        Utrecht University Student Theses Repository

        Cyber Risk Governance - Towards a framework for managing cyber related risks from an integrated IT governance perspective

        Publication date
        2012
        Author
        Geusebroek, J.
        Summary
        Organizations are becoming more dependent on IT (Information Technology) for managing critical business processes. The IT domain is a vastly changing and dynamic environment which evolves rapidly and is directly beneficial for organizations. However, this continuously changing environment brings new challenges for managing critical IT infrastructures in organizations while maintaining the performance of primary processes, inter alia business continuity. One of the main challenges nowadays is to keep the environment safe from unwanted intruders, ensuring that the critical information of the company is kept safe and indoors. Unfortunately, the chance of security breaches increases rapidly as a result of using more complex IT, which contributes to vulnerabilities. In addition, intruders flourish due to sufficient funding, the low input of resources and the tempting results which can be achieved. Organizations are on the verge of an increased number of attacks and are additionally more vulnerable to complex and sophisticated targeted attacks, both of which could harm critical business assets and affect their reputation. It has become clear that organizations are not ready for the vast, ongoing changes of the IT environment. There is a lack of awareness regarding the potential risks they face and the negative outcomes which lie ahead. In addition, investing in IT security does not contribute to financial benefits and is an attractive first target for budget cuts in organizations. The use of IT does not pose the initial problem per se; the problem lies in converging people, (business) processes and technology. Organizations show clear gaps in governing these elements in a structured and coherent way. These organizations are reluctant to invest in, undertake and support these activities, and they lack significantly in skills and knowledge throughout the organization.
This research focuses on protecting the cyber (IT; processes, information and technology) domain of organizations against cyber related risks, also defined as cyber risk governance (CRG). CRG refers to protection against cyber related risks and aims to mitigate unwanted consequences by coordinating activities between humans, processes and IT assets. Consequently, this research supports organizations by supplying an executive instrument to protect against a continuous risk landscape. The proposed instrument provides guidelines on how to cope with a changing cyber risk landscape. It entails an integrated governance perspective for managing cyber, people and processes throughout different levels of an organization. The instrument consists of two main models. The first model is a meta-model introducing four main components: risks, resources, response and reputation, which form the basis for CRG. The model also visualizes the dependency on external governance structures in addition to the organization's own controllable CRG. The meta-model is supported by a second model, a CRG framework, which elaborates on these four main components through the individual relation and operational characteristics of each component. Applying the instrument within the enterprise risk management processes will ensure a clearer and more understandable organizational perspective on managing cyber related risks and will support the coordination of cyber risk activities. The hands-on supportive managerial tool additionally provides social scientific relevance via an elaborated scientific overview of the research field, as this domain is still immature in terms of scientific research.
        URI
        https://studenttheses.uu.nl/handle/20.500.12932/11629
        Collections
        • Theses