Cyber and information security risk definitions
- 4 July 2019
Since the start of 2019, we've been exploring how we can support financial firms with their day-to-day management of cyber and information security risk. Working with project participants, we have now developed the definitions which will be used throughout this work.
About the definitions
We needed to develop and share a set of definitions and a common language to be used throughout our work on cyber and information security risk (CISR). These definitions will underpin the work we do across the programme, including information sharing and practice standards.
There are many approaches to managing cyber and information security, so a common language is essential. This ensures that the information we collect and share is clear and consistent, and enables meaningful peer comparison.
We developed the definitions in partnership with our community of cyber and information security experts. Twenty-five firms participated in this project and a working group of five firms provided further input. The definitions have been created for use in ORX work on cyber, and are not currently intended to replace external standards or definitions.
We will continue to reference these definitions throughout our work and will review them regularly to capture changes in the industry and ensure they continue to reflect our activities.
Terms and definitions
Cyber and information security risk (CISR)
Cyber and information security risk (CISR) is the risk of loss (financial/non-financial) arising from digital events caused by external or internal actors or third parties, including:
- Theft of information/technology assets
- Damage to information/technology assets
- Compromised integrity of information/technology assets
- External and internal fraud
- Business disruption
The events may impact the confidentiality, integrity and/or availability of data. Implicit in this definition are elements of privacy risk where relevant.
Cyber and information security risk taxonomy
The majority of our community consider cyber and information security to be part of operational risk, treated as a distinct risk type within technology risk.
Taxonomy structure:

Indicator
A metric used to measure the status of something an organisation needs to know to support its day-to-day operations.
Early warning indicator
An early warning indicator is a metric that can provide a signal of a risk event before it occurs.
Key risk indicator
A key risk indicator is a metric that provides insight into the level of risk an organisation is exposed to, as well as providing an early warning of potential loss.
Key control indicator
A key control indicator is a metric that provides information on the effectiveness and performance of an institution’s key controls.
Key control
A key or critical control is fundamental to reducing the level of material risk an institution faces. Typically, it has these characteristics:
- Proven to be effective; often described as particularly relevant for a specific material risk
- Often has a mitigating impact on other, less severe risks
- Failure of a key control could have substantial financial or non-financial impacts for an organisation