and mitigated, the organization
needs to monitor and detect risks continuously and report on them at
regular intervals, covering the state of the exposure as well as the
effectiveness of the measures, to confirm that the inherent nature of the
risk (i.e., frequency and/or impact) has not changed and that the measures
remain sufficient. These actions constitute the fourth phase in the ERM/ORM
process (Figure 8.1). In this phase, corrective actions are necessary if the
severity of the reported risk has increased, if the measures put in place are
no longer sufficient to protect the organization from potential losses within
its risk tolerance, or if untoward activity on the enterprise's systems,
networks, and servers may result in a breach or compromise of the CIA
triad. Risk disclosure also improves communication between management
and external stakeholders by mitigating information asymmetry, which
results in better knowledge about the company and its risk control activity.
Detection activities are facilitated by a combination of cyber and
physical tools. These tools include up-to-date IDPSs, log monitoring, and
surveillance equipment to help detect potential security breaches and
cyber-attacks. Figure 8.2 outlines the relationship of the monitor and detect
activities to the reporting stage of the ERM/ORM framework.
As a continuous process, the monitoring and detection tasks are likely
to discover new risks that will be added to the list of critical risks and others
removed. All risks on this list will need to be regularly reviewed and
reprioritized to determine whether the current plans are sufficient or what
new actions are required. Critical risks should be reported regularly to
appropriate stakeholders as part of effective enterprise risk management

[37] The UK’s Financial Reporting Council (November 2013) consultation paper on amending
Actuarial Standard Technical Memorandum 1 (AS TM1) for revised disclosure regulations.
168 Kok-Boon Oh, Bruce Ho and Bret Slade

practice. On-going and effective communication and reporting between the
risk management team and management on existent and potential risks are
essential, for they enable the sharing of all information and are the cornerstone
of effective risk management.

Figure 8.1. Monitor, detect & report risk in the ERM/ORM cycle.

Figure 8.2. Monitoring, detecting, and reporting cyber risks. [Figure content: reporting flows to Internal Stakeholders and External Stakeholders.]


Cyber Risk Monitoring, Detection and Reporting 169

2.1. Monitor Risk

The main information security goals of an organization are protecting
confidentiality, integrity, availability of systems and data, and reputation.
Monitoring risk entails oversight of the implementation of the accepted
risk response plans, tracking identified risks, identifying and analyzing
new risks, and evaluating the effectiveness of risk management processes.
The purpose is to provide a real-time view of cybersecurity risk status and
triggering events to facilitate updating risk measurements whenever
relevant changes occur. Corrective actions are necessary if the severity of
the risk has increased and/or the measures put in place are no longer
sufficient to protect the organization from potential losses within the limit
of its risk tolerance.
Risk monitoring requires tracking risk measurements, or key performance
indicators (KPIs), to ensure that the risk actions are effective and being
carried out as planned. Therefore, part of the risk monitoring process
involves establishing KPIs or risk metrics to measure results. KPIs play an
integral role in ERM as they are the organization's targets or goals that
must be met to reap benefits. The best risk metrics offer valuable hints to
the risk levers the company can pull to improve them. The main KPIs that
information security should monitor are CIA triad performance and firm
reputation. The Confidentiality KPI addresses sensitive data disclosure to
unauthorized users by imposing mitigating actions to prevent data leakage.
The Availability KPI refers to making key infrastructure assets available and
accessible to authorized end-users; potential breaches are mitigated by
IT and management policies and procedures, tools, and technologies to
protect availability. The Integrity KPI monitors an organization's assets'
capacity to perform their expected tasks effectively and efficiently without
disruptions. Mitigating factors include ensuring the appropriate
architecture and utilization of any asset that stores, processes, and retrieves
data are restricted to only authorized users and not permitting an
unauthorized user to alter the stored data on the systems or communicate
data over the network. The purpose of Reputation KPI is to ensure the
public's trust and confidence in an organization remains intact. It should

also be noted that while KPIs are used to measure past performance, they
also act as a useful tool for identifying emerging risks.
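The following is an added example, not code from the book or its authors, showing how the KPI monitoring described in this section can be turned into a periodic check: each KPI is compared against the organization's tolerance limit (the corrective-action trigger described above), and a KPI that is still within tolerance but has been moving steadily toward its limit is flagged as an emerging risk. The KPI names, measurements and tolerance values are constructed for illustration.

```python
"""Risk-monitoring KPIs checked against the organization's tolerance limits."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Kpi:
    name: str
    higher_is_better: bool
    tolerance: float   # constructed limit beyond which corrective action is required
    history: tuple     # periodic measurements, oldest first (constructed values)

    def worse(self, later: float, earlier: float) -> bool:
        """True when the later reading is worse than the earlier one for this KPI's direction."""
        return later < earlier if self.higher_is_better else later > earlier


def breaches_tolerance(kpi: Kpi) -> bool:
    """The latest reading is outside the tolerance limit: a corrective-action trigger."""
    latest = kpi.history[-1]
    return latest < kpi.tolerance if kpi.higher_is_better else latest > kpi.tolerance


def is_emerging(kpi: Kpi, periods: int = 3) -> bool:
    """Still within tolerance, but the last `periods` readings move steadily toward the limit."""
    if breaches_tolerance(kpi) or len(kpi.history) < periods:
        return False
    recent = kpi.history[-periods:]
    return all(kpi.worse(b, a) for a, b in zip(recent, recent[1:]))


def status(kpi: Kpi) -> str:
    if breaches_tolerance(kpi):
        return "corrective action"
    if is_emerging(kpi):
        return "emerging risk"
    return "within tolerance"


# Constructed KPI set following the CIA-plus-reputation grouping of Section 2.1
KPIS = (
    Kpi("availability: uptime of key systems (%)", True, 99.5, (99.9, 99.8, 99.7, 99.6)),
    Kpi("confidentiality: DLP-blocked exfiltration attempts / month", False, 20, (4, 6, 5, 7)),
    Kpi("integrity: unauthorized configuration changes / month", False, 0, (0, 0, 0, 2)),
    Kpi("reputation: negative media mentions / month", False, 10, (3, 2, 4, 3)),
)


def risk_status_report(kpis=KPIS) -> dict[str, str]:
    """One status per KPI, in the spirit of a periodic risk status report."""
    return {k.name: status(k) for k in kpis}


if __name__ == "__main__":
    for name, s in risk_status_report().items():
        print(f"{s:18} {name}")
```

In the constructed data the integrity KPI has breached its limit and needs corrective action, while availability is still inside tolerance but has declined for three consecutive periods, which is the "emerging risk" signal the text refers to; a plain threshold check alone would not report it.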

2.2. Detect Risk

The NIST Cybersecurity Framework defines the detect function as one for
identifying the “occurrence of a cybersecurity event.” Detection refers to
tracking a network, applications, or other assets within the network to
identify threats. Early detection of any threat is crucial to minimize “dwell
time” and prevent lateral movement, that is, attacks moving
from one system or department to another within an organization. The
rapid pace of today's business innovation means that some threats will
inevitably evade even the most stringent security safeguards, therefore
requiring a shift from reactive cybersecurity detection to proactive cyber
risk management to enable a more effective threat detection function
(Amjad et al., 2016).
Companies invest a lot of money in the latest detection technologies
and automated intelligence to generate and sift through the huge amount
of network security data to detect threats. Some of the technologies for
detecting cyber-attacks are: intrusion detection and prevention systems
(IDPS), which automatically generate alerts in the event of an attack;
anti-virus software, which prevents, detects, and removes software viruses,
and anti-spam software, which blocks spam from entering a system;
firewalls, which protect a network or system from unauthorized access;
system and application logs, which capture all actions on a network or
system to keep track of its activity or traffic and show how it generally
works; vulnerability scanners, which identify and fix vulnerabilities in
systems or networks; and network analyzers, which detect anomalous network
traffic. The detection of a risk event may
also be a trigger for activating the risk response and recovery process if the
risk poses a significant threat to the firm.
Detection activities are normally located in a Security Operations
Centre (SOC), which is a centralized function within an organization
responsible for defending against both internal and external cyberattacks. The SOC houses an
organization's IT security monitoring and incident response efforts in a
single location to continually monitor and enhance the security position of
an organization while preventing, detecting, analyzing, and responding to
cybersecurity incidents.

2.3. Report Risk

Organizations report risks for strategic and operational reasons, as well
as for compliance. The risk reporting function involves disclosure to both
internal and external stakeholders (Figure 8.2) for different reasons. The
impact of risk actions on individual business units and corporate risk
profiles should be the focus of effective risk reporting (PwC, 2011) and
reports should be precise, business-focused, and pragmatic so that those
who receive them feel well-informed enough to take action (Epstein &
Buhovac, 2006). Therefore, reporting mechanisms should also be in place
to ensure that a cyber-attack is communicated as quickly and precisely as
practical to the relevant person or authority in the incident response plan
structure for action. This type of specific reporting is discussed in Chapter
9 as part of the incident response process.

2.3.1. Internal Reporting


Enterprise risk management (ERM) frameworks include the reporting
of risk information as a component element. While compliance risk
reporting is regulated and adequate, the integration and communication of
identified risks and risk performance into the internal reporting system
poses a challenge to firms that wish for a reporting regime that will
facilitate strategic and operational decision-making. Thus, internal risk
reporting must be given more attention to provide relevant information
to internal users, as decision-makers need to be aware of the various
organizational risks to avoid decisions, or non-decisions, that can
cause significant organizational costs. Internal audiences of cyber risk
reports include the board of directors, risk committee, c-suite officers,
incident response team members, internal auditors, business unit
managers, employees, business partners, suppliers and contractors. At
the SRM level, the information providing an overview of critical business
risks and function-specific risk management actions is critical for
management oversight, review, planning, and formulating strategy. For
example, the American Institute of Certified Public Accountants’ (AICPA)
new cybersecurity risk management assessment reporting structure offers
organizations, particularly boards in their oversight function, valuable
information (Deloitte, 2017). According to Lam (2006), this type of
reporting may contain qualitative data like at-risk objectives and escalation
of specific events, as well as quantitative data like key performance
indicators (KPIs) or risk metrics and key risk indicators (KRIs). At the
operational level information about the ORM cycle and crisis management
processes are communicated and shared with functional process owners to
conduct and maintain daily risk control activities as well as for learning
and improvement initiatives. The ORM policies and procedures should
spell out the type of information to be disclosed, to which party, and the
purpose.
Internally, companies must provide regular integrated reporting on the
results of continuous monitoring and detection to gauge performance and
mitigate risks as they arise. Robin et al. (2002) refer to this reporting
regime as the “risk status report” and recommend that it should disclose
four possible risk control scenarios for each risk, as follows:

• A risk is resolved according to the action plan and no further action
is needed.
• Risk actions comply with the risk management plan and they
continue as planned.
• Some risk activities conflict with the risk management plan, and
remedial steps should be taken.
• Re-analyzing the risks or re-planning an activity due to changes in
the risk situation.

Reporting includes using performance metrics, ranging from impact
measures (return on investment - ROI) to effectiveness and efficiency
measures (i.e., the number of system-level controls that are implemented
according to the cybersecurity policy), to reporting whether goals and
objectives have been achieved successfully to provide management with
the information necessary to make decisions, and aid in holding
stakeholders accountable.

2.3.2. External Reporting


Reporting to external stakeholders, such as regulators for compliance,
brings benefits not only to users but adds value to a firm’s organizational
reputation as “high-quality risk reporting increases investor confidence
and also in the overall quality of management.”[38] The need for external
disclosure of risk is growing with the introduction of regulations governing
information security. External stakeholders like regulators, investors,
financial analysts are becoming increasingly aware of the critical role of
proper cyber risk management in today’s technology-driven business
environment and they want better information on cyber risk exposures and
how the organizations manage them. Therefore, the scope of corporate risk
reporting has gone beyond the traditional scope of just reporting financial
risks. External stakeholders like shareholders and investors need risk
disclosure reporting for assurance that a sound system and process is in
place to identify, assess, and manage cyber risks so that they can better
evaluate corporate performance to make better-informed decisions. The
external stakeholders who are interested in risk disclosure are regulators,
external auditors, shareholders, creditors, financial analysts, customers,
suppliers, non-profit organizations (NGOs), and investors. Management
and stakeholders consider annual reports to be a significant and influential
source of corporate information (Beretta and Bozzolan, 2004). Company
annual reports are important communication tools for management to
communicate with external stakeholders about business performance.

[38] Simon Constant-Glemas of Shell.

3. NIST/CSF – DETECT FUNCTION

The detect function is an important part of a strong cyber program
because the quicker a cybersecurity incident is discovered, the faster the
firm can minimize its consequences. The NIST “Detect” function
encompasses the generic monitoring and reporting step of the generic
ERM framework in performing the relevant actions to detect the existence
of a cybersecurity event (see Figure 8.1). The Detect Function enables the
timely discovery of cybersecurity events. Examples of outcome
Categories[39] within this function are to implement security continuous
monitoring capabilities to observe cybersecurity events and assess the
efficiency of protective measures, including network and physical
activities, ensure anomalies and events are discovered and their potential
impact is understood, and maintain detection processes to ensure that
abnormal cyber activities are detected. Table 8.1 provides a list of
outcomes and associated activities under the detect function.
The NIST/CSF’s Detect function’s Anomalies and Events, Security
Continuous Monitoring, and Detection Processes categories align with the
operational process of the ERM as shown in Figure 8.3.

Figure 8.3. Risk monitoring & reporting - ERM & NIST CSF alignment. [Figure content: ERM/ORM Step 4, Monitor, Detect & Report Risk, maps to the NIST/CSF Detect function and its categories Anomalies and Events (DE:AE), Security Continuous Monitoring (DE:CM) and Detection Processes (DE:DP); sub-categories: all.]

[39] National Institute of Science & Technology (NIST).

Table 8.1. Detect – Outcome categories and sub-categories

Detect (DE)

Category: Anomalies and Events (DE:AE)
• A baseline of network operations and expected data flows for users and systems is established and managed (DE:AE1)
• Detected events are analyzed to understand attack targets and methods (DE:AE2)
• Event data are aggregated and correlated from multiple sources and sensors (DE:AE3)
• Impact of events is determined (DE:AE4)
• Incident alert thresholds are established (DE:AE5)

Category: Security Continuous Monitoring (DE:CM)
• The network is monitored to detect potential cybersecurity events (DE:CM1)
• The physical environment is monitored to detect potential cybersecurity events (DE:CM2)
• Personnel activity is monitored to detect potential cybersecurity events (DE:CM3)
• Malicious code is detected (DE:CM4)
• Unauthorized mobile code is detected (DE:CM5)
• External service provider activity is monitored to detect potential cybersecurity events (DE:CM6)
• Monitoring for unauthorized personnel, connections, devices, and software is performed (DE:CM7)
• Vulnerability scans are performed (DE:CM8)

Category: Detection Processes (DE:DP)
• Roles and responsibilities for detection are well defined to ensure accountability (DE:DP1)
• Detection activities comply with all applicable requirements (DE:DP2)
• Detection processes are tested (DE:DP3)
• Event detection information is communicated to appropriate parties (DE:DP4)
• Detection processes are continuously improved (DE:DP5)

The outcome of the Anomalies and Events (DE:AE) category is the
timely identification of unusual activity and an assessment of the event’s
potential impact on the firm. For users and systems, a baseline of network
operations and expected data flow is built and managed. Thresholds for
incident alerts must be established and implemented and event data from
different sources and sensors are consolidated and correlated for all
detected events for an investigation to determine attack targets and
techniques and for analysis and calculation of the impact from the events.
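The following is an added example, not code from the book or from NIST, illustrating the DE:AE outcomes just described and the detection technologies listed in Section 2.2: a baseline of expected data flows per host is built from a quiet period (DE:AE1), records from two sensors (a flow sensor and an authentication log) are aggregated and correlated per host within a time window (DE:AE3), alert thresholds are applied (DE:AE5), the target is named (DE:AE2), and an impact score is assigned from asset criticality and sensor corroboration (DE:AE4). The record format, hostnames, addresses, thresholds and criticality ratings are all constructed for the example; 203.0.113.9 is a documentation address.

```python
"""Anomalies-and-Events (DE:AE) detection logic over constructed sensor records."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    sensor: str   # which sensor produced the record ("netflow" or "auth")
    ts: datetime
    host: str     # the internal asset the record concerns
    kind: str     # "flow" or "login_failed"
    detail: str   # destination "ip:port" for flows, account name for logins


def parse(line: str) -> Event:
    # Constructed record format: sensor|ISO-timestamp|host|kind|detail
    sensor, ts, host, kind, detail = line.split("|")
    return Event(sensor, datetime.fromisoformat(ts), host, kind, detail)


# Constructed baseline period: flows seen from two servers during normal operation (DE:AE1)
BASELINE_LOG = """\
netflow|2024-03-01T09:00:00|web01|flow|10.0.2.10:5432
netflow|2024-03-01T09:05:00|web01|flow|10.0.2.10:5432
netflow|2024-03-01T09:10:00|web01|flow|10.0.3.5:443
netflow|2024-03-01T09:00:00|db01|flow|10.0.4.2:1514
auth|2024-03-01T09:02:00|web01|login_failed|svc_deploy"""

# Constructed monitoring period: web01 shows a burst of failed logins followed by a
# connection to a destination outside its baseline; db01 shows nothing unusual.
LIVE_LOG = """\
netflow|2024-03-02T10:00:00|web01|flow|10.0.2.10:5432
auth|2024-03-02T10:01:00|web01|login_failed|admin
auth|2024-03-02T10:01:05|web01|login_failed|admin
auth|2024-03-02T10:01:10|web01|login_failed|admin
auth|2024-03-02T10:01:15|web01|login_failed|admin
auth|2024-03-02T10:01:20|web01|login_failed|admin
auth|2024-03-02T10:01:25|web01|login_failed|admin
netflow|2024-03-02T10:02:00|web01|flow|203.0.113.9:22
netflow|2024-03-02T10:03:00|db01|flow|10.0.4.2:1514
auth|2024-03-02T11:30:00|db01|login_failed|backup"""

ASSET_CRITICALITY = {"web01": 2, "db01": 3}   # constructed ratings used for impact (DE:AE4)
FAILED_LOGIN_THRESHOLD = 5                     # constructed alert threshold (DE:AE5)
CORRELATION_WINDOW = timedelta(minutes=5)      # constructed correlation window (DE:AE3)


def build_baseline(log: str) -> dict[str, set[str]]:
    """DE:AE1: the set of destinations each host is expected to talk to."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        ev = parse(line)
        if ev.kind == "flow":
            baseline[ev.host].add(ev.detail)
    return dict(baseline)


def correlate(log: str, window: timedelta) -> list[list[Event]]:
    """DE:AE3: merge records from all sensors, then group them per host into time windows."""
    per_host: dict[str, list[Event]] = defaultdict(list)
    for line in log.splitlines():
        ev = parse(line)
        per_host[ev.host].append(ev)
    groups = []
    for evs in per_host.values():
        evs.sort(key=lambda e: e.ts)
        current = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - current[0].ts <= window:
                current.append(ev)
            else:
                groups.append(current)
                current = [ev]
        groups.append(current)
    return groups


def assess(group: list[Event], baseline: dict[str, set[str]]) -> dict | None:
    """DE:AE2/AE4/AE5: apply thresholds, name the target and rate the impact."""
    host = group[0].host
    failed = sum(1 for e in group if e.kind == "login_failed")
    seen = {e.detail for e in group if e.kind == "flow"}
    new_dests = sorted(seen - baseline.get(host, set()))
    findings = []
    if failed >= FAILED_LOGIN_THRESHOLD:
        findings.append(f"{failed} failed logins")
    if new_dests:
        findings.append("flows outside baseline: " + ", ".join(new_dests))
    if not findings:
        return None
    sensors = sorted({e.sensor for e in group})
    # Impact: asset criticality, doubled when more than one sensor corroborates the activity
    impact = ASSET_CRITICALITY.get(host, 1) * (2 if len(sensors) > 1 else 1)
    return {"target": host, "window_start": group[0].ts.isoformat(),
            "findings": findings, "sensors": sensors, "impact": impact}


def run(baseline_log: str = BASELINE_LOG, live_log: str = LIVE_LOG) -> list[dict]:
    """Build the baseline, correlate the live records and return alerts, highest impact first."""
    baseline = build_baseline(baseline_log)
    alerts = []
    for group in correlate(live_log, CORRELATION_WINDOW):
        alert = assess(group, baseline)
        if alert:
            alerts.append(alert)
    return sorted(alerts, key=lambda a: -a["impact"])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data, the single failed login on db01 stays below the threshold and its flow is inside the baseline, so no alert is raised for it; web01 produces one alert because both sensors report activity in the same window, which is what the correlation step adds over looking at either sensor alone.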

The goals of the detect function are to monitor for and detect malicious
code, unauthorized mobile code, and unusual activity by external service
providers, and to monitor any access to the organization's systems by
unauthorized individuals, connections, devices, and software, so that
potential cybersecurity incidents are detected. The category on security continuous
monitoring (DE:CM) requires organizations to monitor their information
systems and assets, including the physical environment, at regular intervals
to identify potential cyber-attacks and check the efficiency of protective
measures. Human behavior and activity are also tracked to detect potential
cyber-attacks, errors, or omissions.
The detection processes (DE:DP) category recommends maintaining and
regularly testing detection systems and procedures to
provide timely and adequate awareness of abnormal events. The team
will need to be trained and prepared to gather and evaluate data from
numerous sources in order to detect an incident. The program will detect
unusual behaviour or patterns and alert the risk team, and everyone in the
team will be aware of the consequences.
The detect function is one of the most critical, since detecting a breach
or incident early will allow a company to take the necessary actions to
minimize its losses or in the worst case scenario, to ensure its survival.
Following these best practices and adopting these solutions will
undoubtedly assist a company in mitigating cybersecurity risk. The
successful implementation of this activity requires an organization to
ensure that accountability, roles, and duties for detection are specified,
that detection efforts meet all necessary standards, that the detection
processes are regularly tested, and that information about event detection is shared with the
appropriate parties to help improve the detection processes.

CONCLUSION

Risk transparency, both in terms of internal risk reporting and external
disclosure, is a core aspect of successful risk management (Lam, 2007).
Managers require effective risk reporting systems to incorporate risk
assessment into operational decisions and performance evaluation. Risk
information is used by external users to assess the company's performance
and make investment, compliance, or commercial decisions. With the
diversity, magnitude, and complexity or interdependency of risks in the
business environment, risk information users have become more
sophisticated and demanding. Inadequate risk reporting has led to a failure
to adequately incorporate identified risks into strategic and operational
decisions in some businesses (Epstein & Buhovac, 2006). For instance,
businesses need more inclusive, timely, precise, and regular reports to
effectively manage risk but many firms still find this a challenging task.
There is a need to find ways to integrate risk performance into a high-
standard internal risk reporting framework for more timely, informed, and
effective risk management decision-making.
Organizations are under a lot more scrutiny and pressure from both
internal and external stakeholders for their cybersecurity risk management
programs to be upgraded and made more transparent (Deloitte, 2017).
According to Deloitte (2017), the AICPA's cybersecurity risk
management examination reporting framework is a step in that direction
as it can cater to a wide range of users' information needs by adopting just
a single reporting mechanism.
Chapter 9

CYBER ATTACK RESPONSE AND RECOVERY

1. INTRODUCTION

An effective risk management process does not guarantee a firm
full immunity from losses, as risk events are difficult to predict and mitigate
fully. There is a need to take ERM to the next level to align the ERM
function to the crisis management programs. In the context of
cybersecurity, it is essential to understand how crisis management
dovetails with the ERM function before, during, and after a cyber breach
and how the two can leverage off each other in terms of preparedness and
education to prevent a similar incident from happening again in the future.
An effective crisis management policy should define what constitutes a
crisis, address issues such as the authority to declare an event is of crisis
proportion, and convene the crisis management team (Ho, Oh, Durden &
Slade, 2010). A cyber crisis management plan (CCMP) will help the
enterprise respond more effectively to cyberattacks. The benefits of a
CCMP are that it deals with crisis management preparation, incident
response, recovery, and business continuity.

The source of a crisis comes from the risk exposure of a company when
that risk is not properly addressed or managed. A crisis could be the result
of a cyber-attack, a failure of an internal process, an internal or systemic
financial meltdown, product or environmental contamination, destruction
from natural disasters, an act of terrorism, or explosion and fire.
Management of a critical risk requires planning, evaluation, prevention,
testing, and monitoring to mitigate and minimize potential losses from the
exposure. The effectiveness of the risk management process used by a
company will determine the company's preparedness in preventing the risk
from turning into a crisis, affecting employees, the company, and the
community (Ho, et al., 2010). In this chapter, we will explore the
importance of developing the CCMP and its elements for mitigating
cybersecurity incidents.

2. CYBERSECURITY CRISIS MANAGEMENT PLAN

A crisis ensues when a risk is realized, which has the potential to cause
extensive damage to the organization if it is not effectively managed and
on time (Ho, et al., 2010). The CCMP is an action plan that instructs the
incident response team members about a comprehensive approach to
managing cyber-attacks during and after the incidents to minimize
disruptions to business operations. Creating a crisis response strategy
ahead of time increases a company's alertness of cyber events and chances
of surviving a cyber incident or breach. These occurrences are normally
unpredictable and can happen quickly, often require a large number of
people to manage, can deplete a company's resources, and unless handled
properly they can have long-term reputational and financial consequences
for a firm.
A CCMP can apply to any size company and is essential for
establishing the operational plan, structure, instructions, and resources for
dealing with crises and managing the business during a crisis. Therefore,
the CCMP outlines a series of interrelated activities and processes that

form the organization-wide crisis management plan for use in the event of
a crisis (Figure 9.1).

Figure 9.1. Cyber crisis management cycle. [Figure content: the Cyber Crisis Management Plan cycles through Pre-crisis Preparation, Crisis Response Plan, and Post-crisis Recovery.]

According to Perry and Lindell (2003), an organization's crisis
preparedness is evaluated based on four criteria: a risk assessment
(vulnerability assessment), a capacity assessment of the organization's
ability to cope with crises (capacity assessment), the training and retention
of qualified staff, and a flexible system that can be deployed quickly during
a crisis. The three basic attributes for an effective CCM process are
preparation (pre-crisis phase), response (crisis-response phase), and
recovery (post-crisis phase). Cyber crisis management is a proactive
approach to plan and implement the policies and processes on how to
respond, react to and recover from an attack. The cyber crisis management
plan should be a reference tool that is clearly expressed and easy to read to
avoid having to read a step multiple times to understand what exactly to
do.
The CCMP defines what constitutes a “cyber crisis” or “cyber
incident” that is consistent with the Enterprise Information Security Policy
(EISP). It describes how a security incident would pose a potential crisis
to the organization. It spells out the severity in terms of the loss of the CIA
triad, vis-à-vis the risk tolerance of the organization, to classify an incident
as a crisis. For instance, loss of CIA attributes, loss of reputation, adverse
financial consequences, and compliance or regulatory breaches are
potential security incidents that can escalate to a crisis.
The CCMP should outline the initial response, continued
management/monitoring of the crisis, and loss minimization measures.
The policy should identify the authority vested in the crisis management
team leader and pre-assign the role and responsibilities of each team
member. The details of the CCMP should also be covered by the written
policy and communicated throughout the corporation,[40] and relevant
information should be made available for reference by team members and stakeholders.
The CCMP should address and explain the remedial measures for
existing as well as new cyber threats as reflected in the risk register. The
risk register should be kept up-to-date when a new cyber threat is
acknowledged. Copies of the plan should be kept in a secure yet easily
accessible place by all business unit managers, employees, and
stakeholders.
Finally, the CCMP should be reviewed and updated to incorporate
changes to organizational conditions as well as for improvement where
necessary at least every quarter in a rapidly evolving cyber risk
environment.

3. NIST/CSF – RESPOND & RECOVER FUNCTIONS

The NIST/CSF Respond function’s goal is to help organizations create and
implement procedures that allow the response team members to "take
action in response to a detected cybersecurity occurrence." The Recover
function's main purpose is to build, maintain, and improve a company's
resilience after a cybersecurity incident. It will assist the company in
defining recovery and restoration plans as well as successfully
communicating with important parties. The NIST/CSF Respond and
Recover functions provide a road map for how to react to a crisis to

[40] Adapted from Ho, Oh, Durden & Slade 2010, Crisis Decision Making, Nova Science
Publishers, New York (p.236).

minimize its impact on the business and for getting back to normal and
minimizing the effect of a cybersecurity incident. The categories and sub-
categories specifying the activities and outcomes of these functions are
summarized in Table 9.1.

Table 9.1. Respond and recover – outcome categories/sub-categories

Respond (RS)

Category: Response Planning (RS:RP)
• A response plan is executed during or after an event (RS:RP1)

Category: Communications (RS:CO)
• Personnel know their roles and order of operations when a response is needed (RS:CO1)
• Events are reported consistent with established criteria (RS:CO2)
• Information is shared consistent with response plans (RS:CO3)
• Coordination with stakeholders occurs consistent with response plans (RS:CO4)
• Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness (RS:CO5)

Category: Analysis (RS:AN)
• Notifications from detection systems are investigated (RS:AN1)
• The impact of the incident is understood (RS:AN2)
• Forensics are performed (RS:AN3)
• Incidents are categorized consistent with response plans (RS:AN4)

Category: Mitigation (RS:MI)
• Incidents are contained (RS:MI1)
• Incidents are mitigated (RS:MI2)
• Newly identified vulnerabilities are mitigated or documented as accepted risks (RS:MI3)

Category: Improvements (RS:IM)
• Response plans incorporate lessons learned (RS:IM1)
• Response strategies are updated (RS:IM2)

Recover (RC)

Category: Recovery Planning (RC:RP)
• A recovery plan is executed during or after an event (RC:RP1)

Category: Improvements (RC:IM)
• Recovery plans incorporate lessons learned (RC:IM1)
• Recovery strategies are updated (RC:IM2)

Category: Communications (RC:CO)
• Public relations are managed (RC:CO1)
• Reputation after an event is repaired (RC:CO2)
• Recovery activities are communicated to internal stakeholders and executive and management teams (RC:CO3)

3.1. Respond Function

The Respond planning category refers to crisis response preparedness
before a crisis to limit harm during a crisis and provide for post-crisis
feedback for improvement of the process (RS:RP1; RS:IM1), if necessary.
Response team members must be appropriately briefed, trained, and role-
played to effectively react to a crisis (RS:CO1). Events are reported
according to established guidelines and information is coordinated and
disseminated to all internal stakeholders according to the crisis
management plans (RS:CO2; RS:CO3; RS:CO4). Information is shared
with external stakeholders like the media to provide accurate information
for a better understanding of the cybersecurity situation and to avoid
untoward speculations that might cause market confusion or panic
(RS:CO5).
On analysis of detection system notifications, warnings are closely
studied to confirm an attack has in fact taken place (RS:AN1), and, if so,
forensics are carried out to identify the method of the cyber-attack, the
motivation of the hacker, and the ramifications (RS:AN2; RS:AN3). The
incident is then classified following response strategies for carrying out the
appropriate response according to the CCMP (RS:AN4).
The response mitigation should ensure that the incident is fully
contained and neutralized, and the damage to the organization is kept to a
minimum (RS:MI1; RS:MI2). New vulnerabilities are recognized as
existent risks in the organization’s business operations and documented in
the risk register as risks that must be mitigated as part of the enterprise risk
management process (RS:MI3).
Lastly, lessons are drawn from recent crisis response incidents for
review, revision of, and integration into the enterprise response strategies
for updating and improvement (RS:IM1 & RS:IM2).

3.2. Recover Function

The crisis recovery process can begin during or after the crisis
depending on the criticality of the systems to the business operation and
whether it is safe to do so (RC:RP1). Crisis recovery relates to actions
normally taken in the aftermath of a crisis to restore organizational
operations to pre-crisis levels and mitigate the effects of future crises from
lessons drawn from the experience. Therefore, the lessons learned are
incorporated into the recovery plan for updating the recovery strategies
with the improvement (RC:IM1 & RC:IM2).
Information regarding recovery actions and progress is disseminated
to leadership and management teams to inform them of the recovery efforts
(RC:CO3) and to external stakeholders (including the media) as necessary
to avoid misinformation and speculations (RC:CO1). After a crisis, a firm
needs to prepare a strategy to re-establish its business reputation and to
respond to media reports by developing a communication strategy
(RC:CO3).

4. PRE-CRISIS

Pre-crisis management relates to the proactive approach taken in
preparation by the company in readiness for a crisis. Preparedness entails
acquiring knowledge and capabilities in advance of a disaster to effectively
foresee, respond to, and recover from a crisis. The CCMP is part of the
overall enterprise risk management strategy and requires the support and
approval of senior management and the board of directors. The support
includes a budget for the essential resources required to implement the
CCMP.
The first step of CCMP implementation is putting
in place a comprehensive CCMP that includes essential resources, crisis
management teams, vigilance and monitoring capabilities, a crisis
communication plan, an incident response plan, and a recovery roadmap.
Some of the benefits of CCM planning are a state of readiness and
186 Kok-Boon Oh, Bruce Ho and Bret Slade

familiarity with the process, a coordinated and systematic response during


an attack to minimize human mistakes, and the adoption of a well-thought-
out plan that may lower the organization's losses and minimize downtime.
Crisis planning starts with risk assessment, which entails identifying and
analyzing important risks, hazards, and related vulnerabilities. An
appropriate organizational structure, accompanied by explicit policies and
procedures and supported by sufficient budget allocations for resources, is
essential for thorough disaster preparedness. Organizing resources such as
technology, people, and equipment is also a requisite part of the
preparation process. For instance, early warning systems that detect these
risks would trigger the activation of pre-determined crisis plans (“Detect”
function). Response team members are trained and participate in war
games and role-play based on possible business scenarios to familiarize
themselves with the response and recovery systems, which are all part of
the preparation process. Stockpiling and maintaining appropriate
equipment and supplies are also necessary to be ready to handle a crisis
emergency.
Firms need to be prepared to deal with a crisis event and take prompt
action by identifying and assessing the issues and options, including
seeking expert advice. Staff must be trained to ensure that all people
concerned understand the process, in particular who the decision-makers
are and the roles and responsibilities of participants. The maintenance
of the plan is critical, and staff involved in managing a crisis must be
assigned their roles and be ready to respond effectively. The best chance
for minimizing loss is in the early stages of a crisis or even before the crisis
itself.
The enterprise CCM function will require a core team of relevant
‘experts’ for the sole purpose of determining what the potential ‘crises’ are
in the corporation. In this context, crisis refers to the circumstances that
would not ordinarily occur and need to be prudently dealt with in the
ordinary course of a business. A crisis management team should be led by
a senior manager who has the authority to make decisions. The team
should also include other members who possess legal, public relations,
finance, human resources, and technical skills (Ho, et al., 2010).

5. CRISIS RESPONSE

As it is impossible to completely avoid cyberattacks, the increase in
the number of cyber breaches and the magnitude of attacks is posing an
even greater challenge to businesses to avoid the adverse consequences of
these incidents. One measure to mitigate this situation is to create an
effective response plan for the incident response team to follow in reaction
to an attack. The Incident Response Plan (IRP) delivers clear and
consistent communication to instruct internal and external stakeholders on
how to respond to the attacks and take timely remedial actions. The IRP
also mitigates the legal liability and reputational harm caused by a
cyberattack. The incident response process is shown in Figure 9.2.

Figure 9.2. Incident response process.

The important goals of crisis response are to protect assets, restore
critical business processes and systems, reduce the length of the
interruption of business, minimize reputation damage, and maintain
customer relations.

5.1. Incident Response Plan

The Incident Response Plan (IRP) is a key component of an
organization’s cyber risk mitigation strategy. It provides a roadmap for the
implementation of the incident response process and the responsible unit
for each task. An incident response plan is relevant in both ex-ante and ex-
post contexts of the organization’s ERM. It includes the ability of the
organization to plan and allocate resources for implementing processes in
anticipation of risk events (ex-ante) and to be able to react once a risk event
takes place (ex-post). The focus is on the ex-post process in this chapter as
the ex-ante functions are addressed in the preceding chapters of this book
including the detection activity, which is explained in Chapter 8. The IRP
is a structured plan to define the different processes for managing cyber
incidents to protect critical information assets. A high-level network
diagram and a list of critical assets are useful tools for the crisis
management team to see how the various systems are linked and how an
attack can jeopardize these systems and networks.
The incident response process includes going through the following
actions. The enterprise should first establish and implement a
cybersecurity control plan in the form of an enterprise risk management
framework to deal with cyber risk and also its ramifications. Next, it should
be proactive in implementing the policies and processes to detect and
protect against an attack on its systems, networks, and data. This requires
preparing and training employees to implement the plan to protect the
organization. Detection involves monitoring to identify potential cyber events.
Preparation and training involve scenario building and conducting war
games. The preceding steps form part of the incident response process but
are conducted in the pre-crisis stage (Figure 9.2). After detecting a possible
cyber event, it is necessary to analyze the event to determine its impact on
the company. If it is confirmed as a critical risk, then the incident response
process should consist of measures to contain and eradicate the attack by
limiting the damage done and preventing it from spreading to other
networks in the organization. It is important to have separate processes for
employees to respond to different types of cyber incidents (e.g., MitM,
DDoS, phishing, IoT attacks) for a more targeted response, as not all attack
vectors or methods are similar. Remedial actions include monitoring and
coordination of the process by senior management (e.g., CEOs, CISOs,
CROs & CIOs) taking steps to neutralize and contain the incident,
communicating with media and other stakeholders, and the legal team
informing regulators of the incident. The final step of the CCMP is to
activate those actions that will recover and restore systems to their full
working state.

5.2. Incident Response Team

The CCMP specifies the need for a cybersecurity Incident Response
Team (IRT) to manage and supervise emergency activities in the event of
a cybersecurity incident. The IRP begins with the formation of an IRT and
contains reporting mechanisms to ensure that an attack is managed and
communicated as quickly as possible to the right person or authority. The
composition of the IRT will vary based on organization structure, available
employee resources, and the nature and configuration of the information
systems and networks. The CCMP must identify a pre-selected IRT
consisting of a multi-disciplinary composition of personnel who can bring
to bear skills in at least the following disciplines: finance, management,
legal, human resources, public relations, insurance management, insurance
claims, and relevant technical and operational skills (Ho, et al., 2010).
Different employees will need to take up defined roles. The information
owner role is normally taken up by chief information officers (CIOs)
or chief information security officers (CISOs) in larger organizations. At
the operating level, business unit leaders or managers lead the response
actions. While human resources (HR) are responsible for informing
employees, legal staff communicate with regulatory authorities on
compliance matters. IT personnel provide the technical support needed to
help fix IT issues or manage managed security service providers (MSSPs).
The IRT will lead the organization by following the defined crisis
management processes in responding to a cyber event and reporting and
communicating the progress of the incident response efforts to different
stakeholders.
A responsibility assignment matrix, also known as a RACI chart,41
helps provide personal details to internal and external stakeholders of the
people responsible for managing a crisis. Listing their names, roles,
responsibilities, and contact information helps stakeholders to determine
whom to contact or get approval from during different stages of a CCMP.
Checklists are also available for use by the IR team during attacks to
ensure that actions can be taken swiftly and that no tasks are duplicated or
missed.

5.3. Security Operations Center & Incident Response Platform

Once an incident response plan is in place, the organization needs to
select an incident response platform to help it execute the plan. The
security operations center checks for unusual activity that could indicate a
security incident or compromise by monitoring and analyzing networks,
servers, endpoints, databases, apps, websites, and other systems. The
incident response platform, or core technology of a security operations
center, collects event data from a variety of the organization's infrastructure
and threat detection components, such as the firewall, IDPS, database
server, email, web server, file server, endpoint monitoring software, active
directory, etc. The purpose of an incident response platform is to monitor
an incident from the start to the resolution in which data or a
system may be compromised. Choosing a platform that features security
automation and orchestration facilitates analysis and investigation of every
threat event. Security automation is the mechanism that allows
components of the response plan to be automated to avoid tedious and
time-consuming manual tasks, while security orchestration allows the
platform to coordinate and integrate all existing security solutions and
systems. By centralizing security operations, the incident response
platform increases efficiency in dealing with cyber incidents by
automating time-consuming tasks, gathering comprehensive data for
intelligence analysis, standardizing and scaling processes, and improving
mean time to resolution.

41
RACI stands for Responsible: who is responsible for executing & completing the task;
Accountable: who owns, approves, and is the final decision-maker for the task; Consulted:
who will be consulted regarding decisions or tasks; and Informed: who will be updated or
informed about the task's progress or status.
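The event collection and correlation that the passage above attributes to an incident response platform, as an added example that is not code from the book or from any particular platform: three constructed log formats (firewall key=value text, IDPS JSON, endpoint pipe-delimited text) are normalized onto one schema, events from at least two distinct sources on the same host within a five-minute window open an incident with a merged timeline, and mean time to resolution is computed from constructed resolution times. The source names, field names, sample events, the correlation window and the two-source threshold are all assumptions made for the example.

```python
"""Toy incident response platform core: normalize, correlate, measure MTTR.
Added example; every source, field, threshold and event below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_SOURCES = 2                 # assumed: distinct sources needed to open an incident

# Constructed sample events in three different native formats.
RAW_EVENTS = [
    ("firewall", "2024-05-01T09:00:05Z src=10.0.0.7 dst=203.0.113.9 dport=4444 action=DENY"),
    ("firewall", "2024-05-01T09:01:00Z src=10.0.0.9 dst=198.51.100.4 dport=443 action=ALLOW"),
    ("idps", json.dumps({"ts": "2024-05-01T09:00:12Z", "host": "10.0.0.7",
                         "sig": "outbound connection to known C2 range", "sev": 3})),
    ("endpoint", "2024-05-01T09:02:40Z|10.0.0.7|process_start|unknown_tool.exe"),
    ("endpoint", "2024-05-01T11:00:00Z|10.0.0.9|process_start|updater.exe"),
]


def parse_ts(s):
    """All sources here use ISO-8601 UTC timestamps ending in 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(source, line):
    """Map one raw line from any source onto a common event schema."""
    if source == "firewall":
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        sev = 2 if fields.get("action") == "DENY" else 0
        return {"ts": parse_ts(parts[0]), "host": fields["src"], "source": source,
                "detail": f"{fields['action']} to {fields['dst']}:{fields['dport']}",
                "sev": sev}
    if source == "idps":
        d = json.loads(line)
        return {"ts": parse_ts(d["ts"]), "host": d["host"], "source": source,
                "detail": d["sig"], "sev": d["sev"]}
    if source == "endpoint":
        ts, host, kind, arg = line.split("|")
        return {"ts": parse_ts(ts), "host": host, "source": source,
                "detail": f"{kind} {arg}", "sev": 1}
    raise ValueError(f"unknown source {source}")


def correlate(events):
    """Open one incident per host when MIN_SOURCES distinct sources report
    within WINDOW of each other; the incident carries the merged timeline."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= WINDOW]
            sources = {e["source"] for e in cluster}
            if len(sources) >= MIN_SOURCES:
                incidents.append({
                    "host": host,
                    "opened": anchor["ts"],
                    "sources": sorted(sources),
                    "max_sev": max(e["sev"] for e in cluster),
                    "timeline": [(e["ts"].isoformat(), e["source"], e["detail"])
                                 for e in cluster],
                })
                break  # first qualifying cluster opens the host's incident
    return incidents


def mean_time_to_resolution(incidents, resolved_at):
    """MTTR in minutes, given a map host -> resolution timestamp recorded by analysts."""
    durations = [(resolved_at[i["host"]] - i["opened"]).total_seconds() / 60
                 for i in incidents if i["host"] in resolved_at]
    return sum(durations) / len(durations) if durations else 0.0


def run():
    events = [normalize(src, line) for src, line in RAW_EVENTS]
    incidents = correlate(events)
    resolved = {"10.0.0.7": parse_ts("2024-05-01T10:30:05Z")}  # constructed
    return incidents, mean_time_to_resolution(incidents, resolved)


if __name__ == "__main__":
    incs, mttr = run()
    for inc in incs:
        print(inc["host"], inc["sources"], "max severity", inc["max_sev"])
        for row in inc["timeline"]:
            print("   ", *row)
    print("MTTR (minutes):", mttr)
```

Only host 10.0.0.7 reaches the two-source threshold; host 10.0.0.9 has a firewall ALLOW and an endpoint event two hours apart, so it stays a pair of unrelated events rather than an incident. The same shape (normalize, correlate, measure) is what a real platform does at scale, with the window and threshold tuned per organization.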

5.4. Testing the IRP

The organization's incident response team should undertake regular
exercises simulating a cyberattack, allowing the team to identify steps that
need to be taken, test their strategy, and make modifications to the
processes as needed. Regular war games based on a simulated business
scenario allow members of the incident response team to put their
knowledge and skills in resolving a security event to the test. Penetration
testing by a third party could also help to identify vulnerabilities and
weaknesses in the systems for improvement. The IRP should be tested
regularly to confirm the readiness of the team and the effectiveness of the
cyber crisis management plan (Augustine, 1995; Coombs, 2007). The IRP
should be continually tested, rehearsed, and updated to ensure it remains
relevant and the team is familiar with the incident plans. This will also
ensure that employees are familiar with the processes, so that they respond
quickly and take immediate steps to minimize disruptions and
losses to the business.

5.5. Managing the Crisis

The three common elements addressed in any corporate crisis response
and recovery plan are how the corporation is going to manage the crisis,
manage the business and manage the fallout.42

42
Section 5.5 is adapted from Ho, Oh, Durden & Slade 2010, Crisis Decision Making, Nova
Science Publishers, New York.

5.5.1. Managing the Crisis


The incident response team must first determine the nature of the issue,
as well as the scale of the interruption and the harm it may create. The
Incident Response Team (IRT) must identify and manage crisis responses
and resources, as well as maintain continuous communication with top
business management, relevant regulators, and other stakeholders. When
interacting with the news media during a crisis, a spokesperson with good
communication skills is crucial (Argenti, 2002). In addition, people with
experience in cybersecurity, IT, customer service, supply chain
management, law and regulations, and human resource management are
all essential elements of effective crisis management. A well-documented
review and evaluation of the causes and extent of the damage or losses
from the crisis, and of the corporate response to it, is also important to
appreciate the effectiveness of the incident response plan. The process of
reviewing and evaluating crisis response is essential to ensure the CCMP
remains relevant and effective.

5.5.2. Managing the Business


A crisis can divert a company's attention, time, and resources away
from its core business, causing it to neglect its operations and, as a result,
deepening the crisis. It is therefore critical to ensure that the company
is not destabilized by the crisis through a lack of managerial attention
and corporate resources. This can be avoided by delegating primary
responsibility for the day-to-day management of a crisis to specialized
managers while the business is actively managed by others. The emphasis
on "business as usual" reduces the risk of corporate paralysis as a result of
the crisis and instills confidence both internally and externally. This ensures
continued customer service, employee retention, and the maintenance of
regulatory and financial obligations during the crisis period.

5.5.3. Managing the Fallout


A significant function of an IRT is to gather evidence about the crisis's
roots and repercussions, particularly the damages and losses it has
incurred. This would make it easier to file insurance claims and receive
payments on time. To achieve the best potential outcome throughout the
crisis management period, it is also critical to ensure that the right risk
management systems stay functional during the crisis occurrence.

6. POST-CRISIS

Recovery refers to the steps taken for the enterprise to return to normal
operations after neutralizing or eliminating a cyber-attack. In the post-
crisis phase of recovery, the response team and those parties involved in
the incident will also be responsible for reviewing and updating the CCMP
from the experiences gained in the recent incident. This review should be
conducted immediately after the attack occurred. The steps involved
are an analysis of the causes leading to the events and reviews of the
effectiveness of the management of the incident or crisis. The purpose of
recovery activities is to learn from how the incident or crisis has been
handled in the detection and eradication of the attack to implement more
robust defenses or responses to enhance the organization’s readiness in
confronting a similar crisis in the future. Responses include measures that
should be taken to regain trust with employees, customers, suppliers, and
regulators.

6.1. Impact Analysis

The business impact analysis (BIA) method is a useful tool to identify
and estimate the monetary losses or costs inflicted by a crisis as part of the
post-crisis action plan. Such cost or loss estimates could include those
relating to the loss of revenue or profits, replacement of assets, staffing,
and SND recovery. A BIA assessment report could recognize the critical
information assets in a digital failure crisis and direct the allocation of
resources to protect them. Business areas that the BIA could focus on in a
post-crisis cost analysis include the financial impacts of SND recovery,
compliance, public relations, earnings, reputational liability, and capital.
The BIA-based crisis impact study will help to enhance the CCMP in terms
of pre-crisis response and post-crisis strategies as well as prioritizing the
allocation of resources.

6.2. Incident Report

The information from the lessons learned meetings together with the
BIA assessment should be incorporated into an Incident Report (IR), which
is a post-mortem report that is prepared after systems have been fully
recovered. The report should contain information about the type and nature
of the incident; how and when the incident was detected; the digital assets
affected by the attack; whether the incident was preventable; the
organization’s response and recommendations to improve the response
process including the use of better detection tools and what could have
been done better during the incident response process.
The purpose of the IR is to document the experiences and effectiveness
of the general recovery process for the organization to implement the
recommendations to enhance its cyber operational resilience and use as a
reference for future attacks and training. Changes to rules, processes, and
procedures, as well as tools and equipment, and even the behavior of the
individuals participating in the process, are all examples of
implementation. Information on responsible parties, due dates, and
deliverables should be recorded for both short- and long-term changes.
Before being sent out, the updated and improved incident response plan
should be tested to see if the improvements made are adequate.

CONCLUSION

The digital world is fraught with ever-changing threats from
technology, and the management challenge is to have in place the
appropriate preparations needed to manage situations that may affect the
organization’s future. The introduction of a cyber crisis management
process is an important measure to minimize the organization’s cyber risk
exposure. This chapter emphasizes that planning what to do in the case of
a cyberattack is just as crucial as preventing one from occurring, because
all companies are likely to be victims of a cyberattack at some point.
Several actions as described in this chapter need to be taken to ensure that
an organization can respond to and recover from a cyberattack as rapidly
as feasible to limit the damage caused by an attack.

Chapter 10

STRATEGIC CYBERSECURITY
RISK MANAGEMENT

1. INTRODUCTION

The enterprise risk management strategy is aimed at identifying,
measuring, reducing, and reporting the risks to which the organization is
exposed. It outlines a comprehensive approach to protecting the
corporation’s people and assets from all sources of risk, be it internal or
external. The corporate risk manager would work out the different risk
exposures of the corporation. The nature of risk exposures depends on the
corporation’s business and industry (Ho et al., 2010). This book defines
strategic risk management as the strategy measures taken by a company to
reduce the risks associated with uncertainties by focusing on its written
strategic plan and how policies, processes, and execution influence the
firm's value. This chapter explains and summarizes the organizational
framework to deal with cyber threats from a strategic cybersecurity risk
management perspective.
Enterprise risk management is a key component of corporate
governance responsibility and it comprises strategies and processes that
firms use to manage the risk that is consistent with expected returns and
organizational goals. As we become more dependent on information
technology, the risks related to these technologies increase. Implementing
an efficient cyber risk management system that aligns with organizational
strategy within an ERM framework is always challenging to most
organizations. The emphasis will be on establishing a holistic framework
that incorporates strategic and operational cyber risk control mechanisms
consistent with the organization’s vision, mission, strategy, and objectives.
In this chapter, we highlight the need to prioritize strategic planning as a
critical component for dealing with cybersecurity risk exposure to enable
the right strategy and focus on protecting the security of related digital
investment and resources.
Firms with strategic response and renewal capabilities are better
equipped to adjust and adapt to abrupt environmental changes (Agarwal &
Helfat, 2009). A risk mitigation strategy helps an organization set the
underpinning philosophy for managing enterprise risk that helps to instill
a strong corporate risk culture, formulate clear policies and processes and
establish a risk tolerance threshold for prioritizing its risks so it can allocate
resources efficiently. The most important aspects that need to be addressed
are to identify the potential threats, and the method and target of the attack,
to recognize and evaluate the valuable data assets in the corporate
environment. Next is on how to mitigate the cybersecurity exposure of
these assets and provide for continuous monitoring and detection to
safeguard corporate interests employing both physical security and
cybersecurity measures and protective technologies. There is a need for
cooperation and communication across functions during cybersecurity
planning and operations to address considerations around effective
leadership and governance structures, legal compliance, and preparing an
incident response strategy for cyber-attack mitigation and recovery.
As an integral part of enterprise risk management, managing cyber risk
is the responsibility of a corporate risk management team consisting of
representatives from different functions of the organization. Strategic
cyber risk management requires the management and other employees in
an organization to work together to mitigate and neutralize cyber threats
and protect business value. Companies in different industries are bound by
different corporate objectives and operating conditions so they are likely
to experience different cyber threats. Hence, companies need to design a
specific cyber risk management plan that suits their business conditions.
This chapter highlights the need to prioritize and customize the strategic
cyber plan as a critical component for dealing with cybersecurity risk
exposure. First, there is the need to identify and evaluate valuable digital
assets in the corporate environment. Next is how to mitigate the
cybersecurity exposure of these assets and provide for continuous
monitoring to safeguard corporate interests. Emphasis will be on planning
and operations management to enable the right strategy and focus on
protecting the security of related investment. The need for cooperation and
communication across functions during cybersecurity planning and cyber-
attack recovery is also discussed.
Since ISO 31000 provides a high-level overview of risk management, its
components, and how to implement risk management in an enterprise, we
follow the International Organization for Standardization’s ISO
31000:2009, Risk Management, Principles, and Guidelines, for guiding the
cybersecurity SRM initiatives in our proposed framework. The National
Institute of Standards and Technology (NIST) Cybersecurity Framework
is used as a reference benchmark for ORM as it is pragmatic, operative,
and functional. Both standards allow flexibility and adaptability in their
processes to customize unique and precise frameworks that consider
different organizational conditions. Even with a standard framework like
the NIST/CSF, with its proposed structure and comprehensive details of
cybersecurity, it is still recommended for companies to tailor their security
controls and processes to the specific needs of their businesses or
industries. For example, the education sector is vulnerable to cyber-attacks
as universities possess valuable intellectual property from their research
and also a large pool of personally identifiable information (PII) of their
employees and students that a hacker can steal and sell on the online black
market. The healthcare business is another that faces specific threats such
as cyber-attacks on computer-controlled medical devices (e.g.,
pacemakers, insulin pumps, continuous blood pressure, and glucose
monitors, etc.) and protected health information (PHI). Medical devices
that require network connectivity to function are exposed to network
vulnerabilities. This is why the cybersecurity framework must be tailor-fit
to every specific need of an industry or a business, so that critical concerns
or provisions like these will be addressed.

2. A HOLISTIC & STRATEGIC ERM

The ERM framework consists of three processes, which are strategic
risk management (ERM planning), operational risk management (risk
awareness & risk reduction), and crisis management (crisis management
readiness & crisis response & recovery) that constitute a holistic ERM for
managing cybersecurity risk (Figure 10.1). The ISO 31000 standard
consists of three components, principles, framework, and process.
Principles outline the features of effective and efficient risk management,
as well as communicating its value and risk protection attributes to
stakeholders. The principles specify what must be accomplished, whereas
the framework explains how to accomplish an integrated risk management
structure. The structure should support an organization's risk management
actions. This is also known as the organization's risk architecture, strategy,
and protocols (IRM, 2018). The risk management process is defined as a
series of iterative processes that are carried out in a coordinated but not
necessarily sequential manner. The SRM function is akin to the elements
in the ISO 31000's Principles and Framework, whereas the activities in the
Process match those in the ORM and CCM, albeit from a strategic
perspective.
As a high-level guideline for the management of risk, the ISO 31000
standard is a valuable tool for guiding the strategic planning phase on the
activities needed in the ERM. As discussed in Chapter 4, these activities
include formulating risk strategies according to business vision, goals, and
objectives, appointing key risk officers, defining the enterprise risk
philosophy and culture, setting the risk tolerance threshold, allocating
budgets for resources to implement the ERM function, and developing
ERM implementation policies and processes. The ERM is a process of
planning the control of any risk that affects a company's business strategy,
strategic objectives, and strategy execution. It involves oversight,
identifying, assessing, and managing the risk in the organization's business
strategy. At the strategic level, it includes establishing the Cybersecurity
Strategic Plan and Enterprise Information Security Policy, planning and
establishing budgets, and risk tolerance for implementing the operational
risk program. This is conducted at the board and senior management (c-
suite) level, in conjunction with the risk committee or the CRO.
The proposed integrated cybersecurity ERM model consists of three
distinct layers: the strategic process (SRM), the operational process
(ORM), and the crisis management process (CM), as depicted in Figure 10.1.
The SRM is a high-level planning function for establishing the CSP and
EISP for a company's cybersecurity risk management program guided by
the ISO 31000's Principles, Framework, and Process constructs. At the
ORM level, the day-to-day activities relating to the operational cyber risk
functions are implemented and maintained. The ORM structure is based
on the conventional ERM approach with cyber risk control measures that
draw on the constructs from the NIST/CSF’s Framework Core. The CCM
function encompasses pre-crisis management planning and preparation for
responding to an attack and, crisis response and recovery. Similar to ORM,
the CCM function in our proposed model is guided by the relevant
functions in NIST/CSF.
The proposed model adopts a risk-based approach that identifies,
assesses, and prioritizes the cybersecurity threats to an organization's
vision, goals, and objectives. It's a flexible approach that allows businesses
to adjust their cybersecurity strategy based on their knowledge of their
individual organizational needs and operational vulnerabilities and
weaknesses. To reduce enterprise risk, an organization’s leadership and
governance effort should focus on identifying and targeting those elements
of cyber risk that pose the greatest risk to its business objectives. A
definitive risk tolerance policy is important for pursuing a set of risk-based
objectives. It describes the amount of variability that can be tolerated in
terms of how much of a loss an organization is ready to accept in light of
its current assets and other risks. Finally, a strong risk-based culture is
necessary for the success of ERM; corporate risk culture describes the
shared values, knowledge, practices, and awareness of cybersecurity risk
in an organization. These ERM imperatives are discussed in the following
sections and constitute crucial elements of our proposed cybersecurity
model.

[Figure 10.1, rendered as text: the ERM structure with its three layers]
ERM
- SRM – CSP & EISP (ISO 31000 planning)
- ORM – NIST/CSF
  - Identification; Assessment (risk awareness)
  - Mitigation; Monitor, Detect & report (risk reduction & monitoring)
- CCM – NIST/CSF: Cyber Crisis Management
  - Crisis management readiness: Planning & preparation; Consider all
    crises; Identify critical crises; Prioritize crises; Plan preventive &
    response measures; Implement measures
  - Crisis response & recovery: Managing the crisis; Managing the
    business; Managing the fallout; Managing the recovery

Figure 10.1. Integrated cybersecurity ERM43.

43
Adapted from Ho, Oh, Durden, & Slade, 2010, Crisis Decision Making, Nova Science
Publishers, New York and Oh, Ho, Pham, Huang & Wang 2018, The Process of Enterprise
Risk Management, Nova Science Publishers, New York.

3. VISION, GOALS, AND OBJECTIVES

The Cybersecurity Strategic Plan defines the vision, goals, and
objectives of the organization's cybersecurity program and how the vision
of the strategy links to the overarching corporate mission and vision
(Figure 10.2). The vision statement sets out what the organization wants to
achieve or the ideal state of affairs with the implementation of the risk
mitigation strategy (e.g., to develop a mature and effective cybersecurity
practice that fosters a secure and resilient cybersecurity environment to
support all company operations and mitigate all attempts at cyber-attack or
data leak).

Figure 10.2. Cybersecurity strategic plan, vision, goals, and objectives.

After the organization has identified its critical risks, the strategic
goals are framed in which to articulate and prioritize the key goals that
must be achieved to reduce its risks to an acceptable level or within the
organization's risk tolerance. These goals are high-level descriptions of the
activities to be undertaken by the organization to mitigate the risks it is
exposed to, such as improving employees' knowledge of cybersecurity or
creating a culture of cybersecurity awareness in the organization. The CIA
triad is a good reference to frame goals to include more specific elements
in the CSP.
Once the strategic goals are identified and prioritized, objectives for
each goal are set. The objectives are the specific items that must be
accomplished to achieve the overarching strategic goals. For example, an
objective for the strategic goal of protecting systems using technology
could be to implement an intrusion detection and prevention system, and
an objective for the strategic goal of restricting onsite access to servers
using physical security could be to implement a strict access security
protocol such as personal verification codes and closed-circuit television
monitoring.

4. LEADERSHIP AND GOVERNANCE

Managing risk is an integral part of leadership and governance (IRM,
2018). The board of directors and management are tasked with providing
leadership in aligning risk management with the organization's strategy,
objectives, and culture; establishing an effective cybersecurity strategic
plan and enterprise information security policy; setting the risk tolerance
threshold; and allocating essential resources for risk management.
Integration of risk management into corporate governance is a key ERM
principle where the board of directors and senior management are
responsible for ensuring consistency in strategic initiatives and day-to-day
operational performance.
For corporate governance and performance, the board should place a
high priority on cyber risk management in today’s highly business-
dependent and rapidly changing technological environment (Weill &
Ross, 2004). It entails factoring cyber risk considerations into decision-
making when implementing a company's strategy to meet its goals.
Risk governance refers to the decisions on the overall standards,
policies, practices, and processes about risks to be established and
implemented at the strategic ERM level to guide a business. The risk
management strategy provides a structured and coherent approach to
managing risk that reflects the company's risk governance spirit and
expectations.
The strategic risk management process entails the formulation of an
overall corporate risk strategy encompassing policies and budgets for
implementation. To ensure the continuity of the firm, an effective risk
management strategy must be incorporated into all functions within the
organization where risk exists (Ho, et al. 2010). Recognizing that cyber
risk management is a key component of the organization’s enterprise risk
management system is a precursor to its successful implementation.
As discussed in Chapter 5, the risk management strategy represents the
company's structured and integrated approach to risk management,
reflecting the company's risk governance requirements. The NIST/CSF
framework core recognizes the nexus between governance (ID:GV) and
risk management strategy (ID:RM) in the identify (ID) function and
emphasizes that risk management and governance processes cover
cybersecurity risks (ID:GV4).
Organizations need to understand that many determinants will
influence the implementation of the ERM function. They include board
implications, leadership, corporate culture, technology, business model,
regulatory environment, industry-specific standards, internal control, and
shareholders’ influence. The management of a firm is primarily
responsible for its cyber risk management process but the board must also
be informed about and appreciate the cyber risks facing the firm and
maintain oversight of the risk management process. The chief executive
officer (CEO) is ultimately responsible for a firm’s business success and
must ensure that adequate cyber risk management policies are in place at
the firm. The firm has numerous and varied digital resources that it relies
on to generate its earnings. They are prone to cyber-attacks resulting in
losses to the firm. A prudent, comprehensive, and integrated risk
management program can help to stabilize earnings (Ho, et al., 2010).
Adopting a risk-based approach provides a strong foundation for
effective cyber risk management. Cybersecurity requires a ‘multi-tiered
approach’ (Ernst and Young, 2014). Organizations are increasingly
becoming aware of the threats posed by cyber risk in today’s digital world.
Many have started to treat cybersecurity as part of a strategic enterprise-
wide risk management function under the purview of the chief executive
officer (CEO), the chief information officer (CIO), the chief risk officer
(CRO), and the chief information security officer (CISO), working together
with the business units as a team to gain knowledge and a complete profile
of the corporate cyber landscape. Invariably, they need to work together to
manage the multidimensional challenges of cyber threats, from both
internal and external environments, in a complex and dynamic cyber
landscape.
Every organization should have a Cybersecurity Strategic Plan (CSP)
that outlines the goals and objectives of the organization’s cyber security
program for protecting its digital assets. The CSP is a high-level document
written by senior management for guiding the EISP in setting the
operational policies and procedures for the implementation of the
organization's security activities. While the CSP provides a tactical setting
for cybersecurity, the EISP is operative in nature and as they are
complementary, information is likely to overlap (Figure 10.1). The
important components in a cybersecurity strategic plan (CSP)44 are:

• Explain the organization's cybersecurity program's vision, aims, and
objectives for safeguarding information assets and ensuring the
confidentiality, integrity, and availability (CIA) of vital information to
execute its missions;
• Describe how the organization communicates information, responds to
emerging and growing risks, and develops new techniques for protecting
information and information systems, which will aid in the development
and definition of policies;
• Cybersecurity aims and strategic objectives are clearly stated, with each
strategic objective classified into near-term, mid-term, and long-term
elements; and
• Compliance with one or more of the industry's standards and with all
applicable laws and regulations.

44 Adapted from “Cyber Security Strategic Plan - 2007,” Department of Energy, USA & “Cyber Security Strategic Plan 2018-2021,” South Australian Government, https://www.dpc.sa.gov.au/__data/assets/pdf_file/0006/47535/Cyber-Security-Strategic-Plan2018-21_FINAL-RELEASED-Feb2018.pdf (accessed 19/9/2021).

5. RISK CULTURE & TOLERANCE

An efficient ERM relies on strong leadership to communicate and
instill a clear risk strategy, corporate culture, and risk appetite aligned
with business objectives and strategy. The alignment of corporate
strategy with RM and culture remains a current challenge (PwC, 2018).
The increasing frequency and sophistication of cyberattacks require
organizations to adopt an integrated approach to risk strategy and culture
(Ernst and Young, 2018). Shao (2019) argues that a well-defined and
flexibility-oriented corporate culture is an important moderator between
strategic leadership behaviors and information-system business strategic
alignment for the successful implementation of enterprise systems.
One of the most important aspects of creating a strong corporate risk
culture is effective leadership. A leader is anyone with influence or power,
and leaders can inculcate corporate culture by reinforcing values while also
holding others accountable. Leaders should be purposeful in developing a
risk culture that allows people to thrive (Shao, 2019) and failure to
establish a strong risk culture is harmful to both employees and the
company's performance. A strong corporate risk culture that fosters a risk-
based approach fortifies employees' commitment to observing risk appetite
philosophy and practice. Risk appetite represents the risk parameters the
board and senior management are willing to tolerate and a risk appetite
statement formally articulates, clarifies, and communicates the
organization's acceptable risk parameters. Risk appetite is aligned with
business objectives and exposure to determine the organization's strategic
directions. Cyber risk appetite and strategy are closely related concepts in
enterprise risk management because the risk tolerance threshold an
enterprise is willing to accept determines how achievable the strategic
goals and objectives are. A cyber risk appetite statement outlines the
organization's risk profile, capacity, tolerance, and oversight. Therefore,
organizations should align their strategic cyber vision to their cyber risk
tolerance policy as the established risk tolerance defines the strategic goals
and objectives. Adherence to corporate risk tolerance policy in setting
strategy and operating procedures assures staff that a coherent risk control
process is in place that is consistent throughout the organization. Risk
tolerance should be reviewed regularly to ensure it remains relevant by
keeping up with changing dynamics in the rapidly evolving cyber risk
environment. All employees should acknowledge the risk appetite
statement.
Regulators keep a close check on a formal cyber risk tolerance
statement, especially in organizations operating in highly regulated
industries, like healthcare, education, and financial services, to ensure
these organizations have in place a set of comprehensive policies and
procedures that can effectively safeguard confidential and personal
information.

6. RISK-BASED APPROACH

Cyber risk is an inalienable part of modern organizations and senior
management should focus on the importance of risk mitigation and the
value companies can derive from implementing a risk mitigation strategy
to improve organizational resilience and manage risks effectively.
Therefore, corporate cyber risk leadership and governance should ensure
that cyber threats and their multiple components are identified, understood,
managed, and communicated. A cybersecurity program can be developed
and managed in a variety of ways. The two key options businesses can
choose are maturity-based or risk-based approaches.
The traditional method of managing cyber risk is the maturity-based
approach, in which businesses deploy certain risk management capabilities
and controls to reach a desired level of maturity. Hillson (1997) suggests a
risk maturity model that helps organizations enhance their risk
management approach by allowing them to assess their current degree of
maturity, set realistic improvement goals, and develop action plans to
improve their risk capability. The model is divided into four stages, which
are labeled as "naive," "novice," "normalized," and "natural" in progressive
order. The naive risk organization is unaware of the importance of risk
management and lacks a well-defined strategy for coping with uncertainty.
The novice risk organization is aware of the potential benefits of risk
management but is still experimenting with it, usually through a small
group of nominated persons, and lacks a formal or structured generic
approach. In the normalized risk organization, risk management is built
into ordinary business processes and applied extensively, and the
organization recognizes its benefits. The natural risk organization has a
risk-aware culture and takes a proactive approach in applying risk
management best practices across the organization. One of the
disadvantages of this method is its focus on building multiple layers of
security against everything, which may require a significant financial
commitment for some firms. However, the "maturity-based" approach
remains a popular choice as it helps an organization to evaluate and
monitor the effectiveness and adequacy of its enterprise risk management
program for improvement. It is a useful assessment and monitoring tool.
Some of the metrics adopted for measuring maturity include the
appointment of a CISO and a risk committee, the existence of a security
operations center (SOC), integration with strategic planning, and
measurement of ERM effectiveness.
Alternatively, the "risk-based" approach aligns the organization's
business objectives with a cyber risk strategy to target risk reduction
through definitive policies and pragmatic implementation programs.
Therefore, it is geared towards identifying and mitigating the critical risks
in the business's most critical systems, networks, and data. Risk-based
approaches are significantly more cost-effective than maturity models
because they allow the risk manager to allocate more resources to defenses
for the vulnerabilities that affect the business's most critical systems.
Collier, Linkov, & Lambert (2013) recommend that firms adopt a
risk-based systems approach that integrates the “physical, information,
cognitive, and social domains” to better understand and manage
cybersecurity. A risk-based approach recognizes risk-taking as
fundamental to a business achieving a return on investment. For
cybersecurity, this means investing in technology, with its implicit danger,
and leveraging it in key business activities to increase productivity while
keeping the risk in balance.
McKinsey (2019) suggests that a maturity-based approach is still
essential as a foundation on which to build a risk-based strategy. Instead of
maturity, management should focus on identifying and mitigating those
gaps and vulnerabilities that pose a critical risk to the business, consistent
with a risk-based approach.

7. A STRATEGIC CRM USING NIST/CSF

When setting up an information security program a company should
refer to the relevant RM standards to provide a useful guide for
incorporating best practices into the CRM framework. A standard offers a
set of technical rules or specifications that apply to a given system and are
usually documented to represent dependable practices, criteria,
methodologies, and processes. The rules and specifications are intended to
be applied consistently as a guideline or definition for establishing a
reliable and effective system. The following describes the elements and
actions for establishing a strategic cybersecurity ERM structure based on
the NIST/CSF standards.

7.1. Framework Core

The enterprise cybersecurity program starts with the framework core
to establish the firm’s vision, goals, and objectives (ID:BE3) by
conducting those activities in the ERM/SRM (see Figure 4.2 & Table
10.1). The cyber risk strategy and policy (ID:GV1; ID:GV4 & ID:RM1)
should complement the business strategy, business requirements, and the
firm’s risk tolerance (ID:RM2 & ID:RM3).

Table 10.1. Identify – outcome categories/subcategories

Category: Asset management (ID:AM)
• Asset inventory (ID:AM1)
• Software inventory (ID:AM2)
• Organization ICT map (ID:AM3)
• External ICT catalog (ID:AM4)
• Resources priority list (ID:AM5)
• Cybersecurity roles & responsibilities (ID:AM6)

Category: Business Environment (ID:BE)
• Supply chain role (ID:BE1)
• Organization IT & industry position (ID:BE2)
• Organizational mission, objectives & activities (ID:BE3)
• Dependencies & critical functions for service delivery (ID:BE4)
• Resilience requirements for service delivery (ID:BE5)

Category: Governance (ID:GV)
• Information security policy (ID:GV1)
• Information security roles & responsibilities coordination (ID:GV2)
• Legal and regulatory requirements (ID:GV3)
• Governance and risk management processes (ID:GV4)

Category: Risk assessment (ID:RA)
• Critical assets identified & documented (ID:RA1)
• Shared information on threats & vulnerabilities (ID:RA2)
• Internal and external threats are documented (ID:RA3)
• Likelihoods & impacts analysis (ID:RA4)
• Threats, vulnerabilities, likelihoods, and impacts are used to determine risk (ID:RA5)
• Risk responses identified and prioritized (ID:RA6)

Category: Risk management strategy (ID:RM)
• Risk management processes (ID:RM1)
• Risk tolerance (ID:RM2)
• Informed risk tolerance (ID:RM3)

Category: Supply chain (ID:SC)
• Cyber supply chain RM processes defined and agreed upon by organization stakeholders (ID:SC1)
• Suppliers and third-party partners of information systems, components, and services are assessed & documented (ID:SC2)
• Supplier and third-party contracts implement measures to meet the organization’s cybersecurity objectives & plan (ID:SC3)
• Suppliers and third-party partners are routinely assessed to confirm satisfactory contractual obligations (ID:SC4)
• Recovery planning and testing and response are conducted with both suppliers and third-party providers (ID:SC5)

As we alluded to in Chapter 6 (“Risk Identification”), many of the sub-
categories under the Identify function in the business environment
(ID:BE), governance (ID:GV), and risk management strategy (ID:RM)
categories are activities that are more closely aligned to the strategic
initiatives (i.e., strategic level) of the ERM model. As the supply chain
plays a strategic role in modern businesses for growth and sustainability
by linking a company with its suppliers and customers, concerns about
cybersecurity risk in the supply chain have become a top management
priority. Table 10.1 shows NIST/CSF’s Identify function’s categories and
sub-categories that reflect the actions relevant to the organization's
initiatives for establishing the strategic cybersecurity program. The
following sections discuss the alignment of the NIST/CSF actions vis-à-
vis the initiatives for developing an enterprise cybersecurity strategic plan
that is consistent with the ERM model.

7.1.1. Asset Management


Cybersecurity asset management is the act of identifying an
organization's IT assets and the possible security threats or gaps that each
one poses on a continuous, real-time basis. Documenting and assessing the
firm's information assets and systems (ID:AM1 & ID:AM2) to identify any
threats, vulnerabilities, or gaps to which the organization may be exposed
(ID:AM1 to ID:AM5) is necessary for formulating risk management
strategies and processes (ID:RM1). The focus of such an exercise should be
on the operational environment (ID:BE1; ID:BE2; ID:BE4; ID:BE5 & ID:RA3)
and cybersecurity threat information (ID:RA1 to ID:RA3) to determine the
likelihood and severity of a cybersecurity event (ID:RA4) that could affect
the firm.

7.1.2. Business Environment


The ability of an organization to inform its cybersecurity roles,
responsibilities, and risk management decisions with a thorough
understanding and prioritization of its corporate mission, objectives,
stakeholders, and business is referred to as the business environment.
Concerning the business environment, employees must understand and
prioritize the organization's mission, objectives, activities, and
stakeholders and their underlying implications in terms of decisions, roles,
and duties involved in managing cybersecurity risk (ID:BE). The actions
for completing this are to determine and communicate to relevant
stakeholders the organization's involvement in its supply chain (ID:BE1),
role in its industry sector and key infrastructure (ID:BE2), and its mission,
objectives, and activities (ID:BE3) to establish resilience benchmarks and
practices for all operational functions that support critical service delivery
(ID:BE4; ID:BE5).

7.1.3. Governance
The policies and practices that dictate how businesses identify,
prevent, and respond to cyber incidents are referred to as governance in
cybersecurity. They constitute the means through which an organization
regulates and directs its approach to information security. Cybersecurity
governance enables the organization's security initiatives aimed at allowing
the uninterrupted flow of information throughout the organization.
Organizational governance for the cybersecurity risk management function
requires all organizational risk, legal, regulatory, operational, and
environmental requirements to be monitored and managed (ID:GV) using
policies, processes, and procedures (as spelled out in the CSP & EISP) that
are precise and well-understood (ID:GV1). This process entails the
alignment and coordination of cybersecurity duties and responsibilities
with internal strategic and operational functions (ID:GV2), the
establishment and communication of the organization's cybersecurity
policy to all employees and external partners (ID:GV2), and the observance
of, compliance with, and management of cybersecurity legal and regulatory
requirements, including privacy and civil liberties obligations (ID:GV3).
This process must include risk management and governance mechanisms
in the organizational structure or hierarchy to complement and support
cybersecurity risk mitigation (ID:GV4).

7.1.4. Risk Management Strategy


A cybersecurity strategy is a set of actions aimed at enhancing the
security and resiliency of information infrastructure and services. It is a
top-down, high-level approach to cybersecurity that identifies a set of
business objectives and priorities that must be met. Risk management
strategy relates to developing the priorities, risk tolerances, restrictions,
and assumptions to aid operational risk decisions (ID:RM). A cybersecurity
strategic plan (CSP) and an enterprise information security policy (EISP)
should be made available at the strategic level, as agreed on by the board
and senior management, to guide the establishment of risk management
processes that are controlled and agreed upon by all organizational
stakeholders (ID:RM1). Informed by an industry-specific risk analysis and
its position in critical infrastructure as a business tool (ID:RM3), the
organization's risk tolerance level is established and expressed precisely
and explicitly (ID:RM2).

7.1.5. Supply Chain Cyber Risk Management


Cyber supply chain risk management ensures that a company's
products and services are delivered on time. As a result, cyber supply chain
risk management, which includes design, research & development,
logistics, manufacturing, warehousing, distribution, and maintenance, is an
important part of any company's entire cyber security strategy. To support
decisions related to managing supply chain risk, organizational priorities,
limits, risk tolerances, and assumptions about the supply chain are defined
and applied (ID:SC). This information is used to devise and implement the
company's processes for identifying, assessing, and managing supply chain
risks that organization stakeholders agree on (ID:SC1). The processes
include a cyber supply chain risk assessment function which is used to
identify, prioritize, and assess suppliers and third-party partners of their
information systems, components, and services (ID:SC2). Contractual
arrangements are made between the organization and its suppliers and
third-party partners to put in place appropriate measures that comply with
the organization's cybersecurity program objectives and Cyber Supply
Chain Risk Management Plan - CSCRMP (ID:SC3). The organization will
routinely evaluate suppliers and third-party partners using test results,
audits, and other evaluation methods to ensure they are meeting their
contractual commitments (ID:SC4). Finally, it is important to conduct
recovery planning, testing, and response with both suppliers and third-party
providers for readiness and effectiveness of the CSCRMP (ID:SC5).

7.2. Framework Profile

The current profile of the organization’s risk management capability
is prepared by adopting NIST/CSF’s Framework Profile (FP) process for
indicating the current cybersecurity outcomes by the “unique alignment”
of these outcomes with an organization's business requirements, vision,
objectives, goals, risk tolerance, risk landscape and resources (ID:AM;
ID:BE; ID:GV; ID:RA; ID:RM; & ID:SC). The objective of the FP is to
demonstrate how cybersecurity initiatives help the firm achieve its
business vision, goals, and objectives while also meeting cybersecurity
standards and mitigating threats in the organization’s risk environment
(ID; PR; DE; RS & RC). The primary objective of the profile is to
identify and prioritize opportunities for improvement, and to review and
implement risk responses to the identified weaknesses in order to reach a
target profile.

7.3. Framework Tiers

The Framework Tiers (FT) help enterprises put their perspective on
cybersecurity risk management into context. The Tiers categorize
companies based on how thoroughly risk management procedures are
implemented in an organization. The Tiers are a set of guidelines that help
organizations choose the proper amount of rigor for their cybersecurity
program. The following is a list of the four Tiers:

• Tier 1 – Firms are ineffective in their approaches to risk
management. Their risk management programs and processes are
fragmented, unreliable, unsystematic, and lack management
participation (“Naive” – Hillson, 1997).
• Tier 2 – Firms use ad hoc risk management techniques that are
inadequate and based on poorly designed and implemented risk
management policies and procedures (“Novice” – Hillson, 1997).
• Tier 3 – Firms have a structured risk management program with
effective risk management programs and systems and with continuous
management oversight and participation (“Normalized” – Hillson,
1997).
• Tier 4 – Firms use dynamic and sophisticated proactive risk
management approaches, with frequent communication about
strategic objectives, culture, risk appetite, and funding (“Natural”
– Hillson, 1997).

The Tiers are consistent with Hillson’s Risk Maturity Model of
"naive," "novice," "normalized," and "natural." Like the Risk Maturity
Model, an organization can use the NIST/CSF’s Tiers system to monitor
and evaluate the performance of its enterprise risk management strategies
for improvement.
The process for using the Tiers system is to determine an
organization’s “Current Tier” from the four groups, i.e., the one which best
describes the organization's current risk management processes. The next
step is to identify the “Target Tier” that best defines the risk management
practices that the organization wishes to implement. Management may
opt to select aspects from all of the Tiers or incorporate its own items to
provide accurate descriptions of the present or preferred target risk
management practices. The design of the target Tier requires consideration
of the organization’s vision, goals, business objectives, threat environment
(ID:BE), risk tolerance, legal and regulatory requirements (ID:GV),
information sharing protocol (ID:RA), supply chain cybersecurity
deliverables (ID:SC), and budgets (ID:AM). The purpose of the target Tier
is to provide a road map for how an organization can reduce its aggregate
risk exposure. The gap between the current state of risk management
(current Tier) and the target risk management position (target Tier)
identifies the risk management gaps that need to be addressed to reach the
target.
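The Current Tier / Target Tier gap analysis just described, as an added Python example (not code from the book or from NIST): it scores each Identify outcome of Table 10.1 on Tiers 1 to 4 for a Current and a Target Profile and derives the prioritized gap roadmap. The per-outcome scoring, the weakest-link roll-up of the overall Tier, and the sample scores are assumptions constructed for illustration.

```python
"""NIST/CSF Framework Profile gap analysis over the Identify subcategories.

Added example, not code from the book or from NIST. Each Table 10.1 outcome
is scored on the four Framework Tiers (1 "naive" to 4 "natural") for the
Current Profile and the Target Profile; the gap between them is the roadmap
of sections 7.2-7.3. Per-outcome scoring and the weakest-link roll-up of the
overall Tier are assumptions; the sample scores below are constructed.
"""
from dataclasses import dataclass

TIER_NAMES = {1: "naive", 2: "novice", 3: "normalized", 4: "natural"}

# Subcategory identifiers and short names taken from Table 10.1.
SUBCATEGORIES = {
    "ID:AM1": "Asset inventory", "ID:AM2": "Software inventory",
    "ID:AM3": "ICT map", "ID:AM4": "External ICT catalog",
    "ID:AM5": "Resources priority list", "ID:AM6": "Roles & responsibilities",
    "ID:BE1": "Supply chain role", "ID:BE2": "IT & industry position",
    "ID:BE3": "Mission & objectives", "ID:BE4": "Critical dependencies",
    "ID:BE5": "Resilience requirements", "ID:GV1": "Security policy",
    "ID:GV2": "Roles coordination", "ID:GV3": "Legal & regulatory",
    "ID:GV4": "Governance & RM processes", "ID:RA1": "Critical assets documented",
    "ID:RA2": "Shared threat information", "ID:RA3": "Threats documented",
    "ID:RA4": "Likelihood & impact analysis", "ID:RA5": "Risk determination",
    "ID:RA6": "Risk responses prioritized", "ID:RM1": "RM processes",
    "ID:RM2": "Risk tolerance", "ID:RM3": "Informed risk tolerance",
    "ID:SC1": "Supply chain RM processes", "ID:SC2": "Suppliers assessed",
    "ID:SC3": "Supplier contracts", "ID:SC4": "Suppliers routinely assessed",
    "ID:SC5": "Recovery planning with suppliers",
}


@dataclass(frozen=True)
class Outcome:
    subcategory: str
    current: int  # Current Tier (1-4) for this outcome
    target: int   # Target Tier (1-4) for this outcome

    @property
    def gap(self) -> int:
        return self.target - self.current

    @property
    def category(self) -> str:
        return self.subcategory.rstrip("0123456789")  # "ID:AM1" -> "ID:AM"


def build_profile(current: dict, target: dict) -> list:
    """Pair Current and Target Tier scores; every Table 10.1 outcome must be scored."""
    profile = []
    for sub in SUBCATEGORIES:
        if sub not in current or sub not in target:
            raise ValueError(f"{sub} is not scored in both profiles")
        cur, tgt = current[sub], target[sub]
        if cur not in TIER_NAMES or tgt not in TIER_NAMES:
            raise ValueError(f"{sub}: Tiers must be 1..4, got {cur} and {tgt}")
        if tgt < cur:
            raise ValueError(f"{sub}: Target Tier {tgt} is below Current Tier {cur}")
        profile.append(Outcome(sub, cur, tgt))
    return profile


def current_tier(profile: list) -> int:
    """Overall Current Tier; assumption: the weakest outcome sets the Tier."""
    return min(o.current for o in profile)


def gap_roadmap(profile: list) -> list:
    """Outcomes that must move, largest gap first, then lowest Current Tier first."""
    gaps = [o for o in profile if o.gap > 0]
    return sorted(gaps, key=lambda o: (-o.gap, o.current, o.subcategory))


def category_gaps(profile: list) -> dict:
    """Per category: (lowest Current Tier, lowest Target Tier, number of open gaps)."""
    summary = {}
    for o in profile:
        cur, tgt, open_gaps = summary.get(o.category, (4, 4, 0))
        summary[o.category] = (min(cur, o.current), min(tgt, o.target),
                               open_gaps + (1 if o.gap > 0 else 0))
    return summary


# Constructed sample: a firm at Tier 3 on most outcomes but weak on risk
# assessment and supply chain, which management wants raised to Tier 4.
SAMPLE_CURRENT = {sub: 3 for sub in SUBCATEGORIES}
SAMPLE_CURRENT.update({"ID:RA4": 2, "ID:RA5": 2, "ID:RA6": 2, "ID:RM3": 2,
                       "ID:SC1": 1, "ID:SC2": 1, "ID:SC3": 2, "ID:SC4": 1, "ID:SC5": 1})
SAMPLE_TARGET = {sub: 4 if sub[3:5] in ("RA", "SC") else 3 for sub in SUBCATEGORIES}

if __name__ == "__main__":
    profile = build_profile(SAMPLE_CURRENT, SAMPLE_TARGET)
    tier = current_tier(profile)
    print(f"Current Tier: {tier} ({TIER_NAMES[tier]})")
    for o in gap_roadmap(profile):
        print(f"{o.subcategory}  {SUBCATEGORIES[o.subcategory]:34} "
              f"Tier {o.current} -> Tier {o.target} (gap {o.gap})")
```

Running the block lists the supply chain outcomes first (gap of three Tiers), then the risk assessment gaps, so the roadmap mirrors the chapter's advice to close the largest gaps in the weakest categories first.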

CONCLUSION

We proposed a strategic framework based on ISO 31000 and NIST
Cybersecurity Framework in this chapter for managing cybersecurity
performance. As a summary of the framework, we highlight some strategic
cybersecurity risk management dimensions that we consider are important
for organizations to include in their CSP and EISP to develop an effective
enterprise cyber risk control process. The CSP should be tailored to
individual organizations and deliberate in design and development to
effectively deal with the CIA triad attributes in their specific risk
environment. That entails optimizing the cyber risk exposure by
employing state-of-the-art technology to reduce the attack surface and
vulnerabilities of SND. Cybersecurity SRM activities and ORM policies
and procedures must be guided by industry standards and best practices to
precisely target the intrinsic risks of the organization, augmented by
quality protection and controls. Companies should keep up-to-date on the
latest cyber threats, the threat agents, and their motivations to execute
timely and effective mitigation measures to protect their digital assets. This
requires pertinent cyber threat information gathered from a diversity of
sources such as regulators, analysts, experts, media, industry peak bodies,
professional organizations, and government cybersecurity organizations. It
is imperative that all relevant stakeholders, both internal and external,
are consulted and that participants agree with the strategic and operational
framework design and implementation plan for the cybersecurity program
for effective and efficient rollout. Roles and responsibilities must be
assigned to risk owners who shall be held responsible and accountable for
the efficient execution and operation of the policies and procedures.
The organization should implement an effective crisis response and
recovery plan whose processes are familiar to all employees and tested
regularly to reinforce corporate resilience for business continuity in the
event of an attack. The company should adopt the principles of a learning
organization when it comes to cybersecurity where lessons are derived
from cybersecurity incidents or events for continuous improvement
(Garvin, 1993).
Finally, we acknowledge the importance of the continuing and growing
trend in research on the technical aspects of cyber risk relating to software
protocol design (Ryan, Schneider, Goldsmith, Lowe, & Roscoe, 2000;
Roscoe and Goldsmith, 1997), risk identification and the temporal element
of attack motivations (Howard and Longstaff, 1998), the cyber kill chain
(Hutchins, Cloppert, & Amin, 2011), the event-driven response model
(Happa, Fairclough, Nurse, Agrafiotis, Goldsmith, & Creese, 2016) and
cyber-attack modeling (Happa & Fairclough, 2017). The results from these
areas of study will undoubtedly contribute to the pool of knowledge on
cybersecurity and enable more effective cyber risk management.

REFERENCES

ACSC (Australian Cyber Security Centre). 2020. ACSC Annual Cyber Threat Report: July 2019 to June 2020. http://www.cyber.gov.au/sites/default/files/2020-09/ACSC-Annual-Cyber-Threat-Report-2019-20.pdf.
AFR - Australian Financial Review (Dunn, J.). 2015. “Business risks are getting bigger and faster: KPMG Australia.” 13 April 2015. https://www.afr.com/companies/business-risks-are-getting-bigger-and-faster-kpmg-australia-20150409-1mhr4n#ixzz4ki1TyCfa.
Agarwal, R., & Ansell, J. 2016. “Strategic change in enterprise risk management.” Strategic Change, 25(4), pp. 427-439.
Agarwal, R., & Helfat, C. 2009. “Strategic renewal of organizations.” Organization Science, 20, pp. 281-293.
AGCS - Allianz Global Corporate & Specialty. 2015. A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity. London/New York/Munich. Released on 9 September 2015. https://www.agcs.allianz.com/news-and-insights/reports/a-guide-to-cyber-risk.html.
Ahmad, S., Ng, C., & McManus, L. A. 2014. “Enterprise risk management (ERM) implementation: Some empirical evidence from large Australian companies.” Procedia-Social and Behavioral Sciences, 164, pp. 541-547.
220 References

Altenbach, T. 1995. A Comparison of Risk Assessment Techniques from


Qualitative to Quantitative. Lawrence Livermore National
Laboratory. https://www.osti.gov/scitech/servlets/purl/67753/.
Amjad, A., Nicholson, M., Stevenson, C. & Douglas, A. 2016. “From
security monitoring to cyber risk monitoring.” Enabling business-
aligned cybersecurity. Deloitte Review, Issue 19.
Ammar, J., & Xu, S. 2018. “Extreme groups and the militarization of social
media.” in When Jihadi Ideology Meets Social Media, Springer, pp.
25-59.
Anderson, R., & Moore, T. 2006. “The economics of information
security.” Science, 314(5799), pp. 610–613.
Andersen, T. and Roggi, O. 2012. “Strategic Risk Management and
Corporate Value Creation.” Proceedings of the Strategic Management
Society. 32nd Annual International Conference Prague. October 7-9,
2012.
Ansell, J. and Wharton, F. 1992. Risk: Analysis, Assessment and
Management. Wiley, New York.
Aon Corporation 2017. Global Risk Management Survey 2017. http://www.aon.com/2017-global-risk-management-survey/pdfs/2017-Aon-Global-Risk-Management-Survey-Full-Report-062617.pdf (accessed 15/10/2020).
Argenti, P. 2002. "Crisis communication: Lessons from 9/11." Harvard Business Review, 80(12), (December), pp. 103-109.
Augustine, N. R. 1995. "Managing the crisis you tried to prevent." Harvard Business Review, 73(6), November/December, pp. 147-158.
Babbie, E. R. 2008. The Basics of Social Research. Belmont, Thompson
Wadsworth.
Baiardi, F. and Sgandurra, D. 2013. "Assessing ICT risk through a Monte Carlo method." Environment Systems and Decisions, 33(4), pp. 486-499.
Bamakan, S. M. & Dehghanimohammadabadi, M. 2015. "A weighted Monte Carlo simulation approach to risk assessment of information security management system." International Journal of Enterprise Information Systems, 11(4), pp. 63-78.
Bashir, M. A. and Christin, N. Three Case Studies in Quantitative Information Risk Analysis. Carnegie Mellon University, INI/CyLab Japan. https://www.andrew.cmu.edu/user/nicolasc/publications/ash.pdf.
Beasley, M. S., Pagach, D. P., & Warr, R. S. 2008. “Information conveyed
in hiring announcements of senior executives overseeing enterprise-
wide risk management processes.” Journal of Accounting, Auditing, &
Finance, 23, pp. 311–332.
Beasley, M., Branson, B. and Hancock, B. 2020. The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. AICPA. Available at: "2020 The Current State of Enterprise Risk Oversight", Professional Insights, AICPA (Accessed: 30 June 2021).
Belani, G. 2020. Cybersecurity Threats to be Aware of in 2020. IEEE Computer Society (online). https://www.computer.org/publications/tech-news/trends/5-cybersecurity-threats-to-be-aware-of-in-2020.
Beretta, S. and Bozzolan, S. 2004. “A framework for the analysis of firm
risk communication.” The International Journal of Accounting, 39(3),
pp. 265-288.
Biener, C., Eling, M. & Wirfs, J. H. 2015. "Insurability of cyber risk: An empirical analysis." The Geneva Papers on Risk and Insurance – Issues and Practice, 40(1), pp. 131-158.
Black, F. 1995. “Hedging, Speculation, and Systemic Risk.” Journal of
Derivatives, 2, (Summer), pp. 6-8.
Borker, D. R. & Vyatkin, V. N. 2012. “Toward a general holistic theory of
risk.” Journal of American Academy of Business, Cambridge, 18(1),
pp. 33-38.
Bose, I., & Leung, A. C. M. 2014. "Do phishing alerts impact global corporations? A firm value analysis." Decision Support Systems, 64, pp. 67-78.
Brewer, J., & Hunter, A. 2006. Foundations of Multi-method Research:
Synthesizing Styles. Thousand Oaks, Sage.
Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. 2015.
“Enterprise risk management: Review, critique and research
directions.” Long Range Planning, 48(4), pp.265-276.
Burch, J. G., Strater, F. R., & Grudnitski, G. 1979. Information Systems: Theory and Practice. 2nd Edition, Canada: John Wiley & Sons, Inc.
Burtescu, E. 2012. "Decision assistance in risk assessment – Monte Carlo simulations." Informatica Economică, vol. 16, no. 4/2012, pp. 86-92.
Cambridge Centre for Risk Studies, 2016. Cambridge Global Risk Index
2017. Cambridge Centre for Risk Studies. University of Cambridge.
https://www.jbs.cam.ac.uk/fileadmin/user_upload/research/centres/ris
k/downloads/cambridgeglobalriskindex2017.pdf.
Cavusoglu, H., Mishra, B., and Raghunathan, S. 2004. "A model for evaluating IT security investments." Communications of the ACM, 47(7), pp. 87-92.
Cayirci, E. & Ghergherehchi, R. 2011. “Modelling cyber-attacks and their
effects on decision process.” Proceedings of the 2011 Winter
Simulation Conference, S. Jain, R.R. Creasey, J. Himmelspach, K.P.
White, and M. Fu, eds.
Chacko, L., Sekeris, E., & Herbolzheimer, C. 2016. "Can You Put a Dollar Amount on Your Company's Cyber Risk?" Harvard Business Review (hbr.org) (Accessed 5/8/2021).
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., Stoddart, K. 2016. "A Review of Cyber Security Risk Assessment Methods for SCADA Systems." Computers & Security, 56 (2016), pp. 1–27. http://ac.els-cdn.com/S0167404815001388/1-s2.0-S0167404815001388-main.pdf?_tid=f39f116e-6c51-11e7-99ec-00000aab0f01&acdnat=1500448669_023f9d43f76e51f0114302e65ae4f19f.
Chileshe, N. & Kikwasi, G. J. 2014. “Critical success factors for
implementation of risk assessment and management practices within
the Tanzanian construction industry.” Engineering, Construction and
Architectural Management, 21(3), pp. 291-319.
Collier, Z. A., Linkov, I., & Lambert, J. H. 2013. "Four domains of cybersecurity: A risk-based systems approach to cyber decisions." Environment Systems and Decisions, 33(4), pp. 469–470.
Conrad, J. R. 2005. Analyzing the risks of information security investments with Monte-Carlo simulations. http://infosecon.net/workshop/pdf/13.pdf.
Coombs, W. 2007. Ongoing Crisis Communication: Planning, Managing
and Responding. (2nd ed.), Sage, Los Angeles.
Corbin, Juliet M., & Strauss, A. 2008. Basics of Qualitative Research:
Techniques and Procedures for Developing Grounded Theory.
Thousand Oaks, CA, Sage.
COSO (Committee of Sponsoring Organizations of the Treadway
Commission) 2009. Effective ERM Oversight: The Role of the Board
of Directors. https://www.coso.org/Documents/COSOBoardsERM4
pager-FINALRELEASEVERSION82409_001.pdf.
COSO (Committee of Sponsoring Organizations of the Treadway
Commission) 2012. Enterprise risk management: Understanding and
communicating risk appetite. https://www.coso.org/Documents/
ERM-Understanding-and-Communicating-Risk-Appetite.pdf.
COSO (Committee of Sponsoring Organizations of the Treadway
Commission) 2009. Strengthening ERM for Strategic Advantage.
https://www.coso.org/documents/COSO_09_board_position_final10
2309PRINTandWEBFINAL_000.pdf.
Creswell, John W. 2008. Qualitative Inquiry and Research Design:
Choosing Among Five Traditions. Thousand Oaks, California, SAGE.
Crouhy, M., Galai, D. & Mark, R. 2006. The Essentials of Risk Management. McGraw-Hill, New York.
D'Arcy, S. P. 2001. “Enterprise risk management.” Journal of Risk
Management of Korea, 12(1), pp. 207-228.
Dawkins, R. 1998. Unweaving the Rainbow. New York: Penguin.
De Jong, M. 2008. Survival of the institutionally fittest concepts. A
Memetics Compendium, 394.
Deloitte 2013. Exploring Strategic Risk: 300 executives around the world say their view of strategic risk is changing. Deloitte and Forbes Insights.
Deloitte 2013. Risk Culture: Three Stages of Continuous Improvement. http://deloitte.wsj.com/riskandcompliance/2013/05/21/risk-culture-three-stages-of-continuous-improvement/.
Deloitte 2017. Cybersecurity Risk Management Oversight and Reporting. Deloitte Development LLC. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-cybersecurity-risk-management-oversight-and-reporting.pdf (accessed 19/9/2021).
Didraga, O. 2013. "The role and effects of risk management in IT project success." Informatica Economica, 17(1), pp. 86-98.
Dodel, M. & Mesch, G. 2019. “An integrated model for assessing cyber-
safety behaviours: How cognitive, socio economic and digital
determinants affect diverse safety practices.” Computers & Security,
86, pp. 75-91.
Dowd, K. 1998. Beyond Value at Risk: The New Science of Risk
Management. Wiley.
Duffie, D. & Pan, J. 1997. "An Overview of Value at Risk." The Journal of Derivatives, Spring, 4(3), pp. 7-49. DOI: https://doi.org/10.3905/jod.1997.407971.
Elliott, M. W. 2019. Risk in an Evolving World. 1st edition. The Institutes.
Epstein, M. J. & Buhovac, A. R. 2006. The Reporting of Organizational
Risks for Internal and External Decision-Making. The Society of
Management Accountants of Canada and The American Institute of
Certified Public Accountants.
Ernst and Young 2014. Cyber Program Management: Identifying Ways to Get Ahead of Cybercrime. 0055f20160429_009_Studie_2014_EY_cyber-program-management.pdf (acfe.de) (Accessed: 3 March 2020).
Ernst and Young 2018. Cybersecurity for industry 4.0: Cybersecurity
implications for government, industry and homeland security.
Ettredge, M., Guo, F., & Li, Y. 2018. “Trade secrets and cyber security
breaches.” Journal of Accounting and Public Policy, 37(6), pp. 564–
585.
Fagade, T., Maraslis, K., & Tryfonas, T. 2017. "Towards effective cybersecurity resource allocation: the Monte Carlo predictive modelling approach." International Journal of Critical Infrastructures, 13(2-3), pp. 152-167. https://doi.org/10.1504/IJCIS.2017.088235.
Falco, G., Eling, M., Jablanski, D., Weber, M., Miller, V., Gordon, L., Wang, S., Schmit, J., Thomas, R., Elvedi, M., Maillart, T., Donavan, E., Dejung, S., Durand, E., Nutter, F., Scheffer, U., Arazi, G., Ohana, G. & Lin, H. 2019a. A Research Agenda for Cyber Risk and Cyber Insurance. ResearchAgendaforCyberRiskandCyberInsurance.pdf (Accessed 27 July 2021).
Falco, G., Eling, M., Jablanski, D., Weber, M., Miller, V., Gordon, L., Wang, S., Schmit, J., Thomas, R., Elvedi, M., Maillart, T., Donavan, E., Dejung, S., Durand, E., Nutter, F., Scheffer, U., Arazi, G., Ohana, G. & Lin, H. 2019b. "Cyber risk research impeded by disciplinary barriers." Science, 366(6469), pp. 1066-1069.
Faris, C., Gilbert, B., LeBlanc, B., Ballou, B. & Heitger, D. L. 2013. Demystifying Sustainability Risk: Integrating the Triple Bottom Line into an ERM Program. COSO. https://www.coso.org/documents/COSO-ERM%20Demystifying%20Sustainability%20Risk_Full%20WEB.pdf.
Feurer, R., and Chaharbaghi, K., 1995. “Performance Measurement in
Strategic Change.” Benchmarking for Quality Management &
Technology. 2(2), pp. 64-83.
Foltz, C. B. 2004. "Cyberterrorism, computer crime, and reality." Information Management & Computer Security, 12(2), pp. 154-166.
Fowler, K. 2016. Data Breach Preparation and Response: Breaches are Certain, Impact is Not. 1st Edition. Syngress/Elsevier.
Frigo, M. and Anderson, R. 2011. Embracing ERM: A Practical Approach for Getting Started. https://www.coso.org/Documents/Embracing-ERM-Getting-Started.pdf.
Froot, K. A., Scharfstein, D. S. & Stein, J. C. 1993. "Risk management: coordinating corporate investment and financing policies." Journal of Finance, 48(5), pp. 1629-1658.
Frosdick, S. 1997. "The techniques of risk analysis are insufficient in themselves." Disaster Prevention and Management, 6(3), pp. 165-177.
Garvin, D. 1993. "Building a learning organization." Harvard Business Review, Organisational Learning Series, July-August 1993.
Gerber, M. & Von Solms, R. 2005. "Management of risk in the information age." Computers & Security, 24(1), pp. 16–30.
George, T. 2017. Cyber Risk, Cyber Threats, and Cyber Security: Synonyms or Oxymorons? SecurityWeek [2017, August 29]. https://www.securityweek.com/cyber-risk-cyber-threats-and-cyber-security-synomyms-or-oxymorons.
Gregersen, H. 2018. "Better brainstorming." Harvard Business Review, March–April 2018. https://hbr.org/2018/03/better-brainstorming.
Gisladottir, V., Ganin, A. A., Keisler, J. M., Kepner, J. & Linkov, I. 2017.
“Resilience of cyber systems with over- and underregulation.” Risk
Analysis, 37(9), pp. 1644-1651.
Gordon, L. A., & Loeb, M. P. 2002. “The economics of information
security investment.” ACM Transactions on Information and System
Security (TISSEC), 5(4), pp. 438–457.
Gordon, L. A., Loeb, M. P., & Sohail, T. 2003. “A framework for using
insurance for cyber risk management.” Communications of the ACM,
46(3), pp. 81–85.
Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Zhou, L. 2015a. “The
impact of information sharing on cybersecurity underinvestment: A
real options perspective.” Journal of Accounting and Public Policy,
34(5), pp. 509–519.
Gordon, L. A., Loeb, M. P., Lucyshyn, W. & Zhou, L. 2015b.
“Externalities and the magnitude of cyber security underinvestment by
private sector firms: A modification of the Gordon-Loeb Model.”
Journal of Information Security, 6, pp. 24-30.
Grabowski, M. and Roberts, K. H. 1999. "Risk mitigation in virtual organizations." Organization Science, 10(6), pp. 704-721.
Hadlington, L. 2017. "Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours." Heliyon, 3(7), e00346.
Hansel, M. 2018. "Cyber-attacks and psychological IR perspectives: explaining misperceptions and escalation risks." Journal of International Relations and Development, 21(3), pp. 523-551. doi:10.1057/s41268-016-0075-8.
Happa, J. and Fairclough, G. 2017. “A model to facilitate discussions about
cyber attacks.” Ethics and Policies for Cyber Operations, Springer
International Publishing, pp. 169-185.
Happa, J., Fairclough, G., Nurse, J.R., Agrafiotis, I., Goldsmith, M. and
Creese, S. 2016. “A pragmatic system-failure assessment and response
model.” International Conference on Information Systems Security
and Privacy, SCITEPRESS Digital Library.
Hectus, J. 2016. Cybersecurity beyond traditional risk management. Inside
Counsel, New York (Sep 15, 2016). http://www.kyl.com/wp-
content/uploads/2016/12/Inside-Counsel-Article-Hectus.pdf
(accessed 22/10/2020).
Henshel, D., Sample, C., Cains, M. & Hoffman, B. 2016. “Integrating
cultural factors into human factors framework and ontology for cyber
attackers.” in Advances in Human Factors in Cybersecurity, Advances
in Intelligent Systems and Computing, ed. D. Nicholson. Cham:
Springer International Publishing, pp. 123-137.
Higgs, J. L., Pinsker, R. E., Smith, T. J., & Young, G. R. 2016. “The
relationship between board-level technology committees and reported
security breaches.” Journal of Information Systems, 30(3), pp. 79-98.
Hillson, D. 1997. “Towards a risk maturity model.” International Journal
of Project and Business Risk Management, 1 (Spring), pp. 35–45.
Hiscox 2017. The Hiscox Cyber Readiness Report 2017, Hiscox, London.
https://www.hiscox.com/documents/brokers/cyber-readiness-
report.pdf (accessed 17/10/2020).
HM Government & Marsh 2015. The Role of Insurance in Managing and
Mitigating the Risk. UK Cyber Security, London.
Ho, B. C., Oh, K. B., Durden, G. & Slade, B. 2010. Crisis Decision
Making. Nova Science Publishers, New York.
Hofstede, G. 2001. Culture's Consequences: Comparing Values, Behaviors, Institutions and Organizations across Nations. Sage Publications.
Hollmann, J. K. 2012. "Estimate accuracy: Dealing with reality." Cost Engineering, 54(6), pp. 17.
Holt, T. J. 2012. “Exploring the Intersections of Technology, Crime, and
Terror.” Terrorism and Political Violence, 24, no. 2, pp. 337-354.
Holton, G. A. 2004. “Defining Risk.” Financial Analysts Journal, Volume
60, Number 6, CFA Institute. https://www.glynholton.com/wp-
content/uploads/papers/risk.pdf (accessed 22/10/2020).
Howard, J. D. and Longstaff, T. A. 1998. A Common Language for
Computer Security Incidents. Sandia National Laboratories.
Hoyt, R. E., & Liebenberg, A. P. 2011. “The value of enterprise risk
management: Evidence from the U.S. insurance industry.” Journal of
Risk and Insurance, 78(4), pp. 795–822.
Hurst, W., Merabti, M. & Fergus, P. 2014. “Big data analysis techniques
for cyber threat detection in critical infrastructures.” In Proceedings of
the 2014 28th International Conference Advanced Information
Networking and Applications Workshops, pp. 916-921, IEEE.
Hutchins, E. M., Cloppert, M. J. and Amin, R. M. 2011. “Intelligence-
driven computer network defense informed by analysis of adversary
campaigns and intrusion kill chains.” Leading Issues in Information
Warfare & Security Research.
IRM (Institute of Risk Management) 2018. A Risk Practitioners Guide to
ISO 31000: 2018. London.
ISO/IEC Guide 73:2002. Risk Management – Vocabulary – Guidelines for use in Standards. International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Geneva.
ISO 31000:2009. Risk Management, Principles and Guidelines.
International Organization for Standardization, Geneva, 2009.
ISO 27000:2014. Information Technology - Security Techniques –
Information Security Management Systems - Overview and
Vocabulary. International Organization for Standardization/
International Electrotechnical Commission, Geneva.
James DeLoach and Jeff Thomson 2014. "Improving Organisational Performance and Governance: How the COSO Framework Can Help." COSO (Committee of Sponsoring Organizations of the Treadway Commission). https://www.coso.org/Documents/2014-2-10-COSO-Thought-Paper.pdf.
Jasper, S. 2020. Russian Cyber Operations: Coding the Boundaries of
Conflict. Georgetown University Press.
Jorion, P. 1997. Value at Risk: The Benchmark for Controlling Market
Risk. McGraw-Hill, Chicago.
Jorion, P. & Khoury, S. 1996. Financial Risk Management: Domestic and
International Dimensions. Cambridge, Mass.: Blackwell Business.
Kamiya, S., Kang, J., Kim, J., Milidonis, A. & Stulz, R. 2021. “Risk
management, firm reputation, and the impact of successful
cyberattacks on target firms.” Journal of Financial Economics, 139,
pp. 717-749.
Kaplan, R. S. and Mikes, A. 2012. “Managing Risks: A new framework.”
Harvard Business Review, June (2012). https://hbr.org/2012/
06/managing-risks-a-new-framework (accessed 23/10/2020).
Kardile, A. B. 2017. Crypto Ransomware Analysis and Detection Using
Process Monitor. Thesis. University of Texas, Arlington.
Kerzner, H. 2009. Project Management Systems Approach Planning,
Scheduling, and Controlling (10th ed.). Hoboken, NJ: John Wiley.
Kleffner, A. E., Lee, R. B. & McGannon, B. 2003. “The effect of corporate
governance on the use of ERM: Evidence from Canada.” Risk
Management and Insurance Review, 6(1), pp. 53-73.
Klimoski, R. 2016. "Critical success factors for cybersecurity leaders: Not
just technical competence." People and Strategy, vol. 39, no. 1, pp. 14.
Knight, F. H. 1921. Risk, Uncertainty and Profit. New York: Harper.
Koski, A. & Mikkonen, T. 2015. "Requirements, Architecture, and Quality in a Mission Critical System: 12 Lessons Learned." In Proceedings of ESEC/FSE'15, August 30 – September 4, 2015, Bergamo, Italy. http://dx.doi.org/10.1145/2786805.2804436.
KPMG, Glover, S. and Prawitt, D. 2012. Enhancing Board Oversight: Avoiding Judgment Traps and Biases. COSO (Committee of Sponsoring Organizations of the Treadway Commission). https://www.coso.org/documents/COSO-EnhancingBoardOversight_r8_Webready%20%282%29.pdf.
Kwak, Y. H., & Ingall, L. 2007. “Exploring Monte Carlo simulation
applications for project management.” Risk Management, 9(1), pp. 44–
57.
Lam, J., 2001. “The CRO is here to stay.” Risk Management, April, pp. 16-
20.
Lam, J. 2006. Emerging Best Practices in Developing Key Risk Indicators
and ERM Reporting. James Lam & Associates, Inc.
Lam, J. 2007. Enterprise risk management at Asian banks: From
challenges to strategies. Executive White Paper, Asia Risk
Management Institute (ARMI).
Lau, N., Pastel, R., Chapman, M. R., Minarik, J., Petit, J. & Hale, D. 2018.
"Human Factors in Cybersecurity – Perspectives from Industries."
Proceedings of the Human Factors and Ergonomics Society Annual
Meeting, vol. 62, no. 1, pp. 139-143.
Lerbinger, O. 1997. The Crisis Manager: Facing Risk and Responsibility. Mahwah, NJ: Lawrence Erlbaum Associates.
Les Coleman 2009. Risk Strategies: Dialing up Optimum Firm Risk.
Gower e-Book Publishing, Burlington, USA.
Lewis, J. 2002. Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies, Washington D.C. (csis-website-prod.s3.amazonaws.com) (Accessed 8 July 2021).
Liebenberg, A. P., & Hoyt, R. E. 2003. “The determinants of ERM:
Evidence from the appointment of CRO.” Risk Management and
Insurance Review, 6(1), pp. 37-52.
Linsley, P. M. & Shrives, P. J. 2006. "Risk reporting: A study of risk disclosures in the annual reports of UK companies." British Accounting Review, 38(4), pp. 387-404.
Lowe, D. J., Emsley, M. W., & Harding, A. 2006. "Predicting construction cost using multiple regression techniques." Journal of Construction Engineering and Management.
Madnick, S. E. 1978. “Management policies and procedures needed for
effective computer security.” Sloan Management Review, 20(1), pp.
61-74.
Maia, I. & Chaves, G. 2016. “Integration of Risk Management into
Strategic Planning: A New Comprehensive Approach.” Society of
Actuaries 2016 Enterprise Risk Management Symposium April 6–8,
2016, Arlington, Virginia.
Mak, S., Wong, J., & Picken, D. 1998. “The effect on contingency
allowances of using risk analysis in capital cost estimating: A Hong
Kong case study.” Construction Management & Economics, 16(6),
615–619.
Markowitz, H. 1952. "Portfolio Selection." The Journal of Finance, Vol. 7, No. 1 (Mar., 1952), pp. 77-91.
Marotta, A., & McShane, M. 2018. “Integrating a proactive technique into
a holistic cyber risk management approach.” Risk Management and
Insurance Review, 21(3), pp. 435–452.
Marsh 2015. UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk. Marsh LLC.
McKinsey & Company 2017. Protecting Your Critical Digital Assets: Not All Data and Systems are Created Equal. McKinsey (accessed 11/9/2021).
McKinsey & Company 2019. The Risk-based Approach to Cybersecurity. McKinsey.
McShane, M. 2018. “Enterprise risk management: History and a design
science proposal.” The Journal of Risk Finance, 19(2), pp. 137–153.
McShane, M., & Nguyen, T. 2020. “Time varying effects of cyberattacks
on firm value.” The Geneva Papers on Risk and Insurance – Issues &
Practice, 45(4), pp. 580-615.
Meulbroek, L. K. 2002. "Integrated Risk Management for the Firm: A
Senior Manager's Guide." Harvard Business School Working Paper,
No. 02-046, March 2002.
Miller, K. D. 1992. "A Framework for integrated risk management in international business." Journal of International Business Studies, vol. 23, issue 2, pp. 311-331.
Miller, S., Wagner, C., Aickelin, U. & Garibaldi, J. 2016. “Modelling
cyber-security experts’ decision making processes using aggregation
operators.” SSRN Electronic Journal, January 2016.
Modi, S. B., Wiles, M. A., & Mishra, S. 2015. “Shareholder value
implications of service failures in triads: The case of customer
information security breaches.” Journal of Operations Management,
35, pp. 21-39.
Modigliani, F. and Pogue, G. 1973. An Introduction to Risk and Return:
Concepts and Evidence.
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., & Sadhukhan,
S. K. 2013. “Cyber-risk decision models: To insure IT or not?”
Decision Support Systems, 56, pp.11-26.
Nifakos, S., Chandramouli, K., Nikolaou, C. K., Papachristou, P., Koch, S., Panaousis, E. & Bonacina, S. 2021. "Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review." Sensors, 21(15), 5119. https://doi.org/10.3390/s21155119.
NIST 2002. Risk Management Guide for Information Technology Systems.
Technical Report, National Institute of Standards and Technology
(NIST).
NIST 2014. Framework for Improving Critical Infrastructure
Cybersecurity. Technical Report, National Institute of Standards and
Technology (NIST).
Nocco, B. W., & Stulz, R. M. 2006. “Enterprise risk management: Theory
and practice.” Journal of Applied Corporate Finance, 18(4), pp.8-20.
OECD 2014. Risk Management and Corporate Governance. Corporate Governance, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264208636-en; http://www.oecd.org/daf/ca/risk-management-corporate-governance.pdf.
OECD 2015. Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document. Digital Economy Policy Legal Instruments. digital-security-risk-management.pdf (oecd.org) (Accessed 29/7/2021).
OECD 2017. Enhancing the Role of Insurance in Cyber Risk Management. OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264282148-en.
Oh, K. B. & Ho, B. C. T. 2010. Innovation and Technology Finance. Nova
Science, New York.
Oh, K., Ho, C., Pham, L., Huang, Y. and Wang, J. 2018. The Process of
Enterprise Risk Management. Nova Science, New York.
Olsen, R. "Is Your Business Ready for the Changing Cybersecurity Landscape?" CIO Review. https://cybersecurity.cioreview.com/cxoinsight/is-your-business-ready-for-the-changing-cybersecurity-landscape-nid-27270-cid-145.html (Accessed 29/9/2021).
Oracle.com 2020. The Oracle and KPMG Cloud Threat Report 2020.
Oracle (online). https://www.oracle.com/cloud/cloud-threat-report.
html.
Pandey, P. & Snekkenes, E. 2014. "Using Prediction Markets to Hedge Information Security Risks." In Proceedings of the 10th International Workshop on Security and Trust Management, Wroclaw, Poland. Springer Lecture Notes in Computer Science, vol. 8743.
Peltier T. R. 2001. Information Security Analysis. Auerbach, New York.
Perry, R. and Lindell, M. K. 2003. “Preparedness for emergency response:
Guidelines for the emergency planning process.” Disasters, 27(4), pp.
336–350.
Pfleeger, S. L., Predd, J., Hunker, J. & Bulford, C. 2010. “Insiders
behaving badly: Addressing bad actors and their actions.” IEEE
Transactions on Information Forensics and Security, 5(2), March.
Pham, L. & Oh, K. B. 2021. State on Board! Navigating Corporate
Governance in Emerging Market Business. Palgrave MacMillan,
London.
Predd, J., Pfleeger, S. L., Hunker, J. & Bulford, C. 2008. “Insiders
Behaving Badly.” IEEE Security and Privacy, 6(4), July/August, pp.
66-70.
PricewaterhouseCoopers 2018. Enterprise Risk Management. Available at: https://www.pwc.co.uk/audit-assurance/assets/pdf/enterprise-risk-management.pdf (Accessed 30 June 2021).
PwC 2011. In Times of Uncertainty: An Insight into Effective Risk
Reporting in a Changing Market. PwC Australia. https://www.
pwc.com.au/industry/banking-capital-markets/assets/insight-into-
effective-risk-reporting-sep11.pdf (accessed 19/9/2021).
Quarantelli, E. L. 1988. “Disaster crisis management: A summary of
research findings.” Journal of Management Studies, 25(4), pp. 373–
385.
Quintana, P. G. 2012. "Risk and Uncertainty." Business Review, Q1 2012. https://www.phil.frb.org/-/media/research-and-data/publications/business-review/2012/q1/brq112_risk-and-uncertainty.pdf.
Reagan, J. R., Raghavan, A. & Thomas, A. 2015. "Quantifying risk: What can cyber risk management learn from the financial services industry?" In New Perspectives on How Cyber Risk Can Power Performance. Deloitte University Press.
Rescher N. 1983. Risk: A Philosophical Introduction to the Theory of Risk
Evaluation and Management. University Press of America.
Robin, A., Campbell, D., Preedy, D., Paschino, E., Born, M., Haynes, P., Kazmi, P., Oikawa, R. & Getchell, S. 2002. "Microsoft Solutions Framework Risk Management Discipline." ResearchGate (PDF), researchgate.net.
Roscoe, B. and Goldsmith, M. 1997. The Perfect Spy for Model–Checking
Crypto–Protocols. Rutgers University, Piscataway, NJ.
Rot, A. 2008. “IT Risk Assessment: Quantitative and Qualitative
Approach.” Proceedings of the World Congress on Engineering and
Computer Science 2008, October 22 - 24, 2008, San Francisco, USA.
Rouse, M., 2014. What is confidentiality, integrity, and availability (CIA
triad)? Definition from WhatIs.com. [online] WhatIs.com. Available
at: <http://whatis.techtarget.com/definition/Confidentiality-integrity-
and-availability-CIA>.
RSA Security 2016. Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise. White Paper. https://www.rsa.com/content/dam/en/white-paper/cyber-risk-appetite.pdf.
Rubino, M. 2018. “A Comparison of the main ERM frameworks: How
limitations and weaknesses can be overcome implementing IT
governance.” International Journal of Business and Management,
13(12), pp. 203-214.
Ryan, P., Schneider, S.A., Goldsmith, M., Lowe, G. and Roscoe, A. 2000.
The Modelling and Analysis of Security Protocols: The CSP Approach.
Addison-Wesley Professional, Boston, MA.
Sasse, M., & Flechais, I. 2005. “Usable Security: Why Do We Need It?
How Do We Get It?” In L. F. Cranor and S. Garfinkel (Eds.), Security
and Usability. O’Reilly Publishing, pp. 13–30.
Segal, S. 2011. Corporate Value of Enterprise Risk Management. Wiley.
Shao, Z. 2019. "Interaction effect of strategic leadership behaviors and organizational culture on IS-Business strategic alignment and Enterprise Systems assimilation." International Journal of Information Management, 44, pp. 96-108.
Siegel, C. A., Sagalow, T. R., & Serritella, P. 2002. "Cyber risk management: Technical and insurance controls for enterprise level security." Information Systems Security, 11(4), pp. 33–49.
Singer, P.W. & Friedman, A. 2014. Cybersecurity and Cyber War: What
Everybody Needs to Know. New York, Oxford University Press.
Siponen, M. & Oinas-Kukkonen, H. 2007. “A review of information
security issues and respective research contributions.” ACM SIGMIS
Database: The database for Advances in Information Systems, 38(1),
pp. 60-80.
Slagmulder, R. and Devoldere, B. 2018. “Transforming under deep
uncertainty: A strategic perspective on risk management.” Business
Horizons, 61(5), pp. 733-743.
Standards Australia and Standards New Zealand 2009. AS/NZS ISO
31000:2009: Risk management - Principles and guidelines, 20
November 2009.
Starr, R., Newfrock, J., & Delurey, M. 2003. "Enterprise resilience: managing risk in the networked economy." Strategy and Business, 30, pp. 70–79.
Stavrou, A., Fleck, D., & Kolias, C. 2016. "On the Move: Evading Distributed Denial-of-Service Attacks." Computer, 49(3), pp. 104-107.
Stine, K., Quinn, S., Witte, G., Scarfone, K., & Gardner, R. 2020.
“Integrating Cybersecurity and Enterprise Risk Management (ERM).”
NIST Internal or Interagency Report (NISTIR) 8286 (Draft), National
Institute of Standards and Technology.
Taveras, P. 2019. “Cyber risk management, procedures and considerations
to address the threats of a cyber-attack.” Proceedings of the
ForenSecure: Cybersecurity and Forensics Conference, Chicago,
Illinois April 12th, 2019. https://www.researchgate.net/
publication/332411201_Cyber_Risk_Management_Procedures_and_
Considerations_to_Address_the_Threats_of_a_Cyber_Attack
(accessed 19/10/2020).
Toma, S. & Alexa, I. 2012. “Different Categories of Business Risk.”
Annals of Dunarea de Jos. University of Galati Fascicle I. Economics
and Applied Informatics Years XVIII – no2/2012. http://www.ann.
ugal.ro/eco/Doc2012.2/Toma_Alexa.pdf.
UNECE 2012. Risk Management in Regulatory Frameworks: Towards a
Better Management of Risks. UN New York & Geneva.
https://www.unece.org/fileadmin/DAM/trade/Publications/WP6_EC
E_TRADE_390.pdf.
Von Solms, R. and Van Niekerk, J. 2013. “From information security to
cyber security.” Computers and Security, 38, pp. 97–102.
Watsham, T. J. & Parramore, K. 1997. Quantitative Methods in Finance.
Volume 1, International Thomson Business Press.
Weick, K. and Suncliffe, K. 2007. Managing the Unexpected: Resilient
Performance in an Age of Uncertainty. Jossey-Bass Publishers, San
Francisco, CA.
References 237

Weill, P., & Ross, J. W. 2004. IT Governance: How Top Performers


Manage IT Decision Rights for Superior Results. Harvard Business
School Press.
Woods, D. W. & Simpson, A. C. 2020. Monte Carlo methods to investigate
how aggregated cyber insurance claims data impacts security
investments. Department of Computer Science, University of Oxford.
Monte-Carlo-methods-to-investigate-how-aggregated-cyber-
insurance-claims-data-impacts-security-investments.pdf
(researchgate.net) (Accessed 16/8/2021).
World Economic Forum (WEF) 2017. The Global Risks Report 2017. 12th
Edition, Geneva.
Young, S. D. & O'Byrne, S.F. 2000. EVA and Value-Based Management:
A Practical Guide to Implementation. McGraw-Hill.
Zhao, X., Hwang, B. -G., & Low, S. P. 2013. “Critical success factors for
enterprise risk management in Chinese construction companies.”
Construction Management and Economics, 31(12), pp. 1199-1214.
ABOUT THE AUTHORS

Kok-Boon Oh is a director of eGalaxy Proprietary Limited in Melbourne, Australia. He is a CPA member of Certified Practising Accountants (Australia) and a Chartered Accountant of the Malaysian Institute of Accountants (MIA). KB taught enterprise cyber risk management at the undergraduate and postgraduate levels in the cybersecurity program at La Trobe University, Australia. He was responsible for developing the cybersecurity ERM subjects for both the Bachelor of Cybersecurity and Master of Cybersecurity courses at La Trobe University. He has extensive industry experience in risk management, gained through his work as a corporate executive and academic and through his regular conference presentations and publications. He has co-published over 70 peer-reviewed papers and 12 reference books in the areas of finance and management, including books on crisis management and enterprise risk management. He completed Harvard's VPAL Cybersecurity: Managing Risk in the Information Age program in 2018.

Bruce Chien-Ta Ho is a professor in the Institute of Technology Management at National Chung Hsing University in Taiwan. He is also a director of the Electronic Commerce & Knowledge Economics Research Center. His current research interests include E-Commerce and performance evaluation. Bruce has over 150 publications in the form of journal papers, books, edited books, edited proceedings, edited special issues, and conference papers. Samples of his work can be found in Computers & Operations Research, Journal of the Operational Research Society, International Journal of Production Research, Online Information Review, Industrial Management and Data Systems, and Production Planning and Control. He is also the Editor of the International Journal of Electronic Customer Relationship Management.

Bret Slade taught at La Trobe University, Australia, and has experience in organisational headquarters and strategic management consulting roles. His areas of expertise are leadership, strategy, decision making, emergency management and security. He has worked extensively in management with Australian national and state government organisations, including the Australian Defence Force, the Australian Securities and Investments Commission, and the Victoria Country Fire Authority. Bret also has experience working in Asia, including China, Vietnam and Malaysia. Bret has a PhD in Strategic Management. His doctorate focused on national defence within a diagnostic framework designed to identify organisational effectiveness in high-tempo, mission-critical environments.
INDEX

#

4Ts, 5, 140

A

artificial intelligence (AI), 28, 95, 161, 162, 163

B

Basel Committee on Banking Supervision, 65, 90
Basel III, 73, 80, 90
big data, 29, 113, 161, 163, 228
blockchain, 95, 161, 162, 163
board and senior management, 50, 56, 115, 201, 207, 214
botnet, 35, 38
bow-tie method, 108, 109
business impact analysis (BIA), xv, 30, 109, 110, 135, 193, 194
business-critical system, 30

C

chief information security officer (CISO), xv, 20, 21, 57, 62, 64, 66, 140, 189, 206, 209
chief risk officer (CRO), xv, 20, 45, 57, 63, 66, 78, 96, 152, 188, 201, 206, 230
cloud computing, 29, 95, 143, 161
COBIT, 73, 88, 89
confidentiality, integrity, and availability (CIA), xv, xvi, 6, 7, 11, 12, 29, 33, 49, 57, 87, 97, 99, 102, 104, 149, 161, 167, 169, 181, 204, 206, 217, 234
conventional risks, 50, 151
convergence, vii, 49, 50, 51
corporate cyber risk, 25, 208
corporate risk environment, v, vii, 23, 24, 25, 26
corporate vision, goals, and objectives, 4, 49
COSO ERM, 9, 73, 79
crisis management function, 54, 67
crisis response, xv, 87, 180, 184, 187, 191, 192, 194, 200, 201, 217
critical data, 31
critical information assets, 2, 29, 93, 96, 102, 188, 193
cyber crisis management plan (CCMP), xv, 179, 180, 181, 182, 184, 185, 189, 190, 191, 192, 193, 194
cyber insurance, 130, 150, 151, 152, 153, 225, 237
cyber insurance market, 150
cyber risk, v, vii, viii, ix, xi, xii, xvi, 1, 2, 3, 5, 6, 7, 11, 12, 15, 16, 17, 18, 20, 21, 23, 25, 27, 28, 29, 32, 33, 34, 44, 46, 50, 51, 55, 57, 58, 59, 61, 62, 63, 65, 66, 68, 69, 70, 72, 75, 80, 91, 93, 94, 95, 96, 99, 102, 105, 106, 112, 113, 115, 116, 117, 118, 125, 126, 127, 128, 134, 135, 137, 139, 140, 141, 143, 145, 150, 151, 152, 153, 155, 160, 163, 165, 168, 170, 171, 173, 182, 187, 188, 195, 198, 201, 204, 205, 207, 208, 209, 210, 214, 217, 218, 219, 220, 221, 222, 225, 226, 231, 232, 233, 234, 235, 236, 239
cyber risk management standards, 70, 80
cyber threats, v, ix, xii, xviii, 1, 2, 11, 12, 13, 23, 24, 26, 28, 33, 35, 36, 37, 42, 44, 45, 49, 50, 55, 62, 65, 66, 73, 81, 94, 95, 96, 97, 105, 108, 112, 115, 117, 120, 121, 122, 126, 127, 128, 134, 135, 155, 162, 182, 197, 198, 206, 208, 217, 226, 230
cybercrime and cyber-terrorism, 7
cybercriminals, 33, 36, 39, 40, 41, 98, 144
cybersecurity frameworks, 73
cybersecurity investment, 16
cybersecurity risk and return, 16
cybersecurity standards, xvi, 72, 73, 215
cyber-terrorist attacks, 8

D

decision tree, 127, 132, 133
digital economy, 5, 23, 33, 232
digital world, 13, 28, 72, 127, 145, 194, 206

E

effective enterprise risk management, 4, 23, 140, 167
effective identification function, 98
EMV, viii, xvi, 127, 128, 129
endogenous mitigation, 141
enforceable cybersecurity regulations, 71
enterprise Information Security Policy (EISP), xvi, 57, 60, 77, 181, 201, 206, 213, 214, 217
enterprise risk, v, xi, xii, xiii, xvi, 1, 2, 5, 6, 8, 9, 10, 13, 18, 19, 21, 24, 43, 44, 45, 46, 47, 49, 50, 51, 52, 53, 54, 58, 59, 63, 66, 68, 69, 73, 74, 75, 77, 78, 79, 85, 93, 94, 107, 116, 118, 130, 133, 134, 140, 171, 184, 185, 188, 197, 198, 200, 201, 202, 205, 207, 209, 216, 219, 221, 223, 228, 230, 231, 232, 233, 234, 235, 236, 237, 239
enterprise risk management strategy, 185, 197
equity market, 45
European Data Protection Regulation, 89

F

framework implementation, 81, 84
framework profile, 81, 83, 215

G

global economy, 28

H

heat map, viii, 121, 122, 123, 124, 136
hedging, ix, 140, 141, 144, 150, 153, 154, 155, 221
holistic approach, 9, 10, 44, 49, 51, 64
human factors, 6, 7, 24, 32, 226, 227, 230, 232

I

ICT processes, 25
industries, 20, 29, 31, 40, 41, 96, 134, 152, 198, 199, 208, 230
information network, 31, 101, 228
intrusion detection and prevention systems (IDPS), 144, 158, 167, 170, 190
IoT devices, 35
ISO 27000 series, viii, 75, 85, 88
ISO 31000, vii, 2, 8, 12, 52, 65, 73, 75, 76, 77, 78, 199, 200, 201, 217, 228, 235

K

key performance indicators (KPIs), xvii, 19, 53, 60, 169, 172

L

leadership and governance, 63, 198, 201, 204, 208
leveraging technology, 29

M

malicious external threat, 36, 98, 99
malicious internal threats, 36, 98
mission-critical systems, 30, 159
Monte Carlo simulation, 130, 131, 134, 220, 222, 230

N

network diagram, 101, 110, 112, 188
NIST (2002), 35
NIST framework, 71, 80, 99
NIST/CSF, viii, xvii, 27, 32, 71, 80, 81, 82, 83, 84, 97, 99, 101, 102, 104, 119, 120, 146, 174, 182, 199, 201, 205, 210, 212, 215, 216
NIST/CSF framework core, viii, 81, 82, 99, 205
NIST/CSF functions, 99
non-human factors, 6, 32

O

operational risk management (ORM), vii, viii, xii, xvii, 2, 4, 43, 47, 52, 53, 54, 55, 60, 63, 64, 65, 66, 67, 71, 77, 78, 79, 81, 93, 94, 95, 101, 102, 109, 113, 118, 119, 120, 135, 139, 140, 141, 146, 167, 168, 172, 199, 200, 201, 217

P

penetration testing, 105, 111, 191
portfolio risk, vii, 18, 46
portfolio theory approach, 45
post-crisis phase, 181, 193
pre-crisis management, 185, 201
predictive risk control, 54
pre-emptive steps, 54

Q

qualitative assessment, 121, 126
quantification, xvii, 55, 99, 116, 117, 126, 134, 135, 136
quantitative assessment, 126, 154

R

ransomware software, 41
reactive actions, 54
regulatory compliance, 21, 71, 78
risk assessment, viii, xii, xvii, xviii, 47, 49, 52, 56, 66, 78, 82, 85, 87, 88, 94, 98, 100, 101, 110, 113, 116, 117, 118, 119, 120, 121, 122, 123, 125, 126, 127, 135, 136, 140, 143, 146, 177, 181, 186, 211, 214, 220, 222, 234
risk culture, 47, 59, 166, 198, 202, 207, 224
risk data quality assessment, 125
risk entity or committee, 63
risk identification, viii, xii, xvii, xviii, 4, 13, 47, 66, 93, 94, 95, 96, 97, 99, 101, 102, 104, 107, 110, 112, 113, 117, 122, 135, 140, 211, 218
risk mapping, 135, 136
risk mitigation objective, 139
risk monitoring, viii, xvii, xviii, 62, 70, 166, 169, 174
risk register, 99, 105, 112, 113, 120, 182, 184
risk reporting, xviii, 165, 166, 171, 173, 176, 230, 234
risk tolerance, 9, 18, 19, 20, 47, 51, 68, 77, 83, 87, 100, 116, 129, 140, 144, 153, 167, 169, 181, 198, 200, 201, 203, 204, 207, 210, 211, 214, 215, 216
risk-based approach, 65, 201, 205, 207, 208, 209, 210

S

safety-critical system, 30, 31
security incident, ix, 35, 36, 39, 41, 153, 181, 190, 228
self-regulation, 71
social engineering, 29, 33, 37, 39, 42, 111, 112, 156
standalone risk, 18
strategic cyber risk management, 46, 198
strategic objectives, xviii, 47, 52, 53, 56, 57, 96, 113, 121, 130, 139, 201, 206, 216
strategic risk management (SRM), vii, xvii, xviii, 2, 4, 43, 47, 52, 53, 54, 60, 63, 64, 65, 71, 74, 75, 77, 78, 94, 101, 136, 140, 172, 197, 199, 200, 201, 205, 210, 217, 220
supply chain risk management, 82, 214
SWOT (strengths-weaknesses-opportunities-threats) analysis, 105, 106, 122
systematic risk, 17, 18, 24, 25, 126

T

threat actors, ix, 36, 39, 98
threat identification questions, ix, 97
traditional risk management (TRM), xviii, 3, 8, 9, 102, 227

U

unsystematic risk, 17, 18, 24, 25

V

VaR methodology, 133