Cyber risk management: an illusion of a risk-based approach
Sergeja Slapničar et al.
Abstract
In this study, we investigate how organizations align qualitative and quantitative approaches to measure and manage cyber risk effectively. Cyber risk involves the potential compromise of data integrity, availability, or confidentiality due to attacks or incidents. We draw on the theoretical framework of calculative cultures, which describes the qualitative and quantitative organizational approaches to risk management. We conducted twenty-seven in-depth interviews with individuals involved in cyber risk management at five multi-billion-dollar organizations. We find that while organizations claim to rely on risk-based (quantitative) management, they measure cyber risk qualitatively with a 'quantitative veneer', that is, merely giving the appearance of using quantitative methods. This mismatch creates the illusion of a risk-based approach. We extend the literature on calculative cultures with the concept of 'qualculation', which combines qualitative and quantitative approaches, and suggest that 'qualculation', not quantification, is the highest standard that could be attained in aligning the measurement and management of cyber risk.
2 citations