Biases in Threat-Led Penetration Testing – maintaining the TIBER spirit under DORA
Konrad Richter and Romana Wellischowitsch
Additional contact information
Romana Wellischowitsch: Oesterreichische Nationalbank
Financial Stability Report, 2025, issue 50, 6
Abstract:
The EU’s Digital Operational Resilience Act (DORA) came into force in January 2025. It requires financial entities to perform Threat-Led Penetration Testing (TLPT) to find weaknesses in their cybersecurity. TLPT was previously optional, but now that it is mandatory, there is a risk that it could become a formality that does not provide any real benefits. This article looks at key biases that could make TLPT less effective and outlines strategies to address them.
Keywords: Threat-Led Penetration Testing (TLPT); TIBER-EU; Digital Operational Resilience Act (DORA); Cybersecurity Regulation; groupthink bias; supervisory oversight; financial entities; operational resilience; TIBER Cyber Team (TCT)
JEL-codes: G28 K23 L86 O33
Date: 2025
Downloads: (external link)
https://www.oenb.at/dam/jcr:cb3c2fce-8884-4a6b-8b7 ... etration-Testing.pdf (application/pdf)
Persistent link: https://EconPapers.repec.org/RePEc:onb:oenbfs:y:2025:i:50:b:2
Ordering information: This journal article can be ordered from
Oesterreichische Nationalbank, Documentation Management and Communications Services, Otto-Wagner Platz 3, A-1090 Vienna, Austria
Financial Stability Report is currently edited by Markus Schwaiger, Birgit Niessner, Vanessa Redak and Martin Schuerz
More articles in Financial Stability Report from Oesterreichische Nationalbank (Austrian Central Bank) P.O. Box 61, A-1011 Vienna, Austria. Contact information at EDIRC.
Bibliographic data for series maintained by Stefan W. Schmitz.