Cyber risk not only poses a major threat to mainstream organisations, but has a big psychological component. The powerful cyber tools created by the US National Security Agency (NSA) are like a genie that has escaped from its bottle to create global cyber havoc. The scale of the havoc, which began in earnest in May, has been wide. The initial outbreak impacted roughly 100 countries, especially the UK, Russia, Spain and Taiwan. A prime example involves the UK’s National Health Service (NHS), which was virtually brought to a standstill by ransomware known as the WanaCrypt0r 2.0. That was only the beginning.

While not the first wakeup call in respect to cyber risk to be sure, the scale of the May cyber outbreak set off loud alarms. What, if anything, have we learned about addressing the threat? Although cyber risk cannot be eliminated, it is still the case that the cyber havoc represents a serious failure of risk management and compliance. Those failures stem less from the absence of sound risk management frameworks than from the presence of psychological pitfalls that receive insufficient attention or are otherwise ignored.

Before discussing the underlying psychological issues, consider how a general framework such as COSO applies to cyber risk. Although COSO is not the only risk management framework, it is widely used and well suited to a broad discussion of cyber issues. ‘COSO in the Cyber Age’, a Deloitte & Touche document published in 2015, reminds us about the overall COSO framework with its five component cube structure involving 60 subcubes. The five components pertain to control environment, risk assessment, control activities, information and communication, and monitoring activities. The three components pertain to operations, reporting and compliance. The four components pertain to level, categorised as entity, division, business unit and function.

Jul-Sep 2017 Issue

Santa Clara University