Cybersecurity Risk Management: An ERM Approach


  • Author: Bruce Ho, Kok-Boon Oh
  • Edition: 1
  • Publisher: Nova Science Pub Inc
  • ISBN-10: 1685074286
  • ISBN-13: 9781685074289


    Book Description

    The motivation for writing this book is to share our knowledge, analyses, and conclusions about cybersecurity in particular and risk management in general, in order to raise awareness among businesses, academics, and the general public of the changes and challenges in the cyber landscape and of the emerging threats that will affect individual and corporate information security. We believe that all stakeholders should adopt a unified, coordinated, and organized approach to addressing corporate cybersecurity challenges, based on a shared paradigm.

    The book can be read at two levels. First, it can be read by ordinary individuals with little or no risk management experience; the book's non-technical style makes it suitable for this readership. The material may appear daunting at times, but we hope the reader will not be disheartened. One of the book's most notable features is its logical organization, which guides the reader through the enterprise risk management process, beginning with an introduction to risk management fundamentals and concluding with the strategic considerations needed to successfully implement a cyber risk management framework. The second group of readers targeted by this book is practitioners, students, academics, and regulators. We do not anticipate that everyone in this group will agree with the book's content and views, but we hope that the knowledge and material provided will serve as a basis on which they can build in their own work.

    The book comprises ten chapters. Chapter 1 is a general introduction to the theoretical concepts of risk and the constructs of enterprise risk management (ERM). Chapter 2 presents the corporate risk landscape and cyber risk, describing the characteristics and challenges of cyber threats and the emerging risks they pose from the perspective of a business organization. Chapter 3 presents the idea of enterprise risk management and explains the structure and functions of ERM as they relate to cybersecurity. Chapter 4 covers the cybersecurity risk management standards that may be used to build a cybersecurity risk management framework based on best practices. The cyber operational risk management (ORM) process begins in Chapter 5 with the introduction of the risk identification function. Chapter 6 continues with the next step of this process, presenting the risk assessment procedures for evaluating and prioritizing cyber risks. Chapter 7 explains the activities of the third step in the ORM process, risk mitigation, and gives examples of the tools and techniques for addressing risk exposures. Chapter 8 presents the reporting function, which is critical from an operational perspective for detecting risk and for the continual improvement of the organization's cybersecurity processes. Chapter 9 discusses the crisis management steps that businesses must take to respond to and recover from a cyber incident. Chapter 10 focuses on the strategic aspects of cybersecurity risk management from a business viewpoint and emphasizes the essential ERM components that senior management should be aware of and cultivate in order to create an effective cyber risk control framework. This chapter proposes a cybersecurity ERM framework based on the content presented in the book.
