Risk Governance and Management in the Real-World

July 2019


When it comes to security, and specifically cybersecurity, experts and scholars alike often make some variation of the statement that the people within an organization can be both its biggest asset and its biggest liability. Such a statement reflects the challenges a cybersecurity expert faces at work: they have to convey to a great many individuals the concept of risk and what constitutes risky behavior. Successful governance means that they have conveyed these concepts effectively. This work examines risk governance and management and proposes original research that asks cybersecurity experts about their practices.

Background

Running cybersecurity for an organization is a challenging and demanding job that requires vigilance and carries great responsibility. While doing the job, the cybersecurity expert has to think about the institution’s finances, goals, reputation, consumer perceptions, good faith, and fears. They spend time staying abreast of the latest tools, technologies, and threats. However, all the time spent in front of the latest journals and industry reports, and all the high-end tools adopted, will accomplish nothing unless strong governance policies and practices are in place that emphasize the concept of risk and how individual actions correlate to risk. Successful risk management governance is vital to protecting both company assets and the sensitive data of consumers. Devos and Van de Ginste (2015) found that when businesses or other institutions implemented a governance framework, they saw a 40% higher return than those that had nothing in place. Consumers want risk management governance for their most sensitive data. An extreme example of what happens when a few people do not perform risk management occurred last year, when the intimate technology company Vibratissimo failed to protect its company data. The data of 50,000 customers, including addresses, was left in plain text, with no one taking protective measures such as encryption (Fox-Brewster, 2018). People felt violated because no one was governing risk well or performing risk management tasks adequately.

Even after implementing governance policies and frameworks, an improvement like the one Devos and Van de Ginste (2015) noted is not guaranteed. Whatever risk governance frameworks or policies are implemented need to reach each end user, which is why studying risk governance and management is essential.

Throughout this work, it might seem as though risk governance and risk management are used interchangeably. They are two different ideas that share a relationship. Put simply, governance is a board of managers devising the rules, and management is the people and tactics used to enforce those rules. Both require and provide leadership, but one does the theory and the other does the practice. To use a military analogy, one leads in the war room and one leads on the battlefield. For things to work, the devising of rules and the enforcing of them in practice need to share a relationship, which is why in this paper they are sometimes spoken of in almost the same breath and almost synonymously. That is not out of laziness or sloppiness: for risk to be mitigated effectively, both strong risk governance and strong risk management need to be in place. The two systems should feed off each other and give each other feedback.

Problem Statement

Problem

Not all risk governance and management is successful or effective. The hard part of implementing governance frameworks and policies is reaching everybody and making sure they understand that the actions they take matter, even the seemingly innocuous ones. Many people do risky things with workplace technology innocently. They do them without thought or knowledge, or because the risky action lets them do a job quicker or better. Maybe they want to connect their phone via USB to a computer to charge it because the battery is low, or they want to show off some photos they took on vacation. Many people would not think anything of such an action, but it can have massive security ramifications, such as introducing malware to the network. Another way people innocently put the network at risk is shadow IT. Many people adopt shadow IT with the justification of saving time, or in the belief that the device or program helps them do a better job. Unsecured shadow IT carries enormous risk: the technology may have vulnerabilities, it may not be backed up properly, and it could cause a breach or data loss.

The crux of the problem is determining the most effective ways and methods to govern risk management. How do we get through to people and let them know that the activities above pose danger? Any workplace or institution has people from all walks of life, with different levels of formal education and different ways of learning and interpreting information. However, Wachinger et al. (2013) found that it is not so much cultural or individual factors that create the concept of risk perception. Instead, risk perception is shaped by experiences and by a mediator such as an IT security professional. So it is crucial to connect with end users. Dialogues, conversations, and meetings are critical to risk governance because they convey to end users that their actions matter and have an impact on security, the organization, and its goals. When people do not have these moments, they will not understand what comprises risk, and when that is the case, chaos quietly lurks around the corner.

Impact

The impacts of not having moments to connect with end users and work out the best ways to explain risk to them are financial and reputational damage. According to IBM’s (2019) most recent study on data breaches, the worldwide average data breach costs USD 3.92 million. The average breach lifecycle was 279 days, with the average data breach impacting 25,575 records. The United States has the most expensive data breaches: the national average is USD 8.19 million, and the costliest industry in which to experience a breach is healthcare, where a breach typically costs USD 6.45 million. These are staggering numbers. The average data breach also affects perceptions of the company, and consumers can be left feeling violated and scared about identity theft. The Ponemon Institute (2014) found that 79% of people expressed concern about becoming an identity theft victim after a breach, with responses ranging from somewhat concerned to extremely concerned. A breach or incident is likely to change the way people feel about the company, which means that perceptions of its reputation and trustworthiness have been damaged. A company’s finances, reputation, consumer perception, and trust are the biggest casualties of a breach resulting from ineffective risk management.

Employees are also affected by ineffective risk management. Not knowing which of their actions are risky, combined with ineffective explanations of policy and procedure, makes people feel that they are set up for failure and walking into a situation they do not know how to navigate. Inadequate explanations of how to navigate a situation can make people feel like failures and feel unimportant. Those are dreadful feelings that make people hate their jobs. No one wants to walk around feeling small and unimportant; it makes people feel that their roles, performance, and value are worth nothing. When people hate their work environment, they stop caring, get sloppy in their performance, and spend their evenings online filling out application after application looking to get out. Sloppiness may mean more risky behavior. Those with a streak for sabotage may intentionally create a cyber incident. When the employee parts ways with the company, the employer has to go through the process of replacing the person who left. Each time this happens, it is a drain on assets, because hiring and training a new person takes money and time.

Why the Problem Exists

Inadequate planning and poor organization by IT security professionals or, more generally, by the organization are often the reason for deficient understandings of risk. People end up confused when the professionals within the organization fail to develop strong, well-organized governance programs. The outcome of ineffective governance is chaos, because people do not know their roles or what constitutes risky behavior. This happens because structure is not present and the organization has failed to designate leadership. The MITRE Corporation (2016) found that successful and effective governance happens when people know the desired outcomes, when people know how decisions should be made and monitored, and, most importantly, when there is a chain of command whose members know their responsibilities and what they are accountable for. When people are not aware of what constitutes a risk or what constitutes policy and procedure, either the chain of command is not working or someone is not performing their job. Perhaps the entire governance policy was poorly designed and never thoroughly tested to see whether it worked. Designing a good governance policy takes time, research, testing with all stakeholders, and writing in concise, simple language. The written portion needs concise and simple language so people can reference it quickly to navigate a situation without feeling overwhelmed or feeling that it is too hard. The policy and its documents simply need to tell people how the desired behaviors align with company goals. Employees need to know why what they are doing matters; when they have a simple explanation, it becomes easy to incorporate into the work routine. However, even with a governance plan and policy in place, regular revisions are necessary. A situation in which people do not understand their roles or actions may arise because what is in place is no longer working or is out of date. Regular monitoring needs to lead to regular revisions, which is what makes good governance a reality.

Another real-world reason people do not understand risk is that some places have established strong management, but that management sends mixed messages about what is acceptable. The reason could be differing interpretations of a policy or simply managerial preferences. IT governance teams should work hard to send a united message on what constitutes a risk and on what policy and procedure require. It is horrible for an employee to show up to work on Monday and have manager Y state one thing, and then on Tuesday have manager Z state something different. Inconsistent, mixed messages leave employees feeling lost at work, as though they are just muddling through the day. The employee ends up trying to remember which actions work in front of manager Y and which actions fly in front of manager Z. They never really learn the policy.

Goal

There have been many pieces of research that study governing risk, and it is also a common subject in trade publications. Everyone has a take, and the thing is that what is written does not always translate very well into real-world practice. This research aims to find out how successful and effective governance works in real-world practice. What types of common policies are in place, and what are IT professionals doing in practice to govern risk? Maybe they rely on regular meetings. Maybe they email briefings. It is also important to know what they have tried, failed at, and learned while governing risk. Not all approaches work, and getting insights from a seasoned professional on what has failed or needed to be amended is vital, so that others in the profession can learn from the findings. Sometimes more can be learned from failures than from successes, especially for an aspiring IT person who does not have a great deal of first-hand experience to draw upon.

This research will be measured by seeing how well the real-world answers given match or fail to match journal articles and trade publications. If answers are vastly different, research subjects will be asked to elaborate on why, and numbers related to cyber incidents will be collected. Data like that collected by IBM (2019), such as how many cyber incidents they have dealt with and the average number of days between incidents, will lend credence and credibility to the respondents’ answers.

Relevance and Significance

Risk governance needs to be studied more because it will always be relevant and significant to protecting company assets, and it should help grow them. Cybercriminals are always growing more sophisticated, and companies and institutions need risk governance to stay in operation. The foundation of all the time, research, and ideas that a company or institution develops can shatter or be greatly damaged without risk governance. Organizations also need risk governance to cultivate a trustworthy image and to show that they care about and respect the personal data that others share with them. Having defined risk governance and management means that everyone knows what risk is and knows their responsibilities. When people know what constitutes policy and procedure, they know what is expected of them and are less likely to make a mistake. This should reduce turnover, which in turn reduces risk, since former employees can become an outsider threat.

The outcome of this research is to create a work about and for the field. The subject may seem like a very ground-level or novice focus for IT and cybersecurity research, but in all honesty, I am a novice. Hearing the voices and collected knowledge of seasoned professionals gives the novice tried and true experiences to draw upon. Such a work is also good for the seasoned professional who is running up against something they have not seen before, or who simply would like to see a consensus of thought from the field to shape their own decision making. Whether through the eyes of the novice or the seasoned expert, seeing what has and has not worked in terms of risk management helps our job performance and protects the vital assets of the organization that employs us. Ultimately, the research proposed in this work is intended to be a conversation with, and a reflection of, the people in the field and their discernments about risk governance and management, one that will inform those researching and creating policies. The intent is to inform and assist IT professionals in reducing data breaches and cyber incidents and to provide more ways of reaching end users when it comes to risk management.

Literature Review

In my approach to understanding the academic findings and conversations that will inform my study, I created the following categories: academic journals about risk governance, academic journals about risk management, trade publications and reputable websites on risk governance, and trade publications and reputable websites on risk management.

Academic Journals About Risk Governance

The first work examined was Wachinger et al. (2013), who wrote “The Risk Perception Paradox—Implications for Governance and Communication of Natural Hazards.” The article reviews the literature for insights on risk perception. Although not specifically about IT or cybersecurity risks, its findings inspired the study proposed in this work. Wachinger et al. (2013) found that personal experiences are the basis of risk perception. Cultural or individual factors can amplify or minimize those perceptions and act as a link between how a risk is perceived and how people act on it. This intriguing read gives credence to IT people using emulators or acting out scenarios to connect with end users: the activities give them a personal experience to draw upon in real-world situations.

Srikandini et al. (2018) wrote “Disaster Risk Governance in Indonesia and Myanmar: The Practice of Co-Governance.” This work examined the practice of co-governance in disaster risk reduction. The focus was on Indonesia and Myanmar because both nations are prone to natural disasters. One would think that having more actors involved could help reduce risk, as more actors mean more hands and minds to push away and mitigate risk. This was not the case: both places had numerous stakeholders involved in disaster risk governance who competed with one another, and the ability to mitigate risk was negatively affected. This was another risk governance article that was not about IT or cybersecurity but could have implications for them. It would be interesting to ask technology professionals whether they have ever operated within a co-governance structure and whether the results were along the lines of Srikandini et al. (2018), unsuccessful due to competition, or whether, for some reason, co-governance was a smashing success due to shared goals, defined roles, or some other agreement.

Academic Journals About Risk Management

Shackelford (2017) wrote “Human rights and cybersecurity due diligence: A comparative study,” which deals with the fact that there are minimal international laws regulating cybersecurity and human rights. Shackelford (2017) makes a compelling case that companies should widen the scope of risk management to combine the two concepts, which can be done by marrying human rights frameworks with cybersecurity frameworks. Many companies are looking to combine the concepts because doing so falls under the idea of sustainable development, which is economic growth that does not compromise natural resources. The value of this piece is to help those in charge of risk management think about how actions and activities affect those outside the company and in other lands, and about the potential legal consequences of those actions and activities. This work is an important piece, as it could inform my research and help frame questions asking professionals how they combine risk mitigation and social responsibility.

Trade Publications and Reputable Websites on Risk Governance

IT Governance (2019) is a website out of the United Kingdom that is a treasure trove of information on risk governance. Many leading European and international companies, such as Volkswagen, Barclays, Intel, and HSBC, have relied on IT Governance for information and services. The website explains how a cybersecurity risk assessment is conducted, what such an assessment can protect, and information on frameworks such as becoming ISO 27001 certified. Unfortunately, the website does not offer much in the way of professionals discussing their experiences with the ideas and concepts mentioned. However, it is a valuable resource to reference when encountering literature that gets into the specifics of these ideas.

Belbey (2016) wrote about governance and social media. Social media is a great way of connecting with customers, offering special sales and promotions, promoting products, engaging with customers who offer glowing praise of the latest product, and defusing the situation when they are not happy. However, governance of social media presents its own new set of challenges. One of the biggest risks is a poorly worded or poorly planned post that creates unfavorable public opinion or invites everyone to state what they dislike about the product or company. Other risks involve companies operating internationally and dealing with different standards on privacy and security. As far as risk mitigation goes, Belbey (2016) touches on extensive social media training involving videos and other interactive methods. These are great suggestions, as they offer a memorable experience. However, an important governance suggestion was overlooked in this work: hiring someone whose only role is social media and who has undergone training or has an extensive background in it.

Trade Publications and Reputable Websites on Risk Management

Corzine (2018) wrote “What CISOs Wish They Could Tell Their Boards.” This work surveyed chief information security officers (CISOs) about the realities of managing cybersecurity risk and what CISOs wish boards understood about the job. The aspects of the job the respondents were asked about were the risk-based approach to cybersecurity as part of enterprise risk management, security budgets, and strategies for dealing with IT risks. The very surprising finding was that board committees typically fail to concern themselves with technology risks and with strategies for dealing with that risk, which leaves CISOs absolutely and rightfully frustrated. This is a huge oversight by boards, because people, whether accidentally or on purpose, cause data breaches.

High (2017) wrote an interesting piece that is almost a companion piece to Corzine (2018), though written at an earlier date. High’s (2017) piece is from the board’s perspective, giving recommendations on cybersecurity and risk management. High (2017) stresses “the basics,” meaning the use of best practices; devising a risk policy with concisely written statements; producing a risk report using analytics that can shape future policy; and having ways of checking the policy and performing revisions. Lastly, High (2017) emphasized that risk management needs to focus on people and company culture. These are very simple points that are great real-world practices, particularly the focus on best practices and the emphasis on people and company culture.

Because one of the most widely used risk management frameworks is published by the National Institute of Standards and Technology (2019), its website must be examined. The NIST framework comprises guidelines, best practices, and standards. People involved with the project do their best to think internationally, to meet standards and practices worldwide, and to connect with and obtain perspectives from the international community. The NIST risk management framework has been translated into many languages and references many global standards. While it does not offer many interviews with people using the standard and their ups and downs, the National Institute of Standards and Technology (2019) is a valuable resource for learning the specifics of the risk management framework that so many places use.

Approach

The best approach to discovering how ideas from scholarship and trade papers translate into real-world practice is to conduct a series of interviews. IT professionals who focus on cybersecurity will be sought out for interviews. This research project will be a series of interviews conducted over 90 days via email and video conferencing. This approach is taken to be flexible for the research subjects: they can be interviewed at the time that works best for them without any travel involved, which means they are not inconvenienced and have the time to offer thoughtful responses. The questions I will ask draw from scholarship findings and the best practices covered in trade publications.

This is a mixed-methods study. For the quantitative side of the study, I want to get some numbers from each interview subject. I want to know how many breaches they have had to deal with and the average number of days or years between the cyber incidents they have experienced. The quantitative numbers they have lend validity to the qualitative answers given. The qualitative questions will ask about the risk governance policies and procedures in place where they work. I want to know whether they spearheaded any of them. I also want to know what they are doing daily to govern. I want to know how they connect with the people they have to govern, how they get through to them, and how they help them understand what they need to do and why. I also want to know how they successfully govern and how they know that they are governing successfully. I want to know about the times they failed or did not quite get it right and what they did about it. Everybody makes mistakes, but how do the mistakes get fixed?

Conclusion

Discussions about which elements of risk governance are working and which are not are needed to ward off cybercriminals and to protect assets such as computers, finances, reputation, and sensitive data. While it may seem common knowledge that risk governance should be implemented to protect assets, not all governance is effective. The proposed research intends to spark discussion of what has and has not worked, which helps the IT professional research the creation of policy and shows ways they can start dialogues to connect with and inform employees. A work collecting the real-world experiences of IT professionals, imparting their successes and failures with risk governance and management and seeing how they stack up against the findings and advice in journals and trade publications, is needed to help inform best practices. Hopefully, such a work can inform the IT professional, help them avoid mistakes, and help them create stronger policies and practices.

References

Belbey, J. (2016, January 5). Social media: Meeting the challenges of risk and governance. Retrieved from Forbes

Corzine, S. (2018, May 1). What CISOs wish they could tell their boards. Corporate Board, 39(230), 7.

Devos, J., & Van de Ginste, K. (2015). Towards a theoretical foundation of IT governance: The COBIT 5 case. Electronic Journal of Information Systems Evaluation, 18(2), 95–103.

Fox-Brewster, T. (2018, February 1). Retrieved from Forbes

High, P. (2017, October 30). A board member's top five recommendations for cybersecurity and risk management. Retrieved from Forbes

IBM. (2019). Cost of a data breach study. Retrieved from IBM

IT Governance. (2019). IT governance, risk management and compliance for information technology. Retrieved from IT Governance

MITRE Corporation. (2016, February 24). IT governance. Retrieved from MITRE Corporation

National Institute of Standards and Technology. (2019). Cybersecurity framework. Retrieved from NIST

Ponemon Institute. (2014, April). The aftermath of a data breach: Consumer sentiment. Retrieved from Ponemon Institute

Shackelford, S. J. (2017). Human rights and cybersecurity due diligence: A comparative study. University of Michigan Journal of Law Reform, 50(4), 859–885.

Srikandini, A., Hilhorst, D., & van Voorst, R. (2018). Disaster risk governance in Indonesia and Myanmar: The practice of co-governance. Politics and Governance, (3), 180.