Academic Journal

Enterprise risk management: how do firms integrate cyber risk?

Bibliographic Details
Title: Enterprise risk management: how do firms integrate cyber risk?
Authors: Sasha Romanosky, Elizabeth L. Petrun Sayers
Source: Emerald Group Publishing Limited, Management Research Review. 47(1):1-17
Publication Year: 2023
Description: Purpose - The purpose of this study is to examine how companies integrate cyber risk into their enterprise risk management practices. Data breaches have become commonplace, with thousands occurring each year, and some costing hundreds of millions of dollars. Consequently, cyber risk has become one of the gravest risks facing organizations, and has attracted boardroom-level attention. On the other hand, companies already manage many kinds of difficult and growing risks, and firms lose less than 1% of annual revenues as a result of cyber incidents. Therefore, how should firms appropriately address cyber risk? Is it indeed a materially different kind of risk area, or is it simply just one more risk that can seamlessly be integrated into existing enterprise risk management (ERM) practices? Design/methodology/approach - The authors performed thematic analysis based on semi-structured interviews, with non-probabilistic, purposive sampling, to answer two main questions. First, how do firms manage enterprise risks, generally? And second, how are they integrating cyber risk into these existing processes? Findings - The authors find that there is considerable variation in the approach and sophistication in ERM practices, such as whether they are driven more like an auditing function, or as a risk champion. The authors also find that despite the novelty of cyber risk, it can be integrated like other enterprise risks, and that cyber risk is most often seen as an operational risk (similar to workplace accidents or fraud), rather than a strategic risk, emerging from, for example, technology innovation and R&D. Research limitations/implications - The generalization of the results is limited by the sample size and variation of firms interviewed. While the authors attempted to interview enterprise risk managers across a wide variation of firms, there were clear limitations in the scope. That being said, the authors were fortunate to be able to examine ERM and cyber risk practic
Document Type: redif-article
Language: English
DOI: 10.1108/MRR-10-2021-0774
Availability: https://ideas.repec.org/a/eme/mrrpps/mrr-10-2021-0774.html
Accession Number: edsrep.a.eme.mrrpps.mrr.10.2021.0774
Database: RePEc