Risk Management

Organizations today face unprecedented risk from cyberattacks, which can lead to significant financial and reputational loss, inconvenience customers and employees, severely compromise private and proprietary information, cripple the operations of an organization or the economy, and even cause physical harm. All levels of an organization -- especially senior managers both in the private and public sectors -- must be more vigilant than ever before in order to mitigate the risk caused by cyberattacks and data breaches, whether it is a direct attack on an enterprise or the risks brought to it by personal employee devices.

Several evolving technical solutions partially mitigate these risks for organizations. These solutions are continuously adapting as the nature of cyberattacks changes over time, and multiple technical solutions are used in parallel to provide “defense in depth.” The role of technology managers, especially those with cybersecurity responsibilities, is to manage the deployment of such technical solutions, countermeasures, policies and procedures to meet the risk objectives of senior management within the limited resources available. The research focus of the Risk Management area of the Institute for Information Security & Privacy is on this middle layer, which deploys the available technical solutions to meet the risk objectives of senior management, with special emphasis on policies, procedures and end-user training in order to create a safer computing environment. The area also studies public policy issues that provide the right incentives to the various stakeholders within the ecosystem to minimize risk for participants.

Broad research themes for Risk Management are:
  • Controls and Countermeasures – understanding the best practices and security management processes that reduce risk for the organization. These include business continuity and disaster recovery, software vulnerability management, audit controls, human resource policies, employee training, data, software and device usage policies, traffic and activity monitoring processes, access control methods, customer, vendor and user credentialing, and various other organizational processes that minimize risk from cyberattacks.
  • Financial Analysis and Metrics – understanding the cost-benefits of information security, the financial and reputational impact of security breaches on the organization, cybersecurity insurance, risk analytics, and metrics to evaluate and quantify cybersecurity risk.
  • Cybersecurity Ecosystem – understanding public policy approaches that provide incentives for stakeholders and facilitate optimal information sharing among participants, creating a more secure ecosystem for commerce.