Cyber Security and Risk Management
The security of computer and information systems is a fundamental concern for any organization because nearly all organizations, in the current information age, depend on computer networks and information systems to execute their daily operations. Attacks on computer systems can have detrimental effects on an organization because they can lead to the loss of important information and, worse, the breakdown of the entire organizational system. For this reason, information security measures must be implemented using vigilant approaches in order to control the pervasive effects of cyber threats and vulnerabilities.
There are three elements that must exist for a crime to occur:

• motivation
• capability
• opportunity

This concept is called the crime triangle. With knowledge of the elements within the crime triangle, the risk of a crime being committed can be estimated and preventative measures may be put in place. Motivation, according to Vellani, is created by the actual target of the crime, which is the asset or assets. An asset consists of people, property and information. Vellani states that removing motivation is probably impossible, and therefore the focus of security programs should be reducing the opportunity to commit crime. Vellani suggests that the crime triangle is an easy and effective method of illustrating how crime can be prevented.

Consequence

Consequence is described in the risk management standard as the “outcome of an event affecting objectives”. According to this definition, a consequence can be both positive and negative.

2. What are the needs of the security industry?

To answer that question one must first know what the security industry is. Security is not easily defined and can even be considered to be the national military defence.
Security should constitute an entire facet of the business itself and should be implemented by identifying key performance indicators built around existing business goals and organizational objectives. Risk management is not a static process but a continuous one that has to be constantly revisited and remodeled based on the changing requirements and needs of the organization in question (Brandel, 2007). According to the National Institute of Standards & Technology (NIST), the overall aim of an organization’s risk management framework is to provide an effective means of fulfilling the mission of the organization. This risk management strategy extends beyond the protection of IT assets: it is both a technical and a managerial function of the IT and security departments (Stoneburner, Goguen, & Feringa, 2002). If effective security principles can be modeled to center around business objectives, then organizations will learn to incorporate security as a core component of their corporate culture.
In short, investors may decide not to price such risk even if they are aware of it because they believe that firms with lengthy cyber disclosures are likely to significantly increase investments to address the risk, reducing the probability of future material incidents. Another avenue for future research is to examine the time-series change of firms’ cybersecurity risk disclosures. While the essay demonstrates that such disclosure is informative in a cross-sectional setting, it is possible that the change in a firm’s disclosure from year to year may also convey useful information.
Brandel, M. (2007, October 16). Harland Clarke Rechecks Risk Management.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems. Falls Church, US: National Institute of Standards & Technology. VeriSign.
Brown, S. V., & Tucker, J. W. (2011). Large-sample evidence on firms' year-over-year MD&A modifications. Journal of Accounting Research, 49(2), 309-346.
Benaroch, M., Chernobai, A., & Goldstein, J. (2012). An internal control perspective on the market value consequences of IT operational risk events. International Journal of Accounting Information Systems, 13(4), 357-381.