IDEAS home Printed from https://ideas.repec.org/a/bla/rmgtin/v24y2021i1p93-125.html
   My bibliography  Save this article

Cyber risk management: History and future research directions

Author

Listed:
  • Martin Eling
  • Michael McShane
  • Trung Nguyen

Abstract

Cybersecurity research started in the late 1960s and has continuously evolved under different names such as computer security and information security. This article briefly covers that history but will especially focus on the latest incarnation known as “cyber risk management,” which includes both technical and economic/management dimensions. The main focus of the article is to review research on individual steps of the cyber risk management process and on the overall process to highlight gaps and determine research directions. Two main findings are that cyber risk is difficult to include in the overall enterprise risk management process and that a move toward cyber resilience is necessary to deal with such a complex risk. Both findings require a level of interdisciplinary collaboration that is currently lacking.

Suggested Citation

  • Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
  • Handle: RePEc:bla:rmgtin:v:24:y:2021:i:1:p:93-125
    DOI: 10.1111/rmir.12169
    as

    Download full text from publisher

    File URL: https://doi.org/10.1111/rmir.12169
    Download Restriction: no

    File URL: https://libkey.io/10.1111/rmir.12169?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Michael McShane, 2018. "Enterprise risk management: history and a design science proposal," Journal of Risk Finance, Emerald Group Publishing Limited, vol. 19(2), pages 137-153, March.
    2. Michael McShane & Trung Nguyen, 2020. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 580-615, October.
    3. Martin Eling & Werner Schnell, 2016. "What do we know about cyber risk and cyber risk insurance?," Journal of Risk Finance, Emerald Group Publishing Limited, vol. 17(5), pages 474-491, November.
    4. Anat Hovav & John D'Arcy, 2003. "The Impact of Denial‐of‐Service Attack Announcements on the Market Value of Firms," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 6(2), pages 97-121, September.
    5. Simon Ashby & Trevor Buck & Stephanie Nöth-Zahn & Thomas Peisl, 2018. "Emerging IT Risks: Insights from German Banking," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 43(2), pages 180-207, April.
    6. James H. Lambert & Jeffrey M. Keisler & William E. Wheeler & Zachary A. Collier & Igor Linkov, 2013. "Multiscale approach to the security of hardware supply chains for energy systems," Environment Systems and Decisions, Springer, vol. 33(3), pages 326-334, September.
    7. Martin Eling & Werner Schnell, 2020. "Capital Requirements for Cyber Risk and Cyber Risk Insurance: An Analysis of Solvency II, the U.S. Risk-Based Capital Standards, and the Swiss Solvency Test," North American Actuarial Journal, Taylor & Francis Journals, vol. 24(3), pages 370-392, July.
    8. Aven, Terje, 2011. "On the new ISO guide on risk management terminology," Reliability Engineering and System Safety, Elsevier, vol. 96(7), pages 719-726.
    9. Lin, Zhaoxin & Sapp, Travis R.A. & Ulmer, Jackie Rees & Parsa, Rahul, 2020. "Insider trading ahead of cyber breach announcements," Journal of Financial Markets, Elsevier, vol. 50(C).
    10. Sherrie Cannoy & Prashant C. Palvia & Richard Schilhavy, 2006. "A Research Framework for Information Systems Security," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 2(2), pages 3-24, April.
    11. Spencer Wheatley & Thomas Maillart & Didier Sornette, 2016. "The extreme risk of personal data breaches and the erosion of privacy," The European Physical Journal B: Condensed Matter and Complex Systems, Springer;EDP Sciences, vol. 89(1), pages 1-12, January.
    12. Rafael La Porta & Florencio Lopez-de-Silanes & Andrei Shleifer & Robert W. Vishny, 1998. "Law and Finance," Journal of Political Economy, University of Chicago Press, vol. 106(6), pages 1113-1155, December.
    13. Omer Ilker Poyraz & Mustafa Canan & Michael McShane & C. Ariel Pinto & T. Steven Cotter, 2020. "Cyber assets at risk: monetary impact of U.S. personally identifiable information mega data breaches," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 616-638, October.
    14. Anil Nair & Elzotbek Rustambekov & Michael McShane & Stav Fainshmidt, 2014. "Enterprise Risk Management as a Dynamic Capability: A test of its effectiveness during a crisis," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 35(8), pages 555-566, December.
    15. Soomro, Zahoor Ahmed & Shah, Mahmood Hussain & Ahmed, Javed, 2016. "Information security management needs more holistic approach: A literature review," International Journal of Information Management, Elsevier, vol. 36(2), pages 215-225.
    16. Bojanc, Rok & Jerman-Blažič, Borka, 2008. "An economic modelling approach to information security risk management," International Journal of Information Management, Elsevier, vol. 28(5), pages 413-422.
    17. J. Park & T. P. Seager & P. S. C. Rao & M. Convertino & I. Linkov, 2013. "Integrating Risk and Resilience Approaches to Catastrophe Management in Engineering Systems," Risk Analysis, John Wiley & Sons, vol. 33(3), pages 356-367, March.
    18. Christian Biener & Martin Eling & Jan Hendrik Wirfs, 2015. "Insurability of Cyber Risk: An Empirical Analysis†," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 40(1), pages 131-158, January.
    19. Priya Garg, 2020. "Cybersecurity breaches and cash holdings: Spillover effect," Financial Management, Financial Management Association International, vol. 49(2), pages 503-519, June.
    20. Young, Derek & Lopez, Juan & Rice, Mason & Ramsey, Benjamin & McTasney, Robert, 2016. "A framework for incorporating insurance in critical infrastructure cyber risk strategies," International Journal of Critical Infrastructure Protection, Elsevier, vol. 14(C), pages 43-57.
    21. Alessandro Mazzoccoli & Maurizio Naldi, 2020. "Robustness of Optimal Investment Decisions in Mixed Insurance/Investment Cyber Risk Management," Risk Analysis, John Wiley & Sons, vol. 40(3), pages 550-564, March.
    22. Detmar W. Straub, 1990. "Effective IS Security: An Empirical Study," Information Systems Research, INFORMS, vol. 1(3), pages 255-276, September.
    23. Alexander A. Ganin & Phuoc Quach & Mahesh Panwar & Zachary A. Collier & Jeffrey M. Keisler & Dayton Marchese & Igor Linkov, 2020. "Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management," Risk Analysis, John Wiley & Sons, vol. 40(1), pages 183-199, January.
    24. M. Martin Boyer, 2020. "Cyber insurance demand, supply, contracts and cases," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 559-563, October.
    25. Eling, Martin & Wirfs, Jan, 2019. "What are the actual costs of cyber risk events?," European Journal of Operational Research, Elsevier, vol. 272(3), pages 1109-1119.
    26. Michael McShane & Trung Nguyen, 0. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 0, pages 1-36.
    27. Natalie M. Scala & Allison C. Reilly & Paul L. Goethals & Michel Cukier, 2019. "Risk and the Five Hard Problems of Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 39(10), pages 2119-2126, October.
    28. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    29. Saini Das & Arunabha Mukhopadhyay & Manoj Anand, 2012. "Stock Market Response to Information Security Breach: A Study Using Firm and Attack Characteristics," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 8(4), pages 27-55, October.
    30. Mikhed, Vyacheslav & Vogan, Michael, 2018. "How data breaches affect consumer credit," Journal of Banking & Finance, Elsevier, vol. 88(C), pages 192-207.
    31. Daniel Schatz & Rabih Bashroush, 0. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 0, pages 1-24.
    32. Martin Eling, 2018. "Cyber Risk and Cyber Risk Insurance: Status Quo and Future Research," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 43(2), pages 175-179, April.
    33. Nicky J. Welton & Howard H. Z. Thom, 2015. "Value of Information," Medical Decision Making, , vol. 35(5), pages 564-566, July.
    34. Hulisi Öğüt & Srinivasan Raghunathan & Nirup Menon, 2011. "Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self‐Protection," Risk Analysis, John Wiley & Sons, vol. 31(3), pages 497-512, March.
    35. Iyer, Subramanian R. & Simkins, Betty J. & Wang, Heng, 2020. "Cyberattacks and impact on bond valuation," Finance Research Letters, Elsevier, vol. 33(C).
    36. Viktoria Gisladottir & Alexander A. Ganin & Jeffrey M. Keisler & Jeremy Kepner & Igor Linkov, 2017. "Resilience of Cyber Systems with Over‐ and Underregulation," Risk Analysis, John Wiley & Sons, vol. 37(9), pages 1644-1651, September.
    37. Eling, Martin & Loperfido, Nicola, 2017. "Data breaches: Goodness of fit, pricing, and risk measurement," Insurance: Mathematics and Economics, Elsevier, vol. 75(C), pages 126-136.
    38. Spencer Wheatley & Thomas Maillart & Didier Sornette, 2016. "The extreme risk of personal data breaches and the erosion of privacy," The European Physical Journal B: Condensed Matter and Complex Systems, Springer;EDP Sciences, vol. 89(1), pages 1-12, January.
    39. Claire Lending & Kristina Minnick & Patrick J. Schorno, 2018. "Corporate Governance, Social Responsibility, and Data Breaches," The Financial Review, Eastern Finance Association, vol. 53(2), pages 413-455, May.
    40. Kevin M. Gatzlaff & Kathleen A. McCullough, 2010. "The Effect of Data Breaches on Shareholder Wealth," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 13(1), pages 61-83, March.
    41. Dirk Wrede & Tino Stegen & Johann-Matthias Schulenburg, 2020. "Affirmative and silent cyber coverage in traditional insurance policies: Qualitative content analysis of selected insurance products from the German insurance market," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 657-689, October.
    42. Zachary A. Collier & Igor Linkov & James H. Lambert, 2013. "Four domains of cybersecurity: a risk-based systems approach to cyber decisions," Environment Systems and Decisions, Springer, vol. 33(4), pages 469-470, December.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Nadine Gatzert & Madeline Schubert, 2022. "Cyber risk management in the US banking and insurance industry: A textual and empirical analysis of determinants and value," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 89(3), pages 725-763, September.
    2. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Trück & Jiwook Jang, 2023. "Cyber loss model risk translates to premium mispricing and risk sensitivity," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 372-433, April.
    3. Erkan-Barlow, Asligul & Nguyen, Trung, 2024. "Cybersecurity and executive compensation: Can inside debt-induced risk aversion improve cyber risk management effectiveness?," International Review of Financial Analysis, Elsevier, vol. 93(C).
    4. Denuit, Michel & Ortega-Jimenez, Patricia & Robert, Christian Y., 2024. "No-sabotage under conditional mean risk sharing of dependent-by-mixture insurance losses," LIDAM Discussion Papers ISBA 2024019, Université catholique de Louvain, Institute of Statistics, Biostatistics and Actuarial Sciences (ISBA).
    5. Alessandro Mazzoccoli & Maurizio Naldi, 2022. "An Overview of Security Breach Probability Models," Risks, MDPI, vol. 10(11), pages 1-29, November.
    6. Nguyen, Son & Shu-Ling Chen, Peggy & Du, Yuquan, 2022. "Risk assessment of maritime container shipping blockchain-integrated systems: An analysis of multi-event scenarios," Transportation Research Part E: Logistics and Transportation Review, Elsevier, vol. 163(C).
    7. Matteo Malavasi & Gareth W. Peters & Stefan Treuck & Pavel V. Shevchenko & Jiwook Jang & Georgy Sofronov, 2024. "Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications," Papers 2410.05297, arXiv.org.
    8. Pavel V. Shevchenko & Jiwook Jang & Matteo Malavasi & Gareth W. Peters & Georgy Sofronov & Stefan Truck, 2022. "The Nature of Losses from Cyber-Related Events: Risk Categories and Business Sectors," Papers 2202.10189, arXiv.org, revised Mar 2022.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Zängerle, Daniel & Schiereck, Dirk, 2022. "Modelling and predicting enterprise‑level cyber risks in the context of sparse data availability," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 136276, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    2. Michael McShane & Trung Nguyen, 0. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 0, pages 1-36.
    3. Michael McShane & Trung Nguyen, 2020. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 580-615, October.
    4. Alessandro Mazzoccoli, 2023. "Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis," Risks, MDPI, vol. 11(9), pages 1-14, August.
    5. Alessandro Mazzoccoli & Maurizio Naldi, 2022. "An Overview of Security Breach Probability Models," Risks, MDPI, vol. 10(11), pages 1-29, November.
    6. Angelica Marotta & Michael McShane, 2018. "Integrating a Proactive Technique Into a Holistic Cyber Risk Management Approach," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 21(3), pages 435-452, December.
    7. Spencer Wheatley & Annette Hofmann & Didier Sornette, 2021. "Addressing insurance of data breach cyber risks in the catastrophe framework," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 46(1), pages 53-78, January.
    8. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Trück & Jiwook Jang, 2023. "Cyber loss model risk translates to premium mispricing and risk sensitivity," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 372-433, April.
    9. Daniel Zängerle & Dirk Schiereck, 2023. "Modelling and predicting enterprise-level cyber risks in the context of sparse data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 434-462, April.
    10. Farkas, Sébastien & Lopez, Olivier & Thomas, Maud, 2021. "Cyber claim analysis using Generalized Pareto regression trees with applications to insurance," Insurance: Mathematics and Economics, Elsevier, vol. 98(C), pages 92-105.
    11. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang, 2022. "Cyber Loss Model Risk Translates to Premium Mispricing and Risk Sensitivity," Papers 2202.10588, arXiv.org, revised Mar 2023.
    12. Eling, Martin & Jung, Kwangmin, 2018. "Copula approaches for modeling cross-sectional dependence of data breach losses," Insurance: Mathematics and Economics, Elsevier, vol. 82(C), pages 167-180.
    13. Kjartan Palsson & Steinn Gudmundsson & Sachin Shetty, 2020. "Analysis of the impact of cyber events for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 564-579, October.
    14. Md. Hamid Uddin & Md. Hakim Ali & Mohammad Kabir Hassan, 2020. "Cybersecurity hazards and financial system vulnerability: a synthesis of literature," Risk Management, Palgrave Macmillan, vol. 22(4), pages 239-309, December.
    15. Jevtić, Petar & Lanchier, Nicolas, 2020. "Dynamic structural percolation model of loss distribution for cyber risk of small and medium-sized enterprises for tree-based LAN topology," Insurance: Mathematics and Economics, Elsevier, vol. 91(C), pages 209-223.
    16. Kjartan Palsson & Steinn Gudmundsson & Sachin Shetty, 0. "Analysis of the impact of cyber events for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 0, pages 1-16.
    17. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    18. Domenico Giovanni & Arturo Leccadito & Marco Pirra, 2021. "On the determinants of data breaches: A cointegration analysis," Decisions in Economics and Finance, Springer;Associazione per la Matematica, vol. 44(1), pages 141-160, June.
    19. Malavasi, Matteo & Peters, Gareth W. & Shevchenko, Pavel V. & Trück, Stefan & Jang, Jiwook & Sofronov, Georgy, 2022. "Cyber risk frequency, severity and insurance viability," Insurance: Mathematics and Economics, Elsevier, vol. 106(C), pages 90-114.
    20. Omer Ilker Poyraz & Mustafa Canan & Michael McShane & C. Ariel Pinto & T. Steven Cotter, 2020. "Cyber assets at risk: monetary impact of U.S. personally identifiable information mega data breaches," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 616-638, October.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:bla:rmgtin:v:24:y:2021:i:1:p:93-125. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: http://www.blackwellpublishing.com/journal.asp?ref=1098-1616 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.