Blog Details

  • Home
  • Managing Cyber Risk

Managing Cyber risk

By 2021, cybercrime damage is expected to hit $6 trillion annually—the equivalent of almost 10% of the world’s economy

Every organization faces a variety of cyber risks from external and internal sources. Cyber risks are evaluated against the possibility that an event will occur and affect the achievement of the organization’s objectives. Malicious actors, especially those motivated by financial gain, tend to operate on a cost/reward basis.

The perpetrators of cyber-attacks, and the motivations behind their attacks, generally fall into the following broad


  • Nation-states and spies: Hostile foreign nations who seek intellectual property and trade secrets for military and competitive advantage (e.g., those that seek to steal national security secrets or intellectual property).
  • Organized criminals: Perpetrators that use sophisticated tools to steal money or private and sensitive information about an entity’s consumers (e.g., identity theft).
  • Terrorists: Rogue groups or individuals who look to use the Internet to launch cyber-attacks against critical infrastructure, including financial institutions.
  • Hacktivists: Individuals or groups that want to make a social or political statement by stealing or publishing an organization’s sensitive information.
  • Insiders: Trusted individuals inside the organization who sell or share the organization’s sensitive information. While the results of the risk assessment should ultimately drive the allocation of entity’s resources toward risk management responses designed to prevent, detect, and manage cyber risk, investments must also be directed at the risk assessment process itself. An organization has finite resources and its decisions to invest in these responses must be made upon relevant, quality information that prioritizes funding to the information systems that are the most critical to the entity.

An organization’s cyber risk assessment should begin first by understanding what information and systems are valuable to the organization. The value should be measured against the potential impact to the entity’s objectives (including the potential impact of failed legal or regulatory compliance, which can have an indirect effect on accomplishing business objectives). For example, companies in various industries (e.g., financial services, technology, healthcare) may be a prime target for cybercrime given their assets and the highly automated nature of business transactions, processes, and systems

Leave Comment