Components and Challenges of Integrated Cyber Risk Management

Kosub, Thomas

doi:10.2139/ssrn.2593645

Cited by 5 publications

(10 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The study shows that the nodes with more degrees are more likely to be infected and have higher chances of getting affected by others' decisions. See Kosub (2015) and Eling and Schnell (2016) for comprehensive reviews of cybersecurity risk modeling and the management of cybersecurity risk.…”

Section: Introductionmentioning

confidence: 99%

Cybersecurity Insurance: Modeling and Pricing

Hua

2019

North American Actuarial Journal

View full text Add to dashboard Cite

Cybersecurity risk has attracted considerable attention in recent decades. However, the modeling of cybersecurity risk is still in its infancy, mainly because of its unique characteristics. In this study, we develop a framework for modeling and pricing cybersecurity risk. The proposed model consists of three components: the epidemic model, loss function, and premium strategy. We study the dynamic upper bounds for the infection probabilities based on both Markov and non-Markov models. A simulation approach is proposed to compute the premium for cybersecurity risk for practical use. The effects of different infection distributions and dependence among infection processes on the losses are also studied.

show abstract

Section: Introductionmentioning

confidence: 99%

Cybersecurity Insurance: Modeling and Pricing

Hua

2019

North American Actuarial Journal

View full text Add to dashboard Cite

show abstract

“…First of all, it is crucial to perform appropriate activities to identify the occurrence of a cybersecurity event or to determine the key cyber risks, risk appetite, and assessment of controls and vulnerabilities. Therefore, it is primarily necessary to define and understand the business model, business objectives, and assets of the organization to determine the relevance of IT to the business and ultimately agree on a level of cybersecurity (Kosub, 2015). After the identified cyber risks and their relevance to the organization have been analyzed, they must each be quantified, assessed and evaluated in terms of probability of occurrence and potential impact (McKinsey, 2019), e.g.…”

Section: Organizational Aspects Of Cybersecuritymentioning

confidence: 99%

Organizational aspects of cybersecurity in German family firms – Do opportunities or risks predominate?

Ulrich

Timmermann

Frank

2021

OCJ

View full text Add to dashboard Cite

PurposeThe starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It has been established here that family businesses sometimes choose different organizational setups than nonfamily businesses. This has not yet been investigated for cybersecurity. In the context of cybersecurity, there has been little theoretical or empirical work addressing the question of whether the qualitative characteristics of family businesses have an impact on the understanding of cybersecurity and the organization of cyber risk defense in the companies. Based on theoretically founded hypotheses, a quantitative empirical study was conducted in German companies.Design/methodology/approachThe article is based on a quantitative-empirical survey of 184 companies, the results of which were analyzed using statistical-empirical methods.FindingsThe article asked – based on the subjective perception of cybersecurity and cyber risks – to what extent family businesses are sensitized to the topic and what conclusions they draw from it. An interesting tension emerges: family businesses see their employees more as a security risk, but do less than nonfamily businesses in terms of both training and organizational establishment. Whether this is due to a lack of technical or managerial expertise, or whether family businesses simply think they can prevent cybersecurity with less formal methods such as trust, is open to conjecture, but cannot be demonstrated with the research approach taken here. Qualitative follow-up studies are needed here.Originality/valueThis paper represents the first quantitative survey on cybersecurity with a specific focus on family businesses. It shows tension between awareness, especially of risks emanating from employees, and organizational routines that have not been implemented or established.

show abstract

“…The risk treatment option is based on the outcome of the risk assessment result. The priorities of each individual risk should be defined clearly for the implementation and their timeframes [8], [31]. The purpose of risk treatment activity is to specify which security controls need to implemented, who is responsible for it, what the deadlines are and which resources, for example, financial or human, are required for the implementation.…”

Section: Risk Treatmentmentioning

confidence: 99%

“…The controls from Annex A of ISO/IEC 27001:2013 [8], [9] are useful in handling and helping to reduce the risks encountered. Risk treatment will reduce the risks which are not acceptable by using the controls from Annex A in ISO/IEC 27001.…”

Section: Introductionmentioning

confidence: 99%

Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft

Hamit¹,

Sarkan²,

Azmi³

et al. 2020

Int. J. Adv. Sci. Eng. Inf. Technol.

View full text Add to dashboard Cite

The concern raised in late 2017 regarding 46.2 million mobile device subscriber's data breach had the Malaysian police started an investigation looking for the source of the leak. Data security is very important to protect the assets or information by providing its confidentiality, integrity, and availability not only in the telecommunication industry but also in other sectors. This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products. The existing system is vulnerable to information theft, insecure databases, poor audit login, and password management. The information security risk assessment consisting of identifying risks, analyzing, and evaluating them were conducted before a risk assessment report is written down. A risk management framework was applied to the software development unit of the organization to countermeasure these risks. ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework. The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks. Thirty risks have been identified, and seven high-level risks for the product have been recognized. A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks to secure the patient's data. This will eventually enhance the information security in the software development unit and, at the same time, increase awareness among the team members concerning risks and the means to handle them.

show abstract

Components and Challenges of Integrated Cyber Risk Management

Cited by 5 publications

References 0 publications

Cybersecurity Insurance: Modeling and Pricing

Cybersecurity Insurance: Modeling and Pricing

Organizational aspects of cybersecurity in German family firms – Do opportunities or risks predominate?

Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft

Contact Info

Product

Resources

About