
Page 1: From a traditional to a more adaptive approach? · between 2010 and 2015, roughly, twice the average annual growth rate observed for all patents. In 2015 alone, 18,000 AI inventions

Managing risks in the cyber realm: From a traditional to a more adaptive approach?

An exploratory study on changing demands placed on risk management, while taking into perspective the dynamics related to the cyber realm

Author: Emma Meines MBA (S1962663)

7 January 2019


Page 2 of 66

ACKNOWLEDGEMENTS

This thesis was written as the conclusive piece of the Executive Master in Cybersecurity. This program started in February 2017 and it was developed by the Cyber Security Academy (CSA). This academy is a collaboration between Leiden University, Delft University of Technology and The Hague University of Applied Sciences. I would like to express great appreciation to all core and guest lecturers for their stories and lectures. The governance track has helped me to conceptualize the cyber realm and I have enjoyed the broad range of discussions. I would like to thank my employer for the opportunity to follow this program. Secondly, I would like to thank my family and friends for their support during this time-consuming course. Specifically, I would like to thank my husband Jeroen. In addition, I would like to mention Linda, Floor and Angelique. I am also very grateful for the open information sharing by all the experts that were interviewed. Last but certainly not least, I would like to express my gratitude to my supervisors, Dr. Jeroen M. van der Velden and Wouter-Jan van der Woude, for their support and advice throughout the research design as well as the writing process of this final academic piece.


ABSTRACT

Drones can shut down airports and a global ransomware attack can paralyze an entire container terminal due to severe hiccups in the IT systems. Complex and interconnected Information Technology (IT) systems as well as Operational Technology (OT) systems have become more and more embedded in the daily operations of companies. Cloud computing, Artificial Intelligence (AI) as well as the Internet of Things (IoT) are enlightening examples of technologies which create new business opportunities but also have a downside. The Organisation for Economic Co-operation and Development (OECD) proclaims in its Science, Technology and Industry (STI) Scoreboard: “Collectively they are enabling a future of ’smart everything’, and empowering businesses, consumers and society as a whole”.1 Although these technologies empower, the global dependence on the internet and connected digital technologies also has the potential to create (un)foreseen (global) shocks. Companies struggle to respond adequately to the often non-transparent challenges in the cyber realm, while these technologies are abused by criminals or other threat actors. In the Global Risks Report 2018 of the World Economic Forum, cyberattacks were ranked 3rd in the top 10 risks in terms of likelihood.2 It is an intensive process to keep the daily operations of organizations secure, adaptive and resilient. Traditional risk management practices have always been one of the bedrocks for internal organizations, by keeping risk profiles within boundaries. This research paper explores changing demands placed on risk management, taking into perspective the cyber realm dynamics. Starting off with conceptualizing some basic definitions of risk management and the cyber realm, this paper looks at the distinctive features of the cyber realm. In addition, several challenges and developments in traditional risk management practices are identified. The presented results were collected via a literature review as well as via semi-structured qualitative interviews with security experts from multiple sectors in the Netherlands. Ultimately this paper will show that traditional risk management practices have to work at full stretch today to cope with the digital era. Although the traditional building blocks still remain in place, changes in risk management practices are visible. This paper lists nine specific modus operandi features for managing cyber risks. Ultimately this exploration shows that risk practices are transforming and becoming more adaptive.

Keywords: cyber risk, risk management, complex systems, uncertainty, adaptability, resilience

1 OECD (2017), “Executive summary”, in OECD Science, Technology and Industry Scoreboard 2017: The digital transformation, OECD Publishing, Paris. DOI: http://dx.doi.org/10.1787/sti_scoreboard-2017-3-en, page 13

2 World Economic Forum. The Global Risks Report 2018, 13th Edition, 2018. ISBN 978-1-944835-15-6, page 3


TABLE OF CONTENT

ACKNOWLEDGEMENTS ................................................................................................................. 2

ABSTRACT .................................................................................................................................... 3

TABLE OF CONTENT ...................................................................................................................... 4

PART I – INTRODUCTION .............................................................................................................. 7

Cyber introduction ...................................................................................................................................8

Problem description .................................................................................................................................9

Relevance of the research ..................................................................................................................... 10

Research goals and questions ............................................................................................................... 10

PART II – RESEARCH METHODOLOGY ........................................................................................... 12

RESEARCH METHODOLOGY ......................................................................................................... 13

Qualitative approach ............................................................................................................................. 13

Type of research .................................................................................................................................... 13

Literature review ................................................................................................................................... 13

Semi-structured interviews ................................................................................................................... 14

Selection of respondents ....................................................................................................................... 14

Setup interviews .................................................................................................................................... 15

Data analysis .......................................................................................................................................... 16

Research scope, assumptions and limitations ............................................................................... 17

Thesis outline .............................................................................................................................. 18

PART III – LITERATURE REVIEW ..................................................................................................... 19

CONCEPTUALIZATION OF RISK MANAGEMENT ............................................................................. 20

Risk management levels ........................................................................................................................ 20

Process of managing risk ....................................................................................................................... 21

Defining a risk ........................................................................................................................................ 22

CONCEPTUALIZATION OF THE CYBER REALM ................................................................................ 23

Defining the cyber realm ....................................................................................................................... 23

Trans-boundary, non-transparent traits ............................................................................................... 24

Complexity ............................................................................................................................................. 25

Cyber threats and threat actors ............................................................................................................ 25

Definition of cyber risks ......................................................................................................................... 26

Definition of cyber security ................................................................................................................... 26

RISK MANAGEMENT DEVELOPMENTS .......................................................................................... 27

Managing cyber risks ............................................................................................................................. 27

Dealing with uncertainty ....................................................................................................................... 27

A-PRIORI THEME 1: ADAPTABILITY ........................................................................................................ 29

Trend towards Enterprise Risk Management (ERM) ............................................................................. 31


Cyber risks relevant at strategic level ................................................................................................... 32

Risk based approach .............................................................................................................................. 32

A PRIORI THEME 2: CYBER INTELLIGENCE ............................................................................................. 33

The Intelligence Process ........................................................................................................................ 34

Indicators of Compromise (IOC) ............................................................................................................ 35

Standards of information & threat intelligence tools ........................................................................... 35

CTI as input for risk management processes......................................................................................... 36

A PRIORI THEME 3: RESILIENCE ............................................................................................................. 36

Definition of Organizational Resilience ................................................................................................. 36

Operationalization: Contributing factors .............................................................................................. 37

Design factor: Security by design .......................................................................................................... 38

Detection potential ............................................................................................................................... 38

Emergency response: Crisis Management ............................................................................................ 39

Human factor: Knowledge, skills and abilities ....................................................................................... 39

Risk management & resilience hand in hand ........................................................................................ 40

Link between resilience and adaptability .............................................................................................. 40

A PRIORI THEME 4: SUPPLIER MANAGEMENT ...................................................................................... 40

Definition of supplier chain cyber-resilience ......................................................................................... 41

Identifying the total attack surface ....................................................................................................... 41

Procurement cycle ................................................................................................................................. 42

Risk Management scope extension ....................................................................................................... 42

PART IV – QUALITATIVE INTERVIEWS ........................................................................................... 44

INTERVIEWS ................................................................................................................................ 45

CYBER REALM TRAITS ............................................................................................................................ 45

A-PRIORI THEME: ADAPTABILITY ........................................................................................................... 46

Additional risk governance (new roles) for cyber risks ......................................................................... 46

Create responsiveness........................................................................................................................... 47

Risk based approach .............................................................................................................................. 48

RM needs to be more adaptive, cycle time shorter .............................................................................. 48

A-PRIORI THEME: CYBER INTELLIGENCE ............................................................................................... 49

Pro-active information gathering on cyber activities ............................................................................ 49

A-PRIORI THEME: RESILIENCE ............................................................................................................... 50

Awareness ............................................................................................................................................. 50

Crisis management ................................................................................................................. 50

Security by design .................................................................................................................................. 51

Outsourcing as mitigation measure ...................................................................................................... 51

Mitigation focus points ......................................................................................................................... 51

Intensifying monitoring & review including reporting .......................................................................... 52


Supportive tooling ................................................................................................................................. 52

A-PRIORI THEME: SUPPLY CHAIN MANAGEMENT ................................................................................ 52

Scope extension with external suppliers ............................................................................................... 53

PART V - ANALYSIS ...................................................................................................................... 55

PART VI - CONCLUSIONS AND FURTHER RECOMMENDATIONS ...................................................... 57

CONCLUSIONS ............................................................................................................................. 57

Evaluation of the research .................................................................................................................... 61

Suggestions on further research ........................................................................................................... 61

REFERENCES ................................................................................................................................ 62

LIST OF FIGURES .......................................................................................................................... 65

LIST OF TABLES ............................................................................................................................ 65

ANNEXES .................................................................................................................................... 66


PART I – INTRODUCTION

Introduction / background

Problem description

Relevance of the research

Research goal and questions


Cyber introduction

Complex and interconnected Information Technology (IT) systems as well as Operational Technology (OT) systems have become more and more embedded in the daily operations of companies. Cloud computing, Artificial Intelligence (AI) as well as the Internet of Things (IoT) are enlightening examples of technologies that enable a plethora of innovative products and services. In 2017 the Organisation for Economic Co-operation and Development (OECD) published the Science, Technology and Industry (STI) Scoreboard:3 “Collectively they [IT and OT systems] are enabling a future of ‘smart everything’, and empowering businesses, consumers and society as a whole.”

Figure 1: Intensity and development speed in ICT-related technologies, 2000-14⁴

The increasing intensity and the speed of development of complex and interconnecting ICT-related technologies are evident. In Figure 1 the graphical representation of the number of AI-related patents in the five top IP offices highlights the acceleration: an increase in patents of 6% per year on average between 2010 and 2015, roughly twice the average annual growth rate observed for all patents. In 2015 alone, 18,000 AI inventions were filed worldwide.5 Although companies have embraced all sorts of enabling technologies, they also struggle to respond adequately to the often non-transparent challenges in the cyber realm. These technologies can and will be (ab)used. The Global Risks Report 2018 of the World Economic Forum (WEF)6 proclaims: “Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace.”

3 OECD (2017), “Executive summary”, in OECD Science, Technology and Industry Scoreboard 2017: The digital transformation, OECD Publishing, Paris. DOI: http://dx.doi.org/10.1787/sti_scoreboard-2017-3-en, page 13

4 OECD (2017), “Science, innovation and the digital revolution”, in OECD Science, Technology and Industry Scoreboard 2017: The digital transformation, OECD Publishing, Paris. DOI: https://doi.org/10.1787/sti_scoreboard-2017-4-en, page 21

5 OECD (2017), “Executive summary”, in OECD Science, Technology and Industry Scoreboard 2017: The digital transformation, OECD Publishing, Paris. DOI: http://dx.doi.org/10.1787/sti_scoreboard-2017-3-en, page 13

6 World Economic Forum. The Global Risks Report 2018, 13th Edition, 2018. ISBN 978-1-944835-15-6.


Problem description

The internet has become a global social & economic platform. Global dependence on the internet and connected digital technologies is a fact and has the potential to create (un)foreseen (global) shocks. It is a time-consuming process to keep the daily operations of organizations, which are highly connected and increasingly complex, secure as well as adaptive and resilient. In the Global Risks Report 2018 of the World Economic Forum, cyberattacks were ranked 3rd in the top 10 risks in terms of likelihood.7

Figure 2: Internet as global social & economic platform⁸

Traditional risk management practices were always considered to be one of the bedrocks of internal organizations. These practices were often focused on conventional risks, which were easy to isolate and usually had one root cause. In the digital age, however, risks are: “trans-boundary because they do not have a single-root cause […] and also involve multiple causal agents and pathways for transmission”.9 The report of the WEF also declared: “… we are much less competent when it comes to dealing with complex risks in systems characterized by feedback loops, tipping points and opaque cause-and-effect relationships that can make intervention problematic.”10 Cyber risks are not always identified, analysed and monitored properly. In addition, new risk responses were introduced. With the current number and speed of changes as well as the (often non-transparent) emerging risks due to new techniques, organizations can no longer react and rapidly adapt to everything. Organizations are in need of modern risk-based strategies, tailored to the complexity of present-day threats, that help them focus and enable them to take firm but balanced actions.

7 World Economic Forum. The Global Risks Report 2018, 13th Edition, 2018. ISBN 978-1-944835-15-6, page 3

8 Towards a future internet (2010), Interim report, European Commission, Brussels.

9 Smith, D., & Fischbacher, M. (2009). The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience. Risk Management, 11(1), 1-12.

10 World Economic Forum. The Global Risks Report 2018, 13th Edition, 2018. ISBN 978-1-944835-15-6, page 15


Relevance of the research

Within the risk management community as a whole there are various discussions on how the field of cyber risk management should develop further. The current literature on managing risks in the cyber realm, or for that matter literature on cyber in general, is still relatively young and limited. Cyber has exposed organizations to specific phenomena (e.g. malicious threat actors). Recent studies often focus on a specific area or on specific risk management techniques (e.g. modeling cyber insurance).11 Few papers provide a broader perspective. In addition, the literature is mostly focused on theory and does not provide insights into the daily experiences of experts. This paper takes a broader approach by exploring whether risk management practices have changed while dealing with the specific dynamics related to the cyber realm. The paper will describe a wide array of topics. Each organization has its own DNA and there is no one-size-fits-all approach. However, it is expected that there are generic changes and developments in risk management which can be identified. The approach is exploratory as, given the scarcity of the available literature, no a-priori hypotheses or expectations can be formulated.

Research goals and questions

This study will employ an exploratory approach in order to synthesize a broad perspective on managing risks in the cyber realm. The ultimate goal of this study is to explore the changing demands that have been placed on traditional risk management while taking into perspective the dynamics related to the cyber realm.

Research question

What is the impact of the cyber realm on risk management practices?

The sub-questions supporting the main research question are:

* Which definitions are used when talking about risk management as well as the cyber realm?
* What are the characteristics (or distinctive features) of the cyber realm?
* What changes or developments in current risk practices can be identified related to the cyber context?
* How do experts in the field evaluate the current performance of risk management practices as supporting backbone and value creator for the organization?

11 Böhme and Schwartz (2010), “Modeling Cyber-Insurance: Towards A Unifying Framework”, Workshop on the Economics of Information Security, June 2010, 1–36.


The first sub-question supports conceptualization and provides the reader with a general starting point on risk management practices as well as the cyber realm. The second question focuses on specific characteristics or traits of the cyber realm. This question will provide the possible triggers for organizations to change their modus operandi. With this context in mind, the third sub-question focuses on the changes and developments of organizations and the way this influences risk management practices. The final sub-question provides insights into the way the performance of the current modus operandi is perceived by experts in the field and potential areas of maturity growth.


PART II – RESEARCH METHODOLOGY

Research methodology

Research Scope, assumptions and limitations

Thesis outline


RESEARCH METHODOLOGY

Qualitative approach

In order to answer the research questions above an exploratory study was done. A qualitative approach was chosen. Assessing and mitigating risks are activities where multiple people come together and interact. Based on professional judgements, they form a unified opinion on what the uncertainties and risks are and what the likelihood and impact is when these risks indeed materialize. Due to the social aspects of performing risk management, the analysis can “not rely on numbers as unit of analysis”.12 Every professional has his/her own idiosyncratic experiences and reality, and a statistical approach is therefore less suited in this particular context. In addition, a qualitative research design has flexibility as it can emerge and evolve as the study moves forward. As such, this study takes a qualitative approach.

Type of research

A qualitative approach was chosen, where information on risk management practices in the context of the cyber realm was collected via multiple sources; this is also called data triangulation.13 First of all, a literature review was done on existing literature and secondary information sources on risk management and the cyber realm. Secondly, in-depth interviews with experts in the field were used to obtain participants’ experience and viewpoints and to identify possible changes and developments in the risk management field. The different viewpoints were combined and standardized in order to form a broad view on the cyber risk management field and bring forward the themes that emerged. The qualitative research interview14 of King and Horrocks was selected for data gathering and the matrix analysis method15 (a specific variation on the template analysis method) of the same authors was selected for the analysis part.

Literature review

A literature review was the first step and it provided the general concepts as well as the first indications of possible changes in demands on risk management practices. For the initial data collection, the libraries of Leiden University as well as other sources (e.g. Researchgate.net and Google Scholar) were used with several keywords (e.g. cyber risk management). The criteria to select these papers were: relevance to the research (sub)question(s), critical gaps or disagreements in the field, major themes and concepts within the literature as well as personal interest of the author. The literature review was used to conceptualize risk management as well as to conceptualize the cyber realm. In advance of the actual analysis of collected data, the Template Analysis technique “allows the researcher to define some themes in advance of the analysis process – referred to as a-priori themes”.16 The themes Adaptability, Cyber Intelligence, Resilience and Supply chain management were identified. A combination of inclusion and exclusion criteria for these themes was used to match information to a theme. Criteria such as “outside in focus”, “inside out focus”, “alignment with environment”, “creating context”, “internal process” or “external process” were combined in order to map information. These initial areas of interest, based on the literature review, were then used in the second part of the research (the interviews).

12 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010, page 7

13 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010

14 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010

15 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010

Semi-structured interviews

The second step entailed several semi-structured qualitative interviews with experts in the field. The qualitative research interview17 guidance of King and Horrocks was selected due to its suitable interview characteristics and the strong practical guidance given by the authors. In order to give experts maximum space to bring in their personal views on the changing demands and developments within the risk management field, the interviews “emphasise open-ended, non leading questions, and focus on personal experiences”.18 This type of interview was chosen as it facilitated a more confidential, private setting as well as a basic structure for the interviews to start with. However, it also enabled the researcher to use a flexible approach during the interaction, which “focused on personal experience, and seeks to build rapport with the interviewee”19 in order to maximize the outcomes of the interview and obtain the interviewees’ opinions and beliefs. Regarding visibility, a high level of confidentiality and anonymity was realised.

Selection of respondents

Selection of the interviewees was done using multiple criteria in order to create diversity. The participants represent a heterogeneous group of functions and they have experience in a wide range of sectors. The participants hold a wide variety of functions, from all layers of the corporate governance “three lines of defence” (3LOD) model20 within different organizations. Directors, senior managers and other business experts (1st line of defence), risk managers and policy experts (2nd line of defence) as

16 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010, page 168
17 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010
18 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010
19 Idem, page 2
20 https://www.coso.org/Documents/COSO-2015-3LOD.pdf


well as auditors (3rd line of defence) were interviewed. Furthermore, multiple supportive advisors were included in the round of interviews. This diversity is important, as in practice these different types of professionals need to collaborate while managing risks. The Appendix lists the participants, their current position and the sectors they have experience in.

Setup interviews

For most interviews a location was chosen which provided comfort, privacy and quiet, as well as being a location the participant perceived as “neutral” terrain or even “their” terrain. Ultimately the interviewee had the opportunity to fully influence the setting he or she wanted to have. Eleven out of fifteen interviews were done in an office environment, which fitted all three criteria. Two interviews were done in a public environment where it was less quiet. However, this location did provide enough privacy and was used at the explicit request of the interviewees. Due to agenda constraints or physical distance, an additional two interviews were conducted by telephone. In both cases the identity of the interviewees could be verified, as contact had already been established at an earlier stage. Here too the interview settings were sufficient.

Audio recordings were made and full transcripts of the interviews were produced. In preparation for the interview, the participants received basic information on why they were selected, and the anonymous use of data in the general report and confidentiality were discussed. As a backup for the audio recordings, additional notes were also taken during the interviews. The audio file of interview 5 was unusable (due to data corruption) and the notes formed the basis for that transcript. Because the outcomes could not be transcribed literally, an additional review was done by the interviewee. This was done to exclude any interpretation on the author’s side.

During the preparation an interview guide was made and explicit efforts were taken to avoid leading questions as well as overly complex or multiple questions. At the start of each interview sufficient time was taken to build rapport with the participants and to introduce the goal of the research. As an initial question the interviewees were asked to elaborate on their experience in relation to the subject. This also gave the interviewees some more time to settle in. Secondly, they were asked to describe the characteristics of the cyber domain, the organisational impact of the cyber domain and, specifically, the risk management changes they have encountered. Finally they were asked to give their vision on the efficiency and effectiveness of current risk management practices. During the interview the researcher also used additional probes (e.g. please clarify or elaborate) to encourage sharing of


additional information. At the end of the interview an explicit check was done to see whether there was anything the interviewee still wanted to add.

During the interviews, the technique of saturation was used. It was difficult to determine the exact sample size needed to achieve saturation. Due to time and resource limitations, and for planning reasons, waiting for data saturation to occur was not an option. In addition, there were few sources that operationalized sample sizing in this context to an exact number. Bertaux21 argued that the minimum sample size for qualitative research is fifteen. Kuzel22 argued for a size between twelve and twenty when dealing with a heterogeneous group. Based on these numbers a sample size of fifteen for the qualitative interviews was chosen. New observations and insights that emerged during the interviews were directly taken into account in the subsequent interviews.

Data analysis

Verbatim transcripts of the interviews were used as the basis for the Template Analysis23. For the analysis all transcripts were printed with wide margins and extra space between lines to create room for comments. The transcripts were then read through multiple times in order to get a good understanding of the text. Secondly, the interviews were analysed part by part while keeping each interview as a whole in mind. Parts that provided information on the participants’ experiences and views were highlighted and descriptions were written down. After finalizing the descriptive coding for each interview, the descriptive (but still quite literal) words or phrases were reviewed and refined multiple times and digitized in an Excel file. The a-priori themes were added as columns and were used to map the descriptive codes in a matrix format. In the next stage, descriptive codes which share a common meaning were brought together in groups and interpretive coding was added. During this process the transcripts and descriptive codes were reviewed in order to make sure the codings remained in line with the raw data. Codes were refined and reapplied multiple times during the process. This was supported by the Excel filter options, as the interpretive codings were put in a separate column. During the third stage a number of overarching themes that characterise concepts within the analysis were linked to the interpretive codes. These themes are at a higher level of abstraction. As a whole, the different levels of coding provide a hierarchy of data. Finally, combining both the literature review outcomes and the interview explorations, an analysis was done in order to state the changing demands in the risk management field in the context of the cyber realm.

21 Bertaux, D. 1981. From the life-history approach to the transformation of sociological practice. In Biography and society: The life history approach in the social sciences, ed. by D. Bertaux, 29–45. London: Sage.
22 Kuzel, A. J. (1992). Sampling in qualitative inquiry. In B. F. Crabtree & W. L. Miller (Eds.), Research methods for primary care, Vol. 3. Doing qualitative research (pp. 31-44). Thousand Oaks, CA, US: Sage Publications, Inc.
23 King, N., and C. Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010


In conclusion, the research questions were reviewed and linked to the outcomes of the research. In addition, suggestions for further research are provided.

Research scope, assumptions and limitations

The research scope is focused on risk management in the cyber realm. For the research, specialists working in organizations in the Netherlands were contacted in order to gain insight into how these organizations deal with risks in their daily operations.

As stated earlier, the knowledge base on cyber is still quite young and subject to change. One example is the ongoing debate on what precisely a cyber risk is and how such risks relate to information risk as well as IT risk.

The cyber risk management field is still very broad and there are many different lenses through which to look at it. Although we provide a general overview of cyber risk management, this does not mean that every aspect will be explored and described in the same depth. Depending on the outcomes of the literature review and interviews, specific elements will receive additional attention.

Another limiting factor in the research is our natural biases. It needs to be stated that there is no such thing as a fully “neutral lens”. With respect to the researcher, it needs to be explicitly mentioned that the author is a thirty-nine year old risk management coordinator and senior advisor with extensive experience in the financial sector. Her expertise lies in risk, IT and managing operations. As educational background she has an International Executive MBA as well as a bachelor’s degree in Business Information Science. In addition she holds multiple risk management certifications: she is a Certified Information System Security Professional, a Certified Crisis Management Professional and a Certified Business Continuity Management Professional. She carries her own thoughts and experiences with her. This needs to be taken into account when looking at the collected data, the outcomes of the analysis and the conclusions. As stated earlier, the study design has incorporated multiple aspects in order to support “neutral” data collection as well as generalization and data analysis. The principle of triangulation (multiple sources) is applied by executing both a literature review and semi-structured interviews. The setting of the interviews (open questions, one-on-one interviews) supports an open dialogue. Full transcripts were made in order to maintain as much detail as possible. During the analysis of the data, the author used software (Microsoft Excel) to maximize consistency while reviewing the data from different angles (using filters) and determining which generalizations of the data were possible. The coded “matrix” provides an overview of the descriptive and interpretive coding as well as the overarching themes. The matrix supports the findings as stated in the report. In the report, quotations from interviews are provided per theme in order to illustrate findings via explicit


examples and remarks given by the interviewees. At the end of the writing process, one interviewee was asked to peer review the overall report.

Thesis outline

Part I gives a short introduction to the cyber era and the challenges organizations face, and presents the goal of the research and the related research questions. In Part II the research methodology is presented. Part III starts with the conceptualization of traditional risk management practices and the conceptualization of the cyber realm. It then covers the important developments in the field of managing risks that were identified during the literature review, followed by the a-priori themes and their implications for risk management. In Part IV the outcomes of the interviews with specialists in the field of (cyber) risk management are presented. In Part V the outcomes of both explorations are combined and analysed, and in Part VI the overall conclusions and recommendations for further research are introduced.


PART III – LITERATURE REVIEW

Conceptualization on risk management

Conceptualization on the cyber realm

Managing cyber risks

Specific traits of the cyber realm

Risk management developments due to cyber


CONCEPTUALIZATION OF RISK MANAGEMENT

The overall aim of an organization is often stated in a mission statement. In order to realize the company’s objectives, it needs to undertake actions. Traditional risk management practices have for years been one of the bedrocks of internal organization, by keeping risk profiles within boundaries. Hopkin, the author of Fundamentals of Risk Management, summarizes the motivation for executing risk management activities as: Mandatory, Assurance, Decision making and Effective & Efficient processes (MADE2)24. Mandatory: organizations need to ensure that they comply with legal and regulatory obligations. Assurance: risk management and internal control need to be proportionate, aligned, comprehensive, embedded and dynamic. Decision making: risk information should assist organizations during decision making. Effective & Efficient: risk management supports the achievement of efficient and effective processes.

Risk management levels

All humans, even small children, are involved in risk management on a daily basis. A child is explicitly instructed to look both ways before crossing the street to determine whether it can cross safely. Risk management is done in many forms and at different levels of an organization. The Board of Directors (BoD) monitors the strategic business objectives and the current performance of the organization. At the executive level, agenda setting, prioritisation and budget allocation take place and the outcomes are communicated. In an ideal setting the most important risk categories (e.g. financial, operational incl. possible cyber risks) are evaluated as a whole.

Figure 3: Levels of Risk Management25

24 Hopkin, P. Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management. Kogan Page, 2018.
25 National Institute of Standards and Technology (2018). Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, page 12


All activities that take place at the business/process level need to remain within the risk tolerances and consistent with the risk strategies set out by the BoD. Radical changes in the external environment might influence the risk exposure of the company and are monitored. On a more tactical level the outcomes are used by business managers as a reference when setting the frameworks for risk management and performing impact assessments. In addition, policies, processes and procedures are implemented to manage (cyber) risks and enable the organization to execute risk management activities on an operational level. At the lowest level, risk controls are implemented.

Process of managing risk

The International Organization for Standardization (ISO) principles, guidelines and standards for risk management in general, as well as for information security risk management, are used worldwide. ISO 31000:2009 provides: a) one vocabulary, b) a set of performance criteria, c) an overarching process for identifying, analysing, evaluating and treating risks, and d) guidance on how that process should be integrated into the decision making processes of an organization26. ISO defines risk management as “coordinated activities to direct and control an organization with regard to risk”27. To provide the reader with a general starting point, the risk management process28 as described in ISO 31000:2009 is presented in figure 4.

Figure 4: Risk management process from ISO 31000:200929

The process starts with the step “Establish the Context”, which defines what the organization wants to achieve and the external and internal factors which may influence success in realizing its objectives. The outcomes of this first step are input for the “Risk Assessment” step, which consists of Risk Identification (what, where, when and how), Risk Analysis (consequences and likelihood) and Risk

26 ISO, I. (2009). 31000: 2009. Risk management. Principles and guidelines.
27 ISO, E. (2011). IEC 27005: 2011 (EN) Information technology -- Security techniques -- Information security risk management. Switzerland. ISO/IEC, page 13
28 Idem
29 ISO 31000:2009, Risk Management — Principles and Guidelines. Geneva: International Standards Organisation, 2009.


Evaluation (level of risk, priority of attention). When it is clear what exactly is going on, it is necessary to choose an appropriate “Risk Treatment” (e.g. mitigation strategy, transference). Existing controls are evaluated in order to determine whether they need to be improved or whether new controls are needed in order to keep the risk exposure within acceptable levels. On the right side of figure 4 the process “Monitoring and Reviewing” risks is shown. This process describes the reaction to emerging risks or to changes in the organization’s objectives or in the internal/external environment. On the left side, the process “Communication and Consultation” focuses on interaction with external and internal stakeholders. Both are continual processes.

Defining a risk

In ISO 31010 over thirty techniques (e.g. brainstorms, root cause analysis, bow tie analysis) are described to define and analyze risks. In figure 5 below a schematic diagram of a bow tie is presented. “Bow tie analysis is a simple diagrammatic way of describing and analyzing the pathways of a risk from causes to consequences”30.

Figure 5: Schematics of a bow tie diagram31

In the exemplary bow tie an event (e.g. a malware infection) is shown with multiple sources of risk (e.g. a malware attack) and a range of consequences (e.g. a service failure, data corruption). Prevention controls (e.g. virus scanner) as well as mitigation & recovery controls (e.g. backups) are also shown. One of the controls is not working optimally and is therefore labelled as an escalation control (e.g. use of an old software version). Probability levels are often calculated based on historical data or probability forecasts, or determined by professional judgement. Consequence calculations are often based on quantitative modelling. The risk equation can be defined as: Risk = likelihood x impact. “A

30 ISO, E. (2009). IEC 31010: 2009 (EN). Risk management - Risk assessment techniques, page 64
31 Idem, page 66


consequence/probability matrix is a means of combining qualitative or semi-quantitative ratings of consequence and probability to produce a level of risk or risk rating”.32
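As an added illustration (not code from the thesis), the bow tie and the consequence/probability matrix described above can be worked through in Python. The 5-point scales, the rating bands, the “Medium” tolerance and the rule that a failed control shifts the rating one step are constructed assumptions; the malware-infection bow tie with its virus scanner, backups and old software version is the page’s own example, with constructed ratings.

```python
from dataclasses import dataclass
from enum import IntEnum


# Constructed 5-point ordinal scales for a semi-quantitative
# consequence/probability matrix (assumption, not taken from the thesis).
class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


# Risk level = likelihood x consequence (1..25), banded into a rating label.
# Band thresholds are constructed; every organization defines its own.
RATING_BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Extreme"))
RATING_ORDER = [label for _, label in RATING_BANDS]


def risk_level(likelihood: Likelihood, consequence: Consequence) -> int:
    """Risk = likelihood x impact, evaluated on the two ordinal scales."""
    return int(likelihood) * int(consequence)


def risk_rating(level: int) -> str:
    """Map a risk level onto the rating label of its matrix cell."""
    for upper, label in RATING_BANDS:
        if level <= upper:
            return label
    raise ValueError(f"level {level} lies outside the 1..25 matrix")


def treatment_needed(rating: str, tolerance: str) -> bool:
    """True when the rating exceeds the risk tolerance set by the board."""
    return RATING_ORDER.index(rating) > RATING_ORDER.index(tolerance)


@dataclass
class Control:
    name: str
    kind: str            # "prevention" (left of the event) or "mitigation" (right)
    effective: bool = True


@dataclass
class BowTie:
    event: str
    sources: list
    consequences: list
    controls: list
    base_likelihood: Likelihood
    base_consequence: Consequence

    def escalation_factors(self) -> list:
        """Controls that do not work as intended (the 'escalation' case in the text)."""
        return [c.name for c in self.controls if not c.effective]

    def assessed(self) -> tuple:
        """Assumed adjustment rule: a failed prevention control raises likelihood
        one step, a failed mitigation control raises consequence one step."""
        lik, con = int(self.base_likelihood), int(self.base_consequence)
        for c in self.controls:
            if c.effective:
                continue
            if c.kind == "prevention":
                lik = min(lik + 1, Likelihood.ALMOST_CERTAIN)
            else:
                con = min(con + 1, Consequence.SEVERE)
        return Likelihood(lik), Consequence(con)

    def rating(self) -> tuple:
        level = risk_level(*self.assessed())
        return level, risk_rating(level)


def build_matrix() -> dict:
    """Full 5x5 consequence/probability matrix keyed by (likelihood, consequence)."""
    return {(l, c): risk_rating(risk_level(l, c)) for l in Likelihood for c in Consequence}


def example_bowtie() -> BowTie:
    """The malware-infection bow tie from the text; ratings are constructed."""
    return BowTie(
        event="malware infection",
        sources=["malware attack"],
        consequences=["service failure", "data corruption"],
        controls=[
            Control("virus scanner", "prevention"),
            # the old software version: a prevention control that is not effective
            Control("current software version", "prevention", effective=False),
            Control("backups", "mitigation"),
        ],
        base_likelihood=Likelihood.POSSIBLE,
        base_consequence=Consequence.MAJOR,
    )


if __name__ == "__main__":
    bt = example_bowtie()
    base = risk_level(bt.base_likelihood, bt.base_consequence)
    print(f"{bt.event}: base level {base} ({risk_rating(base)})")
    print(f"escalation factors: {bt.escalation_factors()}")
    level, rating = bt.rating()
    print(f"assessed level {level} ({rating}); treatment needed at tolerance "
          f"'Medium': {treatment_needed(rating, 'Medium')}")
```

Running the script shows the base rating “High” (3 x 4 = 12) becoming “Extreme” (4 x 4 = 16) once the outdated software version is counted as a failed prevention control, which is exactly the exceedance of tolerance that triggers a treatment decision.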

After conceptualizing risk management, the following section focuses on the conceptualization of the cyber realm.

CONCEPTUALIZATION OF THE CYBER REALM

Over the years, complex and interconnected Information Technology (IT) systems as well as Operational Technology (OT) systems have become more and more embedded in society and in the daily operations of companies. Mobile phones, iPads and other electronic devices are used twenty-four seven. IoT devices are “expected to expand from an estimated 8.4 billion devices in 2017 to a projected 20.4 billion in 2020”.33 Many of our activities contain some sort of cyber activity.

Figure 6: Cyber ecosystem by Chehadé & company 201634

Defining the cyber realm

Cyberspace, also named the cyber realm or cyber domain, is the “global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies (Kuehl, 2009)”.35 This is a rather abstract description, but it does cover all elements which are relevant in the

32 Idem, page 82
33 Gartner. 2017. “Gartner Says 8.4 Billion Connected ‘Things’ Will Be in Use in 2017”. 7 February 2017. https://www.gartner.com/newsroom/id/3598917
34 https://cyber.harvard.edu, Lecture cyberspace governance, retrieved 02-11-2018
35 https://cyber.harvard.edu, Lecture cyberspace governance, retrieved 02-11-2018


realm. To conceptualize further and make it more concrete, the subdivision of cyberspace into three layers by professor Van den Berg (ed.)36 is introduced. The technical layer comprises the IT facilities which enable cyber activities (Internet, applications, servers, cloud). The socio-technical layer consists of the actual cyber activities (e.g. information searching, e-watching, electronic banking). The technical and the socio-technical layer are both managed and controlled by the governance layer. A wide variety of human actors and organizations are involved in this process.

Figure 7: Conceptualization of cyberspace in layers and (cyber) sub-domains. 37

Trans-boundary, non-transparent traits

Historically the perimeters of an organization were quite straightforward. Nowadays, the perimeters of an organization are much more opaque, as organizations have numerous locations and all sorts of suppliers and IT solutions are part of their value chain. In modern society almost everything is connected (e.g. via mobile phones, iPads, laptops) and over the years the dividing line between private and business has become blurred. The value chain of an organization can become extremely far-reaching and non-transparent, as it also includes global suppliers like Microsoft or Amazon (e.g. cloud services). IT systems provide organizations with all sorts of market opportunities and the potential to create a global reach. However, the downside is that dependencies on technology also bring global risks (e.g. via cascading effects). “They are trans-boundary, because at their simplest, they transcend national, political and social boundaries”.38

36 Jan Van den Berg, ed., On (the Emergence of) Cyber Security Science and its Challenges for Cyber Security Education, Leiden: CSA Academy, Study material Master of Cyber Security, 2017.
37 Jan Van den Berg, ed., On (the Emergence of) Cyber Security Science and its Challenges for Cyber Security Education, Leiden: CSA Academy, Study material Master of Cyber Security, 2017.
38 Smith, D., & Fischbacher, M. (2009). The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience. Risk management, 11(1), 1-12, page 6


Complexity

The volume of threats has increased and the risks are more complex due to their dynamic nature. Our washing machine lets us know when it has finished its program and all kinds of sensors (e.g. light sensors) make our lives easier. For organizations too the opportunities are endless when making use of all sorts of new services (e.g. cloud services) and technologies (e.g. mobile technology). However, with this borderless phenomenon also comes a “complex mosaic in which the causal factors, mechanisms of transmission and escalation, and the range of processes around mitigation, and control cut across disciplinary and structural boundaries”.39

Cyber threats and threat actors

There are Internet sites available (e.g. https://www.fireeye.com/cyber-map/threat-map.html) which provide real-time information on malicious cyber attacks. The FireEye website shows the high volume of attacks (500,000 plus) per day. The types of attacks range from small to large (e.g. Advanced Persistent Threats (APT)). “A cyber attack is usually profitable, low-threshold and involves little risk for the actor. The easy accessibility of attack tools and the use of insecure products and services are reasons for this low threshold.”40 “The costs of cyber-crime to society so far may already be substantial. Some studies cite figures as high as $388 billion or $1 trillion”.41

Figure 8: Threat model42

Figure 9: Cyber attacks43

In the threat model above, different kinds of threat actors are presented. These actors vary from individuals and hacktivists to professional criminals, but also include nation states. The motivations or intentions of the actors differ. A criminal is “an actor who perpetrates attacks with an economic

39 Smith, D., & Fischbacher, M. (2009). The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience. Risk management, 11(1), 1-12, page 3
40 https://www.ncsc.nl/binaries/content/documents/ncsc-en/current-topics/cyber-security-assessment-netherlands/cyber-security-assessment-netherlands-2018
41 Tendulkar, R. (2013). Cyber-crime, securities markets and systemic risk. CFA Digest, 43(4), 35-43, page 3
42 Gosler, J. R., & Von Thaer, L. (2013). Task force report: Resilient military systems and the advanced cyber threat. Washington, DC: Department of Defense, Defense Science Board.
43 Refsdal, A., Solhaug, B., & Stølen, K. (2015). Cyber-risk management. In Cyber-Risk Management (pp. 33-47). Springer, Cham, page 34


or financial motive”, whereas a hacktivist is “an actor who mounts digital attacks motivated by a certain ideology”. Espionage is defined by the NCSC as “Impairing the confidentiality of information by state or state-sponsored actors copying or removing information”.44 Malicious attacks on enterprises can originate from the external environment (e.g. malware or a social engineering attack) as well as from the internal environment (e.g. via a temporarily hired external employee). It is good to note that cyber risks stem from malicious as well as non-malicious threats.

Definition of cyber risks

There are many opinions and discussions on the definitions of, and intersections between, the cyber realm and the longer-established IT and information security realms. These discussions, up to this day, are illustrative of the still developing knowledge base on cyber. A cyber risk is defined as “the risk that is caused by a cyber-threat.”45 Non-malicious threats can be characterized as accidents and unintended acts (e.g. incorrect use of a system). The attack surface is defined as “all of the different points where an attacker or other threat source could get into the cyber-system, and where information or data can get out”46.

Definition of cyber security

Depending on whom you talk to, there are different perceptions of the scope and focus of cyber security, information security and IT security. Cyber security can be used as a synonym for information security (Ogut et al.)47. Using this scope, security requirements focus on the Confidentiality, Integrity and Availability (CIA) triad. But there are also authors who define cyber security with a different scope. Cebula and Young stated: “Within the cyber security space, the risk management focus is primarily on operational risks to information and technology assets. People and facility assets are also considered to the extent that they support information and technology assets.”48 Specific types of systems are also argued to determine the scope. Third generation (networked) Industrial Control Systems (ICS), which use open technologies, have specific points of attention due to their safety features (e.g. failsafe modes). The European Network and Information Security Agency (ENISA) has argued that, when maintaining these Industrial Control Systems, the triad Safety, Reliability and Availability (SRA) is more appropriate.49

44 https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Netherlands/cyber-security-assessment-netherlands-2018.html
45 Refsdal, A., Solhaug, B., & Stølen, K. (2015). Cyber-risk management. In Cyber-Risk Management (pp. 33-47). Springer, Cham, page 33
46 Refsdal, A., Solhaug, B., & Stølen, K. (2015). Cyber-risk management. In Cyber-Risk Management (pp. 33-47). Springer, Cham, page 37
47 Oğüt, H., Raghunathan, S., & Menon, N. (2011). Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Analysis : An Official Publication of the Society for
48 Cebula, Young, & Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst. (2010). A Taxonomy of Operational Cyber Security Risks.
49 Knowles, Prince, Hutchison, Disso, & Jones. (2015). A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection, 9, 52-80.


Figure 10: Cyber security border50

This paper does not go into the details of the underlying (often semantic) discussions, as its focus lies on the developments in the risk management field. The realms (however semantically defined) are closely linked to each other and together provide overall protection for an organization. As the central starting point, the broader definition of cyber security is chosen, which explicitly places the use of cyber techniques (e.g. the human aspects) in scope. The National Institute of Standards and Technology (NIST) has defined cyber security as: “the ability to protect or defend the use of cyberspace from cyber attacks.”51

RISK MANAGEMENT DEVELOPMENTS

The concepts of risk management and cyber, which have been explained in the previous sections, are now combined. The ultimate goal of this study is to explore the changing demands that have been placed on traditional risk management, while taking into perspective the dynamics related to the cyber realm.

Managing cyber risks

The process for managing information security risks matches the generic risk management process (as summarized in Figure 4) exactly. Looking at the most widely used standard for information security, the ISO 2700x series, the exact same process steps are shown (context establishment, risk assessment, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review).52

50 http://www.cisoplatform.com/profiles/blogs/understanding-difference-between-cyber-security-information
51 http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf, page 62
52 Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), 92.


Figure 11: Interrelations within the ISO 27 K family of standards 53

Dealing with uncertainty

Although the risk management steps themselves remained the same, the traits of the cyber domain stretch traditional risk methods. In contrast to risks on which sufficient levels of information are present and which are considered “business as usual”, the primary focus of risk management goes out to managing the “unexpected”. The external environment is becoming more and more complex, interconnected and non-transparent. In addition, the cyber work field is still young and still in full development. The current state leads to more risk factors and, in addition, to a higher level of uncertainty. Lack of insight or information makes prediction difficult and complicates the traditional, direct estimation of risks (risk = probability x likelihood). Information that people know they lack, forming blind spots (e.g. risks related to the introduction of an innovative service), as well as information that is very relevant for the organization but not on the radar at all (e.g. a zero-day vulnerability with huge impact in software), can confront organizations with uncertainties which ultimately lead to pleasant or unpleasant surprises. Black swans are more likely; they were defined by Taleb as: “highly improbable events with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.”54 Due to the more ambiguous external environment, dealing with uncertainty has become more difficult.

Risk management traditionally focuses on “controlling” uncertainties. The increase in uncertainties in the environment stretches traditional risk management approaches, which had a quite linear approach. In modern society, with developments in Artificial Intelligence and other groundbreaking innovations, as well as the fact that organizations use more and more external partners to serve their customers, the developments in levels of uncertainty, the increase of indirect control and the increase in the speed of change make it interesting to explore whether a focus on “adaptability” and “resilience” might be more suited. Organizations need to adjust continuously, and risk management supports the decision-making process when debating possible future scenarios.

53 ISO 27000, “Information Technology, Security Techniques, Information Security Management Systems, Overview and Vocabulary,” International Organization for Standardization ISO, Geneva, 2009.
54 Taleb, N. N. (2007). The black swan: The impact of the highly improbable (Vol. 2). Random House.

The remaining pages of Part II focus on a selection of developments that can be derived from the current literature. As stated earlier, the analysis technique used allows the researcher to identify a limited number of interesting patterns in the data, so-called a-priori themes, in advance. The themes presented here are further explored during the other half of the data collection activities, namely the semi-structured interviews. The a-priori themes presented are: Adaptability, Cyber Intelligence, Organizational Resilience and Supplier Management. These were chosen because they are expected to be the most determinative for changes in risk management practices.

A-PRIORI THEME 1: ADAPTABILITY

The WEF describes the current world as one of “increasing volatility, complexity and ambiguity”.55 The market conditions for organizations vary per sector; however, the digital environment is changing rapidly. Using the degrees of market turbulence by Ansoff (1=Repetitive, 2=Expanding, 3=Change, 4=Discontinuous, 5=Surpriseful)56, the market conditions are likely to rank within the range of 4 and 5.

Level | Environmental turbulence                              | Strategic aggressiveness                                                          | Responsiveness of general management capability
1     | Repetitive: no change                                 | Stable: stable, based on precedents                                               | Stability seeking: rejects change
2     | Expanding: slow incremental change                    | Reactive: incremental change based on experience                                  | Efficiency driven: adapts to change
3     | Changing: fast incremental change                     | Anticipatory: incremental change based on extrapolation                           | Market driven: seeks familiar change
4     | Discontinuous: discontinuous, predictable outcome     | Entrepreneurial: discontinuous new strategies based on observable opportunities   | Environment driven: seeks related change
5     | Surpriseful: discontinuous, unpredictable change      | Creative: discontinuous novel strategies based on creativity                      | Environment creating: seeks novel change

Table 1: Matching turbulence, aggressiveness and responsiveness57

This asks for active monitoring and, when necessary, recalibration of novel business strategies, in order to create but also preserve sustainable stakeholder value. Being able to continuously adapt to external changes in order to ensure long-term survival asks for strong strategic capabilities and is becoming more and more important. Keeping on doing the right things is crucial. Adaptability can be defined as: “the ability to fit more particularly for existence under the conditions of its changing environment.”58 Organizations that fail to keep up are at risk of an unsustainable business model and of becoming a proverbial dinosaur. Scenario plans and early warning systems are supportive instruments for fast reaction processes. The rapid stream of newly available technologies provides organizations with many business opportunities. However, these digital technologies also introduce all kinds of challenges (e.g. new competition, cyber threats and reputational risk).

55 World Economic Forum. The Global Risks Report 2016, 11th Edition, 2016.
56 Ansoff, H. I., & Sullivan, P. A. (1993). Optimizing profitability in turbulent environments: A formula for strategic success. Long range
57 Ansoff, H. I., & Sullivan, P. A. (1993). Optimizing profitability in turbulent environments: A formula for strategic success. Long Range Planning, 26(5), 11-23, page 15

Degree           | Optimum strategy process                      | Comments
1. Repetitive    | Procedures, budgets                           | Bottom-up budgets, top-down procedures
2. Expanding     | Financial control, extrapolated budgets       | Tight performance targets, extrapolations
3. Changing      | Formal planning based on patterns of success  | Top-down/bottom-up planning, formal process
4. Discontinuous | Strategic planning                            | Stronger top-down input: scenario planning; issue management
5. Surpriseful   | Fast reaction process                         | Scenario plans, early warning systems

Table 2: Optimum strategic process for each level of turbulence (slightly altered for readability purposes)59

An organization needs to balance the focus on short- and long-term objectives and the resources connected to them. “The process of adaptation includes … subprocesses: adaptive generalization or managing misfits [to move to a higher state of adaptation] and adaptive specialization or managing for fits [within a given state].”60 In relation to adaptive specialization, Chakravarthy describes that material capacities (MATCAP) and organizational capacities (ORGCAP) need to be optimized in order to adapt adequately. Low levels of pressure on short-term results and higher risk appetite and tolerances will enable the organization to explore long-term objectives. In addition, information needs to flow freely through all layers of the organization. In Figure 14 the concepts described above are linked together in a Framework for Strategic Management.

58 Chakravarthy, B. S. (1982). Adaptation: A promising metaphor for strategic management. Academy of Management Review, 7(1), 35-44.
59 Hussey, D. (1999). Igor Ansoff's continuing contribution to strategic management. Strategic Change, 8(7), 375-392.
60 Chakravarthy, B. (1982). Adaptation: A Promising Metaphor for Strategic Management. The Academy of Management Review, 7(1), 35.


Figure 12: A Comprehensive Framework for Strategic Management61

Trend towards Enterprise Risk Management (ERM)

Every strategy choice and business opportunity is accompanied by specific risks. When executing ERM, the business opportunities as well as the top risks of the company are evaluated as a whole. “This allows the organization to gain an overview of all risks that it faces so that it can take coordinated actions to manage these risks.”62 The shift towards integrated risk management, as a strategic enabler for the C-level of the organization, is also shown in the recent updates of risk management standards (COSO in 2017 as well as ISO in 2018). The words of Jason Brown, the Chair of the technical committee ISO/TC 262 on risk management, illustrate this: “The revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility… Risk is now defined as the ‘effect of uncertainty on objectives’, which focuses on the effect of incomplete knowledge of events or circumstances on an organization’s decision making”63. These uncertainties force organizations to anticipate and take into account multiple scenarios, each with its own risk profile.

61 Chakravarthy, B. S. (1982). Adaptation: A promising metaphor for strategic management. Academy of Management Review, 7(1), 35-44, page 35
62 Hopkin, P. (2018). Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
63 https://www.iso.org/news/ref2263.html, The new ISO 31000 keeps risk management simple, published 15-02-2018, retrieved 07-11-2018


Cyber risks relevant at strategic level

Cyber risks need to be incorporated in the strategic risk management processes. New cyber opportunities arrive every day, with new technologies surfacing like mushrooms. Kosub states: “The change of traditional business models to modern, more complex and interconnected Internet-based business models (e.g., e-commerce) affects the vulnerability of data privacy and will certainly increase the relevance of cyber risk management, as the continuing digitalization will consequently increase the amount of digital personal data and hence expand the potential for cyber risks.”64 Threats can emerge when immature or unsafe digital technology becomes integrated into the operation of an organization. Data leakages due to a hack are headlined in the newspapers almost every day, and the recovery costs connected to these hacks can be extremely high. That cyber attacks can have a huge impact is demonstrated by numerous cases. The Department of Health and Social Care (DHSC) estimates the cost of the WannaCry ransomware attack on the National Health Service (NHS) in the UK at approximately £92 million.65

Cost item      | During attack (£m) | Aftermath (£m) | Total (£m)
1. Lost output | 19                 | 0              | 19
2. IT cost     | 0,5                | 72             | 73
Total cost     | 20                 | 72             | 92

Table 3: Estimated financial costs of the WannaCry attack on the NHS UK

The logistics company Maersk was also hit. It had to reinstall thousands of servers and PCs due to a NotPetya attack. Its freight shipping volume dropped by 2,5 %, which translates into a $300m loss66. In the Global Risks Perception Survey 2017–2018 of the WEF, the participants ranked cyber attacks 3rd of the Top 10 risks in terms of Likelihood and 6th in terms of Impact. Cyber risks obviously have the potential to lead to a high impact on the reputation as well as the financials of the organization. This asks for monitoring at the highest level.

Risk based approach

The attack surface of an organization is very wide; therefore it is common practice to focus on the assets of most value, the so-called “crown jewels”, first. The critical assets are assets that cannot be absent during the daily operation (e.g. the online webshop, the R&D information system). For the less critical assets a lower security level should be sufficient. “Assets are defined as tangible or intangible entities which are necessary and have values to the organization. Identification of key assets, and putting value on each key asset, is an important process of risk management”.67 In order to respond to environmental developments quickly, it is essential to anticipate potential future scenarios. The critical assets are therefore assessed on impact via several expected cyber attack scenarios. It is important to know the exact impact of specific cyber scenarios (e.g. via cyber-physical systems), which includes the cascading effect of threats and vulnerabilities on the assets. Based on the outcomes, it can be determined whether mitigation levels are sufficient.

64 Kosub, T. (2015). Components and challenges of integrated cyber risk management. Zeitschrift Für Die Gesamte Versicherungswissenschaft, 104(5), 615-634.
65 DHSC, Securing cyber resilience in health and care, October 2018
66 https://www.computing.co.uk/ctg/news/3020561/maersk-pins-usd300m-cost-on-notpetya-ransomware
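As an added illustration of the scenario-based, crown-jewel-first assessment described above (not from the thesis or any of its sources), the following Python script values a constructed set of assets, propagates each attack scenario through the dependency graph to capture the cascading effect, and compares the resulting loss with the loss the current mitigation is sized to absorb; every asset name, value, scenario and mitigation figure is constructed.

```python
"""Scenario-based impact assessment over an asset dependency graph.

Added illustration, not taken from the thesis: assets carry a business
value, the critical ones are the "crown jewels", and every attack scenario
names the assets it hits directly. Impact then cascades along dependencies
(an asset is lost when anything it depends on is lost), which is the
cascading effect the text refers to. All names, values, scenarios and
mitigation figures are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Asset:
    name: str
    value: int                 # constructed business value at stake
    critical: bool             # crown jewel?
    depends_on: Set[str] = field(default_factory=set)


@dataclass
class Scenario:
    name: str
    initial_hits: Set[str]     # assets compromised directly by the scenario
    mitigated_loss: int        # loss the current controls are sized to absorb


# Constructed sample organisation: a webshop that relies on a database and a
# payment service, which in turn rely on shared storage and an internal PKI.
ASSETS: Dict[str, Asset] = {
    "webshop": Asset("webshop", 500, True, {"db", "payment"}),
    "db": Asset("db", 300, True, {"storage"}),
    "payment": Asset("payment", 200, True, {"pki"}),
    "rnd": Asset("rnd", 400, True, {"storage"}),
    "storage": Asset("storage", 100, False),
    "pki": Asset("pki", 50, False),
    "intranet": Asset("intranet", 20, False),
}

# Constructed scenarios; the mitigation figures are what the current control
# set is assumed to absorb, not numbers from any source.
SCENARIOS: List[Scenario] = [
    Scenario("ransomware on storage", {"storage"}, mitigated_loss=600),
    Scenario("intranet phishing", {"intranet"}, mitigated_loss=50),
    Scenario("pki key compromise", {"pki"}, mitigated_loss=1000),
]


def cascade(assets: Dict[str, Asset], hits: Set[str]) -> Set[str]:
    """Return every asset that becomes unavailable: the directly hit ones plus
    all assets that transitively depend on them (fixed-point iteration)."""
    affected = set(hits)
    changed = True
    while changed:
        changed = False
        for asset in assets.values():
            if asset.name not in affected and asset.depends_on & affected:
                affected.add(asset.name)
                changed = True
    return affected


def scenario_impact(assets: Dict[str, Asset], scenario: Scenario) -> dict:
    """Total loss of a scenario including cascading effects, which crown
    jewels it reaches, and whether the sized mitigation would cover it."""
    affected = cascade(assets, scenario.initial_hits)
    loss = sum(assets[n].value for n in affected)
    return {
        "affected": sorted(affected),
        "loss": loss,
        "crown_jewels": sorted(n for n in affected if assets[n].critical),
        "mitigation_sufficient": loss <= scenario.mitigated_loss,
    }


def assess(assets: Dict[str, Asset], scenarios: List[Scenario]) -> Dict[str, dict]:
    """Run every scenario and key the results by scenario name."""
    return {s.name: scenario_impact(assets, s) for s in scenarios}


if __name__ == "__main__":
    for name, result in assess(ASSETS, SCENARIOS).items():
        print(f"{name}: loss={result['loss']} crown jewels={result['crown_jewels']} "
              f"mitigation sufficient={result['mitigation_sufficient']}")
```

Note that the cheapest, non-critical asset (storage) produces the largest cascading loss, which is why the assessment has to look beyond the crown jewels' own value to what they depend on.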

A PRIORI THEME 2: CYBER INTELLIGENCE

Because cyberspace is far-reaching and the potential threat sources and threats are very numerous, processing information on cyber risks is a difficult process. In addition, long ranges of historical data are absent. The traditional approach of manually identifying, categorizing, and countering each threat is not effective when dealing with a diversified and voluminous set of attack vectors in the form of advanced persistent threats (APTs).68 Cyber Threat Intelligence (CTI) is used to combine data and create “context”, detect new attacks and respond to attacks pro-actively. CTI gives insight into the actors that attack an organization, which methods are used and what the attackers are looking for. At the base level, technical threat intelligence (TTI), the aim is to help prevent attacks or at least shorten the window between compromise and detection.

Figure 13: Relationship of Data, Information, and Intelligence69

“Intelligence has two critical features that distinguish it from information. Intelligence allows anticipation or prediction of future situations and circumstances, and it informs decisions by illuminating the differences in available courses of action (COAs).”70 During the process there are several challenges to overcome (e.g. massive information flows). The qualitative outcome at the end of the road can ultimately be used as input for security assessments.

67 Kure, H., Islam, S., & Razzaque, M. (2018). An Integrated Cyber Security Risk Management Approach for a Cyber-Physical System. Applied Sciences, 8(6), 898.
68 Qamar, S., Anwar, Z., Rahman, M. A., Al-Shaer, E., & Chu, B. T. (2017). Data-driven analytics for cyber-threat intelligence and information sharing. Computers & Security, 67, 35-58.
69 Dempsey, M. E. (2013). Joint Intelligence. Joint Publication 2-0, I-2

The Intelligence Process

‘Planning and direction’ is the first step in the total Intelligence Process and is important to make sure the cyber intelligence process is steered towards a meaningful outcome. This step consists of “… the determination of intelligence requirements, development of appropriate intelligence architecture, preparation of a collection plan, assurance of orders and requests to information collection agencies.”71 To create ‘situational awareness’ a standard intelligence cycle is used to collect data from all sorts of sources. This raw data is then processed and transformed into information. Via analysis, ‘intelligence’ is produced. The output is then delivered to and used by the consumer.

Figure 14: Cyber Intelligence Process72

There are many different models which divide threat intelligence into certain sections, depending on gathering methods, analysis forms as well as the end consumer. From this last viewpoint, intelligence is divided into: strategic intelligence (high-level information consumed by decision-makers in order to weigh risks and allocate budgets for mitigation), operational intelligence (information on threatening attacks consumed by higher-level security staff of government), tactical intelligence (tactics, techniques and procedures (TTP) and information on how threat actors are conducting attacks, consumed by incident responders) and technical threat intelligence (consumed through technical resources).73

70 Dempsey, M. E. (2013). Joint Intelligence. Joint Publication 2-0, I-1
71 Dempsey, M. E. (2013). Joint Intelligence. Joint Publication 2-0, I-6
72 Dempsey, M. E. (2013). Joint Intelligence. Joint Publication 2-0, I-6
73 Tounsi, & Rais. (2018). A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security, 72, 212-233, page 215


Indicators of Compromise (IOC)

A variety of sources can be identified for Indicators of Compromise (IOC), including internal sources such as logs and honeynets. In addition, government-sponsored sources like national security organizations deliver information. Examples of Indicators of Compromise are: IP addresses, DNS, malicious file hashes, remote logins, system access as root, or attachments and links.

Standards of information & threat intelligence tools

One of the challenges during the collection of all the different data from multiple sources is the standardization of information, “which is expected to be expressive, flexible, extensible, machine-parsable and human-readable.”74 There are multiple standard formats to share information, for example the Structured Threat Information eXpression (STIXTM).

Figure 15: Structured Threat Information eXpression (STIXTM) use cases75

In Figure 15 several use cases of the STIX standard are presented. “STIX aims to extend indicator sharing to enable management and widespread exchange of significantly more expressive sets of indicators as well as other full-spectrum cyber threat information”.76 After collection of raw data via all sorts of libraries, value creation (e.g. via aggregation) needs to be achieved via analysis. Popular tools (e.g. Malware Information Sharing Platform (MISP), Collaborative Research into Threats (CRITs)) make use of the more organized storage of the IOCs. Figure 18 provides basic information on the two tools.

74 Idem, page 224
75 Barnum, S. (2012). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, 11, 1-22, page 9
76 Barnum, S. (2012). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, 11, 1-22, page 7
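As an added example tying the IOC types and the STIX format discussed above to an organization's own data (not code from the thesis, MISP or CRITs), the following Python script reads a constructed STIX 2.1 bundle, extracts the single-comparison indicator patterns it contains and matches them against constructed proxy and endpoint log lines; the bundle, the log lines, the addresses (RFC 5737 documentation ranges), the domain and the hash are all made up.

```python
"""Matching STIX 2.1 indicators against local log records.

Added illustration, not from the thesis nor from any CTI product: a
constructed STIX 2.1 bundle carries indicators of three kinds the text
lists (an IP address, a domain name and a file hash). A small matcher turns
them into "context" by checking them against the organization's own log
lines. Only single equality patterns [object:property = 'value'] are
supported. All values are constructed: RFC 5737 documentation addresses,
reserved example domains and a placeholder hash.
"""
import json
import re
from typing import Dict, List, Tuple

BAD_HASH = "a" * 64  # constructed placeholder SHA-256, not a real sample
STAMP = "2018-11-01T00:00:00.000Z"


def indicator(num: int, name: str, pattern: str) -> dict:
    """Build one constructed STIX 2.1 indicator object."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--0f1e2d3c-0000-4000-8000-{num:012d}",
            "created": STAMP, "modified": STAMP, "valid_from": STAMP,
            "name": name, "pattern_type": "stix", "pattern": pattern}


# Constructed bundle as it might arrive from a sharing platform.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1e2d3c-0000-4000-8000-000000000001",
    "objects": [
        indicator(2, "C2 address (constructed)", "[ipv4-addr:value = '203.0.113.45']"),
        indicator(3, "C2 domain (constructed)", "[domain-name:value = 'malicious.example']"),
        indicator(4, "Dropper hash (constructed)", f"[file:hashes.'SHA-256' = '{BAD_HASH}']"),
        # Compound pattern the simple matcher does not support: skipped, not a crash.
        indicator(5, "Compound (unsupported)",
                  "[ipv4-addr:value = '203.0.113.9' AND ipv4-addr:value = '203.0.113.10']"),
        # Non-indicator object: ignored as well.
        {"type": "malware", "spec_version": "2.1", "created": STAMP, "modified": STAMP,
         "id": "malware--0f1e2d3c-0000-4000-8000-000000000006",
         "name": "Placeholder family", "is_family": True},
    ],
})

# Constructed log lines: proxy and endpoint records in key=value form.
LOG_LINES = [
    "2018-11-07T10:01:02Z proxy src_ip=10.0.0.5 dst_ip=198.51.100.2 domain=intranet.example",
    "2018-11-07T10:02:15Z proxy src_ip=10.0.0.8 dst_ip=203.0.113.45 domain=malicious.example",
    f"2018-11-07T10:03:40Z edr host=ws-17 sha256={BAD_HASH} path=invoice.exe",
    f"2018-11-07T10:04:01Z edr host=ws-03 sha256={'b' * 64} path=report.pdf",
]

# Log field that each supported STIX object path is compared against.
FIELD_MAP = {
    ("ipv4-addr", "value"): "dst_ip",
    ("domain-name", "value"): "domain",
    ("file", "hashes.'SHA-256'"): "sha256",
}

# Exactly one comparison: [object-type:property = 'value']
PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_indicators(bundle_json: str) -> List[Tuple[str, str, str]]:
    """Return (indicator name, log field, expected value) for every supported
    indicator; other objects and unsupported patterns are skipped."""
    found = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue
        log_field = FIELD_MAP.get((m.group(1), m.group(2)))
        if log_field:
            found.append((obj["name"], log_field, m.group(3)))
    return found


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp source k=v k=v ...' into a dict."""
    parts = line.split()
    record = {"ts": parts[0], "source": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        record[key] = value
    return record


def match_logs(bundle_json: str, lines: List[str]) -> List[dict]:
    """One hit per (log line, indicator) pair whose field equals the indicator
    value; each hit keeps the context an analyst needs to triage it."""
    indicators = parse_indicators(bundle_json)
    hits = []
    for index, line in enumerate(lines):
        record = parse_log_line(line)
        for name, log_field, value in indicators:
            if record.get(log_field) == value:
                hits.append({"line": index, "indicator": name, "field": log_field,
                             "value": value, "ts": record["ts"], "source": record["source"]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(STIX_BUNDLE, LOG_LINES):
        print(hit)
```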


Figure 16: Threat Intelligence tools evaluation (partly presented)77

CTI as input for risk management processes

The cyber intelligence process is an important source of information for the risk management processes. As stated earlier, it is difficult to respond adaptively to the external challenges, and the volume of signals and information flows is high. In traditional risk management it was often very difficult to determine the likelihood and impact of risks, as historical data were missing. Nowadays this process remains difficult, due to the enormous amounts of data that need to be processed. The threat intelligence process supports the risk management process with valuable data.

A PRIORI THEME 3: RESILIENCE

With the external environment being turbulent, it can be expected that not everything can be foreseen. Even with good risk management practices in place, unforeseen events or crises will take place. The term resilience is used in the context of organizations that want to prepare for the unknown future. The ultimate goal is to absorb unforeseen events and to have the ability to turn things around and move forward in an effective and efficient way. To do so, organizations will need to grow resilience capabilities.

Definition of Organizational Resilience

The Organizational Resilience (OR) concept initially comes from the field of ecology. In 1973, Holling researched the development of ecological systems and stated: “The resilience view emphasizes domains of attraction and the need for persistence. But extinction is not purely a random event; it results from the interaction of random events with those deterministic forces that define the shape, size, and characteristics of the domain of attraction.”78 The views on organizational resilience have evolved over time and were described by BSI. Initially the focus lay on preventive controls (e.g. risk management, physical barriers, redundancy) in order to ‘bounce back’ from an unforeseen event. Then the human contribution was brought into the equation: people have to notice and respond to threats and situations. Over time the definition shifted towards ‘bounce back and forward’. Performance optimization looks at aspects of continuous improvement. In a later stage the adaptive innovation view was introduced: Organizational Resilience also included creating, inventing and exploring unknown markets and new technologies. Summarizing, the four ways of thinking about Organizational Resilience are: preventative control (defensive consistency), mindful action (defensive flexibility), performance optimization (progressive consistency) and adaptive innovation (progressive flexibility). An organization has to balance these perspectives and manage the tensions between them.

77 Tounsi, & Rais. (2018). A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security, 72, 212-233, page 228

Figure 17: Organizational Resilience Tension Quadrant: blending defensive and progressive thinking

The first worldwide standard on Organizational Resilience, by the British Standards Institution (BS65000, 2014), captures these angles by taking a more philosophical approach and defines OR as the ability to “anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper”.79

Operationalization: Contributing factors

On a non-strategic level, all sorts of (industrial) processes are implemented and executed. Looking at an industrial system, three states of the system are distinguished: normal, upset or catastrophic. When an upset in the system occurs, built-in recovery methods are used to go back to a normal state. However, if not managed accordingly, escalation to a catastrophic state might occur. Dinh states: “A resilient system can prevent such highly undesirable transactions through appropriate design, technology, human and management activities and, well-planned emergency procedures, which can reverse an incipient mishap and eliminate potential hazardous side effects.”80

78 Holling, C. (1973). Resilience and Stability of Ecological Systems. Annual Review of Ecology and Systematics, 4, 1-23, page
79 BS65000, B. S. (2014). Guidance on organizational resilience.

Figure 18: Contributing factors to process resilience81

Design factor: Security by design

Dinh describes multiple design principles in order to ultimately create resilient systems. “In Design aspect, if the system was designed to eliminate or absorb vibration, then the failure is prevented. Also, if the downstream section was designed to withstand the higher pressure or to have a relief valve, the operator may have time to control…”. Figure 20 shows the principles that resilience engineers use in order to recover the system state after an incident happens.

Figure 19: Resilience principles

Detection potential

Detection potential is strongly linked to the process as designed. Systems with built-in abilities to detect and monitor anomalies support monitoring, review and response capabilities.

80 Dinh, Linh T.T., Pasman, Hans, Gao, Xiaodan, & Mannan, M. Sam. (2012). Resilience engineering of industrial processes: Principles and contributing factors. Journal of Loss Prevention in the Process Industries, 25(2), 233-241.
81 Dinh, Linh T.T., Pasman, Hans, Gao, Xiaodan, & Mannan, M. Sam. (2012). Resilience engineering of industrial processes: Principles and contributing factors. Journal of Loss Prevention in the Process Industries, 25(2), 233-241.


As there is not a 100% assurance that critical systems (e.g. gas installations) stay within their

boundaries, additional emergency response is needed.

Emergency response: Crisis Management

A crisis has the potential to endanger lives and may lead to severe reputational damage (when managed badly). Crisis management is a wide field. The leadership assessment framework of Boin, Kuipers and Overdijk82 can be used to evaluate whether the organization is capable of responding effectively to the crisis at hand. In total ten executive tasks are identified: early recognition (recognizing deviations from complex but known processes), sense making (collective understanding of the nature, characteristics, consequences, and potential scope and effects of an evolving threat), making critical decisions, orchestrating vertical and horizontal coordination (establishing cooperation across vertical and horizontal borders), coupling and decoupling (‘islanding’ the problem), meaning making (interpreting the situation and determining a plan to restore a state of normalcy), communication (framing the situation in a key message), rendering accountability (creating transparency on preparations, logs, meeting notes), learning (evaluations) and enhancing resilience (preparatory practices).

Human factor: Knowledge, skills and abilities

Alert reaction and adequate actions are needed when dealing with unforeseen situations. Employees are one of the most important factors while building (and sustaining) resilience capabilities, provided they know exactly what is expected from them and act accordingly. The HR system and the HR policy house should enable them fully. In the context of Organizational Resilience, Lengnick-Hall states: “Desired employee contribution are not focused on a set of specific strategic objectives, but instead are more broadly focused on developing component capabilities (e.g. cognitive, behavioral, and contextual elements that support resilience) and interaction patterns…”.83

Figure 20: Strategic human resource management system in developing a capacity for organizational resilience

82 Arjen Boin, Sanneke Kuipers, & Werner Overdijk. “Leadership in Times of Crisis: A Framework for Assessment” (2013): 79–91
83 Lengnick-Hall, Cynthia A., Beck, Tammy E., & Lengnick-Hall, Mark L. (2011). Developing a capacity for organizational resilience through strategic human resource management. Human Resource Management Review, 21(3), 243-255.


Risk management & resilience hand in hand

The notions of risk management and resilience are complementary to each other. Basically, risk management is used to prevent incidents from happening by implementing all sorts of measures. However, as stated earlier, in today’s world it is almost impossible to know everything and react in time. Resilience capabilities are needed to ensure the organization can absorb unforeseen events that occur (when something was not mitigated in advance). Due to the complexities and cascading effects of the digital age, small details (e.g. the use of an obsolete protocol) can have a huge impact on the total system. The example of TJX, given by Walker, illustrates this. “For TJX, two deficiencies in their security system became apparent: 1) the company had not updated its wireless system, and 2) the company continued to transmit and store data in an outdated approach… The organization accepted an operational risk, assuming that its system would not be compromised. Although their assessment that the probability of a hack might be quite small, they also implicitly assumed that the firm could detect or react to such a hack before much damage was experienced. This was incorrect. The movement to digital and electronic platforms has increased the severity of operational risk. When things go wrong, the damages can and do have greater severity. It is a reminder that operational risks are more quantum in nature than incremental.”84 The story above also illustrates that risk management processes have become more intense and complex, as small details can have a big impact and there is a lot of information to deal with.

Link between resilience and adaptability

Resilience and adaptability are related subjects but are not the same. Adaptability focuses on the fit with the external environment and translates signals outside-in, whereas resilience is focused on capabilities and has an inside-out focus.85

A PRIORI THEME 4: SUPPLIER MANAGEMENT

Organizations become more and more interwoven with their digital environment. In modern society it is enormously important to control the security processes across the (often not so transparent) supply chain. It is an enormous challenge to get assurance on security processes that are executed by external parties. When examined in detail, it often turns out that suppliers also use subcontractors. Also, the use of a wide variety of cloud solutions makes it fuzzy where data is stored and how the data is processed.

84 Walker, R. (2013). Winning With Risk Management. Singapore: World Scientific. Retrieved from https://login.ezproxy.leidenuniv.nl:2443/login?URL=http://search.ebscohost.com.ezproxy.leidenuniv.nl:2048/login.aspx?direct=true&db=nlebk&AN=592581&site=ehost-live

85 Lengnick-Hall, C. A., Beck, T. E., & Lengnick-Hall, M. L. (2011). Developing a capacity for organizational resilience through strategic human resource management. Human Resource Management Review, 21(3), 243-255.


Definition of supply chain cyber-resilience

Before diving into the challenges in the cyber supply chain, the definition of supply chain cyber-resilience is given, namely: “the capability of a supply chain to maintain its operational performance when faced with cyber-risk”.86

Identifying the total attack surface

An attack often takes place via the weakest link in a supply chain. The total chain of suppliers can be very long, while each supplier has its own infrastructure, interdependencies and vulnerabilities. An organization needs to know which critical systems it has and who is responsible for them. Data storage and access control are also important aspects. An acquiring organization might have multiple supply chains, each with its own issues. It is a challenge to create a comprehensive overview of how suppliers meet security requirements and ultimately to know the total cyber risk relevant for the total chain of suppliers.

Figure 21: Factors that can impact the ability of an acquirer to

protect its information using a simplified supply chain model

ISO/IEC 27036-1:2014 states: “… a key issue is that, despite a lot of hard work and significant expenditure, the acquirer cannot negotiate, agree, measure, and assess the cybersecurity and associated risks of its suppliers and across a supply chain.”87 The list of 10 factors can be grouped into acquirer-focused factors (1-4) and supply-chain-focused factors (5-10), the last category being outside the acquirer's control.

86 Khan, O., & Estay, D. A. S. (2015). Supply chain cyber-resilience: Creating an agenda for future research. Technology Innovation Management Review, (April), 6-12.

87 Davis, A. (2015). Building cyber-resilience into supply chains. Technology Innovation Management Review, 5(4).


Procurement cycle

The procurement process provides an opportunity for the acquirer to state performance requirements to its suppliers. The protection asked for can consist of encryption methods used while exchanging information or the location where data is stored. The steps of the procurement cycle are shown in Figure 24. Each step is of importance in order to acquire as much assurance as possible. After awarding the contract, the performance of suppliers also needs to be monitored. The outputs of this process are also valuable information for the risk management process.

Figure 22: Integration information into a typical procurement cycle88

Risk Management scope extension

As stated earlier, the cyber realm brings high-level and trans-boundary connectivity. Organizations potentially have the whole world at their digital feet. Unfortunately, criminals and other threat actors can also abuse these digital techniques. Looking at the supply chain from a risk management perspective, the interconnected nature of the modern world increases the risk exposure. As stated above, all kinds of services are used by an organization. These services are increasingly under only indirect management of the organization. All kinds of contractors and suppliers fulfil a smaller or larger part of the total chain of operations of the organization. These external parts of the supply chain are beyond the organization's control but still remain the responsibility of the organization.

88 Davis, A. (2015). Building cyber-resilience into supply chains. Technology Innovation Management Review, 5(4).


Figure 23: Horizon shift of the risk management process 89

Therefore, getting assurance on the security levels of those external parts is important. Executing monitoring tasks on the supplier, getting assurance on all activities done externally and explicitly testing security requirements take considerable effort. All steps of the procurement cycle ask for specific actions. Overall, the scope of risk management has become larger and, due to the indirectness, takes more effort.

89 Picture derived from https://logistik-aktuell.com/2017/10/22/transparent-supply-chains/


PART IV – QUALITATIVE INTERVIEWS

Specific traits of the cyber realm

Risk management developments

Performance of current RM practices


INTERVIEWS

In the previous part, the outcomes of the literature review were presented. In this part of the paper the findings from the fifteen interviews are presented. In order to give experts maximum space to bring in their personal views on the changing demands and developments within the risk management field, the interviews were semi-structured and consisted of open-ended, non-leading questions and had a specific focus on personal experiences. In the Appendix the list of participants and their experiences in the different sectors is provided.

CYBER REALM TRAITS

Figure 24: Cyber realm traits overview

During the interviews multiple traits were mentioned. The cyber realm traits that were mentioned more than once are presented in Figure 24. The traits are shown on the X-axis and the number of interviews in which the trait was mentioned is presented on the Y-axis. Each interview is represented by its own color. Risk exposure, for example, was mentioned thirteen out of fifteen times. The digitalization of society enables all kinds of new business opportunities. Rapid development & new technologies were mentioned eight times in eight different interviews. Due to the high connectivity and the trans-boundary aspect of the internet, the whole world is potentially standing at the doorstep of an organization. Products and services via all kinds of (mobile) devices are offered in order to satisfy customer needs, and direct interaction with customers creates a more transparent view on their demands. However, there is also a downside to these business opportunities. Risk exposure was mentioned most during the interviews.

This trait came up twenty five times during thirteen different interviews. New (and increasingly advanced) threats were named as a direct result of the introduction of cyber. Criminals and other threat actors from all around the world can also show up at the same doorstep of the organization. In addition, the cyber realm was often illustrated by the words “Blackbox” or “Intangible”. The interconnectedness, as well as the many different suppliers involved in the total supply chain, makes it difficult to oversee the total chain and the risks that are connected to its different links. The trait “Blackbox, intangible” was mentioned fourteen times in eight different interviews and is ranked third in the top 3 of answers. Looking at the saturation of the data, it can be stated that after six interviews 100% saturation was achieved.

A-PRIORI THEME: ADAPTABILITY

As presented in the literature review, adaptability is “the ability to fit more particularly for existence under the conditions of its changing environment.”90 The traits of the digital environment, as described above, have led to changes and have challenged organizations in their modus operandi. Figure 25 provides an overview of the aspects mentioned. The top five are discussed explicitly below.

Figure 25: Adaptability top of mind

Additional risk governance (new roles) for cyber risks

Figure 25 shows that the interviewees indicated that, in order to manage cyber risks, the governance of the organization was extended. New coordinating roles (e.g. the Chief Information Security Officer), new departments (e.g. Security Operation Centres) as well as specific committees were initiated to coordinate and monitor cyber risks. This was mentioned twenty three times in eleven interviews. In addition, (integrated) information security or cyber frameworks were introduced and new cyber-specific processes were initiated. In Interview 5 JG stated: “Within the government we work with the Baseline Informatiebeveiliging Rijk (BIR), a framework based on ISO”. In contrast, in interview 12 TI illustrated that in the Healthcare sector it is not common practice to create dedicated roles. In this sector, the new roles and tasks were initiated but were added to existing profiles. The volatility of the external environment asks for solid risk management practices.

90 Chakravarthy, B. S. (1982). Adaptation: A promising metaphor for strategic management. Academy of Management Review, 7(1), 35-44.

Allocation of resources & building HR capabilities

During the interviews, it became clear that the maturity level of risk management in the different organizations varies. The full spectrum from extremely high to extremely low was covered. In multiple interviews several strategic projects were mentioned that aim to enhance the maturity of (cyber) risk management processes. Interview 8 with RM illustrates this with the quote: "we have just started a project on Information security (and we include cyber in that) in order to become up to standard." The new cyber tasks also require other capabilities within the organization. In 80% of the interviews it was mentioned that there were multiple HR challenges due to the digital times. Knowledge on cyber and cyber security, as well as general IT knowledge, were mentioned as points of attention. Both the workforce within the total organization and the board were expected to have at least “some” notion of the subjects in order to support their actions and decisions. In addition, hiring and retaining highly specialized and certified personnel with expertise in information security and cyber remains hard due to scarcity. In interview 4 WW stated: "Good qualified people, who can work with the data (making correlations & use cases), are needed. Certainly while executing threat hunting, specific skills are needed. And these people are scarce and expensive."

Create responsiveness

Creating responsiveness, realizing a shorter Time To Market (TTM) and the use of Agile and DevOps methodologies were mentioned eleven times during twelve of the fifteen interviews. The digital environment provides endless possibilities but also endless competition. New business opportunities based on digital technologies were mentioned during the interviews. As stated in the literature review, a continuously changing environment asks for a pro-active strategy. It takes significant effort to keep “aligned” with the external environment.


Risk based approach

In addition to new cyber roles and the introduction of a cyber-specific framework, it became clear that organizations responded to cyber by changing their risk strategy. Due to the nature of cyber (trans-boundary, interconnectedness, rapid changes), it became impossible to secure everything at the highest level. This would also be destructive of capital. Therefore a more risk-based approach was taken. In 53% of the interviews it was stated that organizations focus on their “gold” or “crown jewels” (e.g. secret information like formulas) and take very specific measures in order to create a high level of security. Less confidential elements are secured at a lower level using more basic measures. In addition, it is important to mention that all cyber security measures need to “fit” with the rest of the organization. Depending on the business model, type of employees, existing IT infrastructure and other factors, the cyber risks need to be evaluated in combination with other risks. An integrated approach was mentioned in the interviews. However, it was also made clear that this is still “under construction”. In interview 5 EW stated that it was important to look at information security risks, cyber risks, IT risks and others in an integral way.

RM needs to be more adaptive, cycle time shorter

The risk management process itself remained the same. However, due to the complexity and intangible nature of the cyber realm, it is difficult to keep a comprehensive view on all cyber risks and to focus on the top risks. Rapid changes in the external environment also continuously influence the lifecycle of frameworks and work methods. The risk management process cycle (from context determination up to monitoring & review) has become shorter. In Interview 13 AM stated that “many different attention areas influence each other (mobile, file sharing, user interfaces) … and all developments need to remain aligned”. Response times to developments in the outside world have become shorter.

Multidisciplinary teamwork and information sharing needed

Last but not least, it was mentioned that managing risks in this realm asks for collaboration in multidisciplinary teams (IT and business). Determining the business impact when certain “threat scenarios” occur requires an understanding of many different areas. This also asks for an adequate level of communication skills. As stated earlier, the cyber realm is complex and overseeing the impact of certain activities is difficult. To build a solid overview of the impact of certain cyber activities, disciplines from the whole organization need to share information and work together intensively as a team. The different IT disciplines (e.g. IT technical administrators, IT network specialists), the more business-oriented disciplines (e.g. business unit managers) as well as supportive departments (e.g. security specialists, legal counsellors) need to understand the different perspectives of the group and together form an idea of the (potential) impact of cyber events. Illustrative is the comment of DE during interview 11 that security is a multi-mastery field where multiple disciplines are needed.

A-PRIORI THEME: CYBER INTELLIGENCE

In the section above, the external context of the organization and the strategic reactions of organizations were briefly discussed. As stated above, the cyber realm asks for a solid process for managing cyber risks due to its potentially large impact on the risk profile of the organization. The new departments and functions (e.g. the Chief Information Security Officer) manage newly initiated processes in order to identify, detect and also monitor cyber risks. This involves identification of new threats and vulnerabilities, monitoring network traffic as well as hunting for threats within the organization. The high volume of changes as well as the (often insufficient, often untargeted) information flows on specified Indicators of Compromise (IoCs) make it difficult to keep the overview as well as to respond pro-actively. In twelve out of fifteen interviews these processes were mentioned. This was illustrated in Interview 1, where FE mentioned that specific cyber processes (e.g. threat management, vulnerability management) were identified. The rationale of these comments was that increasing the performance of these processes (where they exist at all) is needed. The comment of MK in interview 10 might be pessimistic in its percentage but indicates the general tenor on the maturity level of these skills. He stated: "I think that 70% of the companies have no clue what the actual risks are when someone explicitly targets the company in order to penetrate it or wants to generate damage." The need for Cyber Intelligence processes was mentioned twenty three times in eleven out of fifteen interviews.

Pro-active information gathering on cyber activities

In the interviews it became clear that identification, detection as well as monitoring and response activities were far from mature and that CTI processes were needed in order to provide valuable information for the entire risk management process. Nineteen times it was mentioned as a development aspect. Due to the risk exposure and constantly evolving attack patterns, a continuous “state of alert” is needed. As it is seen as impossible to secure everything, response capabilities are just as important. CTI information flows help with “establishing context”, “identifying risks” and “assessing risks” up to “monitoring & review”. In interview 14, for example, IA brought forward the shift from prevention towards more detection and response activities. The necessity of efficiently and effectively processing information on the changes in the external environment was mentioned twenty four times during the interviews.


A-PRIORI THEME: RESILIENCE

After looking at the adaptability of organizations from an outside-in perspective, as well as at the process needed to handle all signals from the digital realm, the inside-out lens is now applied. In the literature review the term resilience was described: initially the focus lay on preventive controls (e.g. risk management, physical barriers, redundancy) in order to ‘bounce back’ from an unforeseen event. In the digital realm, human interaction is one of the most specific traits mentioned. People are using technology every day. Therefore, the human contribution was brought into the equation. People have to notice and respond to threats and situations. Over time the definition shifted towards ‘bounce back and forward’. The resilience aspects mentioned in the literature review were also highlighted during the interviews.

Figure 26 : Resilience

Awareness

In Figure 26 the main answers related to resilience are presented. As stated earlier, one of the traits of the cyber realm is human interaction. People use technology via all sorts of (mobile) devices. In the cyber realm little errors can ultimately lead to high impact. An end user might download a malicious file or might respond to a mail that asks for entering usernames and passwords. With the acquired information an attacker can then take its attack further. This example illustrates the importance of awareness. Adequate behaviour by all individuals within the organization is essential. In interview 15 MBU states: “awareness is needed for all. No exceptions. Awareness campaigns for targeted audiences with focus on work situations. At board level and work floor…. Repetition is needed… Gamification can possibly help as well.” This aspect of resilience was mentioned by the experts twenty times in twelve different interviews.

Crisis management

Crisis management and rapid response capabilities were also flagged as an important resilience aspect. Due to the number of threats and vulnerabilities, as well as the fact that parts of the supply chain are under indirect management of the organization, the experts state that it is basically not possible to secure everything. Therefore, capabilities to contain and control the situation when a hack occurs have become important. Crisis management structures and escalation mechanisms need to be in place. In Interview 3 RB stated that “Emergency Response Services are more often asked for in addition to monitoring services”. New roles, e.g. that of the Chief Information Security Officer (CISO) or Manager of a Security Operations Centre (SOC), were identified earlier in the section on adaptability. The officials responsible for monitoring cyber often have a dominant role when responding to a security breach or other incidents. Because security incidents have a specific character, the process is similar to that for other incidents, but they are often reviewed and managed by different (specific cyber) officials. This was for example mentioned in interview 15 by MBU. Crisis management and rapid response were mentioned twenty times in nine out of fifteen interviews.

Security by design

Security by design was also flagged as an important resilience aspect. In interview 11 DE stated: “IT developments have been functionally driven for the last 30 years. To catch up with security asks for investments.” In addition, explicit examples were given. In interview 9 AN gave the example: “It still happens that after programming SQL injections are possible. Of course that's stupid.” And in interview 5 EW stated that there is: "more attention for quality aspects of software in relation to cyber. More requirements via pen testing and code reviews".
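The SQL injection example from interview 9 and the code-review requirement from interview 5 can be made concrete. The Python snippet below is an added illustration, not code from the thesis or from any interviewee's organization: it places the defect (query text assembled from user input) next to the parameterized form that a code review would ask for, and adds a small AST-based review helper that flags SQL statements built with f-strings, %-formatting or concatenation in Python source. The in-memory table, the user names, the odd test input and the source sample are all constructed for the demonstration.

```python
import ast
import sqlite3


# Constructed in-memory user table for the demonstration (not data from the thesis).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect: user input is pasted into the SQL text, so input
    containing quote characters changes the structure of the query."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The hardened form: the driver binds the value as data; the
    query structure is fixed and cannot be altered by the input."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed test input with an embedded quote, the kind of value a code
# review or pen test uses to show that the query structure is controllable.
ODD_INPUT = "' OR '1'='1"


def demo():
    """Run both forms against the same input and return the rows each one returns."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_odd_input": lookup_vulnerable(conn, ODD_INPUT),        # every row leaks
        "parameterized_odd_input": lookup_parameterized(conn, ODD_INPUT),  # no such user
    }


SQL_KEYWORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


def find_string_built_sql(source):
    """Code-review helper: return the line numbers where an SQL statement is
    assembled with an f-string, %-formatting or + concatenation.
    A heuristic for reviewers, not a complete static analysis."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.JoinedStr):
            text = "".join(v.value for v in node.values if isinstance(v, ast.Constant))
        elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
            left = node.left
            text = left.value if isinstance(left, ast.Constant) and isinstance(left.value, str) else ""
        else:
            continue
        if any(k in text.upper() for k in SQL_KEYWORDS):
            hits.append(node.lineno)
    return sorted(set(hits))


# Constructed source sample for the review helper: line 3 builds SQL from input.
SAMPLE_SOURCE = '''
def bad(conn, name):
    return conn.execute(f"SELECT role FROM users WHERE username = '{name}'")

def good(conn, name):
    return conn.execute("SELECT role FROM users WHERE username = ?", (name,))
'''


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
    print("string-built SQL at lines:", find_string_built_sql(SAMPLE_SOURCE))
```

Running the block shows the point EW makes about code reviews: the vulnerable lookup returns all three users for the odd input, the parameterized lookup returns nothing, and the review helper points at line 3 of the sample source, the only place where the statement text depends on user input.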

Outsourcing as mitigation measure

However, there was also a different signal given. In three interviews it was stated that, for companies that struggle to get their security and business continuity in order, the digital services offered by third parties could also provide a solution.

Mitigation focus points

In reaction to the cyber realm traits, the focus on specific types of controls has increased. Employees at all layers of the organization use computers or other devices while executing their tasks. Due to the interaction of humans with the cyber realm, they play a central role in controlling potential problems. Therefore the need for more focus on soft controls (e.g. repetitive awareness campaigns with targeted audiences) was brought forward. In addition, digital products and services always consist of (some level of) program code. This code can expose the organization to all kinds of risks due to programming errors. Every organization uses digital technologies, and the use of secure software is an important contributing factor to resilience. Therefore a focus on security by design was also mentioned. During the interviews the links between the IT domain and Operational Technology (OT) were also mentioned as a focus point. Via IT links it can be possible to access the OT platforms if the separated architectures are connected in an insecure way. In Interview 15 MBU gave the example of a reckless action by a supplier, which made a remote connection in order to execute maintenance activities. This also illustrates that incidents will happen. Despite the measures taken, adequate monitoring of a situation and the ability to respond adequately is extremely important. Adequate escalation mechanisms, clear responsibilities as well as sufficient training on different cyberattack scenarios are ways of mitigating operational risks. These kinds of controls are also more on the radar.

Intensifying monitoring & review including reporting

Due to the nature of the cyber realm, continuous monitoring & review of cyber risks is needed. The risk management process needs to be executed more quickly and in more detail. Developments in the field need to be taken into account when re-evaluating the risk exposure due to cyber risks. Reporting on the top 10 risks (at board level) is not sufficient for monitoring at the operational level. At the operational level daily reporting (e.g. on threats, vulnerabilities) is needed in order to respond actively to changes in the external environment as well as to newly launched business opportunities. Signals from the CI processes might also trigger the re-evaluation of the risk profiles. In addition, cyber risks might also influence or be influenced by other risk categories (e.g. physical safety risks) and also need to be assessed integrally on a periodic basis.

Supportive tooling

To combine the high volume of information and in order to support “ad hoc” information requests, supportive tooling was also mentioned as an enabling factor. At this moment, these tools are not yet seen as optimally supportive because they are laborious to use.

A-PRIORI THEME: SUPPLY CHAIN MANAGEMENT

As stated earlier, the supply chain is an important point of entry for cyberattacks. Unfortunately a large part of this chain is outside the organization itself. This makes it essential for organizations to (indirectly) manage and monitor the chain in order to enforce control. The different elements of the procurement cycle, as stated in the literature review, were also mentioned during the interviews. Requirements (e.g. NDA, screening, location of data storage as well as right to audit) for contracts were mentioned as an important element of control. The importance of involving security during the procurement cycle was recognized. It was also stated several times that, once a contract is signed, monitoring afterwards is needed. In general the tenor of the comments was that supply chain management has become more important but has not yet reached its potential. Thirty five times (parts of) the procurement cycle were explicitly mentioned in ten out of fifteen interviews. For example, JVK made the general comment (during interview 6) that contract and supplier management is an important mechanism to manage risks in the chain. In interview 8 RM mentioned that contract clauses, a service level agreement and supportive audit reports for assurance are needed. In interview 2 MB brought forward detailed requirements such as “location of data storage” or “right to audit” as important contract clauses. Last but not least, two different strategies for monitoring were discussed during the interviews. On the one hand the comply strategy, where an organization imposes its own frameworks on its supplier organizations. On the other hand the trust strategy, where an organization trusts its suppliers to have their own checks and balances in order. This does not mean that there is no monitoring, but suppliers have more freedom in the way they control their processes. These two strategies were for example mentioned by WW in interview 4.

Scope extension with external suppliers

As stated earlier, the supply chains of organizations need to be managed indirectly. Organizations potentially have the whole world at their digital feet via the digital supply chain, but it also provides criminals with numerous entry points for an attack. The importance of these activities was made clear during the interviews. The subject was mentioned eighteen times during ten interviews. In Interview 2 MB stated: “security has to "secure" things beyond its control (e.g. at cloud suppliers, network provider) … and need to put pressure on relation management, contract and supply management”. To ensure the right levels of cyber security, contracts need to contain the right requirements, and monitoring and review of supplier performance also needs to be done. Getting a sufficient level of assurance from these parties takes time. The risk management workload therefore increases significantly.

Summarizing specific RM modus operandi aspects

During the interviews it became clear that the maturity levels on all the aspects mentioned above varied enormously across the organizations discussed. Due to the different types of organizations a straightforward comparison is not possible. However, several specific modus operandi points when managing cyber risks were pointed out. Figure 27 provides an overview of the aspects that needed tweaking or were specifically initiated due to the characteristics of the cyber realm. Due to the uncertainty and complexity in the external environment, experts state that a pro-active response is needed. Secondly, the extension of the scope by adding the suppliers in the chain to the risk management scope was top of mind. The specific traits of the cyber domain also lead to different mitigation treatments. The characteristic of human interaction makes mitigation by awareness a focus point. In 100% of the interviews the importance of awareness was brought forward. Only in 6% of the interviews was it indicated that the awareness level within the organization was high.


In addition, security by design was mentioned as a focus point. The links between the IT networks and the OT systems are also an important attention point. The domain of Programmable Logic Controllers and other physical systems on the one hand and the IT domain on the other hand slowly grow towards each other, for example due to added remote control (IT) functionalities. These links ultimately introduce IT risks within the OT domain. In Interview 15 MBU stated: “historically the OT systems were built layer by layer. The knowledge of the systems is low, which forms a vulnerability… Via IT systems the OT systems can be accessed. Even though the networks are physically separated. Often there are unknown links.” Legacy systems are an additional attention point. One of the reasons mentioned is the complexity of these systems in comparison to modern solutions.

Figure 27: Specific modus operandi points when managing cyber

The interviewees indicated that response times during the risk management process need to be shorter and that work approaches are tuned regularly (e.g. due to the introduction of new innovations). In addition, a more risk-based approach is appropriate due to the fact that it is not possible to secure everything and the external environment is continuously changing. Frameworks provide a basic level of “control” for the total organization. However, additional measures should primarily be targeted at mitigating risks related to the critical assets (also called crown jewels) within the organization. In addition, the intensification of monitoring and reviewing risks was top of mind. Continuous changes in the external environment as well as new business initiatives ask for more frequent and detailed monitoring and adjustment of risk profiles. Last but not least, it was mentioned that, due to the fact that risk management activities have increased, enhancement of supportive tooling is also a point of attention.


PART V - ANALYSIS

In this part the concepts presented in the literature review (Part III) and the outcomes of the interviews with several specialists in the field (Part IV) are brought together.

Influence of the cyber realm on the organization and risk management

As stated, the cyber realm is described as a realm that brings all kinds of specific traits. It brings uncertainty and risk exposure due to its complex, intangible and trans-boundary nature. In modern society the cyber realm has become an indispensable feature, as organizations, and people more generally, use all kinds of systems intensively.

In both Part III and Part IV it was shown that the cyber realm creates all kinds of challenges for organizations. The volatility of the environment makes organizations change their modus operandi and, consequently, risk management practices change as well. Risk management is fully interwoven with the organization and forms a backbone for all decision-making activities in the organization. As the organization moves from “A” to “B” while determining which steps to take next (on a strategic, tactical and operational level), the risk management process has to stay aligned and fully support the “organizational configuration”. In figure 28 the author combined the a-priori themes with the identified specific modus operandi points for risk management.

Figure 28: Overview Risk Management changes (E. Meines, 2019)


Two a-priori themes are named explicitly in figure 28, namely Adaptability (outside-in focus) and Resilience (inside-out focus). The a-priori theme Cyber Intelligence is a specific process that enables an organization to be adaptive by collecting valuable signals from the outside world. Therefore this a-priori theme was fused with adaptability. It can be positioned at the top of the yellow part, where we find the attention point on detection and monitoring (number 4). The a-priori theme supply chain management describes a specific process needed to (indirectly) control cyber risks on the outside perimeter of the organization. It can be positioned at the bottom of the green part, where we find the attention point on managing the supply chain (number 9). As the end goal of this process is to influence the resilience capabilities of the internal organization, this theme has been fused with the a-priori theme resilience. The suggested changes in the modus operandi of risk management are positioned on top of the a-priori themes, indicating how they are linked to the “organizational configuration”.

Summarizing

Looking at the risk management process, all steps have remained the same. The basis of traditional risk management practices has not changed. However, cyber risks were added to the risk portfolio and have to be managed in order to keep the organization within tolerable risk levels. The specific nature of the cyber realm has put the performance of the risk management process under pressure. In total nine specific aspects of risk management practices when dealing with cyber were brought forward:

Specific modus operandi when managing cyber risks:

1: Cyber risks added to the scope of the risk management process

2: Risk-based approach

3: Shorter cycle time

4: Pro-active information gathering on cyber activities

5: Multidisciplinary information sharing and teamwork needed

6: Mitigation focus

7: Intensifying monitoring & review, including reporting

8: Supportive tooling

9: Extension of the scope of “monitoring & review” with external suppliers


PART VI - CONCLUSIONS AND FURTHER RECOMMENDATIONS

CONCLUSIONS

Organizations are under constant pressure to deliver relevant products and services to customers, to perform optimally and to meet their strategic goals. The specific traits of the cyber realm discussed in this paper (e.g. trans-boundary, interconnected, complex, intangible) are challenging for an organization to deal with. These traits ultimately result in a more ambiguous, non-transparent reality that in addition changes rapidly. The cyber realm brings all kinds of business opportunities on a high-frequency basis. However, these new opportunities introduce a higher level of uncertainty and increase the overall risk exposure of the organization. In addition, the rapid changes and developments ask for a constant alignment process between the organization and its external environment. These adaptations also influence the demands placed on risk management.

Risk management as strategic enabler

Due to the increase in uncertainty the position of risk management is changing. Risk management activities have become more prominent and are more and more seen as a “strategic enabler” instead of a “cost generator”. Looking at the cyber domain, it has become clear that the IT components within the organization have become of strategic importance and are indispensable for organizations to realize their organizational goals. With this in mind, cyber incidents are taken more seriously and it is recognized that cyber incidents can have a significant impact on the organization's reputation, finances and ultimately its right to exist. Risk management processes are brought to a higher level and integrated with decision-making processes at all levels. Ultimately this leads to a shift from a reactive to a more pro-active risk management approach.

The road toward a more pro-active approach

Traditional risk management practices were well suited for linear, stable environments. Risks were controlled by implementing full-scale frameworks and by following the traditional steps of identifying risks, evaluating risks and then putting suitable mitigation measures in place. Periodically risks were monitored and reviewed and, when needed, additional steps were taken.

The current complex systems stretch these traditional practices. In essence all risk management process elements remain the same. Risks are still identified, assessed and mitigated. However, the specific traits of the realm lead to more risk factors, which bring uncertainties and risk exposure. The complexity of systems, interconnectedness, as well as the lack of (historical) data make the full risk management process, including the estimation of probability and impact, more difficult and intensive. It has become more complex to collect all necessary data and to transform the data properly throughout the risk management process in order to ultimately evaluate risks and estimate exact risk levels.

Rapid changes in the environment ask for constant monitoring and the ability to adapt quickly. Ultimately organizations have to continuously look outside-in and make sure that their “organizational configuration” is still aligned with their strategic goals in order to serve their customers optimally. The cyber realm brings a constant stream of new business opportunities, but also uncertainties.

Due to the constant developments this is not a linear path. Strategic goals push an organization in a certain direction, but within bandwidths. Via a continuous process of adaptation an organization moves step by step, every time adjusting and moving forward towards a new “state of being”. Due to the interwoven nature of risk management this also asks for continuous adaptation and alignment of the risk management process.

Taking into account the risk exposure and the possibility of high-impact incidents, the exploration has shown that the risk management field also focuses more on resilience aspects such as crisis management abilities and employee awareness. This enables an organization to bounce back and move forward again in the event that an unexpected event with high negative impact occurs.

This asks for an adaptive reaction of an organization as well as sufficient resilience capabilities. Risk management, as a supportive beam during decision-making processes, fulfills a central role in evaluating the risks related to different adaptive reaction scenarios and the direction of the internal organization.

Adopted risk-based strategies

In order to achieve their strategic portfolio all organizations use their own combinations of risk-based strategies. However, there were actions that were mentioned multiple times during the interviews and that could possibly become the “work standards for the future”. In general the following can be stated:

Adaptability strategies: In order to make sure that the organization remains focused and aligned, the following strategies were identified.

Transfer/share strategies: Prominently mentioned were transfer/share strategies.

o Supply and demand side disintegration: Looking at the supply chain, the interviews show that multiple organizations have chosen to share or transfer certain risks by supply and demand side disintegration. Concretely this means that organizations decided to focus on core activities/competencies and therefore outsourced other tasks. Because organizations remain accountable for certain activities, some risks can be fully transferred but others can only be shared. From a risk management perspective, monitoring and review tasks intensify as indirect monitoring and review activities increase. In the preparation phase this asks for a solid procurement cycle (from setting requirements up to contract delivery).

Pro-active HR strategy: During the interviews it became clear that a focus on having the right people with the right knowledge and competences is an important enabler. This is a difficult aspect in relation to cyber risk management, as experts in the different knowledge areas are highly scarce. In addition, organizational learning ability is important. Facilitating learning will ultimately build an internal knowledge base and helps to build and retain the right capabilities and skillset within an organization. Ultimately, knowledge of risk management, IT and security is needed in order to enable the organization to adapt in new or developing areas.

Avoidance strategies: These strategies aim to reduce overall probability and were mentioned during the research.

o Supplier exclusion: Certain suppliers were excluded from delivering services/products in order to avoid risks and prevent them from occurring.

Resilience strategies: In order to deal with unexpected surprises several strategies are taken.

Robustness of infrastructure: These strategies aim to reduce probability and impact on specific subjects.

o Standardization: Reducing the complexity of IT landscapes in order to reduce probability (and on some occasions also impact) was mentioned during the interviews.

o Adaptive software development: To keep up with new technological developments, more responsive development techniques (e.g. Agile) are used in order to reduce time to market and the risk of missing business opportunities. However, a critical note was made on the prioritization of security requirements in these development sprints, which could ultimately introduce other risks.

o Security by design: By incorporating security in the design from day one, the risk of insecure features is reduced. This mitigation strategy also supports the risk management processes described in the prior part.

Buildup of response capabilities

Building escalation mechanisms and crisis management capabilities: The ability to quickly get in control of an unexpected event will ultimately lead to quicker containment and will therefore reduce the impact.


Acceptance strategy: Last but not least, examples were provided of risks that were accepted. The more risk-based approach was stated multiple times and indicates that for some (non-critical) areas risk acceptance takes place.

Additional remarkable elements

During the interviews some additional remarkable elements (out of primary scope) were mentioned that are worth noting:

Concerns on systemic risks / concentration risks: Concerns about systemic risks on a national or global level were brought forward multiple times, specifically the impact of global IT monopolists (e.g. Amazon, Google, Facebook) forming systemic risks, as everyone in the world uses these parties.

Influence of the General Data Protection Regulation (GDPR): During the interviews the implementation of the GDPR, or compliance activities in general, was often mentioned. Privacy risks are often coordinated separately within the organization. Mitigation measures for these risks, however, are often also general security measures. Collaboration with this field is therefore essential, but this is not always the case. On the other hand, it was mentioned that implementing the GDPR has also brought momentum for business cases concerning the implementation of cyber security measures.

Concluding

The position of risk management as well as the maturity level of risk management within organizations are viewed quite differently. It seems that more and more risk management is seen as a strategic enabler and is becoming more integrated in decision processes. This leads to a more pro-active approach with multiple strategies in order to enable organizations to reach their strategic objectives. At the other end of the spectrum there are organizations where risk management practices are still seen as a cost generator. Here more compliance-oriented practices can be identified. The cyber realm seems to stimulate organizations to professionalize risk management practices and bring them to a higher maturity level. Due to the high risk exposure related to the cyber realm and the rapid changes, risk management practices need to be continuously adjusted to remain effective and efficient. This exploration has indicated all kinds of attention points for potentially tweaking the current, and often still traditional, risk management practices towards a more adaptive approach. The author hopes that this paper is food for thought and that it will form a starting point for further discussions on how to modernize risk management practices.


Evaluation of the research

This paper has explored a broad variety of topics related to risk management in a cyber context. The research approach has met the goal it was aiming for. All steps of the research can be repeated and all underlying data are available. During the research a multi-source approach was used, via interviews with experts and through a literature review. Using multiple sources increases reliability and accuracy. However, it needs to be noted that the research contains limited data due to time constraints. The data samples were small and need to be extended in order to make the current outcomes more significant.

Suggestions on further research

The current data samples have shown multiple elements that can be used for further research. These data were partly in scope of this paper and partly out of scope. For example:

Further research on making risk management practices more efficient and effective in modern times

Benchmarking maturity levels of risk management across the different sectors

The development of strategies to manage systemic or concentration risks on a national/global level

The legal/compliance options to “persuade” product and service deliverers to incorporate sufficient security


REFERENCES

Barnum, Sean. “Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX).” MITRE Corporation, 2014, 1–20.

Bertaux, D. (1981). Biography and society: The life history approach in the social sciences (Vol. 23). Sage Publications (CA).

BSI. BS 65000:2014. Guidance on organizational resilience. British Standards Institution, 2014.

Berg, Jan van den, Jacqueline van Zoggel, Mireille Snels, Mark van Leeuwen, Sergei Boeke, Leo van de Koppen, Jan van der Lubbe, Bibi van den Berg, and Tony de Bos. “On (the Emergence of) Cyber Security Science and Its Challenges for Cyber Security Education.” NATO STO/IST-122 Symposium, Tallinn (2014): 1–10. https://www.csacademy.nl/images/MP-IST-122-12-paper-published.pdf.

Böhme, Rainer, and Galina Schwartz. “Modeling Cyber-Insurance: Towards a Unifying Framework.” Workshop on the Economics of Information Security (WEIS), June 2010: 1–36.

Chakravarthy, Balaji S. “Adaptation: A Promising Metaphor for Strategic Management.” Academy of Management Review 7, no. 1 (1982): 35–44. doi:10.5465/amr.1982.4285438.

Crown. “Securing Cyber Resilience in Health and Care: A Progress Update.” October 2018.

Dempsey, M. E. (2013). Joint Intelligence. Joint Publication, 2-0.

Dinh, Linh T.T., Hans Pasman, Xiaodan Gao, and M. Sam Mannan. “Resilience Engineering of Industrial Processes: Principles and Contributing Factors.” Journal of Loss Prevention in the Process Industries 25, no. 2 (2012): 233–41. doi:10.1016/j.jlp.2011.09.003.

Gartner. “Gartner Says 8.4 Billion Connected ‘Things’ Will Be in Use in 2017.” 7 February 2017. https://www.gartner.com/newsroom/id/3598917.

Gosler, J. R., & Von Thaer, L. (2013). Task force report: Resilient military systems and the advanced cyber threat. Washington, DC: Department of Defense, Defense Science Board, 41.

Hoque, Romy, Cesar Liendo, and Andrew L. Chesson. “A Girl Who Sees Dead People.” Journal of Clinical Sleep Medicine 5, no. 3 (2009): 277–79. doi:10.1007/978-1-4419-7133-3.

Holling, C. S. “Resilience and Stability of Ecological Systems.” Annual Review of Ecology and Systematics 4 (1973): 1–23. doi:10.1146/annurev.es.04.110173.000245.

Hussey, David. “<Ansoff Continuing.Pdf>” 392, no. November (1999): 375–92.

NEN. NEN-ISO/IEC 31010:2009. Risk management – Risk assessment techniques. 2012.

NEN. NEN-ISO/IEC 27005:2011. 2014.

ISO/IEC. ISO/IEC 27005:2011 (EN). Information technology – Security techniques – Information security risk management. Switzerland: ISO/IEC, 2011.


ISO. International Organization for Standardization (2009). ISO 31000:2009. Risk Management: Principles and Guidelines. ISO.

Igor Ansoff, H., and Patrick A. Sullivan. “Optimizing Profitability in Turbulent Environments: A Formula for Strategic Success.” Long Range Planning 26, no. 5 (1993): 11–23. doi:10.1016/0024-6301(93)90073-O.

King, N, and C Horrocks. Interviews in Qualitative Research. SAGE Publications, 2010. https://books.google.nl/books?id=Cj1dBAAAQBAJ.

Knowles, William, Daniel Prince, David Hutchison, Jules Ferdinand Pagna Disso, and Kevin Jones. “A Survey of Cyber Security Management in Industrial Control Systems.” International Journal of Critical Infrastructure Protection 9 (2015): 52–80. doi:10.1016/j.ijcip.2015.02.002.

Kosub, Thomas. “Components and Challenges of Integrated Cyber Risk Management.” Zeitschrift Fur Die Gesamte Versicherungswissenschaft 104, no. 5 (2015): 615–34. doi:10.1007/s12297-015-0316-8.

Kure, Halima, Shareeful Islam, and Mohammad Razzaque. “An Integrated Cyber Security Risk Management Approach for a Cyber-Physical System.” Applied Sciences 8, no. 6 (2018): 898. doi:10.3390/app8060898.

Lengnick-Hall, Cynthia A., Tammy E. Beck, and Mark L. Lengnick-Hall. “Developing a Capacity for Organizational Resilience through Strategic Human Resource Management.” Human Resource Management Review 21, no. 3 (2011): 243–55. doi:10.1016/j.hrmr.2010.07.001.

Mambo, Masahiro, and Shahrokh Saeednia. “Signature Schemes Based on the DSA and the Related Atomic Proxy Functions.” IEEE International Symposium on Information Theory - Proceedings, 2003, 138.

McPhee, Chris, Omera Khan, Daniel A. Sepúlveda Estay, Adrian Davis, Hugh Boyes, Lars Jensen, Richard Wilding, Malcolm Wheatley, and Luca Urciuoli. Cyber-Resilience issue (“Supply Chain Cyber-Resilience: Creating an Agenda for Future Research”; “Cyber-Resilience: A Strategic Approach for Supply Chain Management”; “Building Cyber-Resilience into Supply Chains”; “Cybersecurity and Cyber-Resilient Supply Chains”; “Challenges in Maritime Cyber-Resilience”; “Q&A. How Can I Secure My Digital Supply Chain?”). Technology Innovation Management Review, April 2015. www.timreview.ca.

NCSC-NL. “Cybersecuritybeeld Nederland 2018,” 2018, 1–88. https://www.ncsc.nl/actueel/Cybersecuritybeeld+Nederland/cybersecuritybeeld-nederland-2017.html.

National Institute of Standards and Technology (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.

OECD. OECD Science, Technology and Industry Scoreboard 2017: The Digital Transformation (Multilingual Summary). OECD, 2017.

Öǧüt, Hulisi, Srinivasan Raghunathan, and Nirup Menon. “Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self-Protection.” Risk Analysis 31, no. 3 (2011): 497–512. doi:10.1111/j.1539-6924.2010.01478.x.

Qamar, Sara, Zahid Anwar, Mohammad Ashiqur Rahman, Ehab Al-Shaer, and Bei Tseng Chu. “Data-Driven Analytics for Cyber-Threat Intelligence and Information Sharing.” Computers and Security 67 (2017): 35–58. doi:10.1016/j.cose.2017.02.005.

Ramamoorti, Sridhar. “The Institute of Internal Auditors Global.” The Internal Auditor 68, no. 4 (2011): 25.

Refsdal, Atle, Bjørnar Solhaug, and Ketil Stølen. “Cyber-Risk Management.” In Cyber-Risk Management, 33–47. Cham: Springer International Publishing, 2015. doi:10.1007/978-3-319-23570-7_5.

Smith, Denis, and Moira Fischbacher. “The Changing Nature of Risk and Risk Management: The Challenge of Borders, Uncertainty and Resilience.” Risk Management 11, no. 1 (2009): 1–12. doi:10.1057/rm.2009.1.

Stohlman, Frederick, and George Brecher. “Humoral Regulation of Erythropoiesis III. Effect of Exposure to Simulated Altitude.” The Journal of Laboratory and Clinical Medicine 49, no. 6 (1957): 890–95. doi:10.4236/jis.2013.42011.

Taleb, N. N. (2007). The black swan: The impact of the highly improbable (Vol. 2). Random house.

Tendulkar, Rohini. “Cyber-Crime, Securities Markets and Systemic Risk.” CFA Digest 43, no. 4 (2013): 1–59.

Tounsi, Wiem, and Helmi Rais. “A Survey on Technical Threat Intelligence in the Age of Sophisticated Cyber Attacks.” Computers and Security 72 (2018): 212–33. doi:10.1016/j.cose.2017.09.001.

Walker, R., & World Scientific (Firm). (2013). Winning With Risk Management. Singapore: World Scientific. Retrieved from https://login.ezproxy.leidenuniv.nl:2443/login?URL=http://search.ebscohost.com.ezproxy.leidenuniv.nl:2048/login.aspx?direct=true&db=nlebk&AN=592581&site=ehost-live

World Economic Forum. The Global Risks Report 2018, 13th Edition. Geneva: World Economic Forum, 2018. ISBN 978-1-944835-15-6.

Referenced websites

https://cyber.harvard.edu

http://www.cisoplatform.com/profiles/blogs/understanding-difference-between-cyber-security-information

https://criticaluncertainties.com

http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

https://www.computing.co.uk/ctg/news/3020561/maersk-pins-usd300m-cost-on-notpetya-ransomware

https://logistik-aktuell.com/2017/10/22/transparent-supply-chains/


LIST OF FIGURES

Figure 1: Intensity and development speed in ICT-related technologies

Figure 2: Internet as global social & economic platform

Figure 3: Levels of Risk Management

Figure 4: Risk management process from ISO 31000:2009

Figure 5: Schematics of a bow tie diagram

Figure 6: Cyber ecosystem by Chehadé & company 2016

Figure 7: Conceptualization of cyberspace in layers and (cyber) sub-domains

Figure 8: Threat model

Figure 9: Cyber attacks

Figure 10: Cyber security border

Figure 11: Interrelations within the ISO 27k family of standards

Figure 12: A Comprehensive Framework for Strategic Management

Figure 13: Relationship of Data, Information, and Intelligence

Figure 14: Cyber Intelligence Process

Figure 15: Structured Threat Information eXpression (STIXTM) use cases

Figure 16: Threat Intelligence tools evaluation (partly presented)

Figure 17: Organizational Resilience Tension Quadrant: blending defensive and progressive thinking

Figure 18: Contributing factors to process resilience

Figure 19: Resilience principles

Figure 20: Strategic human resource management system in developing a capacity for organizational resilience

Figure 21: Factors that can impact the ability of an acquirer to protect its information using a simplified supply chain model

Figure 22: Integration information into a typical procurement cycle

Figure 23: Horizon shift of the risk management process

Figure 24: Cyber realm traits overview

Figure 25: Adaptability top of mind

Figure 26: Resilience

Figure 27: Specific modus operandi points when managing cyber risks

Figure 28: Overview Risk Management changes

LIST OF TABLES

Table 1: Matching turbulence, aggressiveness and responsiveness

Table 2: Optimum strategic process for each level of turbulence

Table 3: Estimated financial costs of the WannaCry attack at NHS UK


ANNEXES

List of interviewees

Transcripts of interviews (N=15)

Coding overviews of interviews (N=15)