Framing cyber security as a business risk

Evan Wheeler

Cyber Security: A Peer-Reviewed Journal, 2018, vol. 2, issue 3, 202-210

Abstract: The information security industry struggles to get its programmes on the enterprise stage. When an organisation has a public breach, we are quick to criticise both the CISO and executive management. Is it that management ‘just doesn’t get it’, or is the problem that we’re still not presenting in a way that resonates with the business? We can learn a lot from other risk disciplines, how they organise risk scenarios and the techniques that they use. Mature organisations rely on risk profiles, the RCSA, stress testing, control testing and the analysis of loss events to understand their risk exposure. If you want your information risk programme to be taken seriously by the business, you have to do more than just throwing around a few business terms — you need to embrace enterprise risk techniques. Structuring a cyber security programme and assessment approach similar to other risk stripes not only provides credibility, but also allows the organisation to normalise risks across domains. By adopting taxonomies that are ERM-friendly, embracing the idea of a quantifiable loss event, and helping to translate impact and frequency factors into IT terms, you will see a great improvement in business engagement and ensure that cyber security concerns receive the right focus.

Keywords: risk; assessment; analysis; quantification; ERM
JEL-codes: M15
Date: 2018

Downloads: (external link)
https://hstalks.com/article/2401/download/ (application/pdf)
https://hstalks.com/article/2401/ (text/html)
Requires a paid subscription for full access.

Persistent link: https://EconPapers.repec.org/RePEc:aza:csj000:y:2018:v:2:i:3:p:202-210

More articles in Cyber Security: A Peer-Reviewed Journal from Henry Stewart Publications
Bibliographic data for series maintained by Henry Stewart Talks.

 
Page updated 2025-03-19
Handle: RePEc:aza:csj000:y:2018:v:2:i:3:p:202-210