On 2 July 2024, Prof. Sergeja Slapnicar (University of Queensland, Australia) will give a talk entitled "Measurement and management of cyber risk" as part of the TRR 266/TAF Research Workshop (TAF Department) and the PRIME Seminar (Winfo Department).
The talk takes place at 16:00 in room Q5.245.
All interested parties are warmly invited.
Sergeja Slapnicar is an Associate Professor of Accounting at the University of Queensland Business School. Her recent research focuses on the financial quantification of cyber risk, cyber risk management, governance and assurance. She has published in many renowned accounting journals, including Accounting, Organizations and Society; Management Accounting Research; European Accounting Review; Journal of Management Accounting Research; European Financial Management; International Journal of Accounting Information Systems; Computers and Security; and others. She is co-editor of the Global Journal of Flexible Systems Management and a member of the editorial boards of the Journal of Management Control and Behavioral Research in Accounting. Sergeja is a passionate educator and has received two teaching awards from the University of Queensland for her outstanding contribution to student learning and to enhancing students' employability.
Abstract
In this study, we investigate the question of "How is cyber risk perceived, measured, and managed in contemporary organizations?". We start by exploring the normative perspective promoted by professional organizations as to how organizations should measure and manage cyber risk. However, as high-level guidelines and standards provide numerous discretions, we analyze how organizations apply them by drawing on the literature describing the qualitative and quantitative organizational approaches to risk management. We then analyze the perception, measurement, and management of cyber risk in large organizations across different industries. Twenty-seven in-depth interviews with individuals in the three lines of defense and top leadership from five multibillion-dollar organizations were conducted. We found that in all participating organizations, cyber risk management is driven bottom-up by cybersecurity experts who perceive cyber risk as a technical risk. Despite being large, complex, and/or regulated, none of the five organizations adopted a rigorous approach to cyber risk quantification that would be reflected in a coherent control system of quantified exposure to cyber risk, clearly defined risk appetite, objectives, targets, and triggers for corrective actions. Although extensive risk metrics were reported, the quantification of cyber risk is an illusion that is effectively a qualitative approach with a quantitative veneer. All but one organization instead follow a loose risk-based management approach by selectively adapting an international cybersecurity framework to their own needs. We develop a framework of combined normative and organizational perspectives on cyber risk management, suggesting that 'qualculation', and not quantification, is the highest standard that could be aspired to in measuring and managing cyber risk.