Cyber security risk management
Recommendations for the market:
1. Integrate cyber security in the company’s risk framework
2. Monitor if management and employees take cybersecurity seriously
3. Develop a data breach action plan
4. Monitor data classification and security policies
5. Terminate or reduce/restructure reward of board members and management in case of
cyber impact
6. Increase board cyber savviness
Cyber security is the protection of cyber systems against cyber threats. A cyber threat is a threat that
exploits a cyberspace. A system does no longer meets its critical functionality and it needs time to
recover and adapt.
There are not always benefits for the costs
invested in cyber security systems. To some
extended there are clear benefits but after a
certain amount there are not as much returns as
investments.
Try to find the cost-effective balance.
The cyber security framework:
There are four opponents:
- Spooks: governments using tools to protect national interest – including the risk of ending
up in the hands of crooks.
- Crooks: Botnet herders, malware writers, spam senders, bulk account compromise, targeted
attackers, and cash-out operators.
- Geeks: Experts and researchers that repot vulnerabilities – to enable fixing the vulnerability
- The swamp: Focus on person rather than on property, e.g., hacktivism and hate campaigns.
,Risk is an uncertain event which may occur in the future. Risk management comprises coordinated
activities to direct and control an organization/set of efforts about risk, based on spending less
resources to achieve more goals.
- Classical viewpoint: risks will be converted into an expected loss
- Modern viewpoint: The effect of uncertainty on an organizations’ ability to meet its
objectives.
Biggest Cyber impacts:
- Operational disruption
- Intellectual property theft
- Drop in share price
- Loss of customer trust
- Regulatory fines
There are all kinds of security management mechanisms
and the organization’s cyber budget needs to be invested
to mitigate risks.
ISO27001 is a protocol for cyber protection. It is updated in 2022 in adaption to new risks. Some new
controls were added. There are four theme clauses: Organizational, people, physical and technology.
Artificial intelligence is also introduced in the field of cyber security. Many techniques can contribute
to early detection of risk mitigation:
Cyber insurance (Yes/No): Cyber insurance allows organizations to transfer some of the financial
risks associated with cyber incidents to an insurer. The financial losses might cost associated with
remediation, investigators, and crisis communication. Most cyber insurance companies are typically
insurance companies offering a broader range of insurance services. Companies are AIG, Chubb,
Hiscox, Liberty Mutual, HSB.
, - First party coverage is on the financial impact on the insured organization. It covers data
breaches and cyberattacks at the insurer’s business.
- Third party coverage provides liability protection in case the insured organization makes a
mistake that results in a client suffering
ISO 31000 for risk management. This standard comprises three main elements:
- The risk management process: Feedback on the performance of the process is used for
monitoring and reviews.
- The risk management framework: Defines the risk management process.
- A set of principles which guide risk management activities: Guide the creation of the
framework.
Risk management process (ISO 31000 standard):
Risk assessment: Risk identification – risk analysis – risk evaluation – risk treatment. before it is
important to establish the context. Define the scope for the risk management process, define
organization’s objectives, establish the risk evaluation criteria. This includes:
- External context: regulatory environment, market conditions, stakeholder expectations/
- Internal context: organization’s governance, culture, standards and rules, capabilities,
existing contracts, worker expectations, information systems etc.
Monitoring and review are also an important aspect: measure the risk management performance
against indicators, which are periodically reviewed for appropriateness. Check for deviations from
the risk management plan. Check if the risk management framework, policy, and plan is still
appropriate.