
A Framework for Enterprise Cybersecurity Risk Management

Chapter in: Advances in Cybersecurity Management

Abstract

Many organizations continue to struggle with the implementation of cybersecurity risk assessment and management programs. Navigating the evolving cybersecurity landscape and trends in technology commercialization requires an understanding of the relational organizational context within which cybersecurity risks are rooted. While several existing cybersecurity risk management frameworks discuss the importance of identifying a context for cyber risks, they provide little guidance on “how” that should be done. Leaning on systems theory, this chapter advances the notion that a business and IT alignment approach can be leveraged to inform and drive subsequent cybersecurity risk management and assessment efforts. We outline a holistic roadmap that incorporates multiple interconnected dimensions as the underpinning of cybersecurity risk identification and mitigation. We introduce a novel framework that identifies practical organizational drivers and priorities to improve cyber resiliency from the organizational perspective.



Author information

Correspondence to Renita Murimi.


Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter


Cite this chapter

Jarjoui, S., Murimi, R. (2021). A Framework for Enterprise Cybersecurity Risk Management. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_8


  • DOI: https://doi.org/10.1007/978-3-030-71381-2_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-71380-5

  • Online ISBN: 978-3-030-71381-2

  • eBook Packages: Computer Science (R0)
