Reporting Cybersecurity Risk To The Board of Directors - WHPRCR - WHP - Eng - 1220


Reporting Cybersecurity Risk to the Board of Directors

© 2020 ISACA. All Rights Reserved.


2 REPORTING CYBERSECURITY RISK TO THE BOARD OF DIRECTORS

CONTENTS
4 Introduction
4 Role of the Board of Directors
5 Cyberrisk as Strategic Risk
6 Structure of Cybersecurity Program Oversight
6 / First Line of Defense (1L)
6 / Second Line of Defense (2L)
7 / Third Line of Defense (3L)
7 Legal Concerns
7 / GDPR
8 / PCI-DSS
8 / Private Rights of Action and Class Actions
8 / Unfair Business Practices and Other Regulations
9 Threat Intelligence
9 / Attacker Profiles
9 / Industry-based Risk Profiles
10 Risk Identification and Scenario Analysis
11 Risk Measurement
12 Dashboards and Metrics
14 Capacity, Appetite and Limits
15 Cyberrisk Economics
15 / Materiality
15 / Cyberinsurance
16 / Capital Allocation
16 Peer Comparisons
16 Budgeting
17 Issues and Findings
17 Board Education and Awareness
18 Conclusion
19 Acknowledgments


ABSTRACT
Enterprise boards of directors need to understand how cybersecurity risk affects
business objectives and board oversight responsibilities. Cybersecurity professionals
have the knowledge that boards require but need to learn how to translate that
information into business language that is useful to boards. This white paper helps risk
and cybersecurity professionals to report cybersecurity risk in ways that their enterprise
board of directors can understand, by providing an overview of board responsibilities and
structure, a method to decompose high-level board concerns into technologically relevant
(and measurable) risk scenarios, and information on cyberrisk economics.


Introduction

Cybersecurity professionals are being asked increasingly to prepare materials for and give presentations to their enterprise board of directors. Communicating priorities to any board member requires understanding the board perspective on the subject that is being considered. This means recognizing that board members have an overall enterprise perspective that subsumes cybersecurity. Therefore, gaining attention (and being relevant to the board) requires placing cybersecurity concerns in the context of business objectives—cybersecurity practitioners need to learn how to speak the language of business.

This white paper lays out the landmarks that can be used to better understand how to adapt cybersecurity matters for consumption by professionals who are less knowledgeable about technology. The goal is to better understand the process of reporting technology risk to the board and to provide context for how to tailor the message. This white paper provides an overview of the role and structure of boards, and information on presenting cybersecurity as a strategic risk, scenario analysis, risk economics, risk appetite, metrics and dashboards. These discussions help technology professionals to communicate cybersecurity risk in ways that businesses can understand.

Role of the Board of Directors

For cybersecurity professionals to better connect their specialized skills and roles to concerns of the board of directors, it is critical that professionals understand the job of a board director. The National Association of Corporate Directors (NACD), in the United States, explains that boards have two primary responsibilities—to oversee management and to advise management.1 According to the United Kingdom Institute of Directors (IoD), boards have a responsibility to ensure the prosperity of an enterprise.2

Boards have limited ability to be involved in day-to-day operations, which is the role of enterprise management. Directors take an overarching and strategic vantage point to ensure the long-term prosperity and survivability of the enterprise. They also have a legal responsibility to provide effective governance oversight, to ensure that the enterprise is well managed and to provide reasonable protections to its customers, employees, shareholders and business partners (i.e., duty of care). This governance oversight extends to ensuring that the enterprise fully understands its cybersecurity risk and is managing that risk adequately and effectively. However, to fulfill these responsibilities, directors need to be appropriately briefed by the enterprise cybersecurity and risk professionals.

Directors understand enterprise operations, such as finance, sales, corporate investment, risk management, legal and audit, and have a depth of experience from which they can draw to give guidance to enterprise operators. When boards make decisions, it is important that they balance short-term and long-term goals; keep operations focused on core business functions, while also encouraging growth and innovation; and generally understand the marketplace in which the enterprise operates. Typical board tasks include establishing/advising on vision, mission, values, strategy, legal/regulatory issues and corporate structure. The board

1 National Association of Corporate Directors, “The Role of the Board vs. the Role of Management FAQ,” 30 September 2016, https://www.nacdonline.org/insights/publications.cfm?ItemNumber=35784
2 Institute of Directors, “What is the role of the board?,” 25 September 2018, www.iod.com/services/information-and-advice/resources-and-factsheets/details/What-is-the-role-of-the-board



delegates specific tasks to management, which operates the business in alignment with board strategy and guidance.

Although cybersecurity was not a typical board task in the past, the proliferation of IT in enterprise objectives prompted the need for individuals with an IT background to appropriately advise management on their technology choices. As boards and shareholders become increasingly concerned about cybersecurity incidents, the need increases for directors that understand what good cybersecurity operations look like and how they can influence them.

Research in reputational risk reveals that cybersecurity events can cause customers to stop purchasing from an enterprise that experienced an event.3 Because enterprises rely on their reputations to meet their strategic goals, anything that can negatively affect those reputations has strategic importance. Therefore, insights into how cybersecurity failings can be connected to strategic objectives are key to helping boards better understand cybersecurity risk.

Successfully presenting cybersecurity concerns to the board requires the ability to weave a narrative around what is occurring in the broader cybersecurity industry and how attackers are affecting industry peers, and to use metrics, financial impact and enterprise maturity to show how cybersecurity events will affect the enterprise.

Cyberrisk as Strategic Risk

For a long time, cybersecurity was not clearly connected to enterprise objectives. This disconnect between cybersecurity and the business only recently began to be repaired. Breaches and ransomware events during the past three years brought into sharp focus how devastating the failure to manage cybersecurity risk can be to enterprise operations. The WannaCry ransomware attack in 2017 is the high-water mark in business interruption, with enterprises around the world impacted—utilities, governments, universities, healthcare, manufacturing, telecommunications, transportation and more. Aggregate losses from this single ransomware event are estimated at between several hundred million US dollars and $4 billion.4

Financial impacts like that of the WannaCry attack spurred senior executives and boards of directors to want to know if their enterprises are at risk and how these events would look if they happened in their enterprises. Although they have keen interest in understanding cybersecurity risk exposure, these executives and boards need a bridge between cybersecurity and business. This bridge function is best filled by risk management professionals who understand the details of technology and can render these technology concerns into operational and strategic matters.

Presenting cybersecurity as a business issue requires some translation. Strategic risk areas are those that affect, or are created by, the enterprise business strategy and objectives. The technology-to-business translation goal is to capture the elements of technological failure and connect them to enterprise objectives, presented as strategic risk. This process typically involves

3 Moody’s Investors Service, Inc., “Cyber Risk – Global: Reputational Risks From Cyberattacks Are Rising As Episodes Become More Publicized,” www.moodys.com/research/Cyber-Risk-Global-Reputational-risks-from-cyberattacks-are-rising-as—PBC_1205103
4 Berr, J.; “’WannaCry’ ransomware attack losses could reach $4 billion,” 16 May 2017, CBS Interactive Inc., www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/


decomposing cybersecurity risk into a series of progressively decomposed loss scenarios.

At the top of the process, the broadest categories are thematic risk; cybersecurity may be one, but credit and market risk are also at this level. At the next level, the categories get more granular. For cybersecurity, this may include categories such as data disclosure, business interruption and fraud. Depending on the industry, this level may also include product security and privacy. Developing a full slate of risk that connects technology to business strategy requires the identification of scenarios that can cause negative outcomes. The section about risk identification and scenario analysis describes how to create this taxonomy.

Structure of Cybersecurity Program Oversight

A board of directors typically organizes itself into several committees—some standing committees and often some ad hoc committees. The exact charge of these committees varies among enterprises, but some expectations on how different committees can have an impact on cybersecurity risk reporting are described here.

Standing committees typically include an executive committee to oversee the chief executive, a governance committee that provides oversight to the board, a finance or budget committee that is responsible for revenues and expenses, and an audit committee that oversees financial reporting and disclosure. Some enterprises also have a risk committee that focuses on sources of strategic, financial, compliance and operational (including cybersecurity) risk.

Boards vary in their structures, but governance of cybersecurity operations typically comes from either the risk or audit committee—and sometimes both. It is typically the role of an enterprise risk management (ERM) function to establish a risk governance framework to provide these committees the information they need to provide appropriate oversight. A generic design principle to accomplish this is to use the Three Lines of Defense (3LoD) model.

The 3LoD model provides layers of management controls to protect against risk. The model evolved in the late 1990s and was codified in a 2013 paper by the Institute of Internal Auditors (IIA).5 Since then, it has become a cornerstone of most risk management frameworks and is referenced in the ISACA Risk IT Framework.6

A description of the foundation of this framework follows.

First Line of Defense (1L)

These are the control and risk owners who have operational responsibility for managing enterprise risk. Typically, these owners include the personnel in IT that are responsible for the day-to-day operation of technology controls. For example, business process owners set the requirements, and IT professionals develop software and systems to meet those requirements.

Second Line of Defense (2L)

The second line is a relatively new addition to the assurance world and encompasses risk management and
5 The Institute of Internal Auditors, “The Three Lines of Defense in Effective Risk Management and Control,” January 2013, https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
6 ISACA, Risk IT Framework, 2nd Edition, www.isaca.org/bookstore/bookstore-risk-digital/ritf2?cid=pr_2004614&Appeal=pr


compliance functions. The goal of the second line of defense is to provide checks and oversight on the responsibility of the first line of defense. This line sets the standards either explicitly, by publishing internal policies and standards, or implicitly, by its influence in an advisory function and creating issues and findings. In some enterprises, the 2L reports independently of operations and directly to the chief executive officer (CEO) or the chief risk officer (CRO).

Third Line of Defense (3L)

The third line of defense is internal audit, which provides independent validation of the functions of the first and second lines of defense. The 3L reports independently, outside of operations, and directly to the CEO.

IT risk management can also have a 1.5 line of defense (1.5L). This function sits between the first and second lines of defense and shares roles and responsibilities of both. The 1.5L is typically a function assigned to IT risk management, because it operates inside a security function and, therefore, alongside security control operators. Because information risk management typically has a large scope of work, the amount of technology in use is often too much for a pure second-line-of-defense function to oversee. In enterprises that use a 1.5L, the 2L tends to oversee checks done by the 1.5L instead of doing its own detailed checks of the first line.

These lines of defense connect to the board committees to report on risk. The third line (internal audit) traditionally aligned to the board audit committee, giving it independent oversight of the performance of the enterprise controls. As the second line of defense developed, so too did the board risk committee. Thus, 2L work products are delivered to the risk committee in a way that is similar to the 3L reporting to the audit committee.

Legal Concerns

Some enterprises realize that their strategic goals are tied to technology and place security requirements in contracts with third parties. Governments place similar legal requirements on enterprises to help protect the public, creating economic externalities to shift the marketplace towards more secure and privacy-aware computing practices.

Boards must ensure that their enterprises are meeting these contractual and regulatory obligations to avoid potential legal claims, including any personal liability that board members may have. As a result, connecting cybersecurity to legal and regulatory implications is critical to help ensure that the needs of the board are met and that board members understand potential pitfalls. The following subsections include two major legal frameworks—GDPR and PCI DSS—that can help boards understand their legal and regulatory exposure.

GDPR

The biggest recent cybersecurity regulation to be implemented is the General Data Protection Regulation (GDPR), which passed into law in 2016 with an implementation date in 2018. With this single law, the number of countries that require breach notification jumped from eight in 2015 to 40 in 2016.7 As of 2020, 64 countries require such disclosure. The more countries that require breach disclosure, the more consumers who will be made aware of security failings and, by extension, the more likely it is that the reputation of an affected enterprise will be imperiled.

Reporting on GDPR risk to a board does not require a lawyer; cybersecurity professionals can advise enterprises on this legal risk. It is important, however, that cybersecurity professionals align with the legal function in an enterprise (internal and/or external) around the following requirements:
• Data subject consent and access to personal data (right of access)

7 Op cit Moody’s Investors Service, Inc.


• Data subjects can request the removal of their information (right of erasure)
• Data subjects can object to having their data processed for sales and marketing or other reasons (right to object, including to automated decision-making)
• Cross-border data transfers have strict requirements

Not having these requirements in place creates legal risk. GDPR fines can be the greater of either €20 million (US$23.8 million) or up to four percent of annual worldwide turnover. Another GDPR requirement is to notify the supervising authority within 72 hours of identifying a reportable breach. The GDPR states that an enterprise should have processes in place to be able to detect security breaches. However, the IBM “Cost of a Data Breach Report 2020” shows that the average time to identify a breach is 207 days (up from 206 days in 2019) and a further 73 days to contain the breach.8 Therefore, there is a potential gap between how long it takes to identify a breach and the legal requirements of GDPR. The 72-hour clock starts when the enterprise becomes aware of the breach, so a long dwell time is not itself a missed notification deadline; it is evidence that the detection processes GDPR expects are weak, and that is the point to put to the board.

Although the GDPR is an EU law, it impacts enterprises in countries outside the EU if the enterprise operates in an EU country or on behalf of a data controller in the EU that processes (i.e., stores, alters, utilizes, records, etc.) data from an enterprise that is under GDPR jurisdiction.

PCI-DSS

Since 2004, enterprises that accept, process, store or transmit payment card data are subject to the PCI-DSS contractual obligation. Although not a regulation, it exposes enterprises to sometimes significant financial penalties, including a prohibition against accepting credit cards. Key factors in PCI include:
• Limiting the collection of cardholder data
• Maintaining a secure system (end to end) for accepting and processing cardholder data
• Conducting regular security testing

PCI has 12 requirements and numerous subrequirements to ensure a secure cardholder data environment. Penalties or restrictions on how an enterprise can accept payment cards can be a huge limitation on an enterprise executing its strategies to achieve its objectives. Board reporting on PCI noncompliance requires connecting it to revenue goals and reputational harm. If customers do not feel safe using their credit cards at an enterprise, revenue targets suffer.

Private Rights of Action and Class Actions

In some cases, following a cybersecurity event at an enterprise, affected customers, individually or with others, can initiate legal proceedings against the enterprise under laws established by a jurisdiction. Individual lawsuits focus on the damage incurred by a single aggrieved party; a class action lawsuit combines a series of grievances represented by a single plaintiff. There is often much greater cumulative damage from a combined lawsuit, but potentially less distraction than multiple, simultaneous lawsuits generate. Class action lawsuits are primarily a phenomenon in the United States, but they can also occur in Canada and some EU countries.

For board reporting, it is important to consider legal defense costs, ranges of possible settlements, marketing and public relations efforts to counteract any reputational harm, and costs associated with distracted boards and executives. These costs can be incorporated into risk quantification efforts.

Unfair Business Practices and Other Regulations

If a cybersecurity event impacts products or services offered, there can often be additional regulatory oversight. For example, unfair business practices cover things like deceptive marketing plans (intentional or not), outright

8 IBM, “Cost of a Data Breach Report 2020,” www.ibm.com/security/digital-assets/cost-data-breach-report/#/


fraud and misrepresentation. Attempting to market a product or service as being secure when it is not can result in action against an enterprise by government entities. Enterprises that operate in specific verticals (financial services, for instance) have regulations they must follow that prescribe security requirements and limitations around how they represent their products and services to customers.

Threat Intelligence

It is critical that board directors understand the threats that are facing their enterprises. Like all board and executive communications, it is important to make sure that the complex cyberthreats that are managed every day are translated appropriately to the business concerns that are managed by the board.

This translation is of critical importance for technology professionals. Threat intelligence is a critical component of cyberdefense and leverages paid and open-source services to provide technological insight into who is attacking and what tactics, techniques and procedures (TTPs) they are employing. There are many frameworks that can be used to collect, classify and report cyberthreats, such as MITRE ATT&CK® and the Lockheed Martin Cyber Kill Chain®.9

Although these models are useful, they are too complex to be effective for executive and board communication. Instead, categorizing the attackers and the attack types is very useful for giving executives an understanding of who is attacking and what they are using to attack.

Attacker Profiles

Constructing attacker profiles is a critical part of a threat communication plan. Attribution is not the goal—instead, the concept is to develop a series of attacker profiles that can be characterized in terms of access to resources and access to skill sets. Following is a sample set of threat communities:10, 11
• Nation states
• Cybercriminals
• Suppliers
• Hacktivists
• Privileged insiders
• Nonprivileged insiders

These categories are not meant to identify specific attackers (e.g., APT28 or Fancy Bear), but, instead, to give executives a range of types of attackers that the enterprise might face. Such attacker groups can be expressed quantitatively using two variables: threat capability and threat event frequency. These variables give executives a vantage point into how often these threats are acting against them and how powerful an attacker is when it does attack.

Industry-based Risk Profiles

Some immutable qualities can contribute to an enterprise threat profile. People intuitively understand that operating in certain industries can have more risk than in others. Sutton’s Law holds that one robs banks because that is where the money is. Cybercrime against financial service enterprises is well known. Nation-state action against government contractors and the intelligence community (IC) at large is also well known.

9 Lockheed Martin Corporation, “The Cyber Kill Chain®,” www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
10 Freund, J.; J. Jones; Measuring and Managing Information Risk: A FAIR Approach, Portsmouth, NH, Butterworth-Heinemann, 2014
11 Freund, J.; S. Fritts; J. Marius; “Using Data Breach Reports to Assess Risk Analysis Quality,” ISSA Journal, February 2016, vol. 14, issue 2, https://issa-cos.org/wp-content/uploads/2016/02/ISSA_Journal_February_2016.pdf


Two factors that are necessary to communicate to boards and executives regarding their industry risk are target value and probability of attack by various threat communities. Creating an inventory of relevant data types, finances and other information assets that might be of value to attackers is a useful exercise. This list doubles as the enterprise list of crown jewels, which deserve special protection.

The second factor measures how likely threat communities are to take action against the enterprise. Industry classification systems, such as the North American Industry Classification System (NAICS) and Standard Industrial Classification (SIC),12 can show the board where the enterprise fits alongside peers and how it fares across all other industries.

Risk Identification and Scenario Analysis

Risk identification is more than simply identifying a potentially bad thing. It requires a combination of systematic thinking and creativity to imagine an entire series of failings. Building out these connections between the highest and lowest levels of an enterprise requires the decomposition of high-level board concerns into technologically relevant (and measurable) scenarios.

To accomplish this, many risk professionals use labels to describe the level of decomposition with which they are working. Building an enterprise risk taxonomy can be accelerated by leveraging the BASEL II loss event type classifications.13 This framework was originally established as a regulatory tool for financial services; however, this breakdown of risk types is very executive-friendly and is often already familiar to them. Risk type categories include fraud, hacking and business disruption.

The first step is to identify a business strategy and then decompose it into the series of cybersecurity failings that can prevent it from succeeding. A typical chain of risk decomposition (i.e., risk taxonomy) using this approach follows.

• Strategic Objective 1: Increase percentage of customers that use more than one enterprise product by 40 percent
• Risk to Objective 1 (filtered for cybersecurity):
  – Layer 1—External fraud
  – Layer 2—Systems security
  – Layer 3—Hacking
  – Layer 4—Credential stuffing, privilege escalation, lateral movement, etc.
• Strategic Objective 2: Increase sales in North American market by 15 percent
• Risk to Objective 2 (filtered for cybersecurity):
  – Layer 1—Business disruption
  – Layer 2—Systems
  – Layer 3—Software
  – Layer 4—Ransomware

The upper layers tend to be less technologically specific but are helpful when trying to label and classify risk from all sources in an enterprise. For example, Objective 2 risk may also include things like natural disasters and pandemics at layers 1 and 2 (in BASEL II terms: damage to physical assets and workplace safety, respectively).

Figure 1 shows a simplified example of this decomposition.14

12 NAICS Association, “NAICS & SIC Identification Tools,” www.naics.com/search/
13 BIS, “OPE - Calculation of RWA for operational risk,” www.bis.org/basel_framework/chapter/OPE/30.htm
14 Freund, J.; “Communicating Technology Risk to Nontechnical People: Helping Enterprises Understand Bad Outcomes,” ISACA Journal, vol. 3, 2020, https://www.isaca.org/resources/isaca-journal/issues/2020/volume-3/communicating-technology-risk-to-nontechnical-people


FIGURE 1: Decomposition of Scenario Analysis

Business Scenarios (overall):
• Data Loss and Theft
  – Theft of data from critical applications
  – Data sent to the wrong customer
• Data Reliability
  – Financial data not reliable
  – Asset inventories compromised
• Systems Availability
  – Critical systems offline > 1 hour
  – Back-end transaction processing delayed > 8 hours
• Fraud
  – Credit card processing compromised
  – Purchase-order fraud

IT Scenarios (examples that realize the business scenarios above):
• Privileged insiders leverage legitimately granted credentials to steal data from critical applications.
• Cybercriminals compromise customer portal to access PII.
• Manual processes lead to data being sent to the wrong customers.

Risk Measurement

After the scenarios are articulated using decomposition, measuring them becomes a straightforward task. Presenting a full slate of risk scenarios to the board is not beneficial until the scenarios are ordered and prioritized using quantitative measurement that is in a familiar format for executives. The members of board committees are adept at managing financial measurements. The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk. Measuring each of the risk scenarios that is articulated in the previous taxonomy by using measures of economic impact is the best way to provide prioritization for board directors. Using a cybersecurity value at risk (VaR) methodology, such as factor analysis of information risk (FAIR), enables the economic representation of cybersecurity risk that is sorely missing in the boardroom and illuminates cybersecurity exposure.15

Too many risk presentation methods use ordinal scale measures, which have inherent limitations and can be detrimental to good management. Such scales typically represent risk as a value from 1 to 5, for example. The actions that the board needs to take are difficult to envision with a descriptor like risk factor 3. Ordinal scores also cannot be added or multiplied meaningfully, so a likelihood of 3 times an impact of 4 does not yield an exposure that can be compared with a budget line or an insurance limit.

15 Op cit Freund, J.; J. Jones


Measuring cybersecurity risk using FAIR requires a fully formed risk scenario that allows for measurement of the following:
• How often threat agents act against an asset
• How much resistance the control environment offers
• How much loss can occur if they are successful

FAIR asks that each variable be estimated three times, to represent a best case (5th percentile), worst case (95th percentile) and a most likely (mode) value. These three estimates are input to a Monte Carlo function that creates a distribution of possible values for each input variable and then combines them to create an overall loss distribution model. This model shows a range of possible losses if a cybersecurity event materializes. An example of such a loss distribution model is shown in figure 2, which represents the money that an enterprise may lose if a particular scenario materializes.

Because there are numerous scenarios at the L4 level, it is not feasible to escalate all of them to the board. Instead, the strategy should be to choose exemplar scenarios to represent each aggregate category. A good way to present these scenarios and metrics to executives is through a dashboard.
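As an added illustration of the FAIR measurement described above (not code from the paper, from ISACA or from the FAIR standard), the following Python script turns three-point estimates for threat event frequency, control resistance and loss magnitude into a Monte Carlo loss distribution and reports the most likely and 95th percentile single-event losses alongside the annualized exposure. The scenario estimates are constructed, the PERT distribution is the assumed way of shaping each three-point estimate, and the decomposition is simplified from full FAIR.

```python
import math
import random

# Constructed calibrated estimates for one hypothetical L4 scenario (not the
# paper's figures), each as (5th percentile, most likely, 95th percentile):
# threat events per year, probability that the controls resist a threat
# event, and loss per successful event in USD.
SCENARIO = {
    "threat_event_frequency": (2.0, 6.0, 12.0),
    "resistance_strength": (0.50, 0.70, 0.90),
    "loss_magnitude": (1e6, 5e6, 40e6),
}

def pert_sample(rng, low, mode, high, lam=4.0):
    """One draw from a PERT (scaled beta) distribution shaped by the three estimates."""
    if high <= low:
        return low
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def poisson_sample(rng, rate):
    """Loss events in one simulated year at the given expected rate (Knuth's method)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def percentile(values, p):
    """Nearest-rank percentile for p in [0, 1] over a non-empty list."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(p * (len(ordered) - 1))))]

def histogram_mode(values, bins=20):
    """Midpoint of the densest bin, i.e. the tallest bar of a figure 2 style histogram."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return lo
    width = (hi - lo) / bins
    counts = [0] * bins
    for v in values:
        counts[min(bins - 1, int((v - lo) / width))] += 1
    return lo + (counts.index(max(counts)) + 0.5) * width

def simulate(scenario, trials=20000, seed=7):
    """Monte Carlo over one scenario; returns single-event and annualized loss summaries."""
    rng = random.Random(seed)
    event_losses, annual_losses = [], []
    for _ in range(trials):
        tef = pert_sample(rng, *scenario["threat_event_frequency"])
        resistance = pert_sample(rng, *scenario["resistance_strength"])
        # Loss event frequency: the threat events the control environment fails to stop.
        year_total = 0.0
        for _ in range(poisson_sample(rng, tef * (1.0 - resistance))):
            loss = pert_sample(rng, *scenario["loss_magnitude"])
            event_losses.append(loss)
            year_total += loss
        annual_losses.append(year_total)
    return {
        "single_event_mode": histogram_mode(event_losses),  # figure 3 style bar value
        "single_event_p95": percentile(event_losses, 0.95),  # worst-case (tail) value
        "annual_mean": sum(annual_losses) / len(annual_losses),
        "annual_p95": percentile(annual_losses, 0.95),
    }
```

The single-event mode is the value a figure 3 style bar would carry, while the 95th percentile and annualized figures are the ones insurance and capital discussions later in the paper draw on.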

FIGURE 2: Monte Carlo Loss Distribution Output from a FAIR Calculation
(Image not reproduced: a histogram of simulated loss amounts, with the tallest bars near the low end of the range and a long, thin tail toward the higher loss values.)

Dashboards and Metrics

Combining risk quantification into a board-friendly presentation requires some abstraction. Fortunately, decomposing risk scenarios allows for easy representation. Figure 3 shows a clear and concise report that can represent enterprise risk to a board.

In figure 3, there are four high-level scenarios—data loss and theft, data reliability, systems reliability and fraud. An aggregate amount of risk is associated with each scenario. For communication and accessibility purposes, a single loss-event value (as opposed to an annualized value) is easier to understand and does not require probabilistic understanding. The most likely value (mode) from the previous loss distribution is a good representative value to use in this graph. However, a value at the 95th percentile might be helpful for communicating a worst-case scenario.

Each of these categories of cybersecurity risk can be decomposed down to the next level, as illustrated in figure 4.


FIGURE 3: High-Level Board Cyber Loss Report
(Image not reproduced: a bar chart of aggregate loss exposure for the four categories Data loss and theft, Data reliability, Systems reliability and Fraud, on a scale up to $500M.)

FIGURE 4: Decomposed Board Cyber Loss Report
(Image not reproduced. The chart decomposes L1 – Data Loss and Theft into L2 – Data Theft from Crit Apps and L3 – Data Theft from Prod 1 Apps, with the L3 scenario described as: "Privileged insiders leverage legitimately granted credentials to steal data from critical applications in <Product 1>." Bars are shown for <Prod 1>, <Prod 2>, <Service 1> and <Service 2>, with values including $2B, $200M, $175M, $125M, $90M and $50M.)

The L1 – Data Loss and Theft risk category is derived from a measurement of the risk in critical enterprise products and services. The L3 scenario shows the highest-rated risk among these key scenarios. The highest-risk scenario across all the products and services becomes the example that is representative of the risk associated with the L1 risk scenario.

Further decomposing the L3 scenario for that product establishes a series of metrics, as illustrated in figure 5.


FIGURE 5: Cybersecurity Risk-Aligned Board Metrics

Metric                                                               Thresholds (G/Y/R)    Value   Trend
KRI: Percent of applications with risk scenarios that exceed limit   10% <= 12% <= 15%     17%     (arrow not reproduced)
KRI: Number of applications with open audit issues                   2% <= 5% <= 8%        1%      (arrow not reproduced)
KPI: Percent of applications that completed annual risk assessment   99% >= 97% >= 95%     97%     (arrow not reproduced)
KCI: Percent of endpoints with updated DLP agent                     99% >= 97% >= 95%     99%     (arrow not reproduced)
KCI: Percent of applications with validated quarterly entitlements   99% >= 97% >= 95%     99%     (arrow not reproduced)

These metrics can help to establish actions that boards and executives can take in response to risk that is unacceptable. For example, in the first metric (applications that exceed limits), the recommendation is a series of control failures or gaps that can be prioritized for remediation. Generating actions for any of these quantitative risk assessments requires thresholds that drive action.

Capacity, Appetite and Limits

The concept of risk appetite can cause much confusion. Using key risk indicator (KRI) metrics to serve as an appetite is a mismatch of data and purpose. For example, using something like record count as a measure of risk has problems in implementation.16 What happens when the record limit is reached? Are those records removed from the environment? Or, is it a lagging measure that can only be taken after a negative event has occurred?

Instead, it is advisable to establish three thresholds that each drive different actions and represent a different level of risk to the enterprise. The three categories are capacity, appetite and limits (figure 6):17

• Capacity—Maximum level of risk at which an enterprise can operate, while remaining within constraints implied by capital and funding needs and its obligations to stakeholders (Enterprises should not operate at this level.)
• Appetite—Level of risk at which the enterprise is willing to operate, but necessitates immediate escalation and action (Also known as tolerance.)
• Limits—Thresholds and triggers

Applying these thresholds determines whether action is necessary for the board and is helpful for making other financial decisions related to cybersecurity.

16 Freund, J.; "Problems With Using Record Count as a Proxy for Risk," @ISACA, vol. 19, 14 September 2020, www.isaca.org/resources/news-and-trends/newsletters/atisaca/2020/volume-19/problems-with-using-record-count-as-a-proxy-for-risk
17 Deloitte, "Risk appetite frameworks: How to spot the genuine article," 2014, www2.deloitte.com/content/dam/Deloitte/au/Documents/risk/deloitte-au-risk-appetite-frameworks-financial-services-0614.pdf


FIGURE 6: Capacity, Appetite and Limits on Board Cyberrisk Report
(Image not reproduced. The chart repeats the decomposition of figure 4, from L1 – Data Loss and Theft through L2 – Data Theft from Crit Apps to L3 – Data Theft from Prod 1 Apps, with the L3 scenario described as: "Privileged insiders leverage legitimately granted credentials to steal data from critical applications in <Product 1>." Three threshold lines are drawn across the bars for <Prod 1>, <Prod 2>, <Service 1> and <Service 2>, labelled Capacity $2B (Undesirable: Needs escalation), Appetite $200M (Acceptable: Monitor) and Limit $50M (Desirable). Bar values shown include $175M, $125M, $90M and $50M.)
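An added Python example (not from the paper or from ISACA) that applies the G/Y/R thresholds of figure 5 and the capacity, appetite and limit thresholds of figure 6 to produce the list of items a board report would flag for action. It assumes that the first two thresholds of a metric bound green and yellow, that crossing the third marks where the metric itself demands escalation, and a hypothetical gross revenue of $8B for the materiality check the Cyberrisk Economics section describes.

```python
# Constructed board-report inputs (not the paper's data). Each metric carries the
# G/Y/R threshold triple of a figure 5 style row and the direction in which the
# value gets worse; exposures and bands use the dollar values shown in figure 6.
METRICS = [
    {"name": "KRI: Percent of applications with risk scenarios that exceed limit",
     "thresholds": (10, 12, 15), "higher_is_bad": True, "value": 17},
    {"name": "KRI: Number of applications with open audit issues",
     "thresholds": (2, 5, 8), "higher_is_bad": True, "value": 1},
    {"name": "KPI: Percent of applications that completed annual risk assessment",
     "thresholds": (99, 97, 95), "higher_is_bad": False, "value": 97},
    {"name": "KCI: Percent of endpoints with updated DLP agent",
     "thresholds": (99, 97, 95), "higher_is_bad": False, "value": 99},
]
BANDS = {"limit": 50e6, "appetite": 200e6, "capacity": 2e9}  # USD, from figure 6
EXPOSURES = {"<Prod 1>": 175e6, "<Prod 2>": 175e6,           # single-loss-event value
             "<Service 1>": 50e6, "<Service 2>": 90e6}        # per product or service
GROSS_REVENUE = 8e9  # hypothetical; the materiality band is 2% to 10% of this

def rate_metric(value, thresholds, higher_is_bad):
    """Return (rating, escalate): G/Y/R against the first two thresholds, and
    whether the value has crossed the third, which is assumed here to be the
    point at which the metric itself demands escalation."""
    green, yellow, red = thresholds
    worse = (lambda v, t: v > t) if higher_is_bad else (lambda v, t: v < t)
    if not worse(value, green):
        rating = "G"
    elif not worse(value, yellow):
        rating = "Y"
    else:
        rating = "R"
    return rating, worse(value, red)

def band_for(exposure, bands):
    """Place a loss exposure on the capacity/appetite/limit ladder of figure 6."""
    if exposure > bands["capacity"]:
        return "Exceeds capacity"
    if exposure > bands["appetite"]:
        return "Undesirable: needs escalation"
    if exposure > bands["limit"]:
        return "Acceptable: monitor"
    return "Desirable"

def materiality(exposure, gross_revenue, low=0.02, high=0.10):
    """Compare a loss with the 2% to 10% of gross revenue range the paper cites."""
    share = exposure / gross_revenue
    if share >= high:
        return "material"
    if share >= low:
        return "possibly material"
    return "not material"

def board_report(metrics, exposures, bands, gross_revenue):
    """Dashboard rows plus the list of items that call for board action."""
    rows, needs_action = [], []
    for m in metrics:
        rating, escalate = rate_metric(m["value"], m["thresholds"], m["higher_is_bad"])
        rows.append({"item": m["name"], "status": rating, "escalate": escalate})
        if escalate:
            needs_action.append(m["name"])
    for name, exposure in exposures.items():
        band = band_for(exposure, bands)
        escalate = band in ("Undesirable: needs escalation", "Exceeds capacity")
        rows.append({"item": name, "status": band, "escalate": escalate,
                     "materiality": materiality(exposure, gross_revenue)})
        if escalate:
            needs_action.append(name)
    return {"rows": rows, "needs_action": needs_action}
```

With the figure's numbers only the first KRI crosses its escalation threshold; all four exposures sit between limit and appetite, so they are reported as monitored rather than escalated.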

Cyberrisk Economics
Several governance activities can be enabled by measuring and reporting cybersecurity risk in financial terms. Each of these has a role in determining the right risk treatment decision. The board's responsibility for protecting the enterprise depends on the directors understanding whether the enterprise is well-capitalized for regular negative events and worst-case events. Doing this properly includes exercises to measure materiality, insurance and capital allocation.

Materiality
It is important for the board directors to understand how financially material a cyberevent will be to an enterprise. Many measures of materiality tend to be fairly subjective in nature; however, some research suggests that using a value between two percent and 10 percent of gross revenue is a reasonable threshold against which to compare cyberloss estimates.18 Based on the assessments previously outlined, a comparison can be made between the amount of expected loss and whether such a loss is financially material to the enterprise. In many cases, such a loss is considered significant and may warrant a material disclosure, regardless of whether it is financially so. Further, such a materiality threshold is likely to have a great influence on decisions to set risk appetite and limit thresholds for comparison.

Cyberinsurance
Boards are also interested in knowing if they have the correct amount of cybersecurity risk insurance coverage in place. For these types of assessments, it is helpful to know how much loss the enterprise may face. Cybersecurity risk quantification exercises are extremely helpful in determining loss potential.

For insurance purposes, a tail value can be far more helpful than a most-likely one. For boards, casting an assessment, like a pseudo-stress test, can be helpful in setting the context. The purpose is not necessarily to insure against all cybersecurity losses, but to limit the extreme values at the tail and their impact on the enterprise balance sheet. Reporting potential risk losses to the board, accounting for insurance reductions, helps board members to understand if they are over-insured, under-insured, or properly managing their risk posture.

Capital Allocation
Certain enterprises have regulatory requirements to ensure that they have money set aside in case there are severely adverse financial impacts to the enterprise. These are called capital reserves and effectively serve as a rainy-day fund. Many of these requirements were established or enhanced after the global financial crisis of 2007 to 2008, and there are formal stress-testing exercises that help financial services enterprises to determine how much capital to set aside. These tests include operational and cybersecurity risk. Even if an enterprise does not have specific capital allocation requirements, it is prudent to consider setting money aside, depending on the enterprise risk culture.

18 Freund, J.; "Engineering Economic Externalities: Methods for determining material cybersecurity fines," Society of Information Risk Analysts, 2020, https://societyinforisk.org/SIRACon-2020#Jackfreund20

Peer Comparisons
Many boards and executives are curious about how their enterprise compares to their peer enterprises, not only in cybersecurity loss potential, but also the maturity of their control measures. Most concerns focus on where the enterprise performs worse than its peers and what is needed to close the gap.

Most enterprises looking for a peer comparison use a third party to provide such measures. This comparison typically includes an assessment of enterprise maturity, measured on a CMMI scale from 0 to 5.19 Although these scales are widely used, they have the aforementioned ordinal scale limitations. Further, many of the quantification efforts that are required for effective board communication are not done at the lower maturity levels of the CMMI model, as specific quantitative elements are prescribed at level 4.

Other peer comparisons can be done using global scales, such as the one being developed by Moody's Investor Services, which has been considering global scales in their credit-scoring methodology for several years.20, 21

Budgeting
The board often has conversations about funding. Boards may ask introspectively if they are spending enough money on cybersecurity. Often, basic comparisons against peers are done. The ratio of security spending compared to overall technology spending, with a target goal, for example, 10 percent, is a typical comparison to peer enterprises.22 It is difficult to make absolute comparisons, because enterprises allocate funding for security expenses in different ways. For example, some enterprises pay for network device security through their IT budget as opposed to their security budget.

In general, these ratio comparisons offer a limited argument when trying to justify additional spending. For example, if the enterprise has a real need for an updated logging and monitoring solution, including software, hardware and staffing, the argument that peers spend three percent more is likely to fail to get additional spending. However, presenting such incremental spending in terms of potential economic cybersecurity losses is helpful in drawing a straight line from loss exposure that has crossed defined thresholds (appetite and limit), to the systems supporting the products and services, and to the compromised technological controls that are causing this excess loss exposure.

It is critical that such straight-line arguments allow for a follow-up to show that loss exposure was reduced. It is important that the loss amount (quantitatively) shows a reduction after the money is allocated, controls are implemented and assessments are updated, in a subsequent board report.

19 ISACA, "CMMI Levels of Capability and Performance," CMMI Institute, https://cmmiinstitute.com/learning/appraisals/levels
20 Williams, R.; "Credit implications of cyberattacks will hinge on long-term business disruptions and reputational impacts," Moody's Investors Service Inc., 28 February 2019, www.moodys.com/research/Moodys-Credit-implications-of-cyberattacks-will-hinge-on-long-term—PBC_1161216
21 Fazzini, K.; "Moody's is going to start building the risk of a business-ending hack into its credit ratings," CNBC, 12 November 2018, www.cnbc.com/2018/11/12/moodys-to-build-business-hacking-risk-into-credit-ratings.html
22 Bernard, J.; D. Golden; M. Nicholson; "Reshaping the cybersecurity landscape," Deloitte Insights, 24 July 2020, www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html

Issues and Findings

Sometimes, enterprises want to escalate missing, failed or broken controls directly to boards. Many enterprises mistakenly designate these issues as risk and place them in their risk register. In most cases, such voluminous lists are not appropriate for inclusion in board reports, which may include a list of top risk concerns. It is important that IT organizations align their top risk concerns reports with risk scenarios and not with missing, failed or broken controls. Identifying cybersecurity as a strategic concern and applying it to patching is a critical activity, but a list of missing patches does not communicate a strategic concern. Instead, those missing patches should be aligned to scenarios that provide a bottom-up view and, when aggregated, support the high-level assessment of organizational risk.

Translating these broken and missing controls into strategic risk management requires a risk practitioner to avoid confusing security terminology. Leveraging the nomenclature in the FAIR methodology provides additional clarity to distinctions between risk, threat and vulnerability that are helpful to boards.23 When asked for top risk concerns, cybersecurity professionals should not provide lists of control vulnerabilities, attack types and other maturity-based gaps. Instead, they should translate those concerns into risk scenarios and tie them to critical functions in the enterprise.

Board Education and Awareness

Another element that is often included in board presentations is general cybersecurity education and security awareness. These can include helping directors understand the particular threat actors, industry profile and risk posture facing the enterprise. However, there is value in selected storytelling to help directors understand issues in the broader security industry. Directors read the news and are aware of major cybersecurity incidents. It is helpful to be conversant in these stories and to be able to offer comparisons to the enterprise. A board director is concerned with relatability, and why an event can or cannot happen in the enterprise. Lastly, some enterprises provide their board members with internal security awareness training, such as including them in phishing tests to prepare them for attempts to compromise systems and access sensitive information.

23 Op. cit. Freund, J.; J. Jones

Conclusion
Communicating cybersecurity risk to the board of directors requires an individual to be conversant in technology and business. This ability starts with understanding the concerns of the board and its role in ensuring the longevity of the enterprise. It is imperative to understand how money flows through the enterprise and how technology systems support that money flow.

Articulating cybersecurity risk to the board requires establishing a taxonomy of cybersecurity scenarios that are aligned to those financial flows. Those scenarios can be broken down into quantitatively valid and accessible financial assessments that the board can leverage to adjust spending and take advantage of risk transfer devices to manage the enterprise and ensure its longevity. Cybersecurity board reporting is increasing, and more technology professionals will be asked to adjust their skill sets to respond.


Acknowledgments
ISACA would like to recognize:

Lead Developer
Jack Freund, Ph.D., CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, VisibleRisk, USA

Expert Reviewers
Mike Hughes, CISA, CRISC, CGEIT, MIoD, Prism RA, United Kingdom
Jack Jones, CISA, CRISC, CISM, CISSP, RiskLens, USA
Linda Kostic, CISA, CISSP, Doctor of IT-Cybersecurity & Information Assurance, PRMIA Complete Course in Risk Management, George Washington University, Citi, USA
Katsumi Sakagawa, CISA, CRISC, Japan
Dirk Steuperaert, CISA, CRISC, CGEIT, IT In Balance, Belgium
Alok Tuteja, CRISC, CGEIT, CIA, CISSP, BRS Ventures, United Arab Emirates
Prometheus Yang, CISA, CRISC, CISM, CFE, Standard Chartered Bank, Hong Kong
Lisa Young, CISA, CISM, CISSP, Axio, USA

Board of Directors
Tracey Dedrick, Chair, Former Chief Risk Officer, Hudson City Bancorp, USA
Rolf von Roessing, Vice-Chair, CISA, CISM, CGEIT, CDPSE, CISSP, FBCI, Partner, FORFA Consulting AG, Switzerland
Gabriela Hernandez-Cardoso, Independent Board Member, Mexico
Pam Nigro, CISA, CRISC, CGEIT, CRMA, Vice President–Information Technology, Security Officer, Home Access Health, USA
Maureen O'Connell, Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA
David Samuelson, Chief Executive Officer, ISACA, USA
Gerrard Schmid, President and Chief Executive Officer, Diebold Nixdorf, USA
Gregory Touhill, CISM, CISSP, President, AppGate Federal Group, USA
Asaf Weisberg, CISA, CRISC, CISM, CGEIT, Chief Executive Officer, introSight Ltd., Israel
Anna Yip, Chief Executive Officer, SmarTone Telecommunications Limited, Hong Kong
Brennan P. Baybeck, CISA, CRISC, CISM, CISSP, ISACA Board Chair, 2019-2020, Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA
Rob Clyde, CISM, ISACA Board Chair, 2018-2019, Independent Director, Titus, and Executive Chair, White Cloud Security, USA
Chris K. Dimitriadis, Ph.D., CISA, CRISC, CISM, ISACA Board Chair, 2015-2017, Group Chief Executive Officer, INTRALOT, Greece


About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Provide Feedback: https://www.isaca.org/reporting-cyberrisk-to-bod
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER
ISACA has designed and created Reporting Cybersecurity Risk to the Board of Directors (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS
© 2020 ISACA. All rights reserved.