On July 02, 2024, Prof. Sergeja Slapnicar (University of Queensland, Australia) will give a talk entitled "Measurement and management of cyber risk" as part of the TRR 266/TAF Research Workshop (TAF Department) and PRIME Seminar (Information Systems Department).
The talk will take place at 16:00 in room Q5.245.
Those interested are cordially invited.
Sergeja Slapnicar is an Associate Professor of Accounting at the University of Queensland Business School. Her recent research focuses on the financial quantification of cyber risk, cyber risk management, governance and assurance. She has published in many highly reputed accounting journals such as Accounting, Organizations and Society, Management Accounting Research, European Accounting Review, Journal of Management Accounting Research, European Financial Management, International Journal of Accounting Information Systems, Computers and Security and others. She is an associate editor of the Global Journal of Flexible Systems Management and a member of the editorial boards of the Journal of Management Control and Behavioral Research in Accounting. Sergeja is a passionate educator and has been recognized by the University of Queensland with two teaching awards for her outstanding contribution to student learning and employability.
Abstract
In this study, we investigate the question "How is cyber risk perceived, measured, and managed in contemporary organizations?". We start by exploring the normative perspective promoted by professional organizations as to how organizations should measure and manage cyber risk. However, as high-level guidelines and standards leave considerable discretion to their users, we analyze how organizations apply them by drawing on the literature describing qualitative and quantitative organizational approaches to risk management. We then analyze the perception, measurement, and management of cyber risk in large organizations across different industries. Twenty-seven in-depth interviews were conducted with individuals in the three lines of defense and in top leadership at five multibillion-dollar organizations. We found that in all participating organizations, cyber risk management is driven bottom-up by cybersecurity experts who perceive cyber risk as a technical risk. Despite being large, complex, and/or regulated, none of the five organizations adopted a rigorous approach to cyber risk quantification that would be reflected in a coherent control system of quantified exposure to cyber risk, clearly defined risk appetite, objectives, targets, and triggers for corrective actions. Although extensive risk metrics were reported, the quantification of cyber risk is an illusion: it is effectively a qualitative approach with a quantitative veneer. All but one organization instead follow a loose risk-based management approach, selectively adapting an international cybersecurity framework to their own needs. We develop a framework that combines the normative and organizational perspectives on cyber risk management, suggesting that 'qualculation', and not quantification, is the highest standard that can be aspired to in measuring and managing cyber risk.