CYB2203:

CYBERSECURITY IN
BUSINESS AND
INDUSTRY

A.U. Suleiman
Department of Cybersecurity,
YUMSUK

2023/2024
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

DISCLAIMER
THIS DOCUMENT DOES NOT CLAIM ANY ORIGINALITY AND CANNOT BE USED AS
A SUBSTITUTE FOR PRESCRIBED TEXTBOOKS. THE INFORMATION PRESENTED
HERE IS MERELY A COLLECTION BY THE COURSE LECTURER FOR TEACHING
ASSIGNMENTS. VARIOUS TEXT BOOKS AS WELL AS FREELY AVAILABLE
MATERIAL FROM INTERNET WERE CONSULTED FOR PREPARING THIS
DOCUMENT. THE OWNERSHIP OF THE INFORMATION LIES WITH THE RESPECTIVE
AUTHORS OR INSTITUTIONS.

2|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

COURSE OUTLINE
A study of the application and integration of cybersecurity principle, frameworks, standards and
best practices to the management, governance and policy development processes for business.

Discussion covers the organization, management and governance of cybersecurity for enterprise IT
in business settings; risk and risk management practices; and development and implementation of
industry-wide cybersecurity initiatives and programs.

3|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Chapter 1: Basic Concepts of

Cybersecurity
This chapter presents an introduction to cybersecurity from a strategic, or business, point of view.
It is geared towards future managers, to give them an outlook on the meaning of the concepts of
cybersecurity that they need to be aware of, many of them being non-IT practitioners, but who will
obviously be involved in dealing with information technology and the security aspects related to
these. As part of the new reality of the business landscape, managers need to understand the basic
tenants of information security and cybersecurity. Cybersecurity being information security applied
to cyberspace, the connected world that organizations all live in.
Cybersecurity is a critical concern for organizations of all sizes across all industries. Fundamentally,
it refers to the protection of information and systems from unauthorized access, use, disclosure,
disruption, modification, or destruction. Today, with the increasing use of information technology
(IT) and the overwhelming reliance on the digital world, cybersecurity has become an essential
component of modern business operations. From personal information of employees and
customers, financial data, trade secrets and critical infrastructure, organizations need to take
proactive measures to safeguard their sensitive information and the information systems that
manipulation this information from cyber threats.
Cybersecurity involves a combination of technologies, practices, and policies aimed at preventing,
detecting, and responding to cyber-attacks. It requires organizations to stay informed about
emerging cyber threats, implement robust security measures, and have a well-planned response in
place in the event of a breach. By investing in cybersecurity at an appropriate level, considering
their risk appetite but also available human and finance resources, organizations can reduce the
risk of financial loss, damage to their reputation, and the compromise of sensitive information.
Organizations need to minimize, or ideally eliminate, unacceptable risks.

THE CIA TRIANGLE

The first thing that organizations must define is their cybersecurity objectives. They must
determine their requirements in relation to the assets that they are trying to protect. These assets
can be data, also called information when it has structure and context, business technologies,
business processes and other related assets. For this book, we prefer talking about business
technologies, which we define as information technologies used in a business environment,
combining business processes, information used in the business processes, and software, hardware,
and networks.
Business technologies contribute to create value to the organization, more today than ever before.
But from a cybersecurity point of view, organizations measure this value in terms of the CIA
triangle, presented in figure 1.

4|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Figure 1: CIA Triad/Triangle

The CIA triangle is a fundamental concept in the field of cybersecurity that refers to the three key
aspects of information security: confidentiality, integrity, and availability.
• Confidentiality refers to the protection of sensitive information from unauthorized disclosure. It
is concerned with ensuring that sensitive information is only accessible to authorized individuals in
an authorized context. Should information that should be confidential be disclosed, its value
creation contribution could be significant reduced. As well, it could lead to penalties, fines or other
losses.
• Integrity refers to the protection of information from unauthorized or accidental modification or
destruction. It is concerned with ensuring that information remains accurate and unaltered, even if
it is in transit or stored on a system. Inaccurate information will most likely contribute less to value
creation or could event result in a reduction of value.
• Availability refers to the ability of authorized individuals to access information when they need
to. It is concerned with ensuring that information and systems are always accessible and
functioning as intended so that they can contribute to the value creation.

The CIA triangle is used as a framework for evaluating and prioritizing the security measures that
organizations need to implement. For example, organizations might need to prioritize the
protection of confidential information over the protection of information availability in some cases,
while in other cases they might need to prioritize the availability of information over its
confidentiality. By understanding and balancing the three aspects of the CIA triangle, organizations
can create a comprehensive and effective cybersecurity program that protects their information
and systems from cyber threats.
In an organizational setting, information has value because it is available at the opportune time to
authorized users to do their job to fulfill their role in the organization, which contributes to the
creation of value for customers and other stakeholders, perhaps by creating or maintaining a
competitive advantage. Users in organizations need data to be available at the appropriate time. But
data can be unavailable, destroyed, or even encrypted, maybe because of a ransomware attack,
therefore becoming unavailable. That unavailability is a problem in relation to security objectives.
Organizations need the data to stay confidential, because there is value to control who has access to
the information. Maybe there are privacy issues that, contractually or legally, require an
organization to keep the information confidential. If the private information is divulged without
authorization, leaked to people who are not authorized to access it, or stolen by a cybercriminal,
then a violation of confidentiality occurs because of the privacy requirement. Organizations need
data to stay the way that it is to be usable, the information needs to be correct to be valuable. If

5|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

there's an accidental or a voluntary alteration of this information or of the data, this is a violation of
integrity. These are the three basic security objectives, from a cybersecurity point of view. Of
course, there may be other sources of security objectives, depending on the context of a specific
organization.

THE FRAUD TRIANGLE

Another concept that organizations must be aware of in cybersecurity is the fraud triangle.
Cybersecurity decision makers need to understand why otherwise good people sometimes do bad
things. Why do people commit crimes? Why do people commit a fraud? The fraud triangle is a
theoretical model that explains the three key elements that are present in most frauds. The three
elements of the fraud triangle are: opportunity, rationalization, and need.
The fraud triangle is used in the field of forensic accounting and fraud examination and is a useful
framework for understanding the motivations and circumstances that lead individuals to commit
fraud. In cybersecurity this is important because, as we will discuss later, humans are a critical
element. Individuals, such as our staff, and our customers, as well as cybercriminals are potentially
our biggest cybersecurity problem. They are much more difficult to control than technology. These
we need some tools to help us understand how they affect cybersecurity.
In looking at this model, keep in mind that fraud is something different than an accident. The main
difference between a fraud and an accident or an incident is the criminal intent hence, the
importance of the concept of Mens Rea, Latin for criminal intent. If I make a mistake that's not
fraudulent, but if I purposely do a bad thing to cause damages or to unduly acquire money, there is
criminal intent, potentially there is fraud. Obviously, if I'm trying to steal your money, more
specifically purposefully trying to steal your money, there is a clear criminal intent. Of course, as
there should always be a presumption of innocence, proving the intent beyond a reasonable doubt
will always be a challenge. For fraud to happen there needs to be a combination of these three
elements, which brings us to another triangle to helps us understand fraud, presented in figure 2.

Figure 2: The Fraud Triangle

 Opportunity: The first component of the fraud triangle is the opportunity. Opportunity
refers to the presence of a situation in which a person has access to valuable information or
resources and the ability to use that access for personal gain. This is about the opportunity
to commit a crime, to commit a fraud, which may be caused by a lack of control or lack of
internal control, lack of surveillance, lack of adequate security mechanisms or processes
that are in place. There is this opportunity to do something nefarious, and the eventual
perpetrator is aware of this opportunity.

6|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

 Pressure: The second component is need or pressure. Pressure refers to the existence of
some form of pressure, such as financial difficulties or job dissatisfaction, which drives a
person to commit fraud. It concerns what makes it tempting to take advantage of the
opportunity. Perhaps I owe people money, have a debt, or really hate this company and
want to get my revenge on them. Maybe I have addiction or other issues that push me
towards a criminal behaviour.
 Rationalization: The third and final component of the fraud triangle is rationalization.
Rationalization refers to the justification that a person uses to convince themselves that
their actions are acceptable. This may involve minimizing the harm caused by their actions
or convincing themselves that they are entitled to what they are taking. It is the idea that
somehow, in my mind, I can find it morally acceptable justification for my actions. This
makes it OK for me to commit this act, to do this thing. Maybe it is because I'm a
cybercriminal, a criminal that uses computers to commit crimes. Then it is all right because
this is how I make a living, how I feed my family. Maybe I just hate a particular company and
consider that they are bad people. For me then it is all right to attack them or to steal from
them.
The presence of all three elements of the fraud triangle is believed to be necessary for fraud to
occur. By reducing the opportunities for fraud, addressing the underlying pressures that drive
fraud, and challenging the rationalizations that individuals use to justify their actions, organizations
can reduce the risk of fraud.
Perhaps I’m a former employee and I know how that I can take advantage of me of their
weaknesses or me of a lack of something that they have. And I know how to do it and you know, and
I think it is all right. I've got a good reason because they really didn't treat me very well and they
didn't pay me what I deserved. Then, to me, it is all right to do it. Maybe it's a family pressure,
maybe you know, or I owe somebody a favor, or I owe somebody money. To pay them back they
have me do something and I feel like I do not have a choice. There are just too many examples on
different TV shows and movies where you can see this happening to mention them all. As a
manager making cybersecurity decisions, understanding how normal individuals can become
cybercriminals may help you make better decisions when considering cybersecurity risks and how
to best manage them.

THE RISK TRIANGLE

The third triangle that is presented in this book is the risk triangle, shown in figure 3.

Figure 3: The Risk Triangle

7|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

This model can help you understand risk. To better understand risk, it must be put in context. In a
general sense, security can be defined as the absence of unacceptable risks. This signifies that there
is a relationship between security and risk. Basically, security is the opposite of risk. The more risk
is there, the less security and the more security there is, the less risk there is. Seems
straightforward as a general principle but as mentioned earlier, the two concepts of security and
risk are closely related. As well as the fraud triangle and the CIA triangle, the security objectives
that were mentioned previously, are all connecting to the risk triangle, as is described further in the
next paragraph.
The risk triangle can be used to help organizations identify, assess, and prioritize risks, and to make
informed decisions about how to manage those risks. By understanding the relationship between
likelihood, impact, and risk, organizations can allocate their resources to the areas that are most
important and have the greatest potential to reduce the overall level of risk. The risk triangle is
often used in combination with other risk management tools and techniques, such as SWOT
analysis, root cause analysis, and scenario planning, to provide a comprehensive understanding of
risks facing an organization.
Let’s look at the risk triangle.
 Threat: On one side of the triangle there is the presence of a potential threat. These are the
hazards, accidents, attackers, viruses, cybercriminals, and other threats agents. These are
the potentially bad things that might happen or bad people that may cause problems, such
as in the case of a cybercriminals seeking to attack your business technologies. This is
where you can find disgruntled employee who contribute to creating risk, as per what was
presented in the fraud triangle. The fraud triangle helps understands how a disgruntled
employee can self-justify what they are able to do and become a threat.
 Vulnerability: On the other side of the risk triangle there is the vulnerability, or
vulnerabilities, as it is often more than just one isolated thing. Vulnerabilities are
weaknesses, such as the different bug, configuration errors, and other things that may be
found and eventually be exploited by a threat. In the fraud triangle, the knowledge that
vulnerabilities are there, contribute to creating an opportunity for the cybercriminal or the
disgruntled employee.
 Risk Exposure: Finally, on the third side of the risk triangle you will find risk exposure.
This refers to how an organization is exposed to a potential risk. It has to do with the
potential impacts or potential damages that could occur, should the risk materialize. The
impacts are connected to the CIA triangle, as the impacts relate to the security objectives,
expressed in reference to confidentiality, integrity, and availability. This is connected
because the impact is basically a negation of these security objectives. If information needs
to stay confidential, then if it becomes known, there is an impact on confidentiality. In the
same manner, integrity and availability can be impacted. Of course, there's another
potential impact as well that often needs to be considered, the potential of financial loss
should the risk materialize.

The washing machine is shown in figure 3 to illustrate the connection between cybercrime, fraud,
and money laundering. Once a fraud is done, the cybercriminal will want to extract money or
convert somehow what he's stolen to into a form of fiat currency, which then the cybercriminal will
launder funds and then try to make it into clean money, perhaps by using multiple transactions and
use cryptocurrency. For example, confidential data could be stolen, and then be resold on the dark
web for bitcoin, which this is how the cybercriminal make their money in this example. The
cybercriminal may then launder this bitcoin by transferring it around the globe to hide the true
origin of funds, before converting them back to legitimate fiat currency. All these are connected and
many organizations, particularly in the financial sector, should see this as a continuum. Managers
must keep in mind that it is not always about money. It is often about money, but not always.

8|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Sometimes the link to money is a distant one. As an example, a disgruntled employee might want to
get revenge and would want to create havoc, without a financial gain. The same can be said about
hacktivists, terrorists, or state sponsored agents motivated by ideals that are legitimate to them. It
may be an oversimplification to say that it's always money. It's not always money, but most of the
time the goal is to steal money, or to steal something that can be converted into money.
As mentioned previously, risk happens through the exploitation of the vulnerability by a threat
agent. This is where the threat will exploit, or take advantage, of a vulnerability, resulting in the
potential risk exposure becoming an actual, materialized, negative outcomes, such as a financial
losses or material damages. Risk is achieved through this process of exploitation, where something
bad happens. In Cybercrime it is linked the Mens Rea. The criminal intent must play a role in taking
advantage of a vulnerability. When the exploitation of the vulnerability by the threat agent occurs,
the result is risk.
When risk is being managed, what is being done is illustrated by the big red arrows in figure 4. In
managing cybersecurity risks, managers are fundamentally trying to do two things:
1. Reduce the probability that the threat will exploit the vulnerability, or
2. Reduce the impact, should the exploitation happen.

Figure 4: Managing Risk

Those are the two main areas that cybersecurity professionals and managers are going to be
looking into to manage risk. In later chapters, this book will present some of the tools, techniques,
and processes that organizations can use to help them manage risks.
Managers must always keep in mind that in many cases, about 71% of the time according to studies,
cybercrimes are motivated by money. It's not always money, as was discussed, but most of the time
cybercriminals attack technology and business technology in two different ways:
1. In some cases, technology is the target, threat agents are attacking an IT infrastructure or an
organizations business technology. They're attacking an organizations hardware or software, and
that's their principal objective. Maybe they want to stop the organization from doing business, but
more often the criminals want to use the IT infrastructure as part of a larger tactical goal, such as a
staging ground for a distributed denial of service or even for cryptocurrency mining.
2. In other cases, technology is an instrument that is used as part of a crime. For example, in cyber
bullying on social media; in this example, technology is the instrument, just another tool that

9|Page
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

criminals use to commit their crime. Another example is data theft; this use of technology in
cybercrime is the most common of the two different categories of cybercrime.

CYBER KILL CHAIN

Again, most cybercrime is about making money, but it may also have other motivations, such as
affecting the reputation of an organization, which can also often be a secondary effect of the actual
financial crime that is taking place. While this book about cybersecurity governance focuses more
on fraud and cyber-related crimes than other potential threats, understanding how cybercrimes
occur is useful. Here a model is used, called the cyber kill chain, to help us. There are other excellent
models out there, such as the MITRE ATT&CK model, a choice was made by the authors to use this
model, but other models are presented and used in other chapters.
The cyber kill chain is a seven-step model that describes the stages of a typical cyber-attack. Some
versions of this model may have a different number of steps. The model provides a framework for
understanding the different stages of a cyber-attack and helps organizations to identify and
respond to cyber threats more effectively. It is presented in figure 5 below.

Figure 5: Cyber Kill Chain

The cyber kill chain model is an adaptation of something the military has been using, which is
known as the kill chain. It serves as a reference model to help understand how an attack occurs in a
military scenario. This military model was transposed to cybercrime by the defense industry firm
Lockheed-Martin. What the kill chain mode shows is that a cybercriminal will start with the Recon
phase, short for reconnaissance, or information gathering, when the future attacker gathers
information about the target, such as its network topology, systems, and vulnerabilities. In this
phase of an attack, a cybercriminal will go through social media, web sites and Google search to find
out as much as they can about the target company. Going through online records, public filings, web
hosting data, Internet domain name records, and any other information they can find will provide
useful. This is done to get as much information as they can about a potential target. This will be
gradually expanded to try to find information about the technical environment, servers,
infrastructure, or forward-facing services. It is typically a pretty long process. It can be short, but it
would be typically long, often the longest of the whole chain. Once this is done cybercriminals and
potential attackers should have identified potential weaknesses, vulnerabilities that they can take
advantage of, or potential ways that they can get into the network. Then they are going to get ready
to go to war. However, they may decide not to attack and move on to a more vulnerable target. This

10 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

is mentioned to remind managers that, everything else being equal, if little information is available,
their organizations will be less vulnerable, at least to external threat agents.
Preparing for battle is what the Weaponization phase is about, at this phase, the attacker creates a
means of delivering the attack, such as a malware payload or an exploit. It could be a Trojan horse, a
virus, an e-mail for a phishing attack, or social engineering through phone calls or phishing attack.
Whatever is the most appropriate weapon that can be made, found online, stolen, or acquired is
what would be used, based on what was identified in Recon. The next step is to deliver that payload
to the target system, the Delivery phase. This is when the attacker delivers the weaponized attack
to the target, such as by sending an email with a malicious attachment or by exploiting a
vulnerability in a website. Once the weapon is delivered, then the Exploitation phase may be
triggered once an opportune time to start the actual attack has been reached. This is when the
attacker leverages the weaponized attack to gain access to the target's systems or data.
Maybe somebody inside the target organization was convinced, or tricked, to click on an e-mail or
an attachment, which allowed the attacker to install nefarious software, also called a malware,
inside the network, on the other side of the firewall. This is the Installation phase, when the attack
payload can get ready to start doing its thing, installing what it needs to install, malware, backdoors,
or other malicious software on the target's systems. Once this is done, the attacker can take control
and execute the planned attack in the Command and control phase. In this phase, the attacker
establishes a means of communicating with the malware or other malicious software that was
installed on the target's systems. Once control has been established, the actual attack occurs, and
the weapon does its thing. The attacker carries out their desired actions, such as stealing data,
disrupting systems, or altering information. There are many possible scenarios here, such as to take
control of the computer network, transfer confidential data, encrypt, or destroy data, and many
others. Once the mission is completed to an acceptable level of success, the last phase is
Exfiltration, getting out or ending the attack. In many cases this would be done in a manner that
would minimize any footprint of what was done, unless making a big splash is part of the tactical
objectives.
As mentioned, the cyber kill chain, is a tool that organizations can use to help them understand, in
the case of an attack, how is it done, what is the process. Managers are going to want to try to
understand this process and try to see what they can do to prevent attacks or minimize their
impact.
By understanding the different stages of a cyber-attack and the methods that attackers use to carry
out each stage, organizations can identify potential threats and implement appropriate
countermeasures to mitigate the risk of a successful attack. For example, organizations can
implement network segmentation, access controls, and intrusion detection systems to prevent
attackers from moving laterally within their networks and can implement incident response
procedures to quickly detect and respond to successful attacks.
The cyber kill chain is a useful tool for organizations to understand the different stages of a
cyberattack and to help them prioritize their security efforts. However, it is important to note that
the cyber kill chain is not a one-size-fits-all model, and that different types of attacks may have
different stages or proceed in a different order. Nevertheless, the cyber kill chain provides a useful
starting point for organizations to understand the different stages of a typical cyber-attack and to
develop a comprehensive security strategy to mitigate the risk of a successful attack.

The Human Factor

The human factor has a significant impact on cybersecurity. People are the weakest link in an
organization's security chain, both through intentional malicious acts and through unintentional
actions, such as mistakes. The following are some examples of how the human factor can influence
cybersecurity:

11 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

• Social engineering: Attackers can manipulate individuals into disclosing sensitive information or
providing access to systems. For example, an attacker might send an email that appears to be from
a trusted source, asking the recipient to enter their password or click on a link that leads to a
malware-infected website.
• Phishing attacks: Phishing attacks rely on social engineering tactics to trick individuals into
disclosing sensitive information or installing malware. For example, an attacker might send an
email that appears to be from a legitimate company, asking the recipient to update their account
information.
• Poor security practices: Individuals can inadvertently put an organization's security at risk by
using weak passwords, leaving confidential information unsecured, or neglecting to follow security
policies and procedures.
• Insider threats: Insider threats can come from employees, contractors, or other individuals who
have access to an organization's systems and data. Insiders may act maliciously, such as by stealing
sensitive information or disrupting systems, or may act inadvertently, such as by falling for a
phishing attack or exposing sensitive information.
• Lack of training: Individuals who are not trained in cybersecurity best practices may be more
likely to make mistakes that put an organization's security at risk.

To mitigate the impact of the human factor on cybersecurity, organizations can implement
employee training programs that educate employees on the importance of cybersecurity and best
practices for keeping systems and data secure. Organizations can also implement technical controls,
such as multi-factor authentication and encryption, to reduce the risk of unauthorized access to
systems and data. Additionally, organizations can implement policies and procedures that outline
acceptable use of systems and data and establish clear guidelines for responding to security
incidents. By addressing the human factor in cybersecurity, organizations can reduce the risk of
successful attacks and ensure the security of their systems and data.
At a high level, when managers are looking to prevent attacks, there are really two areas that they
can investigate, the human factor and the technical arena. The first one, the human factor, is where
organizations need to start because it is most likely the bigger problem area of the two. Not to say
that technical challenges are simple, but in many aspects, managers are probably better at dealing
with it. The biggest weakness and the most difficult variable to control is the human factor. Not that
the technical issues are without challenges, but the more objective nature of technology makes it
less chaotic than human nature. How can organizations best deal with the human factor? Hopefully,
the next few pages can provide some general guidance and recommendations in this section of the
book that will be expanded on in later chapters.
1. Implementing human-centred security policies. Cybersecurity teams need to be writing and
enforcing security policies that make sense to actual, living, intelligent people working in our
organizations. Organizations want to put in place something that makes sense to our stakeholders.
That is, a security policy that is usable at a human level, not a 100-page security policy full of legal
mumbo-jumbo. What is needed is a short, well-written, easy to understand security policy that
normal people can understand and abide by. A long, unintelligible policy with not be usable and will
increase risks rather that help control it.
2. Making sure that key management are leading by example. Individual at the top of the
pyramid, the highest-level management of the organization must take ownership and be seen
actively taking ownership of cybersecurity. This, including the CEO, CFO, and a role called the CISO
or Chief Information Security Officer, who is the top cybersecurity executive.
3. Have a Chief Information Security Officer with real authority and powers. The CISO must
have real power and real influence in the organization, and this must be known and seen.
You don't want to have a puppet figure in that position, just because you need to have somebody in
charge of information security. It can't be the same person as your head of Information Technology,

12 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

because then you have the fox in charge of guarding the chicken coop. You want to have separate
responsibilities here. There is a technical side and a business side to information technology, and
this is also very true in cybersecurity. But you don't want to have the technical IT people in control,
at the top level of managing your cybersecurity.
4. Operate a cybersecurity awareness program. This is a continuous education, ongoing,
awareness program. You need to put in place a formal process throughout your organization that
includes cybersecurity training activities from when people first get hired and throughout their
whole passage in the organization, as well as when they leave.
5. Do phishing and penetration testing. Phishing, Vishing (on the phone) and many other
techniques must be part of an actual program to test your cybersecurity actively and continuously.
It’s much better to identify a potential weakness and have an opportunity to better train our users
or improve our risk mitigation portfolio then to have to deal with the aftermath of an incident.
6. Have a zero-trust mindset. In all information system related activities, through your business
processes or access management and all other related activities, segregation of networks and
organization boundaries of your networks need to be guarded. The Zero-trust architecture or Zero-
Trust mindset is about having gates and border controls in place, not just from a technical point of
view, but as a mindset, to become part of the overall IT culture.
7. Make sure that users have minimal privileges. Along the lines of the zero-trust mindset is
making sure that access privileges you assign are just what people need to do their legitimate job
and nothing more. Also, all the duties must be segregated. You don't want somebody to be able to
print checks, sign them and handle your books because you know that when you do something like
that you are creating an opportunity. Remember the fraud triangle. You don't want to create that
opportunity. If people to know that they can do it, then they might, if the develop a need which they
can somehow rationalize.
8. Continuously increase the organizational cybersecurity maturity and create a culture of
security. The organization wants to create and nurture this culture of security in general, including
a strong culture of cybersecurity. They want to gradually improve the level of understanding of the
value of cybersecurity by all. This is done by raising the level of maturity of all the different
stakeholders of the organization in matters of cybersecurity.

Defense In Depth
Although we insisted on the importance of the human aspects of cybersecurity, organizations must
not minimize the importance of the technical components, both are important and need to be
managed coherently. From the more technical point of view, one approach that works is to
implement something called defence in depth. Defense in depth is a security strategy that involves
implementing multiple layers of security controls to protect against cyber threats. The idea behind
defense in depth is to create a multilayered security architecture that provides multiple lines of
defense against cyber-attacks, reducing the risk of a successful breach. The following are some
examples of security controls that can be used as part of a defense in depth strategy:
• Firewalls: Firewalls are devices that control incoming and outgoing network traffic based on
predetermined security rules. Firewalls can be used to prevent unauthorized access to an
organization's systems and data, as well as to restrict the flow of sensitive data.
• Intrusion detection and prevention systems: Intrusion detection and prevention systems
(IDPS) monitor network traffic for signs of attack and can take automated actions to prevent or
block attacks.
• Access controls: Access controls are security measures that are used to regulate who has access
to specific systems, data, or applications, and what actions they can perform. Access controls can be
implemented through technologies such as passwords, biometrics, and smart cards.

13 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

• Encryption: Encryption is the process of transforming sensitive data into a coded form to prevent
unauthorized access or tampering. Encryption can be used to protect data at rest, in transit, and in
use.
• Network segmentation: Network segmentation is the process of dividing an organization's
network into smaller, separate segments, each of which has different security requirements.
Network segmentation can be used to restrict the spread of malware, reduce the risk of
unauthorized access, and improve the overall security of an organization's network.

By implementing multiple layers of security controls, organizations can create a defense in depth
security architecture that provides multiple lines of defense against cyber-attacks. This approach
can help organizations to detect and respond to attacks more effectively, and to reduce the risk of a
successful breach. However, it is important to remember that no single security control can provide
complete protection against cyber threats, and that defense in depth should be used in conjunction
with other security strategies, such as incident response planning and employee training, to ensure
the overall security of an organization's systems and data.
This is a concept where basically we have multiple layers; a series of layers that an attacker would
need to get through to be able to get to our data and to our systems. This strategy makes use of
several layers of safeguards. These layers may vary in number and name, but we propose a list that
includes things like physical security verification, password controls, antivirus software, firewalls,
DMZ, demilitarized zones, intrusion detection systems, intrusion prevention systems, packet filters,
access control lists in the routers and switches, proxy servers segregating your networks, virtual
private networks, logging and auditing controls and many others. The general idea is to have, as
illustrated on figure 6, multiple layers that the cybercriminals or the people attempting to commit
cybercrime would need to go through. A threat to your organization would have to go through all
these layers, just like you know in the movie Die Hard, when the criminals are trying to drill
through the eight different levels of protection before reaching the safe, as John McClane is trying to
stop them. Having all these layers gives you time to react and opportunities to stop the attack. You
have time to react and implement your incident management plan to prevent the risk from
materializing.

Figure 6: Defense-In-Depth Model

14 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Framework to Spur Cybersecurity Success.

A cybersecurity framework is needed to help organizations implement best practices for
cybersecurity management. What is proposed is to start by working on three elements, which are
described in this section:
1. Set your intent with a cybersecurity governance strategy.
2. Position your cybersecurity leadership to have real influence.
3. Get the right cybersecurity leader for your organization.
One of the tools that organizations can use to manage information security is cybersecurity
governance. From a strategic point of view, cybersecurity governance starts with setting the intent
and putting in place a reliable framework that can help them. Organizations need to create a
security mindset. It is really a big issue, relating the governance of cybersecurity to the overall
business goals of the organization. To this goal, organizations need to make sure there is somebody
in charge who has the influence to positively affect change in the organization while maintaining
credibility and respect. What leaders are going to be talking about and what organizations are going
to be doing will have an impact on users. It is the individual actions of users that will affect the
quality of cybersecurity. An example is multi factor authentication (MFA). While it is an excellent
solution, MFA is a big change to how users connect to information systems. However, this means
that there's an extra step to do their work. A few extra minutes of work that is required every time
they want to login. It is pretty much assured that users are going to resist. If anything, they will
resist just because people resist. But if you have an influential leader who will influence the
stakeholders to go along with the proposed change, then real change can occur. Then organizations
will be able to do things or propose measures that will be implementable in your organization. This
can be achieved by looking at the mindset and prioritizing the mindset over the technical skills. It is
not that the technical component is not important, but the framework helps to frame the intent and
the governance. It supports how risk is assessed and then how cybersecurity decisions are made.
On the foundations that have been laid down, the technical side puts in place the mechanisms and
operate the technologies that are required to mitigate risks. The mitigation measures need to work
together with the business and governance. Governance, risks, and compliance (GRC) is about
providing direction to the technical cybersecurity teams so they can manage the real-world aspects
of security, configuring, operating, and supporting all the different technologies that are needed in
organizations. Perhaps this is oversimplifying things from the point of view of those in technical
roles, but here we are focussing on the strategic aspects of governance and risk, so the choice to put
more weight on this aspect is voluntary. Of course, one side is not more important than the other.
They're both as important. It's just that, the strategic needs to happen first. That is why it is
prioritized here.
Very often, the level of maturity of organizations, how ready they are to do security, is much lower
that it should be and much lower than they think it is. Getting organizations ready to face
cybersecurity challenges must start with the business side. It must be driven by the business side.
Only then can cybersecurity teams execute the plan and put in place, manage, and operate the
technical solutions. Cybersecurity governance and technical solutions both need to work together.
However, one must happen before the other.
Threats hunters, vulnerabilities analysts, penetration testers all have an important cybersecurity
role but what about accountants and auditors? Maybe they measure the impact of incidents, but the
impact affects the whole organization that affects everyone. And typically assessing the impact
you're going to have on somebody who has the equivalent role of an actuary is insurance.
Network and Operation Engineers see threat hunters are there to identify threats. And pen testers
are identifying potential vulnerabilities mostly, right? But well, impact is really a more of a business
aspect, the impact for the business you'd be doing something like a risk assessment or a business
impact assessment. That's really a business activity, identify the potential impacts would be more of

15 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

a business slash management level type of discussion. Well, who will act is everyone? Right, but the
people acting may be in the IT department, maybe in network operations, maybe in physical
security, maybe in many other branches of the organization, and not necessarily all connected to
one branch, they’ll be all over the place.
Final recommendations
As was already mentioned several times, leading by example, and making sure that security is
understood as being everyone's responsibility are the top priorities of any cybersecurity manager.
In doing this, managers need to acknowledge, understand, and accept the fact that organization’s
biggest problem and biggest vulnerability is humans, it's all the people in organization but also
outside that we interact with during our activities. This said, there are additional recommendations
for cybersecurity manager from a governance point of view:
• Have a balanced approach.
• Manage risk appropriately.
• Develop metrics and scorecards and use them.
• Work towards increasing the organizations cybersecurity maturity.
Organizations don't want to do too much, often looking at the costs, and technical people are often
perceived as wanting to do too much. They don't want to do too much, they want to do just enough,
and that's this whole idea of balance. The goal is to try to find the sweet spot where we are
allocating just enough resources to cybersecurity. But to do a balanced approach, we need to
develop metrics. We need scorecards, we need measurements, and we do.
These measurements need to be objective, and that's a problem. Most of the ways that we measure
risk is subjective, not objective. Organizations need to assess risk and need to use recognized
methodologies to do this. But sometimes they end up using an approach that a consultant came up
with in their garage, not something that came out of scientific inquiry that has been validated by
peers. Managers need to be very attentive to how metrics and scorecards are selected and used in
their organizations. If they select the wrong tools, then everything they build afterwards will be
based on a weak and unreliable foundation. This book will be expanding, in a later section, on the
requirements for risk assessment, but at this point, we propose to end the chapter with one last
thing, organizations need to figure out what is their appetite for risk. They need to answer to
answer a simple question:
As an organization, how much risk are we willing to take?
It is a simple question that is a big deal. Managers need to know what the real answer to this is. The
answer to this question will set the tone for every cybersecurity decision that need to be made. To
illustrate the importance of this point, we present a short story:
I need to get insurance for your car because I might get into an accident. Where I live, which is
downtown Montreal, there are a lot of bad drivers. This is most likely true of any large city. Of
course, I think I’m a pretty good driver, as most of us probably think of themselves, even if it is
probably not true. If I’m going to drive around town every day, I am going to have an accident. It’s
100%. It is sure I will eventually have an accident, it’s only a matter of time. And I’m going to lose
your car. Worst case scenario, it might be a total loss. It could be even worse. I can accidentally kill
people and then get sued for millions of dollars. But let's say let's say that I just damage my car. We
know a nice car can easily cost 50,000 at least one nice enough for a fancy professor like me. So
potentially am I willing to lose $50,000? I know that in my case the answer is NO. Because of this
I’m going to get insurance. But then, how much am I willing to pay for insurance, how much risk am
I willing to take? Let’s say I want 100% insurance. I contact an insurance company that then look at
my risk profile. They come back and they say OK, if you want to insure this car for total loss you will
have to pay a $10,000 a year insurance premium. In my case, I would refuse, it would be too much
for me on compared to the value of the car. So here, I have some idea that I am willing to take some
risks, but how much. Another solution maybe gets less insurance, maybe just sell the car, and get
another one. In my case, 3000$ per year with a 1000$ deductible and a 2M$ cap on damages would

16 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

be a number that I can live with. It is my answer. That's really the difference between what I think
my risk appetite is and what it is.
What we are concerned about in cybersecurity risk management is reality, not what people say.
People always say they're not willing to take any risk for their business or for their cybersecurity.
They say they are risk averse. But then when you come up with a price it is often a different story,
just like for the car insurance story. As cybersecurity managers, we want to minimize risk to an
acceptable level. But if we're going to need to spend 100 million Dollars a year well, most
companies are going to say that they are willing to take a little bit more risk. Eventually, we will be
able to identify a good balance between the risk we are willing to take and how much money, and
other resources, we are willing to allocate to this goal. There is no magic formula, to figure out what
is the answer to this.
The amount a company should spend on cybersecurity depends on several factors, such as the size
of the company, the industry it operates in, the value of its assets, and the potential cost of a breach.
There is no one-size-fits-all answer, but as a rule of thumb, it is recommended that companies
allocate between 3-5% of their overall IT budget for cybersecurity. Industry best practices suggest
that organizations should be spending 4% to 12% of their IT budget, the median value being 7.8%.
What this tells us is that if we are willing to take a lot of risk, we have what is called a risk seeking
behavior, we will spend less. In this case, for us, maybe 6%, maybe less, If we are risk averse than
we should be spending more, maybe 8% or 9%. Some experts suggest that companies should
allocate an amount proportional to the potential damage that could result from a successful attack.
Ultimately, the right amount to spend on cybersecurity is the amount that adequately protects the
company's assets and data. Organizations have an IT budget that can be used as a baseline to
determine what a good answer might be.
Thus, organizations must determine their real risk appetite is. In the next chapters, we are going to
be looking at best practices, methodologies and frameworks that can help organizations to manage
risk. We will try to give managers tools to help them spend money wisely and prepare their
organizations. Keep in mind that if we want peace, we need to prepare for war. We will worst case
scenarios, but we're going to hope things work out right.

17 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Chapter 2: Cybersecurity Governance

In this chapter, we examine cybersecurity governance. Chapter 1 discussed cybersecurity
fundamentals, which are expanded in this chapter to examine how organizations can plan
cybersecurity based on strategic needs. Strategic perspective will apply cybersecurity risk
management to Business Technology Management. This allows for a variety of solutions selected
and implemented to deal with unacceptable risks based on this information. An organization's
governance consists of the processes and systems that are put in place to make decisions, allocate
resources, direct, and manage its actions and affairs within its organization. In other words, it refers
to the mechanisms, processes, and activities through which authority and power are appropriately
exercised. The characteristics of good governance include normative ethical values such as
transparency, accountability, participation, and responsiveness, which can all be regarded as
normative ethical values. As well as being essential for organizations to function effectively, it also
has a significant impact on society. In a broader sense, governance can also refer to the ways in
which power is exercised at various levels in society, including the relationship between different
branches of government, the relationship between the state and civil society, as well as how
international organizations play a part in global governance. It can be about the way in which
decision makers guide society through rough seas, as if a captain was steering his ship through
rough waters. As a result of governance, organizations can utilize resources efficiently, make
decisions in their collective best interests, and resolve conflicts in an equitable manner.
Organizations that engage in cybersecurity activities often have several governance structures.
Enterprise governance, at its core, provides a framework for global governance for the entire
organization. This chapter discusses IT governance and cybersecurity governance, two more
focused areas within enterprise governance.

Applied Ethics
Governance can be understood from many perspectives. Here, in this book's context, cybersecurity
governance is defined as ethics applied to cybersecurity. Ethics has to do with normative codes of
conduct. It provides guidelines for individuals on how to behave in society, a group, or an
organization. Individual actors can use ethics as moral guidelines to make the right decisions. As
defined by the collective, normative behavior describes acceptable behavior. The act of doing what
is considered right by the collective is moral, virtuous, or ethical. For many, ethical behavior is
learned from their parents, who teach their children the difference between right and wrong. For
others, strong moral values are learned through religious practice. As an example, Islam,
Christianity, and Judaism emphasize doing what is right and good in their teachings. There are
differences in application, perspective or point of view that have to do with the history, culture of
the founders and Prophets. These differences influence the construction of these shared beliefs, but
the overall message of promoting good, or fighting evil, is present in all of them. The book does not
discuss theological issues, so this can be seen as an oversimplification of religion's role in
promoting collective values. However, this is intended to illustrate that enterprise governance
fosters shared moral values in an enterprise setting. This is like one of the roles religions may serve
in a community. As well, societies have a long ethics tradition that can be traced back to numerous
sources. These include philosophers and thinkers such as Socrates, Plato, Aristotle, and many
others. Philosophy is more involved in establishing shared ethical and moral values that can be
used by members of a group to determine what is acceptable than business is. The way in which
this applies in the real world depends on many factors. Besides religion and parents, there are other
social mechanisms as well, such as laws. Normative ethics and codes of acceptable conduct have
existed in some societies since their founding. Despite this, individual actors still behaved in a

18 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

deviant manner. Consequently, society instituted a formal framework to stop deviant behavior. To
accomplish this, laws were passed that made deviant behavior illegal and imposed penalties on
those who violated them. It is impossible to imagine an Eden without unethical or immoral
behavior without laws, but that is not the reality we live in. Murder is an example. Everyone, from
the dawn of time, has considered murder a bad thing. As a result, at some point in history, people in
power, whether kings, governments, or some formal authority, stepped in and created a law that
stated, in some form, "You shall not kill anyone". Even though it's obvious that you can't go around
killing people, it still had to be written down, demonstrating some of the limits of ethics.
Professional associations are another aspect of applied ethics. This is what is commonly referred to
as deontology or a code of conduct for professionals. In this scenario, if you are a member of a
professional association formally recognized by a Nation-State, like an engineer, lawyer, doctor,
nurse, or one of many professional orders that are officially recognized in your country, then you
have a code of deontology. It is an official, legally binding document that identifies what you can and
cannot do as a member of this professional association. Depending on the severity of the deviant
behaviour, the sanctions may go as far as removing a person from the ranks of the association,
removing their right to practice, perhaps for a short time or for life. A code of ethics may also be
established by non-recognized associations, clubs, and other groups. The agreements between all
the members are usually more of an agreement than a legal framework, so they are not always
legally binding. It's basically saying that you need to follow our rules if you want to be a member of
this group. It's a bit like the previous examples of applied ethics, but it's more informal. This type of
code of ethics is more of a social contract between the members of the group. It serves as a
reminder to all members to act in an ethical manner and to respect each other's rights. This code of
ethics can also be seen as a promise to maintain the group's standards and values.

Governance
Governance is a form of applied ethics that has become one of the hottest topics in business in the
past 20 years. Governance is a form of applied ethics that has been gaining popularity in the past
few decades. There have been key moments that have helped make this topic more popular over
the years. The call for stronger ethical frameworks in business has been prompted not only by
financial crimes and other scandals, but also by the rise of cybercrime. As part of this chapter,
different definitions of governance will be presented to further help explain the concept of
governance in the context of mechanisms and business processes. Different regulations and
standards will also be discussed, as well as the importance of governance in the context of
organizations and businesses. The chapter will also explore the implications of governance for
companies and their stakeholders. We also define a hierarchy of governance, as presented in figure
7, shown below.

19 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Fig 7: Governance Structure

Enterprise governance is about governing within an organization by utilizing multiple sources,

including ethical standards, the mission of the organization, its culture, contractual obligations and
applicable laws and regulations. Individual actors' behavior within an organization is governed by
the rules that govern their roles. Because everything that can happen during daily activities cannot
be covered in formal rules, it helps define the discretionary space of actors. Individual actors can be
helped when something happens that the organization does not have a rule for by creating a moral
ethical climate supported by guidelines that can help them. They then determine how to act
accordingly. This is like religious values that have been presented previously, intended to provide
guidance on how followers should run their lives, how they should act, how to behave in society.
This is also like the way communities establish a normative framework for doing things. This
provides a sense of security and consistency, allowing people to know what to expect and how to
act in different scenarios. It also helps to create a sense of belonging and community. Furthermore,
it allows for people to take accountability for their actions. Just as enterprise governance
frameworks are customized to match the culture and circumstances of a particular organization,
ethical norms will vary from one culture to another. It is important to be aware and respectful of
different ethical norms when working in a cross-cultural environment. It is also important to
recognize that ethical norms can evolve over time, and that organizations must be willing to adjust
their own ethical norms to reflect changes in social values. For instance, in recent years, many
organizations have updated their ethical frameworks to include greater emphasis on environmental
sustainability and human rights issues. It is important for organizations to create mechanisms and
business processes that define an ethical space that promotes virtuous behavior. These formal and
informal rules provide guidance to all stakeholders. The principles of governance should help
individual actors know what to do when making an important decision, even when there is no
specific written guideline. Using it, actors can determine what is right for the organization, in
accordance with its culture, for their stakeholders' benefit. Creating a mindset about how we're
going to do the right thing is what governance is all about. Ultimately, it is the responsibility of the
board of directors to ensure that the organization is adhering to its principles of governance. They

20 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

must ensure that all actors are held accountable and that the rules are adhered to. This ensures that
the organization can achieve its objectives in a responsible manner. At the top of the governance
framework is enterprise governance. Enterprise governance is intended to help the people in a
formal organizational setting. Whether a corporation, business, or non-profit organization is having
problems figuring out what is the best course of action, enterprise governance can help. The
enterprise governance framework provides structures and processes for guiding and controlling
businesses and companies. It is for the whole organization. The enterprise governance approach
examines activities from a high-level perspective, including how management, the Board of
Directors, shareholders, and other stakeholders share power, as illustrated on figure 8. It
contributes to short-term performance as well as to the development of sustainable performance
by defining how value is created in the organization in an ethical manner at the top level. This
approach ensures that all decision-makers are working together to create value for the organization
and its stakeholders in a responsible and ethical manner. It also helps to ensure that the
organization is making decisions that are in line with its values and that will benefit the
organization in the long-term. For instance, an organization might use this approach to decide
whether to invest in a new technology that may improve customer service, but also carries a risk of
potential data security issues.

21 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Although there may be subtle differences between corporate governance and enterprise
governance, in this book we are not distinguishing between them. When discussing enterprise
governance in a corporate, or for-profit business setting, we prefer to limit the use of the term
corporate governance. As part of enterprise governance, actors build a common, shared
understanding of ethics, business values, and social responsibility. This can be a very wide playing
field as it includes issues related to human relations, the environment, suppliers, subcontractors,
and many more. In addition to the areas that are addressed in this book, which is IT governance and
cybersecurity governance, enterprise governance contributes to the construction of a shared reality
for the enterprise. It helps them to do so. As a result, it facilitates the implementation of consensual
solutions, even when there is no precedent. Governance is a process. By taking a succession of
actions, many actors will gradually build a common understanding of this reality as they deal with
the same problem. As a result, it contributes to defining a plan of action without determining
anything in advance. IT governance and cybersecurity governance are derived from the enterprise
governance framework. They find application to specific problems in IT and cybersecurity, as
described in the following paragraphs of this chapter. The IT governance and cybersecurity
governance frameworks are designed to improve the performance of the organization in terms of
cybersecurity risk management, IT service delivery, compliance, and other areas. They provide a
structure to ensure that IT and cybersecurity initiatives are properly managed and monitored while
considering the organization's objectives and goals. As a result, they help organizations ensure
cyber resiliency and respond quickly to the ever-changing security landscape.

IT governance
In this book, cybersecurity governance takes center stage, but it is positioned within enterprise
governance and is closely related to IT governance. After presenting an overview of corporate
governance, we move on to IT governance before discussing cybersecurity. The concept of IT
governance focuses on applying enterprise governance principles to the information technology
and business technologies that contribute to sustaining a competitive advantage and innovation for
a business. As a strategic concern, IT governance is the responsibility of the Board of Directors and
of the executive management. To support the ethical mindset presented previously towards IT's
contribution to the organization, IT governance provides a strategic framework. Governance of
information technology and information systems focuses on how they interact with stakeholders.
For IT investments to yield the maximum value, IT governance helps with decision rights and
accountability frameworks. Organizations are encouraged to adopt desirable behaviors about
selecting, acquiring, using, maintaining, and disposing of IT. IT governance also deals with aligning
IT with the business, essentially asking how information systems, IT, and information can be
utilized to help the business succeed. Managing IT for business value begins by asking basic
questions about IT's contribution to the organization. Here are some examples:
• What is the role of IT in creating value?
• What role can IT play in creating or maintaining a competitive advantage?
By answering these questions, organizations can optimize IT-related investments and maximize
their return on investment. When compared to all the other cost centers in many modern
organizations, IT investments can become quite significant. Although this topic can become quite
complex, this book does not cover it extensively. Again, we remind the reader that our focus is
cybersecurity governance, so we covered what students need to know about IT governance to
understand what will be discussed in the next section. In the end, we have enterprise governance,
which entails governing all aspects of the organization, IT governance principles, which help
organizations manage their information technology and information systems, and cybersecurity
governance at a high level. All these form part of a continuum, which also includes other equally
important governance domains not covered here, such as Corporate Social Responsibility. This
continuum ensures that organizations have the tools and capabilities to remain competitive, secure,

22 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

and compliant in the digital age. It is an essential part of any successful and sustainable business
model. For instance, proper risk management strategies are essential to protect digital assets from
cyber-attacks, while also maintaining customer privacy and trust.

Cybersecurity Governance
IT governance supports the development and operation of information technology, while
enterprise governance provides a global framework for the entire organization. In cybersecurity
governance, processes, policies, and structures are put in place to manage the risks associated with
the secure use of information technology and to ensure the security of connected information
systems. An enterprise's governance occurs at a strategic level, while a cybersecurity's governance
occurs at a tactical level. It involves the mechanisms by which organizations ensure that their
cybersecurity risks are appropriately managed, their information assets are protected, and their
compliance with laws and regulations is maintained. Enterprise governance inherits many of its
characteristics, but it also provides more specific guidance and processes. Generally, cybersecurity
governance is achieved through Governance, Risk Management, and Compliance (GRC), as
discussed in this chapter. Setting a cybersecurity strategy within an organization and ensuring that
appropriate resources are allocated to meet cybersecurity goals are part of cybersecurity
governance. The management of cybersecurity risks requires defining the roles and responsibilities
of individuals and teams within the organization, as well as establishing clear policies, procedures,
and guidelines. Using this foundation, organizations will be able to assess cybersecurity risks and
make appropriate decisions. In addition to monitoring and reporting on the effectiveness of
cybersecurity controls, cybersecurity governance also involves conducting regular assessments to
identify improvements to the organization's cybersecurity posture and compliance. All levels of the
organization need to be engaged in cybersecurity governance. It's important for different functional
areas and support areas to collaborate on a regular basis, like IT, Legal, Human Resources,
Accounting, Compliance, etc. Good cybersecurity governance is typically enabled by four things:
culture, leadership, processes, and mechanisms. These four areas should work together to ensure
that the organization is compliant with all applicable laws and regulations, has the necessary
technical controls in place, and is continuously monitoring and improving its security posture.
Regular reviews should be conducted to ensure that all areas of the organization are adhering to
the cybersecurity governance framework. Even though cybersecurity focuses a great deal on
mechanisms, there is much more needed to adequately meet this organizational challenge than
tools. We'll talk a lot about culture and leadership in this chapter. Cybersecurity business processes
are what will be put in place, or how things will be conducted in this chapter. The different
cybersecurity mechanisms should only be considered once culture and leadership are in place,
along with business processes. As an aftereffect, the mechanisms must be justified by everything
else that has been done and by a thorough risk assessment. If organizations do not have the right
leadership, if they do not have a security culture, and if they do not integrate that into their DNA,
whatever mechanisms and processes they have will be worthless. All these need to work together
for them to be effective. In cybersecurity, many self-proclaimed experts misuse the term holistic,
and the authors of this book disagree, but it is important to understand how culture, leadership,
processes, and mechanisms are interconnected. There is a lot of knowledge about what to do if
decision makers are willing to listen. The holistic approach is a little esoteric, or "magic", but the
business problem isn't. The interconnection of the enablers has a scientific basis. The link may be
difficult to explain scientifically, which is why some think of it as mysterious. Our brains are made
of a complex interconnected system of phenomena, so sometimes they must skip some steps and
simplify. The basic notion is that they all work together, that they are all important. It is hard to
determine which is more important, since it depends on the situation, context, and organization,
but they are all needed. It is for this reason that enablers need to be understood holistically, to
comprehend their full impact. This interconnectedness creates a dynamic environment, one that is

23 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

constantly changing and evolving. As a result, creativity, and innovation flourish. Organizational
culture and leadership, for instance, can determine whether a business succeeds or fails by enabling
or hindering its ability to adjust to changing customer needs. It is also more likely for a company
with a culture that values risk-taking and encourages experimentation to innovate and develop new
products that better meet the needs of customers. If not supported by strong governance principles,
this can lead to an increase in unacceptable risks. Like a tapestry, each thread and section play a
critical role in maintaining its integrity. If one section is removed, the entire work is weakened. To
create an innovative and creative tapestry, the weaver needs to be able to adjust and shift according
to his or her whims. Answering these questions will help organizations get started:
• What is the need for cybersecurity governance in an organization?
• What problem does the organization want to solve?
• Who are the key stakeholders?
• What is the current state of the organization?
• What are its ambitions?
• What can the organization do to close the gap between its current situation and its
ambitions?
• How can the organization select, implement, and use tactics and mechanisms?
• Is the organization able to do things in a balanced way?
• To embed cybersecurity governance at all levels, how does the organization need to
change?
• What can it do to ensure good cybersecurity governance and evaluate compliance?
Organizations must also understand that change management is a critical part of cybersecurity
governance. Without change management, organizations cannot conduct cybersecurity governance
and risk management. In the absence of effective change management practices, along with strong
communication, awareness, and training capabilities, all their efforts will be in vain, and all the
resources allocated to the project will be wasted. There will always be a failure in cybersecurity
governance if organizations lack a catalyst for change. There is going to be denial of a problem,
often until there is a major cybersecurity crisis. Resistance to change is a critical point of failure.
Organizations need to realize that the human factor in this equation is hard to control and they
can't force individuals to change. It is not possible for organizations to impose good cybersecurity
governance by using threats of disciplinary measures. While this might work for the short term, it is
not likely to drive sustained compliance and lasting change. Most IT and cybersecurity projects fail
due to resistance to change. As much of cybersecurity governance relies on individual actors acting
naturally to defend the status quo, managing change effectively is a key success factor. Changing
beliefs, understanding changes, or forcing changes can be difficult for people. It is inevitable that
people will resist change, which is why we need to consider this and plan to deal with the inevitable
resistance in cybersecurity governance. While we cannot avoid them, they are the core of every
organization. There might be bigger problems if there is no resistance to change, such as a lack of
engagement with the mission or organizational fatigue. There have been many developments in
cybersecurity governance over the years, and it continues to do so very rapidly. As opposed to what
some might think, cybersecurity governance isn't just a technical domain. It takes in new
knowledge from a wide range of fields such as sociology, psychology, law, and many others. While
practitioners have a practical understanding of what cybersecurity governance means, academics
present proposals on how they should govern based on recent scientific research. Nevertheless, it is
constantly evolving, and there will be many changes to come, including globalization, sustainability
issues, quantum computing and AI. AI in cybersecurity detects threats and anomalies otherwise
missed. It can also automate certain processes, such as patching and incident response. AI can also
be applied to governance, for example to improve risk assessments and better understand
malicious actors' threats. By using AI to detect threats and anomalies, security teams can identify
security issues before they become a problem. AI can also be used to automate mundane tasks that

24 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

would otherwise consume a lot of time and resources, allowing teams to focus more on higher-
value activities. AI can also be used to analyze risk more accurately, allowing teams to make better-
informed decisions about security investments.

Implementing a Governance Framework

It is possible for organizations to use a wide variety of governance frameworks and best practices.
For instance, ITIL, COBIT, ISO 27001, 27002, NIST SP800-53, and other recognized standards are
already used. Based on ISO 38500, a standard developed by the International Organization for
Standardization (ISO), we propose a strategy in this section. The purpose of this standard is to
provide some basic tools that organizations can use to implement IT governance. What is proposed
here is to extend this to cybersecurity governance as well. By collaborating between these two
domains, a coherent framework can be created that can benefit from cooperation.
ISO 38500 provides guidelines for corporate governance of information technology (IT). Originally
published in 2008, the standard has been updated and revised several times. By managing their IT
governance practices and ensuring that their IT strategies are aligned with their business goals,
organizations can ensure that their IT governance practices are aligned. The document outlines the
roles and responsibilities of stakeholders involved in IT governance, such as the board of directors,
executive management, and IT professionals. Additionally, the standard stresses the importance of
managing risks associated with IT as well as ensuring that IT investments provide value to the
organization. An evaluation and measurement of IT governance practices, along with continuous
improvement, is provided in this document.
A broad range of organizations, including government agencies, non-profit organizations, and
public sector organizations, can apply this proposed approach based on ISO 38500. As well as
providing a benchmark for measuring IT governance effectiveness, it can be used to assess an
organization's IT governance practices, develop IT governance policies, and develop IT governance
procedures. In addition to its use for cybersecurity governance, it is also proposed here. What is
proposed is a good tool for organizations to use to ensure the effective and efficient use of their IT
resources and to ensure compliance with applicable laws, regulations, and standards. It can help
organizations to better manage their IT systems and to identify potential risks and vulnerabilities.
For instance, our approach can be used to identify and manage areas such as strategy, architecture,
cybersecurity, risk management, and governance.
ISO 38500 defines six domains of IT governance:
1. Responsibility and accountability
2. IT strategy and IT governance strategy
3. IT Acquisition management
4. IT Performance monitoring
5. Compliance management
6. Human-centered approach
Responsibility and Accountability: Despite being related, responsibility and accountability are
two distinct concepts. Responsibility refers to the tasks and duties a person is expected to
accomplish. Consequently, you are responsible for completing certain tasks, meeting certain
standards, or achieving certain results. While responsibility can be delegated or assigned,
ultimately it remains with the individual responsible. What constitutes accountability, however, is
the obligation to answer for one's actions, decisions, and performance. The act of being accountable
involves being held accountable for the consequences of one's actions, whether positive or negative
in nature. If a person fails to fulfill their responsibilities, they will be held to account or face
consequences. Accountability also involves taking ownership of the outcome of one's actions and
being willing to accept the consequences of those actions, good or bad. It is about having a sense of
ownership and a commitment to achieving results.

25 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Responsibility is basically about doing what is expected of a person, while accountability is about
accepting the consequences of one's actions. Essentially, responsibility is the obligation to perform
tasks, whereas accountability refers to accepting the consequences of one's actions. In governance,
responsibility and accountability are important. Responsibility means doing something, while
accountability means answering for what one has done or failed to do. As a result, it is important for
leaders to ensure that everyone is responsible and accountable for their actions. This means setting
clear expectations and holding people accountable for their results. This also creates an
environment of trust and accountability, which is essential for successful governance.
An organization's governing body is ultimately responsible for governance, as it is a strategic tool.
The governing body may include a board of directors or another governing body that operates at
the highest strategic level. They must ensure that governance duties and tasks are carried out. The
governing body should ensure that the organization's IT strategy and operations are aligned with
its overall business goals. It is essential that individuals and groups involved in IT services
understand and accept their responsibilities. Additionally, managers need to have the authority and
means to intervene appropriately. While responsibility can be shared, and to a certain extent
delegated for certain specific areas, such as IT or cybersecurity, ultimately accountability and
responsibility are still with the organization's governing body. Consequently, cybersecurity
governance involves all stakeholders, but the responsibility and accountability rest at the top levels,
with those who are accountable to others. As a result, managers need to have the capability and
authority to take decisive action to ensure the security of the organization. This can involve
assigning tasks to others, yet the ultimate responsibility lies with the leadership team. This means
that cybersecurity governance must involve all stakeholders, but the ultimate accountability rests
with the organization's governing body.
IT strategy IT strategies are comprehensive plans or approaches that organizations use to
maximize the impact of technology on their objectives. It is an important component of the IT
governance strategy, proving guidance. The organization should have a clear IT strategy that aligns
with its overall business strategy. To ensure that technology is used effectively to support business
objectives, an organization needs to align its technology initiatives with its overall business strategy
when developing an IT strategy. It is important to communicate the organization's IT strategy and
evaluate IT investments based on their alignment with it. It is imperative that an organization's IT
strategic plans meet the organization's current and future needs, taking into consideration both
existing and future IT capacity.
The following elements should be included in an IT strategy:
• Vision and goals: A clear articulation of the organization's vision for how technology can
support its business objectives and a set of specific goals for achieving that vision.
• Assessment of current technology landscape: An analysis of the current state of the
organization's technology infrastructure, applications, systems, and processes.
• Gap analysis: Identification of gaps between the organization's current state and its
desired future state.
• Roadmap: A comprehensive plan or roadmap for achieving the desired future state,
which may include upgrading or replacing technology infrastructure, improving processes,
and developing new applications.
• Resource allocation: An evaluation of the resources required to implement the IT
strategy, including budget, staffing, and infrastructure.
• Governance and risk management: A plan for governance and risk management of IT
assets, which may include policies and procedures for security, compliance, and disaster
recovery.
• Metrics and measurement: A set of metrics and measurement criteria to evaluate the
success of the IT strategy and ensure ongoing alignment with the organization's business
goals.

26 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

An effective IT strategy can help an organization achieve its goals more efficiently and effectively,
improve business processes, and create a competitive advantage using technology. For an
organization's IT strategy to remain aligned with changing business needs and technology trends, it
is important to review and update it regularly. This can help ensure that the IT strategy is up-to-
date and able to effectively support the organization's changing needs. Regular reviews can also
uncover potential risks and weaknesses that can be addressed before they become an issue.
Consequently, regular reviews of the IT strategy can help the organization stay ahead of the curve
and be better prepared for the future. For instance, the review process can be used to identify
emerging technologies that could potentially improve the organization's operations and ensure the
IT strategy is adequately prepared to take advantage of them.
IT governance strategy An organization's IT strategy must include governance and risk
management as integral components. To implement this strategy successfully, the organization
must develop a cybersecurity and risk management strategy. To ensure that IT assets and activities
are aligned with a company's overall business objectives and goals, an organization must develop a
comprehensive plan or approach that ensures that these assets and activities are aligned with the
company's overall business objectives. To ensure that IT investments are made in such a way that
maximizes value and minimizes risk, organizations need to establish the right decision-making and
accountability structures within the organization to effectively manage their IT initiatives.
An IT governance strategy typically includes the following elements:
• Governance structure: A clear governance structure is established, which defines the
roles, responsibilities, and decision-making processes for IT activities within the
organization. This may include an IT steering committee, IT governance board, or other
similar governance body. This governance structure should be designed to ensure that the
organization's IT activities align with its business objectives and are following relevant laws
and regulations. It should also ensure that IT investments are made in a cost-effective and
timely manner.
• IT policies and procedures: Policies and procedures are established that outline the
standards and guidelines for IT activities within the organization. This includes policies
related to cybersecurity, risk management, compliance, and other key areas. These policies
must be reviewed and updated regularly to ensure that they are relevant and up to date
with the latest technology and industry standards. It is also important to ensure that
everyone in the organization is aware of and understands the policies and procedures.
• IT investment management: A process is established for prioritizing, selecting, and
managing IT investments. This involves evaluating the costs, benefits, and risks of potential
investments, and ensuring that they align with the organization's overall business strategy.
IT investment management also includes tracking IT investments over time to ensure that
they remain beneficial and cost-effective. In addition, it involves adjusting if the investments
fail to meet the organization's expectations.
• Performance management: A system is established to measure and monitor IT
performance, including the effectiveness of IT investments and the alignment of IT activities
with business objectives. This system is used to identify areas for improvement, prioritize
IT investments, and develop plans and strategies to improve IT performance. It also helps to
ensure that IT investments are aligned with business goals and objectives. For example,
performance metrics can be used to compare the cost of IT services with the amount of
value they provide to the organization.
• Risk management: A process is established for identifying, assessing, and managing IT-
related risks, including cybersecurity and compliance. It should also include other
components, such as technology obsolescence. This process should be regularly reviewed
and updated to ensure that risks are identified and addressed in a timely manner. The risk
management process should be documented, and its implementation should be regularly

27 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

reviewed to ensure that it is effective. For example, the process should include the
identification of potential vulnerabilities and implementation of measures to mitigate the
associated risks, as well as the development of response plans in the event of a security
breach.
• Communication and engagement: Communication and engagement strategies are
developed to ensure stakeholders are informed and engaged in IT decision-making
processes. These strategies can include newsletters, surveys, and meetings to ensure that
stakeholders have a voice in the decision-making process. These strategies can also help to
ensure that stakeholders are aware of any changes or developments that may affect them.
Additionally, these strategies can help to build trust between stakeholders and IT staff.
As a result of implementing a comprehensive IT governance strategy, an organization can maximize
the effectiveness and efficiency of its IT assets and activities while minimizing the risks that it might
face. For organizations to ensure that their IT governance strategy remains aligned with changing
business needs and technology trends, organizations need to review and update it regularly. IT
governance processes should also be regularly monitored and evaluated to ensure compliance and
effectiveness. Additionally, organizations should ensure they are taking advantage of any new
technology developments that could improve their IT governance strategy. To remain effective and
compliant, organizations should not just review and update their IT governance strategy regularly,
but also monitor and evaluate their IT governance processes. Furthermore, they should take
advantage of any available opportunities to leverage new technologies to their advantage. For
instance, cloud computing has enabled organizations to not only reduce costs but also to improve
the flexibility of their IT governance processes. Organizations should also pay attention to the
security implications of using cloud computing and ensure that they have the necessary measures
in place to protect their data. Additionally, they should ensure that their IT governance processes
keep up with the changes in technology and regulations.
IT Acquisition Management: The acquisition and management of IT resources, including
hardware, software, and services, must be carried out by an organization in a structured and
transparent manner. In addition to ensuring that IT resources are acquired in a cost-effective and
secure manner, any associated risks should also be identified and managed as part of this process.
As a result, there is a need for mechanisms in place to ensure that IT acquisitions are made for good
reasons, based on due diligence, with a transparent and clear decision-making process, as well as
being made for good reasons. In addition, it is very important to balance the opportunity, benefits,
costs, and risks associated with IT acquisitions over the short and long term. It is also necessary to
ensure that the IT acquisitions are aligned with the organization's strategic goals and objectives.
Finally, it is important to create a structure that allows for continuous monitoring of the IT
acquisitions and their performance.
IT Performance Monitoring: Organizations need to monitor and measure IT investments and
operational performance. The organization should establish performance metrics, evaluate
performance regularly, and improve performance as necessary. It needs to be clear that IT supports
the organization by providing services at a level of performance and quality that meets current and
future needs. IT should also aim to reduce costs and improve efficiency throughout the
organization. Performance metrics should be tracked and reported to verify that the IT
organization meets its goals. IT should establish a culture of continuous improvement and make
sure that employees have the resources needed to achieve these goals. Regular review of
performance metrics should be conducted to ensure that the organization is on track to meet its
goals. Finally, regular feedback should be provided to employees to ensure that they are performing
to the best of their ability.
Compliance Management: Organizations must comply with all applicable laws, regulations, and
industry standards related to IT governance and security. The organization should establish
policies and procedures to ensure compliance and regularly assess compliance with all regulations

28 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

and legal obligations. There needs to be clear, published, and enforced IT governance guidelines
within the organization. The organization must also have a process in place to ensure compliance
with those guidelines. In addition, the organization should review the guidelines regularly to ensure
that they are up to date and remain compliant. Compliance is presented in more detail in a
subsequent chapter.
Human-Centered Approach: IT governance is influenced by human behavior, including IT
professionals' behavior and organizational culture. The organization should establish policies and
procedures that promote ethical behavior, transparency, and accountability. IT professionals
should be trained on IT governance policies and procedures, and their behavior should be
monitored and evaluated. IT professionals should be encouraged to speak up when they observe
any unethical behavior. The organization should also have a whistleblower policy in place to
protect those who report unethical practices. Regular audits should be conducted to ensure that IT
governance policies and procedures are being followed.

Cybersecurity Governance
While enterprise governance provides a global framework for the whole organization and IT
governance helps set the tone for managing IT, cybersecurity governance refers to the processes,
policies, and structures that are put in place to manage the risks associated with the use of
information technology and ensure the security of information systems. It encompasses the
mechanisms by which organizations ensure that their cybersecurity risks are properly managed,
their information assets are protected, and their compliance with laws and regulations is
maintained. It is a part of enterprise governance that inherits many of its characteristics but
provides more specific guidance and processes. This is achieved in a three-prong approach
involving Governance, Risk Management and Compliance (GRC), as further discussed in this
chapter.
Cybersecurity governance is concerned with setting the strategic direction for cybersecurity within
an organization and ensuring that appropriate resources are allocated to meet cybersecurity
objectives. It involves defining the roles and responsibilities of individuals and teams within the
organization, as well as establishing clear policies, procedures, and guidelines for the management
of cybersecurity risks. On this foundation, the organizations will be able to assess risks and make
appropriated decisions about risks, as presented in detail in a later chapter. Cybersecurity
governance also involves monitoring and reporting on the effectiveness of the organization's
cybersecurity controls, as well as conducting regular assessments of the organization's
cybersecurity posture and compliance issues to identify areas for improvement. Effective
cybersecurity governance requires active engagement from senior leaders and all levels of the
organization, as well as ongoing collaboration between different functional areas, such as IT, Legal,
Human resources, Accounting, Compliance, and many others.

Using the Balanced Cybersecurity Scorecard

The tone of cybersecurity is set by governance. However, many cybersecurity professionals are
focusing more on selecting and implementing mitigation measures than on why and what is
needed. A balanced scorecard approach is necessary for ensuring good cybersecurity from both
perspectives.

29 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Figure 9: Balanced Cybersecurity Scorecard

An organization's vision and strategy can be translated into measurable objectives and key
performance indicators (KPIs) through the Balanced Scorecard, a strategic performance
management framework. By considering multiple dimensions, such as financials, customers,
internal processes, and growth and learning perspectives, it provides a balanced view of an
organization's performance. To address the limitations of assessing organizational performance
with only financial measures in the early 1990s, Robert Kaplan and David Norton introduced the
Balanced Scorecard. Their argument was that financial measures alone are not sufficient to provide
a comprehensive picture of an organization's health and performance. Cybersecurity can be
assessed and managed using the Balanced Scorecard framework by incorporating relevant metrics
and perspectives. Organizations should use the Balanced Scorecard framework to create a
comprehensive view of their cybersecurity performance and consider multiple perspectives, such
as operations, risk, and customer service. This helps create a holistic view of cybersecurity
performance and allows organizations to identify areas of improvement and make informed
decisions. For example, operations can be measured by the number of successful and unsuccessful
login attempts per month, risk can be measured by the percentage of vulnerabilities closed in each
period, and customer service can be measured by the average time to respond to a security
incident.
There are four interrelated perspectives that make up the Balanced Scorecard framework. They are
as follows:
1. As part of the financial perspective, revenue growth, profitability, and return on
investment are considered. In terms of cybersecurity, consider the financial impact of
cybersecurity incidents to assess how the organization's strategy contributes to its financial

30 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

goals. Take remediation expenses, lost revenue, legal fees, and regulatory fines into account
when evaluating cybersecurity breaches. You should also evaluate the return on investment
(ROI) of cybersecurity investments such as security technologies, training programs, and
incident response capabilities. This will help you determine the financial cost of any
incidents and the benefits of preventive measures. It can also help you decide how much to
invest in cybersecurity measures and which areas are most important. Ultimately, this will
help you maximize the ROI of your cybersecurity investments.
2. A customer's perspective examines metrics such as customer satisfaction, loyalty, and
market share. For cybersecurity, focus on metrics related to customer trust and satisfaction.
It helps organizations determine if their products or services are meeting customer needs
and creating value for customers. Monitoring customer feedback and complaints related to
cybersecurity incidents and their resolution. Identifying and evaluating customer
perceptions of the organization's security measures. Measuring customer willingness to
recommend the organization's cybersecurity products and services. Assessing customer
loyalty and trust in the organization's cybersecurity measures. Tracking customer
perceptions of the organization's data security. For instance, organizations can survey
customers to understand their level of confidence in the organization's ability to protect
their data.
3. The Internal Processes Perspective examines the internal processes and operational
efficiency of an organization. In cybersecurity, assess the effectiveness and efficiency of
cybersecurity processes, as well as the key processes that drive customer satisfaction and
financial performance. The number and severity of security incidents, the time it takes to
detect and respond to incidents, and the effectiveness of security controls should all be
monitored. Ensure compliance with cybersecurity policies and procedures, including
vulnerability management, access controls, and incident response protocols. Measure the
performance of security operations staff, including the effectiveness of their investigations
and response times. Review the effectiveness of security awareness programs to ensure
employees understand their role in protecting the organization. Monitor the security
posture of the organization and report any changes or weaknesses. For instance, security
operations staff should be evaluated on their ability to identify and respond to security
incidents within defined timeframes.
4. An organization's ability to learn, innovate, and develop its people and infrastructure is
emphasized in the Learning and Growth perspective. For cybersecurity, assess the
organization's cybersecurity workforce and capabilities, and measure the level of
cybersecurity awareness and training throughout the organization. This includes measures
related to employee training and development, knowledge management, and adopting new
technologies. Assess cybersecurity professionals' skills and certifications and monitor the
adoption and implementation of new security technologies, threat intelligence systems, and
security awareness programs. Investigate the current risk management processes and
ensure that the organization has a comprehensive cybersecurity strategy. Develop a
roadmap for improving cybersecurity preparedness and resilience. Establish a review
process to ensure the effectiveness of security measures. For example, the review process
could involve periodic assessments of the organization's security posture, and the results of
the assessments should be used to inform strategy and roadmap changes.
In addition to providing a holistic view of an organization's performance, the Balanced Scorecard
aligns strategic objectives with operational activities using these four perspectives. By encouraging
a balanced approach to decision-making and performance management, the balanced scorecard
ensures that actions in one area do not compromise others. Additionally, it is necessary to define
specific objectives and key performance indicators (KPIs) for each of these perspectives. In the

31 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

internal processes perspective, KPIs might include the number of security incidents per month, the
average time to resolve incidents, and the percentage of systems with current security patches.
To enhance the organization's overall cybersecurity posture, review and analyze the cybersecurity
Balanced Scorecard metrics regularly to identify opportunities for improvement, allocate resources
effectively, and make informed decisions. By aligning cybersecurity management with the
organization's strategic goals and ensuring continuous monitoring and improvement, it enables a
proactive and balanced approach to cybersecurity management.
As a tool for clarifying strategy, measuring performance, and driving continuous improvement, the
Balanced Scorecard framework is widely used by organizations across a variety of sectors. Through
it, employees at all levels are communicated the organizational goals and objectives, and their
efforts are aligned with them. The Balanced Scorecard framework helps to ensure that the
organization is focused on the right objectives, and that everyone is playing their part in achieving
them. It also helps to ensure that the organization is making progress towards its goals, and that
any areas of underperformance can be quickly identified and addressed. Balanced Scorecard helps
to ensure that the organization is making effective use of resources and that any areas of waste can
be identified and eliminated. Additionally, it helps to ensure that all employees are on the same
page and working towards the same objectives.

SMART Governance Metrics

It is important to use reliable measures in cybersecurity to ensure that organizations are on the
right track to continuously improve cybersecurity governance using the balanced scorecard
approach, as mentioned above. For several reasons, cybersecurity metrics are crucial:
• The performance of cybersecurity activities can be measured and assessed quantitatively
using metrics. By analyzing their security controls, incident response capabilities, and
overall security posture, organizations can gain insight into the current state of
cybersecurity. They also allow for benchmarking, setting goals, and tracking progress.
• Metrics can help organizations identify and manage cybersecurity risks. By measuring
metrics related to vulnerabilities, threats, and incidents, organizations can prioritize their
efforts and resources accordingly. Organizations can take proactive measures to mitigate
risks and improve their security posture by identifying vulnerabilities or weaknesses in
security controls.
• An informed decision-making process is supported by metrics. Organizations can make
data-driven decisions about security investments, resource allocation, and prioritization of
security initiatives when they have quantifiable metrics at their disposal. With metrics,
organizations can assess the cost-effectiveness and impact of different cybersecurity
measures and make decisions based on evidence rather than assumptions.
• A common language for discussing cybersecurity issues, risks, and progress within the
organization is provided by metrics. By demonstrating tangible results and quantifying the
value of cybersecurity investments, cybersecurity professionals can demonstrate the
importance of security initiatives to executives and other stakeholders. Additionally,
metrics can be used to objectively evaluate a team's and individual's performance, to hold
them accountable for their cybersecurity responsibilities.
• By regularly measuring and analyzing metrics, organizations can identify trends, patterns,
and areas for improvement. Continuous Improvement: Metrics play a crucial role in driving
continuous improvement in cybersecurity. Organizations can refine their strategies,
improve their incident response processes, and update security controls using metrics that
highlight areas that need attention. It is also possible to measure progress towards security
goals using metrics and evaluate the effectiveness of improvement initiatives.

32 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Figure 10: SMART metrics

As a result of metrics, organizations can assess, monitor, and improve cybersecurity practices.
Using them, organizations can strengthen their security posture, mitigate risks, and adapt to
evolving cyber threats by enhancing decision-making, accountability, and communication. Metrics
that will enable organizations to measure innovation to improve and learn.
Students need to remember the acronym Smart when thinking about metrics. They need to be
specific, measurable, achievable, relevant, and time-bound. By following this acronym, students will
be able to create metrics that are specific, measurable, achievable, relevant, and time-bound. Let's
break down each component of SMART metrics to gain a better understanding of how to set clear
objectives and define metrics that can be used to measure progress toward those objectives.
• It is important to ensure that metrics are specific and well defined. They should state what is
being measured, why it is being measured, and what is being achieved. Specific metrics provide
clarity and focus, ensuring that everyone understands what is intended.
• Measurable metrics permit objective assessment and comparison of progress and performance.
They provide concrete data to evaluate progress and performance. They should be quantifiable and
measurable.
• SMART metrics should be realistic and attainable, and they should set targets that are
challenging yet feasible within the context of resources, capabilities, and constraints. By setting
goals that are attainable, individuals or teams are motivated to strive for improvement and achieve
their goals.
• The SMART metrics should be relevant to the objective or goal being pursued, aligned with the
strategic priorities, and address the critical aspects of performance. Insights into the desired
outcome can be gained with relevant metrics, which guide decisions and actions.
• A time-bound SMART metric specifies when it will be measured or achieved. This creates an
urgency, encourages effective action, and allows for monitoring progress within a defined timeline.
An organization can ensure metrics are meaningful, actionable, and contribute to overall

33 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

performance improvement by applying the SMART criteria. By setting clear expectations, tracking
progress, and utilizing objective data, SMART metrics assist in making informed decisions. In
addition to supporting organizational objectives, they promote a culture of accountability and
continuous improvement through the design of metrics. SMART metrics allow organizations to
measure performance accurately, and in a way that is easily understood by all stakeholders. They
also provide the necessary structure to ensure that all goals are well-defined and achievable.
Finally, SMART metrics provide organizations with a way to track progress and evaluate the
success of their initiatives.

34 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Chapter 3: Cybersecurity Compliance

This chapter presents cybersecurity compliance, a vital aspect of cybersecurity governance. As
mentioned previously, cybersecurity governance is a continuum of three activities, called GRC. In
the cybersecurity context, the acronym GRC refers to Governance, Risk Management and
Compliance. Cybersecurity governance sets the framework and tone for cybersecurity in the
organization, while identifying the cybersecurity goals and obligations. From there, risk
management helps support the decision-making process, arbitrage, and identification of potential
strategies to deal with unacceptable risks. However, cybersecurity also depends on the ability of
demonstrating the organization's compliance with its obligations, the efficiency of controls and risk
mitigation activities. Compliance is essential for the cybersecurity of an organization's systems,
networks, and data. It helps ensure that the organization follows the applicable laws, regulations,
and standards. It is important to keep up to date with the latest compliance requirements.
Governance was presented in chapter 2. In this chapter, we go in-depth on, compliance. Risk
management is presented in a later chapter, along with a later chapter on risk assessments.
The idea behind compliance is simple: organizations need to be following rules. It must be able to
verify that the policies and mechanism that are in place to ensure that all stakeholders are
conforming to the rules and the policies that they are required to are working. As a business, we
want to make sure that our employees are acting in accordance with the guidelines, and we can
function properly as an organization. Looking further, we know that if the organization does not
follow, or comply, with the rules and regulations, it can get sued, fined, or have all kinds of legal
problems. The government, our customers, our suppliers, society, and other stakeholders are
expecting us to comply with our obligations. That organizations are legally obligated to respect the
Law, should be obvious. However, many still need to be reminded of this regularly. As well, there
are contractual obligations, due to clauses in contracts signed by the organization that require them
to have a certain cybersecurity process in place. Organizations have a need to demonstrate that it is
complying with laws, rules, regulation, standards and other obligations or face consequences.

Understanding Compliance
As mentioned in the introduction to this chapter, compliance refers to the act of adhering to rules,
regulations, laws, and standards applicable to a particular organization, industry, or jurisdiction. It
involves business processes that are in place to provide a framework for ensuring that an
organization operates in accordance with all relevant legal, regulatory, and ethical requirements.
Compliance is important for organizations to maintain a good reputation and protect their assets,
as well as avoid legal penalties or other sanctions. It also helps to ensure that an organization is
held accountable for its actions and can be trusted by its stakeholders. For example, an organization
that does business in the European Union needs to be compliant with European privacy regulations,
the GDPR. This organization must make sure that it protects its customers' personal data in
accordance with GDPR regulations. Having a formal compliance program in place provides the
added benefit of providing evidence that the organization is serious about compliance. This may be
useful if there is ever a need in the future to this effect, perhaps in legal proceedings.
By integrating compliance into the culture of an organization as well as promoting the compliant
behavior and attitudes of its employees, organizations can make compliance a sustainable and
successful opportunity. An organization must implement a compliance management system for the
purpose of complying with all its obligations. These obligations include relevant laws, regulations,
industry codes, and organizational standards. They also include generally accepted accounting
practices, best practices, ethics, as well as community and stakeholder expectations. Organizations
are increasingly turning to compliance management and compliance management systems to help

35 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

them maintain their integrity and avoid noncompliance. When compliance-related risks are
managed effectively, business opportunities, sustainability, reputation, and credibility can all be
maximized.
Compliance can cover a wide range of areas, depending on the nature of the organization and the
industry in which it operates. Other than cybersecurity compliance, which is the topic of this
chapter, there are many other common areas of compliance that concern organizations. These can
also overlap, as are they are often linked. Some of the compliance areas that are often found in
organizations include:
• Legal compliance: This involves following laws and regulations set forth by government
authorities at the local, state, and national levels. Legal compliance ensures that
organizations operate within the boundaries defined by the law, covering areas such as
labor laws, environmental regulations, intellectual property rights, data protection and
privacy laws, and consumer protection laws. There are many of these that are used. Some
are presented later in this chapter.
• Regulatory compliance: Many industries are subject to specific regulations and oversight
by regulatory bodies. Regulatory compliance ensures that organizations meet the
requirements and standards set by these regulatory authorities. Examples include the
Central Bank of Nigeria (CBN) which supervises and regulates the financial sector, while the
National Agency for Food and Drug Administration and Control (NAFDAC) oversees the
pharmaceutical and food industries. Most of these regulations have equivalents in other
jurisdictions.
• Contractual compliance: This category of compliance refers to the adherence to the
terms, conditions, and obligations outlined in a contract between two or more parties.
When parties enter into a contractual agreement, they are legally bound to fulfill the
requirements specified in the contract, some of which may be very specific as to business
processes of activities. Compliance ensures that all parties fulfill their contractual
obligations in a timely and satisfactory manner and can demonstrate their compliance,
perhaps by providing evidence, such as an external audit report.
• Corporate Social Responsibility (CSR): Organizations have a responsibility to act in a
manner that benefits society and the environment. It is often a voluntary initiative that goes
beyond legal compliance and focuses on the ethical, social, and environmental impacts of an
organization's activities. CSR’s goal is to foster a positive impact on various stakeholders,
including employees, customers, communities, and the environment. It involves integrating
social and environmental concerns into an organization's core business operations and
decision-making processes. An example of CSR compliance might be to provide evidence
that no child labor is used by sub-contractors or by fair-trade practices when dealing with
suppliers in countries that are known to mistreat certain groups, such as racial, sexual, or
religious minorities, first-nations, or other identified categories.
• Ethical compliance: Compliance extends beyond legal and regulatory requirements and
encompasses ethical considerations as well. In a similar manner to CSR, but perhaps in a
less structured manner, ethical compliance involves adhering to moral principles, values,
and codes of conduct that guide ethical behavior within an organization. It includes
practices such as anti-corruption measures, fair competition, responsible supply chain
management, and of course corporate social responsibility, which was mentioned.
• Compliance to Standards: Compliance can also involve adhering to industry-specific
standards and best practices. These standards are often developed by industry associations,
professional organizations, and international standardization communities. They serve as
guidelines for ensuring quality, safety, and ethical practices within a particular sector.
Compliance with industry standards helps organizations demonstrate their commitment to
excellence and responsible conduct. Not all standards offer a certification scheme, but in

36 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

cybersecurity ISO 27001, which proposes a cybersecurity management system, is probably

the most used cybersecurity standard to offer a certification process.
• Internal policies and procedures compliance: Organizations often establish their own
internal policies and procedures to ensure compliance with external regulations and to
maintain internal control and governance. These policies can cover various aspects such as
employee conduct, information security, information technology usage, financial
management, and risk management. The most often mentioned policy that is found in
literature in this category is information security policy compliance. Information security
policy compliance is discussed more in detail in this chapter.
Compliance involves identifying, assessing, and addressing compliance risks in a systematic
manner. It involves implementing appropriate controls and processes, conducting regular audits,
both internal and external, and maintaining documentation that demonstrates compliance. Non-
compliance can result in legal consequences, financial penalties, reputational damage, and loss of
trust from stakeholders.
The traditional compliance approach focuses on the reliance on external forces to enforce
compliance. To enforce desired compliance behavior, it uses coercive and compensatory control
mechanisms. This of this as the carrot (compensatory) or stick (coercive) strategy. For instance,
compliance approaches may include reprimand, fines, and suspension of privileges as forms of
punishment for non-compliance, and cash rewards, bonuses, and praise for desired behavior. Some
ill-advised managers and organizations tend to focus much of their strategy on punishment. While
this may show short-term improvements, it does not favor long-term adhesion, nor does it
contribute to creating a culture of compliance. Rather it encourages actors to find innovative
deviant behaviors and general dissatisfaction. By contrast, a modern compliance approach focuses
on internal motivation and encourages desired compliance behavior through education and proper
guidance. It emphasizes on building a culture of compliance in which employees understand the
importance of compliance and willingly comply with rules and regulations. In this manner,
resilience and maturity is increased, residual risk is reduced, and lasting changes occur.
Organizations can benefit from compliance in many ways, including, but not limited to:
• Improving business opportunities.
• Enhancing reputation and trustworthiness with partners and customers.
• Developing sustainable practices.
• Increasing stakeholders' confidence in the organization's ability to succeed
• Demonstrating an organization's commitment to managing compliance risks effectively.
• Avoid costly fines and penalties.
To oversee compliance efforts, organizations must appoint compliance officers and create an
independent compliance department. These actors are responsible for monitoring changes to
regulations, implementing compliance programs, providing training and education to employees,
conducting internal audits, and addressing any compliance issues that arise. They also work closely
with other departments to ensure that their policies and procedures are in line with regulations.
Finally, compliance officers are tasked with reporting any violations of laws or regulations to the
necessary authorities. For instance, a compliance officer might report a suspicious transaction to
the appropriate law enforcement agency or financial regulator. The compliance department needs
to be independent from IT, Finance, or other functional areas to ensure that it can operate free from
undue influences that inevitably will arise.
Compliance is a critical component of enterprise governance, ensuring businesses, institutions and
other types of organizations operate legally, ethically, and responsibly. Compliance programs are
designed to detect and prevent non-compliance with applicable laws and regulations. They can also
help organizations mitigate compliance risks and ensure that they are operating in an ethical and
responsible manner. However, compliance programs can be costly and time-consuming to
implement and maintain. They can also create a culture of fear and mistrust, where employees are

37 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

afraid to speak up or take risks. In some cases, compliance programs can even lead to unethical
behavior, as employees try to game the system to avoid getting caught. For these reasons, it is
important for organizations to take a balanced approach when implementing compliance programs.
They should focus on creating an environment of trust and respect, while also providing clear
expectations and consequences for unethical behaviors.

Cybersecurity Compliance
In the context of cybersecurity governance, we are particularly interested in IT compliance, the
obligations to meet certain requirements as far as business processes go, but from an IT point of
view. IT compliance and cybersecurity compliance are crucial to Business Technology Management.
They serve to ensure that sensitive information is protected, and system security is maintained.
Cybersecurity compliance ensures that organizations adhere to specific regulations, standards, and
best practices in relation to the CIA triad, which was presented in chapter 1. More simply, it is used
to ensure that the organizations’ cybersecurity governance framework and cybersecurity risk
management program work as intended. It helps to identify opportunities for improvement. It also
contributes to increase the level of cybersecurity maturity, the level of resilience and the
effectiveness of the cybersecurity program. The following are some key points to consider when
planning cybersecurity compliance management:
• Regulations and Standards: Familiarize yourself with relevant regulations and
standards that govern cybersecurity practices, such as the General Data Protection
Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Health
Insurance Portability and Accountability Act (HIPAA), ISO 27001, and NIST Cybersecurity
Framework. Each regulation has its own requirements and guidelines for securing data and
systems. Organizations need to make sure they are compliant with the elements of
regulations and standards that are applicable to them. Regular reviews should be
performed to ensure that there are no new regulations or standards that they need to deal
with. It is important to stay up to date with changes to regulations and standards.
Organizations need to ensure that competent and licensed legal professionals are involved.
• Data Privacy: Understand data privacy principles, including personal information
collection, storage, and processing. Learn about consent mechanisms, privacy protection
solutions, data anonymization, encryption, and other measures to protect personal data.
Understand data privacy regulations, such as GDPR and those that are used in your industry
and jurisdiction, and the implications of non-compliance to these privacy regulations.
Become aware of the implications of data breaches and how to prevent them. Develop
strategies for data privacy and security.
• Compliance risk Assessment: Develop skills in conducting cybersecurity risk
assessments and compliance risk assessments to identify potential vulnerabilities, threats,
and risks. This involves analyzing assets, determining their value, assessing vulnerabilities,
and estimating the impact of potential incidents. To mitigate identified compliance risks,
organizations should develop risk management plans that include strategies to address,
mitigate or appropriately treat the risks. These plans should be regularly reviewed and
updated to ensure they remain effective. Compliance risk management should be an
ongoing process.
• Security Controls: Gain knowledge of various security controls and practices, such as
access controls, encryption, intrusion detection and prevention systems, firewalls, network
segmentation, incident response procedures, and security awareness training. These
controls help mitigate risks and contribute to ensure compliance. Organizations should
periodically review their security controls and ensure that they are up to date and properly
implemented. Regular audits and reviews can help identify any gaps or weaknesses and

38 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

ensure that the security system is working as intended. Additionally, organizations should
be proactive in responding to changing security threats.
• Incident Response: Understand the basics of incident response planning and
management. Learn about the different phases of incident response, including detection,
containment, eradication, recovery, and lessons learned. Familiarize yourself with incident
response frameworks like NIST SP 800-61 or the SANS Incident Handling Process. Develop
a response plan that includes the roles and responsibilities of the team, as well as the
methods for communication and coordination. Additionally, create a checklist of activities
that should be performed during an incident. Finally, practice the plan regularly to ensure
its effectiveness.
• Auditing and Monitoring: Explore the importance of auditing and monitoring systems
and networks to detect security incidents, ensure compliance, and identify potential
vulnerabilities. Learn about log management, security information and event management
(SIEM) systems, and intrusion detection systems (IDS) to understand how organizations
monitor and respond to security events. Organizations must be able to track user activity,
detect anomalies, and respond to threats in a timely manner. Auditing and monitoring
systems are essential to ensuring the security of an organization’s networks and data.
Regular auditing and monitoring can help organizations detect and prevent security
incidents before they occur.
• Security Policies and Procedures: Identify the significance of security policies and
procedures in an organization. Learn how to develop, implement, and enforce security
policies that align with cybersecurity regulations. Understand the importance of user
awareness training and employees' role in maintaining cybersecurity compliance. Analyze
the impact of data breaches and other security incidents on the organization. Develop a risk
management strategy to reduce the risk of future incidents. Monitor and review security
policies to ensure they remain up to date.
• Compliance Assessments: Familiarize yourself with compliance assessment
methodologies and techniques. Understand how compliance audits are conducted, the
importance of documentation, and the process of evaluating an organization's adherence to
regulatory requirements. Learn about the different types of compliance assessments such as
internal audits, external audits, and self-assessments. Become familiar with the key
principles of compliance and how to apply them in practice. Develop the ability to identify
and address compliance gaps.
• Emerging Trends: Stay updated with the latest cybersecurity trends and emerging
technologies, such as cloud security, Internet of Things (IoT) security, mobile device
security, and artificial intelligence (AI) in cybersecurity. Understand the unique compliance
challenges these technologies pose and the corresponding security measures. Leverage the
latest tools and frameworks to ensure that your organization is secure. Be sure to keep up
with the latest patches and security updates to protect your systems from vulnerabilities.
Address any security risks quickly and effectively.
• Ethical and Legal Considerations: Develop an understanding of the ethical and legal
aspects of cybersecurity compliance, including ethical hacking, responsible disclosure, and
legal obligations related to data breaches and incident reporting. Security professionals
must adhere to the highest ethical standards and understand the legal implications of their
actions. Organizations must also ensure that their staff is well-versed in cybersecurity
regulations and laws, as well as the consequences of non-compliance. Finally, procedures
should be in place to quickly identify and respond to data breaches and cybersecurity
incidents.
Cybersecurity compliance is an ongoing process, and regulations and best practices evolve over
time, but also the environment organizations evolve in changes. It's imperative to stay informed

39 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

and update your knowledge to adapt to changing cybersecurity landscapes. Organizations should
have a regular review process in place to ensure their compliance and security policies are up to
date. It's also important to invest in training to ensure that staff have the necessary skills to protect
the organization's data and systems. Regular audits must be performed to help identify any
potential weaknesses in the system, as well as additional opportunities for improvement.
Information security and cybersecurity policies (ISP) are often used by organizations to assist with
compliance and thus improve cybersecurity controls. Organizations are also motivated to
implement ISPs to manage business, financial and legal impacts associated with business
technologies. Information security policies contribute to align compliance efforts with national and
international standards and regulations. As a result, a significant challenge remains about how to
influence or encourage information security policy compliance. The so-called traditional
compliance approach, which focuses on external forces, relies on coercive and compensatory
control mechanisms to enforce desired compliance behavior. Cybersecurity, and compliance, can be
managed more effectively if the focus is beyond the technical means of protecting information
assets. Experts say regulatory compliance improves cybersecurity performance and accountability
for cybersecurity mechanisms and procedures. This is consistent with research findings indicating
that regulatory compliance is critical to cybersecurity efforts. An ethical climate, which prioritizes
compliance reinforced by information security policies, normalizes consistent compliance
expectations. This helps to ensure that systems and processes are designed to protect against cyber
threats and to maintain the confidentiality, integrity, and availability of data. It also helps to ensure
that the organization complies with applicable regulations. Compliance contributes to customer
data protection and maintains trust of customers and partners. It also tends to minimize the risk of
data breaches, reputational damage, and financial losses.
Economic considerations are important for organizational compliance objectives, as gaps in
cybersecurity budgets will inevitably lead to increased risks and vulnerabilities. Organizations need
appropriate financial resources for cybersecurity activities. For example, improving the
cybersecurity infrastructure or carrying out awareness, education and training programs for its
staff requires significant human and financial resources. Similarly, the importance of mitigating
impacts on organizations and users is usually tied to an objective to minimize cybersecurity costs.
Organizations that lack the necessary human and financial resources, which can be particularly
significant, are looking to optimize the management of their limited resources. This is done while
improving their compliance posture. To do so, they should prioritize security controls and activities
that have the greatest potential to reduce the risk of a cyberattack, as identified by a formal risk
assessment. This requires an understanding of the risks and the cost of implementing controls to
mitigate them. Additionally, organizations should consider the cost of not implementing controls
and the potential financial and reputational damage of a breach. For instance, an organization
should prioritize controls that protect sensitive data, such as personally identifiable information,
over less critical data, such as marketing materials, thus also meeting their privacy compliance
requirements.

Cybersecurity Compliance Requirements

While non-compliance with cybersecurity best practices, including cybersecurity policies, increases
cybersecurity risks, compliance with recognized best practices and standards can be used to reduce
financial and reputational costs across an industry. There are many examples where, because of ISO
27001 certification, organizations have demonstrated cybersecurity compliance to various
stakeholders. Because the certification process requires time and effort, it also demonstrates that
the certified organization takes cybersecurity and compliance seriously. This creates value for
potential customers. Additionally, demonstrating compliance helps organizations gain trust of
partners, customers, and other stakeholders, leading to improved business opportunities. In the
long run, compliance can help organizations create and sustain a competitive advantage, as they can

40 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

demonstrate compliance in a way that others cannot. For instance, a company that is compliant
with GDPR regulations may be more likely to be chosen by an international client, due to the
assurance of data privacy and protection. Ultimately, compliance can improve security and reduce
risks, providing employees with a safer working environment. This is done by fostering a security
culture that extends beyond cybersecurity to all sectors of the organization. In a 2019 Gartner
DevOps survey (n=268), which was revised in 2021, respondents indicated that their organizations
had to comply with an average of three regulations. The most frequently mentioned regulations in
the study, listed in order of importance, include:
• Personal information and privacy laws, which vary by region, such as the General Data
Protection Regulation (GDPR) in Europe.
• ISO 27001
• Federal Information Security Management Act (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• National Institute of Standards and Technology (NIST) cybersecurity framework
• Family Educational Rights and Privacy Act (FERPA)
• Basel or Gramm-Leach-Bliley Act (GLBA)
• Sarbanes-Oxley Act (SOX)
• Service Organization Controls (SOC 2)
While the Gartner study focused on organizations in the USA, all the laws, regulations and
standards mentioned have local equivalents that can be identified for a particular situation. It is
imperative to recognize that the laws, regulations, and standards in one place may be different from
those in another. Organizations should research their local equivalents. Local research should also
include the investigation of any enforcement authorities that are applicable. Organizations should
be aware of enforcement authorities as they can provide professional advice and assistance in the
event of a breach. It is important to ensure that the organization is compliant with local laws and
standards. For instance, organizations with international operations should make sure that the data
they are collecting and storing is compliant with the applicable GDPR regulations in Europe, if they
have stakeholders in Europe, or the California Consumer Privacy Act of 2018 (CCPA), if they have
stakeholders in California.
The process of identifying applicable laws would need to be repeated for different sectors and
jurisdictions. This would require significant amounts of time and resources, including subject
matter experts and legal counsel. In addition, the laws are subject to change, so the process needs to
be regularly reviewed and updated. This could be a costly undertaking for organizations and could
be difficult to manage effectively. As a result, organizations should take the necessary steps to
ensure they are compliant with the relevant laws. Organizations must seek advice from legal and
regulatory experts, such as lawyers that are members of their local Bar association, to help navigate
the complexities of the laws. They should also have a system in place to regularly review and
update their compliance processes. Finally, organizations should invest in the necessary resources
and personnel to ensure their compliance. Later in this chapter w present a standards-based
international standard for a compliance management system that organizations could use to help
them implement and maintain cybersecurity compliance.

Compliance Assessment
Compliance analysis is a tenuous process of comparing the controls in place with its compliance
requirements and referenced standards. In addition, compliance assessment and analysis tools are
used to inspect the organization's level of compliance and to detect problems that arise after the
implementation of the generated information security policies. Organizations can assess their
compliance with cybersecurity requirements through various methods. Here are some common
approaches:

41 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

• Self-Assessment: Organizations can conduct internal self-assessments to evaluate their

compliance with applicable laws, regulations, and industry standards. These self-
assessments can take the form of a regular internal audit, led by a specialized team. This
involves reviewing security policies, procedures, controls, and practices against the relevant
requirements. Self-assessments may involve using checklists, questionnaires, or maturity
models to identify gaps and areas for improvement.
• External Audits: Organizations may engage external auditors or assessors to perform
independent audits of their cybersecurity compliance. These auditors have expertise in
evaluating compliance with specific regulations or standards and provide an unbiased
assessment. External audits may be required by regulatory bodies or may be voluntarily
initiated by the organization to ensure adherence to best practices.
• Penetration Testing and Vulnerability Assessments: Conducting penetration tests and
vulnerability assessments helps organizations identify weaknesses and vulnerabilities in
their systems and networks. These assessments simulate real-world attacks and attempt to
exploit vulnerabilities to assess the effectiveness of security controls. The results of these
tests provide insights into areas that require attention to improve compliance. Is it
becoming more common for organizations to create internal teams of highly-skilled
technical employees, so called ethical hackers or white-hats, to perform penetration tests.
• Relying on compliance Framework Assessments: Many compliance frameworks, such
as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or
ISO 27001, provide guidelines and frameworks for assessing cybersecurity compliance.
Organizations can use these frameworks as a reference to evaluate their security controls,
processes, and overall compliance posture. Organizations can get formal certifications to
demonstrate that they complied.
• Continuous Monitoring: Implementing continuous monitoring systems allows
organizations to track and evaluate their compliance status in real-time. This involves the
use of security information and event management (SIEM) tools, intrusion detection
systems, log analysis, and other monitoring mechanisms. Continuous monitoring helps
identify security incidents, anomalies, and deviations from compliance requirements,
enabling prompt remediation.
• Employee Training and Awareness: Regular and continuous cybersecurity training
programs and awareness campaigns can gauge employees' understanding of security
policies and best practices. Organizations can use quizzes, surveys, or other assessment
methods to assess employee knowledge and behavior regarding cybersecurity compliance.
Training outcomes can help identify areas where additional education or reinforcement is
needed.
• Regulatory Compliance Assessments: Regulatory bodies or industry associations may
conduct compliance assessments to ensure organizations are meeting specific
requirements. These assessments can involve audits, on-site inspections, interviews,
document reviews, and performance evaluations to determine if organizations are adhering
to mandated cybersecurity standards.
• Internal Controls and Assurance Functions: Internal audit or compliance teams within
organizations can perform assessments to evaluate cybersecurity compliance. These teams
can review security controls, policies, and practices, and provide recommendations for
improvement. Internal assessments help organizations maintain an ongoing view of their
compliance status.
It's important for organizations to select the most appropriate assessment methods based on their
specific needs, industry requirements, and regulatory obligations. Regular and systematic
assessments ensure continuous monitoring of compliance, identify areas of weakness, and facilitate
proactive measures to strengthen cybersecurity posture. There may be some opportunities here to

42 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

use automated systems, such as the compliance assessment and analysis tools mentioned earlier.
There are many developments in this area, including the use of data mining, business intelligence
and semi-supervised machine learning algorithms that can help identify anomalies and potential
non-compliances. There is currently a lot or research and development being done on this front.

Factors that Affect Compliance

Cybersecurity compliance in organizations can be influenced by a variety of factors, including
training, education, awareness, and deterrence measures. Likely the most important factor for
compliance to be sustainable it that organizations must establish and maintain a culture of
compliance. The concept of culture of compliance, is that all the individual actors in the
organization, at all levels, must promote compliance. Compliance must become part of the DNA of
the organization. If actors truly believe that it is important then it will be natural for them to have a
compliant behaviour, take actions, and make decisions that support compliance, even when there is
some uncertainty as to the best course of action. They will act diligently, ethically and in the best
interest of favoring compliance. It may be necessary to integrate social, technical, environmental,
and organizational factors when looking at improving compliance intentions. Here, as in many
other areas related to cybersecurity, the human factor remains the most difficult variable to
manage.
Some studies have revealed that the perceptions of individual actors about the severity and
effectiveness of threats have the greatest impact on cybersecurity policy compliance intentions and
behavior. While employees' compliance intentions are significantly affected by the severity of the
threat perceived by employees, this factor had an insignificant effect on behavioral intent among
participants in studies. This points to compliance awareness programs as an important factor to
foster compliance. Cybersecurity awareness programs that promote compliance and provide
guidance on compliance behaviors increase organizational maturity and resilience. This is the best
path to foster compliance.
Besides focusing on positive factors, studies suggest managers should be aware of environmental
factors that can motivate employees to engage in negative behaviors related to cybersecurity.
Lastly, reinforcing desirable behaviors can help employees develop better cybersecurity behaviors.
Educating employees about cybersecurity risks can help them understand how important it is to
follow cybersecurity protocols. Employees who demonstrate positive cybersecurity behaviors can
also be encouraged to continue doing so if rewards and recognition are provided. This will help
create a culture of security in the organization and ensure that employees take the necessary
measures to protect the company's data and networks. Furthermore, employees should be
informed of the consequences of not following security protocols. Employees should be reminded
of the potential risks associated with a weak password or not updating software regularly, for
example.
Being compliant requires being able to demonstrate compliance, therefore being able to provide
evidence that an organization complies with requirements. It is an ongoing process that is done
continuously. Organizations must continuously endeavor to maintain a state of compliance in
relation to their obligations. Compliance obligations change and evolve. New laws and regulations
are added every day. Compliance plans must be adjusted to changes all the time. Audits are an
effective way to help organizations keep compliance current. Organizations should have a process
in place that allows them to respond quickly to changes in compliance requirements. They should
also have a designated team responsible for monitoring and staying up to date with all relevant
compliance regulations. This team should also be able to provide guidance and advice to the
organization when changes are needed. Finally, organizations should have a clear and documented
process for reporting compliance violations, including a whistleblower program.

43 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Implementing a Standards-Based Compliance Management System

The strategy that is proposed is to implement a compliance management framework with an
international standard created used to establish a compliance management system. ISO 37301 is an
international standard for the creation and use of a compliance management system developed by
the International Organization for Standardization (ISO). It proposes a process for managing
compliance in a similar manner to how ISO 27001 is used to manage information security. This is
achieved by implementing a continuous improvement model based on the Deming quality PDCA
cycle. It is always very interesting to rely on international standards rather than seeking to reinvent
the wheel or develop a custom approach.

The Limits of Standards

Before making the decision to use a standard, organizations should understand that standards are
not perfect. However, they are a great source of recognized best practices. Most standards in use
today are the result of a consensus of several people, generally experts from several countries. In
the case of the international standard committees that do cybersecurity standards, the level of
expertise varies greatly from one committee to another and varies greatly over time. In general, ISO
standards committees are made up of representatives from 30 or more countries that have
contributed to writing them. There can be much more participation for popular standards that for
others that are less popular. As an example, we can look to ISO 27001 and 27002 in cybersecurity.
In the early 2000’s, when cybersecurity started to become a very hot topic in the standards
community, there were more than 50 countries that were represented in international meetings to
discuss their development. A few years before, there were less than 30 of them. It is important to
understand that, in the context of consensus-based standards creation, a consensus is what
everyone participating in a discussion, present around the table, can agree to. That means that
there are times when someone would like to be putting something in the standard, because they
think it's really the best way to do things or what's the most important, but it will not be possible. If
the people around the table on any given day are not able to agree, then what was being discussed
will not be included the standard. The result is a published standard based on this consensus. It will
be the most common lower denominator of what could be the best practices on a global scale that
everyone involved could agree on. It will not necessarily be at the cutting edge of modernity,
technologies, or advances in a particular field. Consensus-based standards will possibly always be a
little bit behind the latest developments. The most recent advances need to have matured a but
before they can be included and there can be a consensus on their benefits. This should be
understood as a good thing, as recent advances in any domain are not always a good thing once
they have been used in the real world, further down the road.

Introduction to ISO 37301

In the case of compliance management systems, what is proposed is the international standard ISO
37301, Compliance management systems — Requirements with guidance for use. ISO 37301
provides guidance and requirements for establishing, implementing, maintaining, reviewing, and
improving an effective compliance management system within an organization. The standard is
designed to help organizations ensure that they operate in compliance with relevant laws,
regulations, and ethical standards. It assists in establishing a systematic approach to compliance
that integrates with an organization's overall management system.

Key Elements of the Compliance Management System

The ISO 37301 international standard is a valuable tool for organizations seeking to enhance their
compliance practices, manage risks, and build trust with stakeholders. By implementing the
standard's requirements and getting a third-party certification of the appropriate implementation,
organizations can demonstrate their commitment to compliance and establish a robust framework

44 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

for maintaining legal and ethical integrity. This third-party certification audit must be done by an
approved auditor following a rigorous evaluation process, which is not presented here. There are
many specialized consulting firms that offer this service and can accompany organizations who
wish to do this. Organizations should also know that there is a need to renew the certification every
few years that will also require getting an external audit done by a certified auditor.
ISO 37301 outlines the key elements of a compliance management system, including:
• Context: Understanding the organization's internal and external factors that can impact
compliance.
• Leadership commitment: Demonstrating leadership support and commitment to
compliance, including the establishment of policies, objectives, and resources.
• Compliance policy: Developing a clear and comprehensive compliance policy that sets
out the organization's commitment to compliance and provides guidance to employees.
• Compliance risk assessment: Identifying and assessing compliance risks, including legal,
regulatory, and ethical risks, to prioritize actions and allocate resources effectively.
• Compliance objectives and planning: Establishing measurable compliance objectives,
developing action plans, and allocating responsibilities to achieve those objectives.
• Compliance support: Providing the necessary resources, training, and awareness
programs to support compliance efforts across the organization.
• Compliance operation: Implementing processes and controls to ensure compliance with
applicable laws, regulations, and standards.
• Performance evaluation: Monitoring and measuring compliance performance,
conducting internal audits, and periodical reviews of the effectiveness of the compliance
management system.
• Continuous improvement: Taking corrective actions to address non-compliance,
identifying opportunities for improvement, and continuously enhancing the compliance
management system.
As part of the process of establishing and maintaining its compliance management system, the
organization is required to consider a wide range of factors, such as the business model, nature, size
and scale, the complexity and sustainability of its activities and operations, as well as its
relationships with third parties. For instance, the organization should consider the risk of non-
compliance from the supply chain and the implications of any new or amended contracts with third
parties. Establishing the compliance management system ISO 37301 requires a management
system for compliance, as was mentioned. ISO management systems can be found in many different
standards, such as ISO 27001, ISO 9001, ISO 14001, and several others. They all follow the
continuous improvement model based on the PDCA, or Plan, Do, Check, Act cycle. PDCA is the basic
idea of cycling through the four steps continuously, as illustrated by figure 11. This cycle allows for
ongoing improvements to be made to the system, to help ensure that the organization is meeting
the requirements set forth by the standard. It is important for organizations to adopt and maintain
these standards, as they are essential for compliance and quality assurance.

45 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Figure 11: Compliance Management System PDCA cycle

The first thing any organization who wishes to implement a standard must do is purchase a copy of
the actual standard. Copies can be obtained from many sources, such as the ISO online store, or
from a national standards body. It might also be a wise idea to hire consultants to assist any
organization wishing to adopt any international standard for which they intend to get certification
in the future. This will accelerate the process and, hopefully, improve the quality of the effort. In this
case, consultants should hold recognized ISO Lead Implementer certifications for the standards
being implemented. It can also be beneficial to get some of your own staff certified as Lead
Implementers. This will ensure that the organization has the necessary expertise to maintain the
standards, even after the consultants have gone. Certified personnel can also act as mentors to
other staff, helping them to understand the requirements of the standard. For example, the
certification of your staff can help to ensure that the organization can remain ISO compliant in the
long term, reducing the need for costly external consulting services. From there, you will plan your
compliance management system. Organizations need to make an action plan for implementing their
compliance management system. The next step, called do, is to implement the action plan. Once we
have it in place, we will make sure it works, the check step. Finally, as the check may show possible
improvement opportunities, we get to the last element which is the act. We'll do another plan, then
get to work, check, act, etc. It’s a continuous improvement cycle done according to the Deming
model. It is like Toyota's continuous improvement model and others. In this case it's the PDCA for
compliance that we want to put in place. Figure 12 presents the steps to the implementation of a
compliance management system aligned with ISO 37301 that should be integrated into your plan.
We need to begin with a good understanding of the requirements of the standard, and then create a
plan and set measurable objectives. After that, we must implement the plan and measure the results
to evaluate the effectiveness of the system. Finally, we must take corrective action if necessary. We
must also review the system on a regular basis to ensure it is still effective and compliant with the
ISO 37301 standard. Finally, we need to communicate the system to all stakeholders and make sure
everyone understands how it works.

46 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Figure 12: Steps to the implantation of a compliance management system aligned with ISO 37301

If you read the previous part of this chapter, you already started Step 1, to learn the ISO 37301
standard. You should also read the standard itself once you purchase it. This will help you move to
Step 2, to identify the gaps between your current practices and the standard's requirements. From
there you can proceed with the gap analysis. This will require you to compare your present
situation with the key aspects of ISO 37301 identified in the previous section. You can start by
establishing a baseline. This is done by evaluating your organization's current practices, policies,
procedures, and systems related to cybersecurity compliance requirements. Identify the existing
processes, controls, and documentation you have in place. The organization needs to define
compliance objectives that align with ISO 37301 principles. These objectives should reflect your
organization's commitment to compliance and ethical practices. If it was not already done before
this project was initiated, you need to develop comprehensive compliance policies and procedures
that address ISO 37301 requirements. This includes areas such as compliance risk assessment,
compliance planning, compliance monitoring, training, and continuous improvement. You should
also create a checklist or matrix that lists all the requirements outlined in ISO 37301. This will serve
as a reference tool to compare your current practices against the standard. As you complete your
analysis, this checklist will evolve. Of course, if you follow the advice to hire a consultant to assist
you, they likely already have a checklist for you to use. This will save you a lot of work. If you are a
business technology specialist, you should know other tools, such as the five-force model, SWOT
analysis and PESTEL. These tools will help you create a picture of your compliance landscape and a
more thorough picture of your internal and external compliance environment. These tools can be
used to evaluate the different forces that affect your business decisions, such as competition,
suppliers, buyers, and market trends. They can also provide insights into the legal, social,
technological, environmental, and political factors that may influence your compliance decisions.
With these insights, you can make more informed decisions and better anticipate compliance risks
and opportunities. You can also use the data to benchmark your performance against peers and

47 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

industry standards. Finally, this data can be used to develop strategies to ensure compliance with
relevant regulations.
Once this is done, and you have gathered all the evidence you can find as to your current situation,
you can conduct the actual gap analysis. You should be able to identify any gaps between the
standards you need to comply with and your current situation. After this is done, you can create a
plan to address any issues you may have. Finally, you should implement the plan and review it
periodically to ensure your compliance. Once the plan is implemented, you should track the results
to make sure it is effective. If needed, you should make additional adjustments to ensure
compliance. Finally, you should document the entire process for future reference.
In Step 2 you will conduct a gap analysis to determine what needs to be done to meet the ISO
37301 standard requirements in your organization. You can do this by comparing your
organization's existing practices against ISO 37301. By doing this you can pinpoint areas where
your current practices align with the standard and areas where there are gaps or non-compliance.
You need to document the gaps by recording the identified gaps or areas of non-compliance in a
systematic manner to clearly document the specific requirements of ISO 37301 that your
organization does not meet or partially meets. From this information, assess the impact of the
identified gaps on your organization's compliance management system. Consider the severity of
each gap and the potential risks and consequences associated with non-compliance. By doing this
you can start to perform a compliance risk assessment. This will be updated later as you operate
the compliance management system and will be very useful to help the organization manage
compliance risks. With all this evidence, you will be ready to move on to the next step. This is to
develop a compliance management system to meet the requirements of the ISO 37301 standard
which is adapted to your organization and the desired scope. This system should include the
relevant processes, procedures, and controls for the organization to comply with applicable laws
and regulations. Once these are established, the system should be implemented and monitored to
ensure it functions properly and providing the expected results.
Developing your compliance management system is done in Step 3. This will start by developing an
Action Plan based on the identified gaps and their impact. With this action plan, your aim is to
formulate an action plan to address each gap. This will bring your organization into compliance
with ISO 37301. You will be required to determine the resources, timelines, and responsibilities
required to close the gaps effectively. You need to look at the key elements of an ISO 37301
compliance management system, listed earlier in this chapter. This will enable you to identify what
needs to be included in this action plan. Some of the required tasks, such as the compliance risk
assessment or identifying the regulatory landscape, were already done in earlier steps, but may be
required to be updated to account for new information being discovered as the organization's
compliance management system projects start to become more of a preoccupation for all the
stakeholders involved. At this point, if it was not already done prior to launching the effort to use
ISO 37301, the organization ought to designate roles and responsibilities for individuals involved in
CMS implementation and maintenance. This includes appointing a compliance officer or team
responsible for overseeing compliance activities and ensuring adherence to ISO 37301. The
organization will have to identify, select, develop, or acquire controls and risk mitigation measures
for compliance to mitigate identified compliance risks. These controls should align with ISO 37301
requirements and help prevent, detect, and respond to non-compliance. Another element in the
action plan are compliance management training and awareness programs. These are used to
educate employees and stakeholders on ISO 37301 requirements and compliance. These programs
will also help raise awareness about compliance risks, reporting mechanisms, and ethical behavior,
which will increase organizational maturity and resilience. Finally, the plan needs to propose the
establishment of compliance monitoring and reporting mechanisms to track compliance
performance and effectiveness. This includes regular assessments, audits, and incident reporting to
identify areas for improvement and ensure ongoing compliance. The action plan can then be

48 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

implemented in the next step as it becomes a formal project, with a project management team and
milestones towards implementation.
The organization can start Step 4, which is to implement the compliance management system
designed. As the system becomes a reality, the compliance management system project leadership
team, with the support of compliance team staff, will be able to prioritize the detected gaps based
on their severity and significance. From there they will allocate appropriate resources, including
personnel, time, and budget, to address the highest priority gaps first. The team will also begin
implementing the necessary corrective actions to bridge the identified gaps. This may involve
developing and revising policies and procedures, enhancing training programs, implementing
updated controls, or improving documentation systems. The goal is to close all identified gaps and
ensure compliance with applicable regulations and standards. Regular audits (Step 5) and reviews
(Step 6) should be conducted to evaluate progress and ensure the effectiveness of corrective
actions.
Once at Step 5 the organization performs an internal audit of the compliance management system
just implemented to verify its effectiveness. In the future, internal audits will also help identify any
remaining gaps or non-compliance. This will ensure that your organization is on track to meet ISO
37301 requirements. This information will be used for continuous improvement. Audits can be
conducted periodically or as needed. They should also be conducted after any major changes to the
system to ensure that the system is still compliant. This will help the organization remain compliant
and keep up to date with all the requirements. Further information and details on performing a
cybersecurity audit can be found in chapter 10.
As mentioned, in Step 6, the organization will conduct a management review of the compliance
management system and review the action plan progress. Past the initial implementation of the
compliance management system, the organization will need to regularly assess the effectiveness of
the implemented corrective actions. It will also need to track improvements in meeting ISO 37301
requirements. This will involve seeking feedback from stakeholders, using the results of internal
audits, and reviewing any changes in the external environment. This could affect the organization's
ability to fulfill its obligations. The organization should also review its compliance management
system periodically to ensure it meets its goals.
Finally, the organization may consider proceeding to Step 7, to get certified by an accredited
compliance management system accreditation authority. Once you have addressed the identified
gaps and are confident in your organization's compliance with ISO 37301, seeking third-party
certification can increase its value. This is done by engaging an accredited certification body to
conduct an external audit. The certification body will issue ISO 37301 certification if your
organization meets the requirements. The organization will then maintain and continuously
improve its compliance management system (Step 8). An ISO 37301 certification is valid for three
years and recertification is required to maintain the certification status. The organization should
also take internal audits periodically to ensure that the system is functioning effectively. The
organization should also take corrective and preventive actions as necessary. The organization
should continue to monitor any changes in the law, regulations, and standards that may affect the
system. They should document any changes and update the system accordingly.
In conclusion, cybersecurity compliance is crucial for organizations to protect their information
assets, comply with legal and regulatory requirements, and maintain trust with stakeholders. By
adhering to the organization's cybersecurity governance framework, selected controls and
recognized best practices, organizations can mitigate risks, respond to incidents effectively, and
safeguard sensitive information. Remember, compliance management is an ongoing process.
Regular reviews, updates, and enhancements to your compliance management system will ensure
its effectiveness in addressing emerging risks and changing regulatory landscapes. Continuous
improvement and a proactive approach to compliance will help your organization maintain a strong
ethical and legal framework.

49 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Chapter 4: Cybersecurity Risk

Management
This chapter presents cybersecurity risk management, a vital aspect of cybersecurity governance.
As mentioned previously, cybersecurity governance is a continuum of three activities, called GRC,
Governance, Risk Management and Compliance. Cybersecurity governance sets the framework, risk
management helps support the decision-making process, and compliance is used to demonstrate
that obligations are met, and that controls and risk mitigation activities are working. This chapter
investigates the second activity, or the R in GRC, more specifically, risk management and risk
assessments. The next chapter presents a scenario-based approach to implement what is discussed
in this chapter.
As mentioned in chapter 1, risk is created through the exploitation of vulnerabilities by a threat
agent. This is illustrated in the risk triangle (Figure 4), showing risk components. Risk occurs when
the threat exploits, or takes advantage of, a vulnerability, this resulting in a potential risk exposure
becoming an actual damage, loss, or negative outcome in some way. This is when an exposure to
risk becomes a materialized, negative outcome, such as financial losses or material damages. It
happens when all the risk components meet in time and space.
The risk triangle also illustrates that risk can be managed by reducing any of the components, such
as the vulnerability or the threat agent. This highlights the need for organizations to identify and
address potential vulnerabilities to reduce the risk of an attack. As well, the organizations must
identify and understand potential threats and threat agents, such as malicious actors. Finally, it
must seek to determine realistic scenarios of exploitation of vulnerabilities by threats with the
potential damages that could occur. These four activities, vulnerabilities identification, threats
identification, determination of scenarios of exploitation, and potential negative outcomes,
constitute risk assessment.
While this can apply to many categories of risks, cybersecurity risk management analyzes negative
outcomes in relation to the organization's cybersecurity objectives and its cybersecurity
governance framework. In addition to minimizing financial losses and complying to the governance
framework, cybersecurity objectives are expressed in relation to the CIA triangle, or the
requirements for confidentiality, integrity, and availability, presented in figure 1, in chapter 1. This
helps organizations create a comprehensive risk management strategy that will protect their data,
systems, and processes from malicious actors. The strategy should also include measures to
mitigate any potential risks, such as implementing appropriate access control measures, updating
software regularly, and conducting regular vulnerability scans.
As risk is achieved through this exploitation process, where something bad happens, risk
management is concerned with preventing risks or implementing protections measures to
minimize negative outcomes. The fraud triangle, it is linked to criminal intent, or Mens Rea,
displayed by mischievous individuals. It is therefore imperative that organizations take appropriate
measures to protect their data and systems from these malicious actors. Criminal intent must play a
role in taking advantage of a vulnerability to make it a cybercrime, otherwise it could be accidental.
When the threat agent exploits the vulnerability, risk results, as illustrated in figures 3 and 4.
Negative impacts, regardless of whether they are accidental or voluntary, must still be managed by
organizations. Organizations must understand and be aware of the vulnerabilities to manage the
risks and prevent any potential cybercrimes. It is important to recognize and protect against the

50 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

malicious intent of individuals to ensure cyber security. In this chapter we discuss how
organizations should assess and manage cybersecurity risks.
Another aspect of cybersecurity risk management is providing guidance to help organizations
allocate human and financial resources to appropriately protects data, information systems and all
business technologies that support an organization’s mission. This risk management is important to
help support cybersecurity operations and the selection of solutions.

Cybersecurity Risk Management Fundamentals

When thinking about risks, organizations need to investigate impacts to the organizations and its
stakeholders. The business impacts of cybersecurity are what most organizations would be looking
at. These can be of many types. The impacts can be physical, tangible, and measurable, such as the
destruction of equipment. But the impacts may also be intangible, difficult to estimate and
subjective, such as the reduced performance of equipment, individuals getting hurt, or event
individuals dying. Business impacts may be financial losses. Often organizations tend to focus on
financial losses. These can be expressed and measured in many ways, such as loss of clientele, loss
of market share, loss of reputation, loss of market capitalization, a reduction of the value of stocks,
or loss of value of the business in general. Although, there have been many studies that have shown
that there is really no evidence of long-term financial loss, most financial losses tend to be generally
more short term. When we look at examples of major cybersecurity issues that have happened in a
year later, then yes. But when you look at it 2-3 years or more down the line, then things generally
get back to normal at that point. The financial losses in many cases tend to be more short term than
long term. And then finally psychological aspects or loss of confidence in the organization,
psychological distress, perhaps social unrest as well.
When we look at the different types of cyber-harms that may occur, or bad things towards the
organization in the connected world, we can categorize them using a taxonomy or an ontology.
These are tools that we can use to catalogue them to help us better understand them. When trying
to identify threats, these tools are going to be useful. Taxonomies, ontologies, and other systematic
classification schemes of how different components of risk can be organized, will save time and
effort. As well, it will be useful to identify risk mitigation opportunities. There are many examples of
these that are available online, so we will not cover them at length here, as this topic should be
covered in a more advanced level.

What Risk Management is NOT

A fundamental aspect of risk is the potentiality for an undesirable outcome. Risk can only exist if
there is a possibility of some kind of loss, reduction in some future expected benefit, or loss of
utility. If an outcome is certain, or let’s say 99% to 100% sure, then there is no risk. This level of
certainty will not be manageable with risk management. In such a scenario it is an operational
problem. It must be managed through a normal business activity. This is not just true for
cybersecurity risks but all categories of risk. For example, in the cybersecurity domain, if there is a
100% chance that you will get a virus on your computers, then installing, managing, and supporting
an enterprise anti-virus system should be a default function of your IT department. There is no
need for risk management if the outcome is certain in the virus scenario that was presented.
Similarly, is the probably of an outcome is so infinitely small that it can’t be evaluated, then it
should not be addressed as a risk management problem as it won’t be manageable. Even if the
impacts are incredibly large, considering that organizations have so much to deal with already and
limited resources, it would make little business sense to implement specific risk mitigation
measures. For this last possibility, what organizations need is an incidents management program
(IM), a business continuity plan (BCP) for mission critical and strategic activities and a disaster
recovery plan (DRP) for the organization. They will allow organizations to prepare and deal with
totally unexpected events, as well as scenarios that have a very small likelihood. For example, the

51 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

likelihood of an asteroid falling on Earth is pretty much 100%, but the likelihood of an asteroid
falling on or near your IT Datacenter in impossible to assess. This trio of IM-BCP-DRP, are discussed
in detail in a later chapter of this book.
It is important to understand that risk management happens when there is a reasonable possibility
to put a probabilistic value on risk, even if this is highly subjective, if it is reasonably justifiable.
Should students absolutely need numbers for this, then let’s say that somewhere between 5% and
95% might be reasonable thresholds for risk management. More than that it is certainty, which is
not risk. Less than that is uncertainty, sometimes referred to as epistemological uncertainty in
scientific literature, and that too is not risk. Of course, we can have endless discussions on the best
minimum and maximum threshold to use in a particular context. An acceptable minimum might be
anywhere from 0.01% to 10% and the maximum might be anywhere above 90%. For this
introduction we set them arbitrarily at 5% and 95%. The exact cut-off is not that important.

The IPM Process

The risk management process can be defined by the acronym IPM. This stands for identification,
prioritization, and mobilization. It is presented on figure 13. In the identification phase,
organizations are going to try to identify potential threats, potential vulnerabilities, their potential
exposure to risk should these vulnerabilities be exploited, and what would be the business
consequences if the risk materialized. This can be difficult to achieve in an organizational setting as
individuals in BTM and cybersecurity roles often do not know how to get started. As well, there are
many cognitive biases that can interfere with this activity, as discussed later in this chapter. Often,
various individuals have different strategies to identify threats and vulnerabilities based on their
past-experience, beliefs, or because of their skill sets. One way to do this, which is what is proposed
in this book, is to use risk scenarios as a tool to facilitate the identification phase.

Figure 13: IPM process

Students need to understand that scenarios are stories. They are descriptions of things that could
happen when threats exploit vulnerabilities, which would potentially result in a negative outcome.
The negative outcomes are in relation to what was included in the cybersecurity governance
framework, which was discussed in previous chapters. As well, negative outcomes are in relation to
the CIA triangle, or to the cybersecurity objectives expressed in relation to the organizational
requirements for confidentiality, integrity, and availability. To create scenarios organizations,
create storyboards of ways that this could potentially happen. This is all happening in the
identification phase. Once these scenarios are created, and the threats and vulnerabilities are
identified, we move on to the next phase, prioritization.
In the prioritization phase of risk management, organizations are going to try to prioritize the risk
scenarios. This is necessary because resources are always limited and so they want to deal first
with the things that are more urgent or where there are more significant impacts. These are the

52 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

priorities. Of course, priorities are set based on requirements of an organization and the
preferences of its leadership. Organizations also need to determine what is acceptable and
unacceptable. Coming back to the definition of security and risk in chapter 1, we remember that
security is the absence of unacceptable risks. In the prioritization phase of risk management
organizations are going to try to identify what is acceptable and what is unacceptable. Based on the
results of prioritization the organization will make decisions about risk and then mobilize
resources.
In the mobilization phase, the organization will allocate resources, such as money and individuals
towards making unacceptable risks acceptable. This in a continuous cycle, a never-ending thing,
regularly identifying and updating and prioritizing and reviewing priorities, and then mobilizing
and implementing solutions, processes and providing training. Through the mobilization effort and
then the operations and management of the business technologies used in the organization, risk
will be managed appropriately by the organization. Security operations are presented in another
chapter. As well, risk management is supported by checks and balances to make sure that the
organization is doing a good job. This is the role of internal and external audit, also shown on figure
13. Organizations have two risk management feedback loops through BTM operations, such as the
IT department, and through the audit process, such as provided by the Compliance department.
These feedback loops are used to ensure that risk management procedures or practices are done
correctly.

Biases and other Factors

There are many biases that impact risk management in general and risk assessment in particular.
An individuals' risk tolerance influences their decision-making when it comes to risk-related
decisions. People who are risk-averse tend to make decisions that favor safety and security over the
potential of reward. Risk-seeking individuals, on the other hand, are more likely to take more risks
in pursuit of higher rewards. Both decision-making postures have merits and limitations. In an
organizational role however, this will become a significant factor if individual risk postures are not
coherent with the organization’s risk management strategy. For some individuals, their risk posture
can contribute to irrational decisions when there is an important disconnect with the organization.
Other factors can also influence the individual involved in risk decisions. For example, a person's
ability to understand risk, their access to resources, and their confidence in their own decisions can
all play a role in their risk-taking behavior. Additionally, their understanding of the rewards and
consequences of their decision-making will also influence their risk-taking behavior.
Because a non-scientific risk management is necessarily based on experience and intuition. As a
result, this type of risk management tends to be subjective and emotional, as it is based on an
individual's own beliefs, values, and limitations. An individual's experiences and biases, and their
own recognitions of risk, play an increasingly important role in risk management because of this
approach. There are many factors that can influence the interpretation of risk and its outcomes, and
this interpretation can be influenced by both culture and upbringing. Psychology teaches us that
this information, while seemingly accurate from the point of view of the individual as a particular
actor, is biased. These biases can cause us to overlook certain facts, draw incorrect conclusions, or
jump to inaccurate conclusions. To accurately interpret information and make decisions, it is
important to be aware of cognitive biases and take steps to mitigate them. Some of the most
common cognitive biases include confirmation, optimism, and many others. The biases in risk
management can have a significant impact on decision-making processes, potentially leading to
sub-optimal or incorrect results. To address these biases effectively, it is important to recognize
them. The following are some of the most common types of bias that affect risk management:
• In overconfidence bias, individuals or teams overestimate their knowledge, abilities, or
prediction accuracy. As a result, they may take inadequate precautions because they believe
they understand risks better than they do.

53 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

• Decision-makers can become overly dependent on the first piece of information they
encounter, the anchor, when making decisions. The anchor bias will affect subsequent
information may not be weighed appropriately because of this.
• A confirmation bias occurs when people favor information that confirms their existing
beliefs or values. This can lead to decision-makers selectively seeking out or giving more
credence to information that aligns with their preconceptions in risk management.
• The availability bias arises when decisions are based on immediate and easily recalled
information rather than comprehensive information. Due to their ease of recall, recent or
dramatic events can disproportionately influence risk assessments.
• Optimism bias occurs when individuals believe they are less likely to experience negative
events than others. Inadequate safeguards or inadequate risk management can result in
under-preparation.
• A status quo bias is a preference for the current situation. In general, people are resistant
to change, which can make it difficult to adopt effective risk management strategies.
There are other factors that may also influence risk management. For example, because of
groupthink, decisions may be made without thorough consideration or that don't account for all
potential risks in a group's desire for harmony and conformity. Risks will also be influenced by the
language used. The choice of words influences how individuals perceive risk, and more specifically,
how they evaluate the chances of loss and gain. According to Prospect Theory, the framing of the
problem, called framing effect, the way it is presented, and the scenario influence the construction
of risk, decision-making, and outcomes. People take risks based on the reference point they use
when estimating risk situations. Even if the underlying data are the same, presenting them as
potential losses instead of potential gains can lead to different risk management decisions.
In addition to these elements, cultural aspects, propensity to risk, and language will affect
individual behavior. There will be an underestimation or overestimation of the probability of an
element's vulnerability to hazards, damage, and risk. An individual filters subjective, unscientific
estimations. In terms of risk management, it cannot meet the needs of organizations. As it is difficult
to eliminate the subjective aspect of certain decisions, it cannot be completely ignored. Additionally,
it is not always possible to obtain reliable evidence sources that cover all possible risks. Finally, it is
difficult to see the situation due to the complexity of the organizational ecosystem. It is almost
impossible for organizations to completely rely on a science-based approach to risk management.
As a result, it is necessary to implement mechanisms to limit the impact of subjectivity inherent in
non-scientific approaches.

Other Components of The Risk Management Process

Best practices and international standards, such as COBIT and ISO 27005, provide additional
guidance as to what the cybersecurity risk management process should entail. For example, ISO
27005, presented in figure 14, includes the IPM process in an eight-step business process, providing
more specific guidance as to what should be included. In the identification phase of the IPM process,
ISO27005 includes Context establishment and Risk Identification. In the Priorization phase, we find
Risk Analysis and Risk Evaluation. Finally in the Mobilization phase, there is Risk treatment, Risk
acceptance, Communication and consultation and Monitoring and review. Monitoring and review is
also supported by Business Technology Operations and by the Audit process of the IPM model.
Using ISO 27005 provides a more detailed description of the cybersecurity risk management
process. Formal methodologies will proposed detailed steps that should integrate the IPM process
at a high level and ISO 27005 when looking into a more detailed description.

54 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Figure 14: ISO27005 risk management process

Decisions about Risk

The priorization phase leads to making decisions about risks. Decisions about risk encompass a
range of strategic choices and actions that organizations make to effectively manage and address
potential risks. These decisions are critical for creating a comprehensive risk management strategy.
Here are some key decisions that organizations need to make about risk. The different risk strategic
are used as part of a comprehensive risk management strategy. The organization might mitigate
some risks and accept others, while it might choose risk transfer, avoidance, reduction, and other
approaches for other risks. There are no one size fits all solutions. Any decision must be supported
by a diligent risk assessment.

Risk Acceptance
Risk acceptance is a strategic decision made by an organization to acknowledge and tolerate a
certain level of risk without implementing specific measures to mitigate it. In other words, the
organization acknowledges that a particular risk exists, but consciously chooses not to take further
actions to reduce its impact or likelihood. This decision needs to be based on a thorough
assessment of the risk's potential impact, the cost and feasibility of mitigation measures, and the

55 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

organization's risk tolerance level. A few key points that organizations need to understand about
risk acceptance:
• Risk tolerance: Risk acceptance is closely tied to an organization's risk tolerance level, or
the amount of risk the organization is willing to tolerate before acting. Some risks may fall
within the acceptable range and not warrant immediate or extensive mitigation efforts.
• Business Considerations: Organizations may choose to accept certain risks when the
cost of implementing controls or mitigation measures outweighs the potential impact of the
risk itself. This could be due to budget constraints, technical limitations, or other business
priorities. Managers need to be diligent about this, as their will be blamed if they decided
based on business considerations that later is shown to be an error.
• Informed decision: Risk acceptance is not a passive or negligent approach. It involves a
well-informed decision-making process where the organization understands the risks,
potential consequences, and potential benefits of accepting the risk.
• Ongoing Monitoring: Even when a risk is accepted, it's important for the organization to
continue monitoring the risk's impact and reassessing the decision periodically. Changing
circumstances or new information may lead to a re-evaluation of the risk acceptance
decision.
• Document accepted risks: When an organization decides to accept a certain risk, it
should document the decision-making process in a risk registry. This documentation helps
maintain transparency and accountability and serves as a reference for future risk
assessments. Documentation of accepted risks may often be a compliance and legal
requirement.
• Communication: Effective communication is crucial when it comes to risk acceptance.
Stakeholders, including senior management, the board of directors, and relevant teams,
should be aware of the decision to accept a particular risk.
It's important to note that risk acceptance should be a deliberate and well-considered choice. It
should not be mistaken for negligence or a lack of concern for security. Instead, it reflects a
thoughtful analysis of risks and their alignment with the organization's overall governance
framework, compliance obligations, business objectives and risk management strategy.

Risk Avoidance
Risk avoidance is a risk management strategy in which an organization takes deliberate actions to
eliminate or minimize exposure to certain risks. In essence, the organization makes decisions and
implements measures to completely steer clear of situations or activities that could lead to the
identified risks. The goal of risk avoidance is to prevent the occurrence of adverse events or
outcomes that could negatively impact the organization. Risk avoidance could include decisions like
not entering a specific market due to political instability, not adopting a certain technology that is
vulnerable to cyberattacks or discontinuing a product line with significant regulatory compliance
challenges. Key points to understand about risk avoidance:
• Preventive approach: Risk avoidance focuses on preventing risks from materializing
rather than managing their consequences after they occur. Organizations need to be
proactive, not reactive. This strategy aims to eliminate the possibility of the risk occurring
altogether.
• Proactive decision-making: Organizations that adopt risk avoidance assess potential
risks and decide not to engage in activities or situations that pose an unacceptable level of
risk. This could involve refraining from certain business practices, technologies, or
partnerships.
• Cost-benefit analysis: Organizations consider the cost of avoiding a risk versus the
potential benefits of doing so, or the potential benefits of the opportunities that are linked

56 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

to this potential risk. If the cost of avoiding the risk is justified by the potential harm it could
cause, risk avoidance may be deemed appropriate.
• Alternatives and substitutes: In some cases, risk avoidance might involve finding
alternative approaches, technologies, or strategies that achieve the organization's objectives
without exposing it to the identified risk.
• Trade-offs: While risk avoidance can be effective in preventing certain risks, it may also
come with trade-offs, such as missed business opportunities or potential innovation.
Organizations need to carefully consider these trade-offs when choosing risk avoidance as a
strategy.
• Transparency: Decisions related to risk avoidance should be communicated clearly
within the organization, especially to key stakeholders such as senior management and the
board of directors. Transparency helps ensure that everyone understands the rationale
behind the decisions.
• Periodic re-evaluation: Over time, the organization should periodically reassess its risk
avoidance decisions to determine if circumstances have changed or if new information has
emerged that could alter the risk landscape.

Risk avoidance is one of several strategies within the broader context of risk management. Risk
avoidance is a good decision in situations where the potential negative impact of a risk is deemed
too severe or costly, and where the benefits of avoiding the risk outweigh the potential rewards of
taking it. It is particularly useful for addressing risks that have high potential for severe impact or
where the cost of mitigation outweighs the benefits. However, like any risk management strategy,
risk avoidance should be aligned with the organization's overall goals and risk appetite. Here are
some scenarios where risk avoidance might be a prudent choice:
• Highly severe consequences: If the potential consequences of a risk event are
catastrophic and could significantly harm the organization's reputation, financial stability,
or ability to operate, risk avoidance may be the best option. This is particularly relevant for
risks that could lead to legal liabilities, regulatory penalties, or massive financial losses.
• Unacceptable risk tolerance: When an organization's risk tolerance is very low, it may
choose to avoid risks that fall outside the acceptable threshold, even if the likelihood of
occurrence is low. This is often the case with risks that could lead to irreversible damage or
are considered morally or ethically unacceptable.
• Limited ability to mitigate: If there are limited or ineffective ways to mitigate a
particular risk, avoiding it altogether may be the most feasible approach. This is especially
true for risks that cannot be adequately controlled through technical, administrative, or
operational measures.
• Regulatory compliance: When certain risks are associated with non-compliance with
industry regulations or legal requirements, risk avoidance may be necessary to ensure
adherence to the law and avoid legal consequences.
• High costs of mitigation: If the cost of implementing risk mitigation measures
significantly outweighs the potential benefits, risk avoidance may be a more cost-effective
choice. This could be the case for risks that require extensive investments in technology,
personnel, or infrastructure.
• Unpredictable risks: In situations where the likelihood of a risk event occurring cannot
be reliably predicted or where the risk landscape is constantly changing, risk avoidance
might be preferred over relying on uncertain mitigation strategies.
• Strategic business decisions: Risk avoidance can align with broader strategic decisions.
For example, if entering a new market or launching a new product presents significant risks
that could harm the organization's core business, avoiding those risks may support overall
business objectives.

57 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

• Preservation of reputation: Risks that could damage an organization's reputation or

brand equity are often prime candidates for avoidance, as reputation is a critical intangible
asset that can be difficult to repair once damaged.
• Public safety: Risks that pose threats to public safety, health, or the environment may
necessitate risk avoidance to prevent harm to individuals, communities, or the ecosystem.

Risk Transfer
Risk transfer is a risk management strategy in which an organization externalizes the risk by
shifting the financial burden or responsibility to another party. This is done through contractual
arrangements, outsourcing, insurance policies, or other financial mechanisms. By transferring risk,
the organization aims to reduce its exposure to potential losses or liabilities and ensure that
another entity bears the financial consequences if the risk event occurs. Some of the key points to
understand about risk transfer:
• Benefits and Costs: While risk transfer can provide financial protection, it comes with
costs such as insurance premiums or potential limitations in coverage. Organizations must
weigh the benefits of risk transfer against the costs.
• Risk Distribution: Risk transfer can also distribute risk across multiple parties, reducing
the concentration of risk on a single entity. This can enhance overall risk management
within an industry or ecosystem.
• Risk Sharing: In some cases, risk transfer might involve sharing the financial burden of a
risk with another party, rather than fully transferring it. This can be achieved through co-
insurance or other arrangements.
• Risk Retention: Even when risk is transferred, organizations may retain a portion of the
risk. This is known as risk retention. It's common for insurance policies to include
deductibles or self-insured portions that the organization must cover.
• Legal and Regulatory Considerations: Organizations should be aware of any legal or
regulatory requirements related to risk transfer in their industry or jurisdiction.
• Insurance Policies: One common method of risk transfer is purchasing insurance
coverage, such as a cybersecurity risk insurance, identity theft insurance or ransomware
insurance. Organizations pay insurance premiums to an insurer, which agrees to
compensate the organization for covered losses or liabilities in the event of a specified risk
occurring.
• Contractual Agreements: Organizations can transfer certain risks to vendors, suppliers,
or partners through contractual clauses. These clauses might outline the responsibilities of
each party in the event of a risk occurrence and specify who is liable for associated costs.
• Due Diligence: Organizations should conduct due diligence when selecting insurance
policies or entering contractual agreements for risk transfer. It's important to understand
the terms, conditions, and coverage limits to ensure they align with the organization's
needs.
Risk transfer is particularly valuable for risks that are difficult to mitigate or for which the potential
financial impact is too significant for the organization to absorb on its own. It allows organizations
to leverage the expertise and financial resources of external entities to manage and mitigate specific
risks. However, risk transfer decisions should be made carefully, considering the organization's
overall risk management goals and financial capabilities. Risk transfer is often considered the best
strategy in specific scenarios where it makes practical and financial sense to shift the burden of
potential losses or liabilities to another party. Here are other situations where risk transfer can be
the most effective strategy:
• Limited Risk Appetite: Organizations with a low tolerance for specific risks may choose
to transfer those risks to external parties to maintain their desired risk exposure level.

58 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

• Lack of Expertise: When dealing with complex or specialized risks that the organization
lacks the expertise to manage effectively, transferring the risk to a more knowledgeable
third party, such as an insurance company, can be a sensible option.
• Known and Calculable Risks: For risks that are well-understood and quantifiable, risk
transfer through insurance can provide a predictable and manageable way to allocate
potential losses.
• Pooling of Risks: Insurance mechanisms allow organizations to pool their risks with a
larger group of policyholders, spreading the financial burden and reducing the impact of
individual risk events. Insured risks can also be re-insured (insurance for the insurance),
spreading the risk over multiple insurers, thus adding a level of financial security, and
making sure that an eventual coverage would be possible.
• Regulatory Compliance: If certain risks are associated with legal or regulatory
requirements, transferring the risk through contractual agreements or insurance can help
ensure compliance and mitigate potential penalties.
• Resource Constraints: When an organization has limited resources to address certain
risks effectively, transferring the risk to a third party with greater resources and
capabilities can provide a practical solution.
• Strategic Outsourcing: Organizations that engage in strategic outsourcing of specific
functions or processes can transfer certain risks to their outsourcing partners through well-
defined contractual agreements.
• Supply Chain Risks: Transferring risks associated with suppliers, vendors, or business
partners can help ensure business continuity and reduce potential disruptions.
• Global Operations: For multinational organizations operating in different countries with
varying legal and regulatory environments, risk transfer can help navigate complexities and
ensure consistent risk management.
• Emerging Technologies: In sectors with rapidly evolving technologies or emerging risks,
transferring risk through specialized insurance products can provide coverage for unique
challenges.
• Catastrophic Events: In situations where the consequences of a risk event could be
catastrophic, transferring the risk through insurance can provide a safety net to help the
organization recover and rebuild.
It's important to note that risk transfer should be based on a thorough analysis of the risks, the
terms and conditions of insurance policies or contracts, and the financial implications for the
organization. Risk transfer is not always a one-size-fits-all solution and should be integrated into an
organization's comprehensive risk management strategy. Careful consideration of potential costs,
benefits, and any potential limitations of risk transfer is crucial before deciding.

Risk Mitigation
Risk mitigation is a proactive strategy employed by organizations to reduce the potential impact or
likelihood of identified risks. These basically correspond to the two red arrows seen in the risk
triangle, in figure 4, in chapter 1. Effective risk mitigation starts with a thorough risk assessment to
identify potential risks, evaluate their potential impact, and determine their likelihood. Risk
mitigation involves implementing measures, technologies, controls, business processes and other
actions to minimize the adverse consequences of risks should they occur. Examples of risk
mitigation measures include implementing firewalls and intrusion detection systems to prevent
cyberattacks, conducting regular equipment maintenance to prevent failures, establishing backup
systems and data recovery plans, and providing training to employees to prevent human error. The
goal of risk mitigation is to limit the extent of harm or loss and enhance the organization's ability to
effectively manage and recover from unexpected events. Many solutions that can be used for risk

59 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

mitigation and for controls are presented in mode details in other chapters of this book. Some of the
key points to understand about risk mitigation:
• Proactive approach: Risk mitigation focuses on taking preventative measures before a
risk event occurs, rather than solely dealing with its aftermath. It aims to reduce the
probability of a risk event happening or minimize its impact.
• Control implementation: Organizations develop and implement control measures to
address identified risks. These controls can be technical, administrative, or physical in
nature and are designed to either prevent or mitigate the risk.
• Monitoring and evaluation: Risk mitigation efforts should be continuously monitored
and evaluated to ensure their effectiveness. Adjustments may be necessary based on
changing circumstances or new information.
• Cost-benefit analysis: Organizations assess the costs of implementing mitigation
measures against the potential benefits of risk reduction. This analysis helps determine the
most appropriate and cost-effective strategies.
• Risk reduction: The goal of risk mitigation is to reduce the severity of potential losses.
This can involve measures to decrease the likelihood of a risk event (risk reduction) or
decrease the potential impact if the event occurs (impact reduction).
• Residual Risk: Zero risk does not exist. Even after implementing risk mitigation
measures, some level of residual risk will most likely remain. Residual risk is the risk that
still exists after all mitigation efforts have been applied. Organizations should determine
their level of comfort with residual risk and decide if further actions are needed.
• Compliance and Regulations: Organizations must consider industry-specific regulations
and compliance requirements when designing and implementing risk mitigation measures.
• Integration with overall strategy: Cybersecurity risk mitigation is a key component of
an organization's overall risk management strategy.
• Communication: Effective communication of risk mitigation measures is important to
ensure that all relevant stakeholders, including employees and management, understand
their roles and responsibilities in executing these measures.
Risk mitigation is an ongoing and dynamic process that requires vigilance and adaptability. It helps
organizations enhance their resilience and ability to navigate challenges while safeguarding their
assets, reputation, and continuity of operations.

Risk Tolerance and Risk Appetite

A key aspect of risk management is going to be the balancing of security needs, the inconvenience of
security measures, and the costs. Organizations have a requirement for security, a need for
protection and need to protect how legitimate users are accessing data. On the other side, the cost
of doing that, because there's always going to be a cost issue, is going to vary depending on the risk
appetite of the organization that is why this whole concept of risk tolerance and risk appetite are so
important.
Risk tolerance refers to the specific level of risk an organization or individual is willing to accept or
tolerate in pursuit of its objectives. It is the degree of uncertainty or potential loss that an entity is
comfortable with. Risk tolerance is often expressed numerically or descriptively, and it helps guide
decision-making about risk management strategies and actions. For example, if an organization
determines that it is willing to tolerate a 10% decrease in annual revenue due to market
fluctuations, its risk tolerance for revenue loss is 10%. This guides the organization in making
decisions about investments, strategies, and safeguards to manage risks that could lead to such a
revenue decline.
Risk appetite, on the other hand, is a broader, high-level statement or guideline that articulates the
amount and type of risk an organization is willing to take on to achieve its strategic objectives. It is
a qualitative statement that helps align the organization's risk management efforts with its overall

60 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

mission and goals. For instance, a financial institution might have a risk appetite statement that
expresses its willingness to take moderate risks in pursuit of growth opportunities but with a
strong focus on maintaining the safety and security of customer data. This guides the organization's
risk management strategies and provides a framework for decision-making.
The main differences between risk tolerance and risk appetite are:
• Nature: Risk tolerance is more quantitative, specifying specific levels of risk that are
acceptable. Risk appetite is more qualitative, providing a general framework for risk-taking
aligned with strategic objectives.
• Granularity: Risk tolerance is often expressed in specific numerical terms, such as
percentages or monetary amounts, while risk appetite is expressed in broader, qualitative
terms.
• Role: Risk tolerance guides the implementation of risk management measures and actions
based on specific thresholds. Risk appetite provides a broader context for decision-making
and helps set the tone for the organization's approach to risk.
• Scope: Risk tolerance is more focused on specific risks and scenarios. Risk appetite
encompasses a wider range of risks and is related to the organization's overall risk culture.
Both risk tolerance and risk appetite are important tools in risk management, helping organizations
strike a balance between pursuing opportunities and protecting against potential negative
outcomes. They work together to shape an organization's risk management strategy and actions.

Risk Averse or Risk Seeking

Risk averse and risk seeking are terms used in economics and decision-making to describe different
attitudes or preferences toward taking risks. This can be used to describe individuals and
organizations. Risk averse individuals tend to avoid or minimize risks. In other words, they prefer
scenarios where the outcome is more certain, even if it means sacrificing potential higher rewards.
Risk averse individuals are generally more comfortable with stable and predictable outcomes, and
they are willing to give up potential gains to ensure they don't face significant losses. This attitude
is often associated with conservative investment strategies and cautious decision-making. For
example, let's say you have a choice between receiving $100 or participating in a draw. In this draw,
a single ticket is picked from a hat. You have a 50% chance of winning $200 and a 50% chance of
winning nothing. A risk-averse person might choose $100 with certainty to avoid uncertainty.
On the other hand, a person is considered risk seeking when they prefer taking on risks even when
the outcome is uncertain. Risk-seeking individuals are often more interested in high rewards and
willing to accept losses. They might find the thrill of uncertainty exciting and are more likely to
engage in activities that involve potential gains even if the risks are substantial. Continuing with the
same example of the ticket draw, a risk seeking individual might choose to participate for a chance
to win $200, even though there's a 50% chance of winning nothing.
It's imperative to note that individual’s attitudes toward risk can vary depending on the context,
their personal experiences, and their individual circumstances. Additionally, some individuals
might fall somewhere in between being purely risk averse or risk seeking, resulting in a more
balanced approach to risk. Economists and psychologists often study these preferences to
understand how individual make decisions.
The concepts of risk aversion and risk seeking can also apply to organizations, especially when it
comes to decision-making, strategy development, and risk management. An organization that is risk
averse tends to prioritize stability, predictability, and minimizing potential losses. Such
organizations are more cautious in their decision-making and may opt for established and proven
strategies rather than venturing into uncharted territories. Risk-averse organizations might be
reluctant to pursue high-risk, high-reward opportunities and instead focus on maintaining a steady
course of action. Some examples of risk-averse behavior in organizations are:
• Choosing conservative investment options over riskier but more lucrative investments.

61 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

• Opting for incremental improvements to existing products rather than innovations.

• Implementing comprehensive risk management practices to mitigate potential threats.

Conversely, a risk-seeking organization is more inclined to take calculated risks in pursuit of

substantial rewards. These organizations often seek out innovative ideas, explore new markets, and
are willing to embrace uncertainty for the chance of achieving a competitive advantage. Risk-
seeking organizations might be more adaptable and open to disruptive changes. Examples of risk-
seeking behavior in organizations are:
• Investing in research and development for ground-breaking products or technologies.
• Entering emerging markets with high growth potential despite the associated
uncertainties.
• Pursuing mergers and acquisitions to expand market share, even if there are risks.

Most organizations fall somewhere on a spectrum between risk aversion and risk seeking. The ideal
approach often depends on the industry, market conditions, competitive landscape, and the
organization's goals and resources. Striking the right balance between risk and caution is crucial.
Risk aversion and risk seeking play a significant role in organizational decision-making and strategy
formulation. Organizations must assess their risk appetite based on their goals, resources, and the
external environment to make informed choices that align with their overall mission and objectives.
Looking at the cybersecurity spending data and recommendations from Gartner Research, the
larger consulting firms, and cybersecurity industry associations, we observe recommendations that
most organizations should spend between 4% and 15% of their total BTM and IT budget for
cybersecurity. Looking at existing data puts the spending median value at 7.8%. If you have a risk
seeking organization, an organization willing to take more risks, therefore you're going to spend
less on risk mitigation. In cybersecurity spending numbers, a risk seeking organization would lean
towards the 4% end of the spectrum. If an organization is risk averse, it would move towards the
15% end. A risk averse organization would be seeking to take less risks and willing to spend more
money on cybersecurity. A risk neutral organization would be at the median, 7.8%. This is when the
balanced approach should become a consideration. The context, the culture, the risk tolerance of
the organization, the industry that they're in, and all the things must be considered in setting the
right number for cybersecurity spending.
The amount is based on the total IT spending, which should include salaries. For example, a
company is spending $100 million everything IT, including cybersecurity, software and data
management and salaries. $100 million. If it is risk neutral, it means it should be spending at least
$7.8 million directly related to cybersecurity, which is not that much.

Assessing an Organizations Cybersecurity Risk Appetite

Assessing an organization's cybersecurity risk appetite is crucial in identifying and understanding
the level of risk tolerance within the organization. By evaluating the organization's risk appetite,
stakeholders can make informed decisions regarding cybersecurity investments, resource
allocation, and risk management strategies. In this section we provide some guidance on how to
assess an organization's cybersecurity risk appetite effectively.
The first step in assessing an organization's cybersecurity risk appetite is to establish a clear
definition of what risk appetite means for an organization. As mentioned previously, risk appetite
refers to the amount and type of risk an organization is willing to accept in pursuit of its objectives.
This definition should align with the organization's overall strategic objectives, considering its
industry, regulatory requirements, and risk management culture. From there, the organization will
need to identify the key stakeholders involved in the assessment process. These stakeholders may
include senior management, the board of directors, IT staff, cybersecurity teams, risk management
professionals, and legal and compliance teams. Identifying the organization's risk appetite will

62 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

involve these stakeholders to ensure their perspectives and insights are considered throughout the
assessment. Once the organization's key stakeholders have been identified, it is essential to
determine the cybersecurity risk landscape. This is done by performing an initial cybersecurity risk
assessment if one has not been done already. This will be useful to identify the appropriate
tolerance levels for each potential risk in the initial assessment. Risk tolerance refers to an
organization's willingness to accept or avoid specific risks. This determination should consider the
potential impact, likelihood, and cost of mitigating each risk.
Then, the organization can develop risk criteria that align with its risk appetite. These criteria will
serve as guidelines for decision-making and risk management activities. Risk criteria should include
factors such as acceptable levels of impact, likelihood, and cost for each risk. To facilitate the
identification appropriate tolerance levels and criteria, the organization can organize workshops
with key stakeholders to discuss and determine the organization's risk appetite. These workshops
should facilitate open and transparent communication to ensure a shared understanding of risk
tolerance levels. Document the outcomes and decisions made during these workshops.
Finally, the organization will need to document cybersecurity risk appetite. This includes risk
tolerance levels, risk criteria, and decisions made during the assessment process. The must ensure
that this documentation is widely communicated across the organization to create awareness and
alignment regarding cybersecurity risk management. It is this documentation that will be used in
the formal cybersecurity risk assessment process, as presented a later in this chapter, to conduct a
formal risk assessment. As well, regular reviews and updates to the risk appetite assessment should
be conducted to ensure its ongoing relevance and effectiveness in managing cybersecurity risks.

Assess Cybersecurity Risks

Cybersecurity metrics are quantitative and qualitative measures used to assess various aspects of
an organization's cybersecurity posture, effectiveness, and risk management efforts. Metrics can
support the decision-making process. These metrics provide insights into the organization's
security performance, help track progress over time, and aid in making informed decisions to
enhance cybersecurity strategies. Cybersecurity metrics can cover a wide range of areas within an
organization's security program. This book proposes to use cybersecurity risk scenarios supported
by Key Risk Indicators (KRI). These are further described in this chapter.

Decisions about Risk

When risk is being mitigated, what is being done is illustrated by the big red arrows that were
presented in chapter 1, figure 4. In managing cybersecurity risks, organizations are fundamentally
trying to do two things:
1. Reduce the probability that the threat will exploit the vulnerability, or
2. Reduce the impact, should the exploitation happen.
Understanding the nature and origin of risk is fundamental for risk management. That should seem
like an obvious statement if you read the previous chapters of this book. As risk starts with the
exploitation of a vulnerability by a threat, the threats, vulnerabilities, and exploits need to be
identified. As well, since the result of the exploitation might be a potential future impact, it remains
an exposure to risk until it materializes, which need to be determined. Once a possible scenario has
occurred a hazard, potential impacts, damages, or some reduction of an expected future utility
occurs. Another possible outcome is an inability to meet some of the cybersecurity governance
objectives, regulatory, legal, or contractual obligations that have been determined in the
governance framework, as explained in chapter 2.

Key Risk Indicators

One vital component of the risk assessments presented in this book is the use of Key Risk Indicators
(KRIs). Key Risk Indicators, commonly referred to as KRIs, are quantifiable metrics used to measure

63 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

the potential occurrence and impact of risks within an organization. They serve as early warning
signals, providing insights into the health of an organization's risk profile. Unlike Key Performance
Indicators (KPIs), which focus on measuring achievements, KRIs are forward-looking indicators
that help identify and assess potential risks before they escalate.
The primary purpose of using KRIs is to enhance an organization's risk management capabilities by
proactively identifying and monitoring risks. By establishing a set of predefined KRIs, companies
can gain a better understanding of their risk exposure and take necessary actions to prevent or
mitigate potential risks. KRIs provide management with timely and relevant information to make
informed decisions and allocate resources effectively. KRIs also help organizations to detect early
warning signals of potential risks and threats, allowing them to take proactive measures. By
monitoring KRIs, organizations can gain a better understanding of their risk profile and adjust their
risk management strategies accordingly. KRIs can be categorized into various types depending on
the nature of the risks they measure. Some common types of KRIs include:
• Financial KRIs, which are used to assess financial risks such as liquidity, credit, market,
or operational risks that can impact an organization's financial stability.
• Operational KRIs, which focus on risks related to operational processes, including supply
chain disruptions, system failures, compliance breaches, or employee safety incidents.
• Compliance KRIs are used to monitor compliance with applicable laws, regulations, and
internal policies. This ensures adherence to ethical standards and minimizes legal and
reputational risks.
• Strategic KRIs, which help gauge risks associated with achieving strategic objectives, such
as market volatility, competitive threats, or technological disruptions.
• Cybersecurity KRIs, which we are using in this book, to help organizations in their
cybersecurity risk management activities.
Implementing a robust KRI framework provides several benefits to organizations, including:
• Early Risk Detection: KRIs enable organizations to identify potential risks in their early
stages, allowing proactive risk mitigation measures to be implemented.
• Improved Decision-making: By providing timely and relevant risk information, KRIs
help management make informed decisions related to risk appetite, resource allocation, and
strategic planning.
• Enhanced risk communication: KRIs facilitate effective communication and
collaboration among different stakeholders, ensuring a shared understanding of risks
across the organization.
• Support regulatory compliance: KRIs help organizations comply with regulatory
requirements by monitoring and reporting on key risk areas.
Key Risk Indicators play a critical role in effective risk management by providing organizations
with valuable insights into their risk profile. By using quantifiable metrics to measure potential
risks, KRIs enable companies to take proactive measures, mitigate risks, and safeguard their long-
term success. Implementing a comprehensive KRI framework can significantly enhance an
organization's risk management capabilities and help it navigate the ever-changing business
landscape with confidence.

Threat Identification
While there are many ways to categorize threats, the simplest is to organize them as internal and
external, as they are presented in the next few paragraphs. Internal threats originate from within
an organization itself. These threats can come from employees, contractors, partners, or anyone
who has legitimate access to the organization's systems, networks, and data. Internal threats can be
intentional (malicious) or unintentional (accidental), and they pose a significant risk to an
organization's sensitive information, intellectual property, and overall security posture. Readers

64 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

should refer to the fraud triangle, presented in chapter 1 and figure 2, to better understand the
motivations that make this an important problem.
There are two primary categories of internal threats, malicious insider threats and unintentional
insider threats. Malicious insiders can be employees, such as disgruntled employees, former
employees, or individuals with malicious intent who exploit their access to carry out attacks or steal
sensitive data. They can also be contractors and business partners. These include third-party
individuals or organizations with authorized access who misuse their privileges for personal gain
or to harm the organization. These are using techniques such as privilege abuse. This is when
employees or insiders abusing their elevated access privileges to gain unauthorized access to
systems or data. However, problems can also arise from negligence. This occurs when employees or
individuals accidentally compromise security by not following established security protocols, such
as failing to update software or using weak passwords. Insiders can also become threat by
unknowingly fall victim to phishing attacks or social engineering tactics, resulting in data breaches
or unauthorized access. Often, this is caused by a lack of awareness, when employees who are not
adequately trained in cybersecurity best practices inadvertently contribute to security breaches.
Some examples of internal threats include:
• Unauthorized access to sensitive data by an employee who abuses their privileges.
• An employee sharing login credentials with unauthorized individuals, allowing them to gain
unauthorized access.
• An employee accidentally clicking on a malicious link in a phishing email, leading to a malware
infection, ransomware being installed, or data leak.
• A former employee who still has access to the organization's systems exploiting that access to
steal valuable intellectual property or disrupt activities to get some form of revenge.
• A contractor with network access inadvertently exposing confidential client information.

External threats in cybersecurity refer to risks and vulnerabilities that originate from outside an
organization. These threats are posed by individuals, groups, or entities that are not part of the
organization's internal structure. These can be cybercriminals, nation-states, activists, and even
competitors. External threats target an organization's digital assets, systems, networks, and data
with the intent to compromise security, steal sensitive information, disrupt operations, or cause
other forms of harm.
External threats encompass a wide range of actors and attack methods. Cybercriminals are
probably the first category that most think of when thinking about external threats. One should
keep in mind that the internal threats, even if less discussed in the media or outside specialist
circles, are often a much bigger threat. Cybercriminals might use malware attacks to distribute
malicious software (viruses, worms, Trojans) to compromise systems and steal data. The principal
strategies used are ransomware and phishing. This is often achieved by sending fraudulent emails
or messages to trick recipients into revealing sensitive information or clicking on malicious links.
Once a link is clicked, the malware would encrypt critical data, allowing the cybercriminal to
demand payment for its release. When aiming to disrupt an organization, cybercriminals may elect
to operate a Distributed Denial of Service (DDoS) attack, flooding business systems with a tsunami
of traffic to render them unavailable. Nation-State actors or activists might use the same techniques
as cybercriminals for cyber-espionage, targeting organizations to steal sensitive data, trade secrets,
and intellectual property. In a cyberwar scenario, they may revert to cyber-sabotage to disrupt
critical infrastructure, supply chains, services, or operations to cause economic or political harm.
When the opportunity arises, external attackers will collaborate with insiders to exploit their
knowledge and access, perhaps encouraged with bribes, shared ideology, or blackmail.
Assessing cybersecurity threats is a critical process for any organization to protect its digital assets,
sensitive information, and overall operations. As well as performing regular risk assessments, there

65 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

are many strategies for organizations to help them in identifying and assessing cybersecurity
threats. A few of them are mentioned here:
• Monitor your threat landscape: Stay updated on the latest cybersecurity threats,
vulnerabilities, and attack techniques by subscribing to threat intelligence feeds and
forums.
• Subscribe to cybersecurity news sources: Follow reputable cybersecurity news sources
and blogs for insights into emerging threats.
• Use an ethical hacking team: Conduct penetration testing (pen testing) to simulate real-
world attacks and identify vulnerabilities before malicious actors can exploit them.
• Perform regular external and internal testing: Perform both external (outside the
organization) and internal (within the network) penetration tests.
• Become part of a community: there are many industry associations, user groups and
communities that exist where you can share information and learn from your peers. For
example, in Nigeria, there are user groups and associations, such as CSEAN and others.
The identification of threats can be supported by using different tools, such as taxonomies and
ontologies, as mentioned previously. However, these are not covered in this book. One strategy that
should be used is to setup a formal cybersecurity threat intelligence activity in your organization, as
presented in the next section. This would typically be handled by a group of individuals in a cyber-
defence team. It would also be supported by cybersecurity vulnerability identification activities.
Using the methodology proposed in this book requires to create a scenario and identify a potential
threat for which there is a possibility of exploiting a vulnerability. From there, to contribute to the
creation of a risk indicator, it is assigned a severity value between 0.1 and 0.9. This can be done as
resultant of a consensus of stakeholders, as described later.

Threat Intelligence
Threat intelligence is a key component of cybersecurity efforts. As the business technology
landscape evolves, so do cyber threats. New vulnerabilities are discovered every day. As well,
cybercriminals constantly develop effective methods of exploiting vulnerabilities, stealing
information, or disrupting systems. It is therefore essential to stay on top of threats, and that is
where threat intelligence comes in. Threat intelligence enables organizations to detect, respond to,
and prevent cyber threats in a timely manner. It also provides insights into attackers and their
strategies, allowing organizations to stay one step ahead of malicious activity.
Threat intelligence is like a detailed briefing in military operations. Just as commanders need
intelligence about enemy positions, movements, and strategies, cybersecurity professionals require
detailed information about potential or current cyber threats. Organizations that have access to up-
to- date threat intelligence can quickly and accurately identify malicious actors and their activities,
allowing them to take appropriate action to protect their systems. Additionally, threat intelligence
can provide organizations with the necessary information to plan and implement effective security
measures. Threat intelligence refers to organized, analyzed, and refined information about possible
or current attacks on a system or organization. Data collection and analysis result in actionable
information that can be used to minimize or defend against potential and existing security threats.
By using threat intelligence, organizations can make informed decisions to protect their systems
and data from malicious actors. It also helps organizations identify and respond to potential threats
efficiently and timely.
However, it's not about collating vast volumes of raw data. Threat intelligence lies in converting
raw data into actionable insights, providing organizations with a lucid understanding of the
potential risks they face in the digital expanse.
This intelligence is meticulously crafted, drawing from diverse sources like public forums,
specialized cybersecurity blogs, and even clandestine communications on the dark web. By
scrutinizing this data, analysts can discern patterns, identify emerging threats, and uncover

66 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

malicious actors' modus operandi. The value it offers is proactive; it's about anticipating cyber
threats before they strike, preparing for them, and devising strategies to counteract or mitigate
potential harm.
In a world brimming with advanced defense mechanisms, intrusion detection systems, and state-of-
the- art firewalls, threat intelligence remains a vital function for cybersecurity teams. Traditional
cybersecurity tools are indispensable, but they often function based on previously known threat
patterns. Cybercriminals continuously innovate and devise creative methods of intrusion and harm.
Threat intelligence operates in this ever-changing landscape, illuminating the path for
organizations, allowing them to navigate safely and respond adeptly to emerging threats.
Imagine an organization armed with intelligence about a new malware strain targeting its industry.
With this information, they can swiftly adapt their defenses, remaining impervious to this new
threat. Furthermore, it's not just about technical defenses. Armed with threat intelligence,
organizations can engage in extensive staff training, making individuals more alert to sophisticated
phishing attempts or potential insider threats. The advantages extend beyond mere defense.
Organizational leaders can leverage threat intelligence to make well-informed decisions, be it
related to investments in cybersecurity infrastructure, personnel training, or even business
strategies that consider cyber risks. In the unfortunate eventuality of a breach, having prior
intelligence can significantly expedite response times, possibly curtailing the extent of damage and
subsequent financial implications. Threat intelligence is at the forefront of cyberdefense. It is the
reconnaissance team, or recon, of the digital world. It ensures that they, and the organizations they
protect in the future, are always one step ahead in the intricate dance with cyber adversaries. Table
1 presents a sample of information sources for threat and vulnerability intelligence.

Vulnerability Identification
Vulnerabilities are a fundamental component of risk, as discussed in chapter one. To grasp the full
impact of vulnerabilities, it's crucial to delve into their nature, the processes for identifying them,
and the immense value organizations derive from understanding and mitigating them.
Vulnerabilities can be exploited to gain unauthorized access to critical systems and resources. The
exploitation of a vulnerability by a threat agent is where cybersecurity risks materialize. Therefore,
it is essential to have a comprehensive vulnerability management plan in place to ensure that any
potential risks are identified and addressed promptly.
In the business technology management field, cybersecurity vulnerabilities can be likened to weak
links in a chain. It represents a flaw or weakness in a system's design, implementation, or operation.
This flaw can lead to an unauthorized breach or contravention of system expected behavior. These
vulnerabilities can stem from a variety of sources, ranging from errors in code, system
misconfigurations, to even lapses in security protocols or practices.
Identifying these vulnerabilities is a task that parallels looking for a needle in a haystack but on a
magnified scale. The sheer complexity of today's software and systems means that vulnerabilities
can lurk in the shadows, often unnoticed until exploited. Organizations must adopt a proactive
stance in this quest. In addition to performing regular risk assessments and strategies to help
organizations identify and assess cybersecurity threats, mentioned in the section on threat
identification, other strategies can be used. Some of them are mentioned here, such as vulnerability
assessments and penetration testing. These systematic evaluations of systems or applications
simulate cyberattacks, aiming to discover weaknesses before malicious entities do.
Central to these evaluations is a multidisciplinary approach that combines automated tools with
human expertise. Cyber-defense teams will use advanced vulnerability identification software to
scan applications, networks, and systems for known vulnerabilities. These software tools also
analyze patches, configurations, and permissions. However, the human touch remains
indispensable. Expert penetration testers, sometimes called ethical hackers, bring creativity and
intuition to the table, often discovering complex vulnerabilities that machines might overlook.

67 | P a g e
 CYB2203: CYBERSECURITY IN BUSINESS AND INDUSTRY
2023/2024

Addressing and rectifying these vulnerabilities post-identification is equally crucial. This often
entails patching software, altering configurations, or even revisiting and overhauling certain
aspects of the system design. The speed and effectiveness with which organizations respond to
these identified vulnerabilities can often make the difference between a secure environment and a
catastrophic breach.
While there are challenges and complexities involved, the tangible benefits for organizations justify
the time and resources required. First, it comes as no surprise that understanding and mitigating
vulnerabilities contributes to risk reduction and cybersecurity maturity levels. By pre-emptively
identifying and addressing potential points of exploitation, organizations can prevent data
breaches, system downtimes, and unauthorized access to sensitive information. This not only
safeguards an organization's assets but also bolsters its reputation in the eyes of stakeholders,
clients, and customers. Furthermore, in an era where regulatory landscapes are becoming
increasingly stringent, addressing vulnerabilities ensures compliance with various cybersecurity
standards and regulations. Non-compliance can result in hefty fines and legal repercussions, adding
financial incentive to security concerns. Vulnerabilities present both challenges and opportunities.
They represent the chink in digital armor, demanding vigilance, expertise, and swift action. By
understanding and addressing them, organizations enhance their security posture.

***************************************************************************************************

68 | P a g e