Abstract
Many organizations continue to struggle with the implementation of cybersecurity risk assessment and management programs. Navigating the evolving cybersecurity landscape and trends in technology commercialization requires an understanding of the relational organizational context within which cybersecurity risks are rooted. While several existing cybersecurity risk management frameworks discuss the importance of identifying a context for cyber risks, they provide little guidance on “how” that should be done. Leaning on systems theory, this chapter advances the notion that a business and IT alignment approach can be leveraged to inform and drive subsequent cybersecurity risk management and assessment efforts. We outline a holistic roadmap that incorporates multiple interconnected dimensions as the underpinning of cybersecurity risk identification and mitigation. We introduce a novel framework that identifies practical organizational drivers and priorities to improve cyber resiliency from the organizational perspective.
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
Jarjoui, S., Murimi, R. (2021). A Framework for Enterprise Cybersecurity Risk Management. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_8
DOI: https://doi.org/10.1007/978-3-030-71381-2_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-71380-5
Online ISBN: 978-3-030-71381-2
eBook Packages: Computer Science (R0)