Login or signup to connect with paper authors and to register for specific Author Connect sessions (if available).
Integrating Business Strategy with Cyber-Risk Management
Swati Jain, Arunabha Mukhopadhyay
Cyber risk management requires a holistic approach that aligns steps towards making a firm cyber-resilient with its strategic objectives. At the core of this approach lies the integration of strategic decisions regarding the firm's risk appetite with its risk mitigation budget, which collectively provides a comprehensive defense against cyber threats (Benaroch, 2017). Organizations must establish their tolerance for cyber risk, considering factors such as industry standards, regulatory requirements, and strategic objectives (Mukhopadhyay & Jain, 2024). Accordingly, the top management can decide how much and in which cybersecurity measures to invest while effectively managing the firm's risk exposure. However, the firms face the constraints of risk mitigation budget (Jain & Mukhopadhyay, 2023b, 2023a). Hence, allocating the cyber-security budget effectively to different mitigation methods is necessary (Jain et al., 2023).
Organizations can optimize their cybersecurity investments by focusing on more significant impact and vulnerability areas. The Cyber Kill Chain (CKC) framework offers a systematic approach to understanding and mitigating cyber threats (Lockheed Martin, 2011). It delineates the stages of a cyber-attack, from initial survey to data exfiltration, enabling organizations to anticipate and disrupt attacks at various points along the chain. Each step represents an opportunity for defenders to detect, mitigate, or prevent an attack from progressing further. The first stage of the CKC is reconnaissance, where attackers gather information about their target. By understanding this stage, organizations can focus on securing their publicly available information and monitoring for suspicious activities that could indicate potential attackers probing their systems. The next stages - weaponization, delivery, exploitation, and installation - highlight the methods attackers use to infiltrate systems and establish control. By recognizing these stages, defenders can implement security measures such as email filtering, patch management, and endpoint protection to thwart attacks at various points along the chain. In the final stage of the CKC, the attacker establishes command and control to fulfil malicious objectives such as data exfiltration or system disruption. By understanding these objectives, organizations can prioritize resources to protect critical assets and develop incident response plans to minimize the impact of successful attacks. Overall, the CKC framework provides a structured approach to understand and mitigate cyber threats, allowing organizations to identify areas of vulnerability and allocate resources effectively to defend against evolving cyber threats (Lockheed Martin, 2011).
Moreover, integrating the cybersecurity frameworks and principles fosters a synergistic approach to cyber risk management. COBIT (Control Objectives for Information and Related Technologies) and ISO (International Organization for Standardization) principles provide valuable guidance in establishing effective governance structures, risk management processes, and control mechanisms, ensuring cybersecurity initiatives align with industry best practices and regulatory requirements (Fitzgerald, 2018).
Furthermore, the NIST Cybersecurity Framework provides a structured approach to managing cybersecurity risk, offering a set of guidelines and best practices for organizations of all sizes and sectors. It emphasizes five core functions—identify, protect, detect, respond, and recover—that serve as pillars for building a robust cybersecurity posture (NIST, 2014). By aligning with the NIST framework, organizations can systematically assess their cybersecurity capabilities, identify gaps, and implement targeted improvements to enhance their security posture. Overall, this integrated approach strengthens organizational resilience against cyber-attacks and fosters a culture of proactive risk management and continuous improvement in an increasingly complex and dynamic threat landscape (Chen et al., 2011)
AuthorConnect Sessions
No sessions scheduled yet