Cyber and information security risk definitions
- 4 July 2019
Since the start of 2019, we've been running a programme to see how we can support firms with their day-to-day management of cyber and information security risk (CISR). Working with project participants, we have now developed the definitions which will be used throughout the programme.
About the definitions
We needed to develop and share a set of definitions and a common language to be used throughout the ORX cyber and information security risk (CISR) programme. These definitions will underpin the work we do across the programme, including information sharing and practice standards. There are many approaches to managing cyber and information security, so a common language is essential. This ensures that the information we collect and share is clear and consistent, and enables meaningful peer comparison.
We developed the definitions in partnership with our community of cyber and information security experts. Twenty five firms participated in this part of the programme, and a working group of five firms provided further input. The definitions have been created for use in the programme, and are not currently intended to replace external standards or definitions.
We will continue to reference these definitions throughout the project. We will also review the definitions during the project to capture changes in the industry and ensure they continue to reflect the programme's activities.
Terms and definitions
Cyber and information security risk (CISR)
Cyber and information security risk (CISR) is the risk of loss (financial/non-financial) arising from digital events caused by external or internal actors or third parties, including:
- Theft of information/technology assets
- Damage to information/technology assets
- Compromised integrity of information/technology assets
- External and internal fraud
- Business disruption
The events may impact the confidentiality, integrity and/or availability of data. Implicit in this definition are elements of privacy risk where relevant.
Cyber and information security risk taxonomy
The majority of our community consider cyber and information security to be part of operational risk, treated as a distinct risk type within technology risk.
A metric used to measure the status of something an organisation needs to know to support its day-to-day operations.
Early warning indicator
An early warning indicator is a metric that can provide a signal of a risk event before it occurs.
Key risk indicator
A key risk indicator is a metric that provides insight into the level of risk an organisation is exposed to, as well as providing an early warning of potential loss.
Key control indicator
A key control indicator is a metric that provides information on the effectiveness and performance of an institution’s key controls.
A key or critical control is fundamental to reducing the level of material risk an institution faces. Typically, it has these characteristics:
- Proven to be effective; often described as particularly relevant for a specific material risk
- Often has a mitigating impact on other, less severe risks
- Failure of a key control could have substantial financial or non-financial impacts for an organisation
About the cyber and information security risk programme
Financial firms are increasingly focusing on managing risk in addition to measuring its impact. To support them, we are expanding our activities and developing a blend of services that will better meet the changing needs of the operational risk industry. As part of this, we are exploring what support we can provide in the management of the most material risk types identified in the Operational Risk Horizon 2019 study. We have started with cyber and information security risk (CISR), which was identified as one of the most concerning material risks.
The CISR programme combines our established research services and information sharing capabilities with the input of our community of experts. We are focusing on three key areas:
- Information sharing – Helping firms understand their cyber and information security risk exposure, including data sharing, allowing for peer comparison and benchmarking.
- Governance and management practice standards – Helping firms improve their management of cyber and information security risks. This may include the future development of risk management standards and benchmarking.
- Collaboration – Building a community of second line CISR specialists.