Статті в журналах з теми "Chief Information Security Officer (CISO)"

Purpose The aim of this study is to advance research on the position of the CISO by investigating the role that CISOs play before and after an IT security breach. There is a dearth of academic research literature on the role of a chief information security officer (CISO) in the management of Information Technology (IT) security. The limited research literature exists despite the increasing number and complexity of IT security breaches that lead to significant erosions in business value. Design/methodology/approach The study makes use of content analysis and agency theory to explore a sample of US firms that experienced IT security breaches between 2009 and 2015 and how these firms reacted to the IT security breaches. Findings The results indicate that following the IT security breaches, a number of the impacted firms adopted a reactive plan that entailed a re-organization of the existing IT security strategy and the hiring of a CISO. Also, there is no consensus on the CISO reporting structure since most of the firms that hired a CISO for the first time had the CISO report either to the Chief Executive Officer or Chief Information Officer. Research limitations/implications The findings will inform researchers, IT educators and industry practitioners on the roles of CISOs as well as advance research on how to mitigate IT security vulnerabilities. Originality/value The need for research that advances an understanding of how to effectively manage the security of IT resources is timely and is driven by the growing frequency and sophistication of the IT security breaches as well as the significant direct and indirect costs incurred by both the affected firms and their stakeholders.

Ohne funktionierende IT steht ein Krankenhaus weitgehend still, das belegen zahlreiche Beispiele von Hackerangriffen. Damit ein solcher Fall nicht eintritt, brauchen Krankenhäuser redundante IT-Systeme, ein fehlerfreies Zusammenspiel der eingesetzten Anwendungssysteme sowie einen wirksamen Schutz gegen Cyberattacken. Und: einen CISO.

Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, between October 2019 and July 2020, as part of a wider exploration into the purpose of CISOs and cyber-security functions. In this paper, we employ broader security scholarship related to ontological security and sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. Research findings reveal that cyber security is an expert system that positions the CISO as an interpreter of something that is mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. We further show how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modern-day soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. Our study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions that we term 'cyber sophistry'. We conclude by outlining a series of implications for both organisations and CISOs.

Expected growth of the job market for cyber security professionals in both the US and the UK remains strong for the foreseeable future. While there are many roles to be found in cyber security, that vary from penetration tester to chief information security officer (CISO). One job of particular interest is security architect. The rise in Zero Trust Architecture (ZTA) implementations, especially in the cloud environment, promises an increase in the demand for these security professionals. A security architect requires a set of knowledge, skills, and abilities covering the responsibility for integrating the various security components to successfully support an organization’s goals. In order to achieve the goal of seamless integrated security, the architect must combine technical skills with business, and interpersonal skills. Many of these same skills are required of the CISO, suggesting that the role of security architect may be a professional stepping-stone to the role of CISO. We expected degreed programs to offer courses in security architecture. Accredited university cyber security programs in the United Kingdom (UK) and the United States of America (USA) were examined for course offerings in security architecture. Results found the majority of programs did not offer a course in security architecture. Considering the role of the universities in preparing C-suite executives, the absence of cyber security architecture offerings is both troubling and surprising.

Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. We argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT) (i.e., Chief Executive Officer [CEO], Chief Financial Officer [CFO], and Chief Information Officer [CIO]). Our results suggest that IT-savvy CEOs see technologies related to mitigating DSBs as a top-three most important type of digital methodology for their firm. Similarly, the results related to CFOs with IT expertise single out the critical investment in controls designed to prevent DSBs. Our strong findings for CIOs on the TMT add to the related guidance from COBIT 5 for information security and consistently suggest that they are the key executive for securing IT systems. Finally, our granular explanation of each executive’s DSB-related responsibility could potentially provide firms the start of a governance-led roadmap for compliance to the Securities and Exchange Commission’s and Justice Department’s cyber regulations.

Previous studies concerning the economic impact of security events on publicly listed companies have focussed on the negative effect of data breaches and cyberattacks with a view to encouraging firms to improve their cyber security posture to avoid such incidents. This paper is an initial study on the impact of investment in human capital related to security, specifically appointments of chief information security officers (CISO), chief security officers (CSO) or similar overall head of security roles. Using event study techniques, a dataset of 37 CISO type appointment announcements spanning multiple world markets between 2012 and 2019 was analysed and statistically significant (at the 5% level) positive cumulative abnormal returns (CAR) of around 0.8% on average were observed over the three-day period before, during and after the announcement. Furthermore, this positive CAR was found to be highest, at nearly 1.8% on average, within the financial services sector and showing statistical significance at the 1% level. In addition to the industry sector, other characteristics were investigated such as job title, reporting structure, comparison of internal versus external appointments, gender and variations between markets. Although these findings were not as conclusive they are, nevertheless, good pointers for future research in this area. This overall positive market reaction to CISO related announcements is a strong case for publicly listed firms to be transparent in such appointments and to, perhaps, review where that function sits within their organisation to ensure it delivers the greatest benefits. As 24% of the firms analysed were listed outside the US, this study also begins to counter the strong US bias seen in similar and related studies. This research is expected to be of interest to business management, cyber security practitioners, investors and shareholders as well as researchers in cyber security or related fields.

A client of a security services firm has received an email from the dark web demanding a ransom or it will start selling data it has stolen from the client. The client as asked for the firm’s assistance in paying the ransom. How should the company proceed? It was late on a Friday afternoon. The ReliaQuest Security Operations Center was busy as usual, but nothing was out of the ordinary. ReliaQuest Chief Technology Officer, Joe Partlow, was in his office working on a new technology innovation when his cell phone rang. It was the Chief Information Security Officer (CISO) for ABC Company, one of ReliaQuest’s clients–a company with millions of customers across the United States. ABC Company’s CISO had a crisis on his hands. He had just gotten word from his public relations staff that a journalist had called asking for a comment about a supposed leak of millions of customer records containing personally identifiable information (PTT) that could potentially be used to steal identities. Apparently, the data was listed “for sale” on the “dark web” portion of the Internet by an anonymous hacker. The CISO wanted ReliaQuest’s help figuring out whether the data had, in fact, been stolen. If so, who stole it, and how? And what could be done now to re-procure the data lost? The journalist had given the company a 24-hour window before he said he would post a story. There was also the question of whether the supposed data leak was legitimate at all. ABC Company’s security team had not been able to verify that any of their systems had been breached, and there seemed to be no way to inspect the supposed stolen data without purchasing it from the anonymous hacker–something the company was not comfortable doing on its own. The situation was urgent. The prospect of alleged customer data floating around the dark web was deeply troubling to the CISO and to Joe, yet he knew that finding the underlying cause of the situation could require members of the ReliaQuest team to use tactics outside the scope of work formally agreed upon by ReliaQuest and ABC Company. Joe also knew that if the breach was real, any tactics to identify and secure the data that ReliaQuest used could be subject to discovery in a criminal case. Moreover, Joe worried that if the breach was real and had somehow happened while under ReliaQuest’s watch, the incident could create a public relations crisis not only for ABC Company, but also for ReliaQuest. Joe was at a high stakes crossroad for making a decision and time was of the essence. ReliaQuest prided itself on team members’ willingness to do whatever it took to make security possible for customers. Nonetheless, Joe needed to decide: How far should ReliaQuest go to verify the breach? How would they find the underlying cause of the breach? How would they recover stolen data? And who should he consult with both within and outside of ReliaQuest to solve the problem while protecting stakeholders?

ABSTRACT We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnover likelihood is higher when they fail to meet IT performance expectations, as reflected by information security breaches. Specifically, we find that breaches caused by system deficiency increase CIO turnover likelihood by 72 percent. However, we find no such association for breaches caused by criminal fraud or human error. We extend our analyses to other executives and document that CEOs are more likely to turn over following breaches caused by both system deficiency and human error, consistent with their broader role within the firm. By contrast, we find no evidence suggesting that CFOs are more likely to turn over following breaches. The findings indicate negative labor market consequences for executives who fail to meet performance expectations within the scope of their duties.

Purpose The purpose of this paper is to contribute to a growing body of research on information systems security, by studying open source alternatives for cloud computing. Several questions have been raised about the reliability of these promising but ambiguous offers, as the adoption of a cloud solution within an enterprise is generally accompanied by a change in the chief information officer (CIOs) role and loss of expertise. Design/methodology/approach The research uses a mixed research methodology: a first step is based on a questionnaire survey to investigate the security aspects of open source and understand the role of CIOs in the migration process. The investigation involved nearly 800 companies operating in the cloud computing sector in 16 European countries between November 2015 and January 2016. Then, this paper completes the research with a qualitative study by examining the activity of two sample companies. Findings Research confirms that open source cloud solutions offer a higher level of security than proprietary solutions. It is also noted that the role of CIOs is delegated to a third external actor: a transition CIO. Transition CIO is the guarantor of the strategic and security choices of small and medium enterprises. Research limitations/implications These findings have important implications and great value to managers and cloud computing providers, in terms of formulating better cloud computing solutions. This study can also assist in increasing their understanding of the new role of CIO in the migration process to cloud computing. Originality/value This study contributes to the body of research on cloud computing. It is first of its kind with its focus on open source alternatives. Another novelty of this research is that it suggests a new conception for the CIOs role in the migration to cloud computing. Finally, the findings of this study would serve as a European market study to different companies interested in cloud computing.

This paper examines the challenges that small, medium, and large businesses in the financial services industry are facing concerning data security and providing relevant tools and strategies to protect the same. A qualitative research-based approach has been used where one-on-one interviews were conducted with 10 CIOs (chief information officers) and CISOs (chief information security officers). This data was compared with secondary data sources to validate the findings. This paper presents an in-depth analysis regarding security technologies and their efficacy to protect data assets and sensitive information. It will also opine about the technologies that each business type can use economically to cover the gamut of cyber-attacks. Existing research is restricted to either addressing small and medium businesses (SMBs) or large businesses. This paper attempts a comprehensive review for all sizes of businesses.

Validity is concerned with establishing evidence for the use of a method to be used with a particular set of population. Thus, when we address the issue of application of security policy models, we are concerned with the implementation of a certain policy, taking into consideration the standards required, through attribution of scores to every item in the research instrument. En today's globalized economic scenarios, the implementation of information security policy, in an information technology environment, is a condition sine qua non for the strategic management process of any organization. Regarding this topic, various studies present evidences that, the responsibility for maintaining a policy rests primarily with the Chief Security Officer. The Chief Security Officer, in doing so, strives to enhance the updating of technologies, in order to meet all-inclusive business continuity planning policies. Therefore, for such policy to be effective, it has to be entirely embraced by the Chief Executive Officer. This study was developed with the purpose of validating specific theoretical models, whose designs were based on literature review, by sampling 10 of the Automobile Industries located in the ABC region of Metropolitan São Paulo City. This sampling was based on the representativeness of such industries, particularly with regards to each one's implementation of information technology in the region. The current study concludes, presenting evidence of the discriminating validity of four key dimensions of the security policy, being such: the Physical Security, the Logical Access Security, the Administrative Security, and the Legal & Environmental Security. On analyzing the Alpha of Crombach structure of these security items, results not only attest that the capacity of those industries to implement security policies is indisputable, but also, the items involved, homogeneously correlate to each other.

Background: Brian Murphy has just wrapped up a decorated twenty-five-year career in the government, which included five years in the Marine Corps, followed by twenty years in the FBI. Brian’s career in the government recently concluded with a stint at the Department of Homeland Security, where he was the Chief Intelligence Officer, Chief Information Sharing Officer, and Chief Counterintelligence Officer for the department. M. Murphy also became the highest-ranking whistleblower in US government history in 2020 when he said he was told to stop discussing the threat of Russian interference in the 2016 Presidential election and to highlight the role of left-wing groups in anti-racism protests. All of these experiences provide him with a unique view about the intersection of national security and international trade issues.

Grace Kennedy Group was the fourth largest Jamaican company listed on the Jamaican Stock Exchange by market capitalization in 2016. The company operated in several market segments focusing mainly on foods and financial services industries. Geographically, GraceKennedy Group had a diversified revenue stream operating across the Caribbean, Central and North America, Europe and Africa. Diversification had led to a diverse set of Information Technology platforms to serve the needs of the various subsidiaries of GraceKennedy Group. With the emergence of new technological trends like big data, social and cloud computing, the Group’s Audit Committee in 2014 conducted a risk profile around the company’s IT governance structure. The Committee recommended a change in the decentralized model of IT governance and the hiring of a Chief Information Officer to inter alia, strategically using IT to create value and to coordinate system security. The Chief Information Officer position was externally advertised; however, after several interviews, the Chief Executive Officer decided to offer the position to Robert Sutherland the then general manager of one of its subsidiaries. Sutherland was a former chairman of the Business Technology (BizTech) Council which was established in 2006 to oversee the delivery of IT services within the group and to provide guidance to the business leadership on enterprise-wide related matters such as the strategic use of IT. The case focuses on the issues faced by a newly promoted Chief Information Officer, in an environment in which the Chief Executive Officer has articulated the need for a new, transformative, strategic and value creating vision for IT.

Abstract The Atomic Weapons Establishment (AWE) was founded in 1952 to make the UK's warheads for the nation's strategic nuclear deterrent. Talking to Tony Mather, Chief Information Officer and Executive Director for Security at AWE, Johanna Hamilton AMBCS discovers more about their work, recruitment and ethics.

Nowadays Cloud Computing and Cloud Sourcing is on the agenda in many organizations. Many Chief Information Officers (CIOs) that urge for alternatives to traditional outsourcing are interested in how they can take advantage from Cloud Computing, by sourcing Information Technology (IT) from the cloud. This paper provides an overview of the research direction of Cloud Sourcing in the IS field. A literature review based on selected papers from top Information Systems (IS) journals and conferences were conducted. Findings from the review indicate that the attention of Cloud Sourcing in IS literature has mainly been directed towards security and risk as well as adoption issues, and that Cloud Sourcing is claimed to be the next generation of outsourcing. Unfortunately, this is where this strong claim ends without any further evidence, which indicate that there is a need for more research on Cloud Sourcing, especially in the direction of investigating relationships and implications when organizations start using Cloud Sourcing.

Information is the most important and powerful term in today’s age. Information is needed in almost all the areas and sectors, and there are many practitioners who manage the information and similar contents. Among them, few important are the Chief Information Officer, Information Manager, Information Analyst domains and specific information managerial areas such as Archivist, Librarian, Documentation Officer and so on. Information Scientist, however, performs a different role and duties and responsibilities for the information management with technological solutions and also technology management depending upon need. Creating information systems with proper planning and management are the important task of an Information Scientist. Though there are many misconceptions about these professionals. This paper talks about such professionals and relationship with the Information Scientist.

Telemedicine has drawn increasing attention as a beneficial healthcare delivery medium, especially in developing countries that struggle with physician and health professional shortages, through providing health services in remote areas. This paper presents the findings of a survey conducted to investigate the national factors influencing the adoption of telemedicine technology in Iran, as a less developed country. Designing a self-administered questionnaire the data were collected from the Chief Information Officers (CIOs) of Iranian healthcare system. The findings indicate that political factors such as Information and Communication Technology (ICT) policies, national data security policies, national e-health policies, national ICT infrastructures and rational decision-making, along with organizational factors such as organizational readiness and implementation effectiveness, are positively associated with telemedicine capability in Iran. However, no evidence was found to support the direct impact of cultural factors on transferring telemedicine technology in the country.

Purpose This paper summarizes the requirements of rule amendments promulgated by the Commodity Futures Trading Commission (CFTC) in 2018 regarding the duties of Chief Compliance Officers (CCOs) of swap dealers, major swap participants, and futures commission merchants (collectively, Registrants) and the requirements for preparing, certifying and furnishing to the CFTC the CCO’s annual report. Design/methodology/approach This paper provides a close analysis of the CFTC’s final rule amendments that make clarifications regarding the CCO’s duties and seek to harmonize with similar rules of the Securities and Exchange Commission (SEC) applicable to security-based swap dealers.It also analyzes rule amendments for the CCO’s report that provide clarifications and simplify certain requirements.In each case, it discusses comments from the public and the CFTC’s responses to those comments. Findings This paper finds that the rule amendments provide a number of helpful clarifications and simplify certain existing requirements for Registrants and their CCOs subject to the rules.While the rules overall achieve greater harmonization with similar rules of the SEC governing CCOs of security-based swap dealers, this paper notes that care will need to be taken by CFTC Registrants who also become registered with the SEC to be cognizant of remaining differences between the CFTC’s and SEC’s rules in order to ensure compliance with the rules of each agency. Originality/value This paper provides valuable information regarding the duties of CCOs of Registrants and CCO annual report requirements from an experienced lawyer focused on commodities, futures, derivatives, energy, corporate, and securities regulatory matters.

Health Information Systems (HIS) are becoming crucial for health providers, not only for keeping Electronic Health Records (EHR) but also because of the features they provide that can be lifesaving, thanks to the advances in Information Technology (IT). These advancements have led to increasing demands for additional features to these systems to improve their intelligence, reliability, and availability. All these features may be provisioned through the use of cloud computing in HIS. This study arrives at three dimensions pertinent to adoption of cloud computing in HIS through extensive interviews with experts, professional expertise and knowledge of one of the authors working in this area, and review of academic and practitioner literature. These dimensions are financial performance and cost; IT operational excellence and DevOps; and security, governance, and compliance. Challenges and drivers in each of these dimensions are detailed and operationalized to arrive at a model for HIS adoption. This proposed model detailed in this study can be employed by executive management of health organizations, especially senior clinical management positions like Chief Technology Officers (CTOs), Chief Information Officers (CIOs), and IT managers to make an informed decision on adoption of cloud computing for HIS. Use of cloud computing to support operational and financial excellence of healthcare organizations has already made some headway in the industry, and its use in HIS would be a natural next step. However, due to the mission′s critical nature and sensitivity of information stored in HIS, the move may need to be evaluated in a holistic fashion that can be aided by the proposed dimensions and the model. The study also identifies some issues and directions for future research for cloud computing adoption in the context of HIS.

Purpose – The main aim of this paper is to investigate the potential of Cloud Computing as a multilayer integrative collaboration space for knowledge acquisition, nurturing and sharing. The paper will pinpoint benefits and challenges of Cloud Computing in satisfying the new techno-sociological requirements of the knowledge society through the provision of information technology (IT) green services. Furthermore, the article calls for the engagement of researchers to generate additional discussion and dialog in this emerging and challenging area. Design/methodology/approach – The paper applies a conceptual analysis to explore the utilization of the Cloud ecosystem as a new platform for knowledge management (KM) technologies characterized by environmental and economic benefits. Findings – This paper reveals the emergence of a new layer in the Cloud stack known as Knowledge Management-as-a-Service. The article discusses how KM has the opportunity to evolve in synergy with Cloud Computing technologies using the modified Metcalfe’s law, while simultaneously pursuing other benefits. This research reveals that if Cloud Computing is successfully deployed, it will contribute to the efficient use of the under-utilized computing resources and enable a low carbon economy. However, challenges such as security, information overload and legal issues must be addressed by researchers before Cloud Computing becomes the de facto KM platform. Originality/value – While the technical, legal and environmental complications of Cloud Computing have received the attention warranted, the KM concepts and implementation facets within the realm of the knowledge society have not yet received adequate consideration. This paper provides enterprise KM architects, planners, chief information officers (CIOs) and chief knowledge officers (CKOs) with a comprehensive review of the critical issues, many of which are often overlooked or treated in a fragmented manner within the Cloud environment.

In Luxembourg, like in many other countries, information security has become a central issue for private companies and public organizations. Today, information is the main asset of a company for its business and, at the same time, regulations are imposing more and more rules regarding its management. As a consequence, in Luxembourg, a clear need has emerged regarding the development of new learning trajectory fulfilling the requirements of the new job profile associated with a Chief Security Officer. This need was relayed by the national professional security association which asked for the development of a new education program targeting professional people engaged in a lifelong learning trajectory. The paper reports on the rigorous and scientific participatory approach for producing the adequate learning program meeting requirements elicited from the professional association members. The authors present the skills card that has been elaborated for capturing these requirements and the program, which has been built together with the University of Luxembourg for matching these requirements. This program proposes a holistic approach to information security management by including organization, human and technical security risks within the context of regulations and norms.

This research aims to provide information to the society related to the information openness and transparency of Blitar Government and Village Government in the implementation of Memorandum of Understanding (MoU) of Village Fund Allocation. Several issues stated in MoU include safety and orderliness, action, investigation, apparatus source, society protection, and connection. Other issues include prevention, supervision, and security of village fund. This research employed qualitative method with descriptive approach. The data were obtained from the document of interactive dialog broadcast named “Hallo Bupati-- aired by Local Public Broadcast Department (LPPM) radio, Persada FM, Blitar, edition of Monday, January 23, 2018. The informant of this interactive dialog program was the Regent of Blitar. Data analysis was performed by transcribing the broadcast document, organizing and analyzing data, and interpreting the findings. The result showed that all the village governments getting Village Fund Allocation in Blitar have madeMemorandum of Understanding (MoU) with the Regent and the Chief Police Officer of the Regency Then, it was followed by supervision and evaluation towards the expenditure of the fund in village level.

Purpose This paper aims to explore the impact of organizational culture on information governance (IG) effectiveness at higher education institutions (HEIs). IT professionals, such as chef information officers, chief technology officers, chief information security officers and IT directors at HEIs were surveyed and interviewed to learn about whether organizational culture influences IG effectiveness. Several IG activities (processes) were identified, including information security, the function of an IG council, the presence of a Record Information Management department, the role of a compliance officer and information stewards and the use of an automated system or software to identify and maintain information life-cycle management. Design/methodology/approach This study was conducted using Cameron and Quinn’s (Cameron and Quinn, 2011) competing value framework. To evaluate organizational culture, using the competing value framework, four types of organizational culture profiles were used: collaboration, creation/innovation, controlling/hierarchy, and competition/result-oriented. The methodology included quantitative and qualitative techniques through the use of content analysis of data collected from participants. IT professionals, such as chef information officers, chief technology officers, chief information security officers and IT directors at HEIs were surveyed and interviewed to learn about whether organizational culture influences IG effectiveness. Findings Findings revealed organizational culture may influence IG effectiveness positively, especially from cultures of competition/result-oriented and control/hierarchy. Qualitatively, it also emerged that competition/result-oriented and control characteristics of organizational culture were perceived by IG professionals to produce more accurate information. One of the characteristics of organizational culture that became evident in the current study, coming from more than one subject, was the challenge in IG due to the presence of information silos. Trust, on the other hand, has been highlighted as the glue which can enable and drive governance processes in an organization. Research limitations/implications The current study was conducted based on HEIs. While the current study serves as a baseline for studying IG in other institutions, its results cannot be generalized for other type of institutions. The results cannot be generalized for other types of not-for-profit or for-profit organizations. Many of the characteristics of the sample data were specific to HEIs. For instance, financial, manufacturing and health-care institutions present challenges inherent in those institutions. Originality/value Trust has been highlighted as the glue which can enable and drive governance processes in an organization. Respondents of current study have indicated that trust serving several different factors toward IG effectiveness, including freedom to speak freely in the meeting about impact of organizational culture on IG, wiliness of executives of administration, particularly the CIO, to communicate IG matters to institution, sharing information and being transparent, entrusting help desk staff and technical supervisors so users can communicate with them and share their concerns and perceiving “feeling of trust” in the organization, which would benefit the institution, allowing stakeholders to collaborate and work together to overcome issues when facing IG challenges.

Not so long ago, information technology (IT) risk occupied a small corner of operational risk - the opportunity loss from a missed IT development deadline. Today, the success of an entire financial institution may lay on managing a broad landscape of IT risks. IT risk is a potential damage to an organization's value, resulting from inadequate managing of processes and technologies. IT risk includes the failure to respond to security and privacy requirements, as well as many other issues such as: human error, internal fraud through software manipulation, external fraud by intruders, obsolesce in applications and machines, reliability issues or mismanagement. The World Economic Forum provides best information about this problem. They rank a breakdown of critical information infrastructure among the most likely core global risks, with 10-20 % likelihood over the next 10 years and potential worldwide impact of $250 billion. Sustained investment in IT - almost $1.2 trillion or 29% of 2006 private-sector capital investment in the U.S. alone fuels growing exposure to IT risk. Greg Hughes, chief strategy officer in Symantec Corp. recently claimed "IT risk management is more than using technology to solve security problems. With proper planning and broad support, it can give an organization the confidence to innovate, using IT to outdistance competitors".

PurposeThe purpose of this paper is to investigate the effects of Big Data analytics, data security and service supply chain innovation capabilities on services supply chain performance.Design/methodology/approachThe paper draws on the relational view of resource-based theory to propose a theoretical model. The data were collected through survey of 145 service firms.FindingsThe results of this study found that the Big Data analytics has a positive and significant relationship with a firm’s ability to manage data security and a positive impact on service supply chain innovation capabilities and service supply chain performance. This study also found that most service firms participating in this study used Big Data analytics to execute existing algorithms faster with larger data sets.Practical implicationsA main recommendation of this study is that service firms empower a chief data officer to establish the data needed and design the governance of data in the company to eliminate any security issues. Data security was a concern if a firm did not have ample data governance and protection as the information was shared among members of service supply chain networks.Originality/valueBig Data analytics are a useful technology tool to forecast market preference based on open source, structured and unstructured data.

This research aims to provide information to the society related to the information openness and transparency of Blitar Government and Village Government in the implementation of Memorandum of Understanding (MoU) of Village Fund Allocation. Several issues stated in MoU include safety and orderliness, action, investigation, apparatus source, society protection, and connection. Other issues include prevention, supervision, and security of village fund. This research employed qualitative method with descriptive approach. The data were obtained from the document of interactive dialog broadcast named “Hallo Bupati” aired by Local Public Broadcast Department (LPPM) radio, Persada FM, Blitar, edition of Monday, January 23, 2018. The informant of this interactive dialog program was the Regent of Blitar. Data analysis was performed by transcribing the broadcast document, organizing and analyzing data, and interpreting the findings. The result showed that all the village governments getting Village Fund Allocation in Blitar have madeMemorandum of Understanding (MoU) with the Regent and the Chief Police Officer of the Regency Then, it was followed by supervision and evaluation towards the expenditure of the fund in village level.

Purpose Risk management is an under-explored topic in information systems (IS) research that involves complex and interrelated activities. Consequently, the authors explore the importance of interrelated activities by examining how the maturity of one type of information technology risk management (ITRM) practice is influenced by the maturity of other types of ITRM practices. The purpose of this paper is to explore these relationships, the authors develop a model based on organizational strategy implementation theory and the COBIT framework. The model identifies four types of ITRM practices, namely, IT governance (ITG); communications; operations; and monitoring. Design/methodology/approach The authors use a survey methodology to collect data on senior information technology (IT) executives' perceptions on ITRM practices. The authors use an exploratory factor analysis (EFA) to identify four dimensions of ITR M practices and conduct a structural equation model to observe the associations. Findings The survey of senior IT executives' perceptions suggests that the maturity of ITRM practices related to ITG, communications and monitoring positively influence the maturity of operations-related ITRM practices. Further, the maturity of communications-related ITRM practices mediates the relationship between ITG and operations-related ITRM practices. The aggregate results demonstrate the inter-relatedness of ITRM practices and highlight the importance of taking a holistic view of ITRM. Research limitations/implications Given the content and complexity of the study, it is difficult to obtain senior executives’ responses in large firms. Therefore, this study did not use a separate sample to conduct the EFA to obtain the underlying four constructs. Also, the ITRM practices identified are perceptions. Even though the authors consider this to be a limitation, it also communicates the pressing areas that senior IT professionals are expected to focus given various external and internal pressures. This study focuses on large firms, hence, small to midsize firms are not well represented. Practical implications Given the demanding regulatory and financial reporting requirements and the complexity of IT, there is an increasing possibility that the accounting profession will require IT professionals to focus on operations-related ITRM practices, such as security, availability and confidentially of data and IS are closely related to internal controls. However, as this study demonstrates, the maturity of operations-related ITRM practices cannot be achieved by focusing solely on operations-related IT risks. Therefore, IT practitioners can use this study to raise awareness of the complex interrelationships among ITRM practices among managers to improve the overall ITRM practices in a firm. Social implications The study also shows the importance of establishing proper communication channels among various business functions with regard to ITRM. Extant IT research identifies the importance of the firm’s communication structure on various firm performance measures. For example, Krotov (2015) mentions the importance of communication in improving trust between the Chief Executive Officer and Chief Financial Officer. Firms with established communication channels have the necessary medium to educate and involve other departments with regard to the security of data. Thus, such firms are more likely to have mature risk management practices because of increased awareness of risks and preventive techniques. Originality/value The study contributes to ITG and risk management literature by identifying the role of monitoring-related ITRM practices on improving other areas of risk management. The study also extends the existing ITRM literature by providing an organizational strategy perspective to ITRM practices and showing how ITRM practices follow organizational strategy implementation. Further, the authors identify four underlying ITRM categories. Consequently, researchers could choose between two factors (Vincent et al., 2017) or four factors based on the level of detail required for the particular study.

In 2009, four of the top ten Fortune 500 companies were classified within the oil and gas industry. Organizations of this size typically have an advanced Enterprise Risk Management system in place to mitigate risk and to achieve their corporations objectives. The companies and the article utilize the Enterprise Risk Management Integrated Framework developed by the Committee of Sponsoring Organizations (COSO) as a guide to organize their risk management and reporting. The authors used the framework to analyze reporting years 2009 and 2010 for Fortune 500 oil and gas companies. After gathering and examining information from 2009 and 2010 annual reports, 10-K filings, and proxy statements, the article examines how the selected companies are implementing requirements identified in the previously mentioned publications.Each section examines the companies Enterprise Risk Management system, risk appetite, and any other notable information regarding risk management. One observation was the existence or non-existence of a Chief Risk Officer or other Senior Level Manager in charge of risk management. Other observations included identified risks, such as changes in economic, regulatory, and political environments in the different countries where the corporations do business. Still others identify risks, such as increases in certain costs that exceed natural inflation, volatility and instability of market conditions. Fortune 500 oil and gas companies included in this analysis are ExxonMobil, Chevron, ConocoPhillips, Baker Hughes, Valero Energy, and Frontier Oil Corporation.An analysis revealed a sophisticated understanding and reporting of many types of risks, including those associated with increasing production capacity. Specific risks identified by companies included start-up timing, operational outages, weather events, regulatory changes, geo-political and cyber security risks, among others. Mitigation efforts included portfolio management and financial strength. There is evidence that companies in later reports (2013) are more comprehensive in their risk management and reports as evidenced by their 10-K and Proxy Statements (Marathon Oil Corporation, 2013).

In 2009, four of the top ten Fortune 500 companies were classified within the oil and gas industry. Organizations of this size typically have an advanced Enterprise Risk Management system in place to mitigate risk and to achieve their corporations’ objectives. The companies and the article utilize the Enterprise Risk Management Integrated Framework developed by the Committee of Sponsoring Organizations (COSO) as a guide to organize their risk management and reporting. The authors used the framework to analyze reporting years 2009 and 2010 for Fortune 500 oil and gas companies. After gathering and examining information from 2009 and 2010 annual reports, 10-K filings, and proxy statements, the article examines how the selected companies are implementing requirements identified in the previously mentioned publications. Each section examines the companies’ Enterprise Risk Management system, risk appetite, and any other notable information regarding risk management. One observation was the existence or non-existence of a Chief Risk Officer or other Senior Level Manager in charge of risk management. Other observations included identified risks, such as changes in economic, regulatory, and political environments in the different countries where the corporations do business. Still others identify risks, such as increases in certain costs that exceed natural inflation, volatility and instability of market conditions. Fortune 500 oil and gas companies included in this analysis are ExxonMobil, Chevron, ConocoPhillips, Baker Hughes, Valero Energy, and Frontier Oil Corporation. An analysis revealed a sophisticated understanding and reporting of many types of risks, including those associated with increasing production capacity. Specific risks identified by companies included start-up timing, operational outages, weather events, regulatory changes, geo-political and cyber security risks, among others. Mitigation efforts included portfolio management and financial strength. There is evidence that companies in later reports (2013) are more comprehensive in their risk management and reports as evidenced by their 10-K and Proxy Statements (Marathon Oil Corporation, 2013).

Chief information security officers (CISOs) have evolved from technical experts to become business leaders in their own right. They are building relationships and developing strong marketing and communication skills to influence others, and their storytelling is also bringing them closer to the board at a time when cyber security needs to be clearly and simply understood. As a result, CISOs are working differently with their teams, inviting them to look at the bigger picture and consider the real-world impact of projects, and acting as stewards, advisers, mentors and coaches.

It was late on a Friday afternoon. The ReliaQuest Security Operations Center was busy as usual, but nothing was out of the ordinary. ReliaQuest Chief Technology Officer, Joe Partlow, was in his office working on a new technology innovation when his cell phone rang. It was the Chief Information Security Officer (CISO) for ABC Company, one of ReliaQuest’s clients–a company with millions of customers across the United States. ABC Company’s CISO had a crisis on his hands. He had just gotten word from his public relations staff that a journalist had called asking for a comment about a supposed leak of millions of customer records containing personally identifiable information (PTT) that could potentially be used to steal identities. Apparently, the data was listed “for sale” on the “dark web” portion of the Internet by an anonymous hacker. The CISO wanted ReliaQuest’s help figuring out whether the data had, in fact, been stolen. If so, who stole it, and how? And what could be done now to re-procure the data lost? The journalist had given the company a 24-hour window before he said he would post a story. There was also the question of whether the supposed data leak was legitimate at all. ABC Company’s security team had not been able to verify that any of their systems had been breached, and there seemed to be no way to inspect the supposed stolen data without purchasing it from the anonymous hacker–something the company was not comfortable doing on its own. The situation was urgent. The prospect of alleged customer data floating around the dark web was deeply troubling to the CISO and to Joe, yet he knew that finding the underlying cause of the situation could require members of the ReliaQuest team to use tactics outside the scope of work formally agreed upon by ReliaQuest and ABC Company. Joe also knew that if the breach was real, any tactics to identify and secure the data that ReliaQuest used could be subject to discovery in a criminal case. Moreover, Joe worried that if the breach was real and had somehow happened while under ReliaQuest’s watch, the incident could create a public relations crisis not only for ABC Company, but also for ReliaQuest. Joe was at a high stakes crossroad for making a decision and time was of the essence. ReliaQuest prided itself on team members’ willingness to do whatever it took to make security possible for customers. Nonetheless, Joe needed to decide: How far should ReliaQuest go to verify the breach? How would they find the underlying cause of the breach? How would they recover stolen data? And who should he consult with both within and outside of ReliaQuest to solve the problem while protecting stakeholders?

The internet is constantly changing the way we live and conduct business. Global business surroundings impose all organizations across to have a secure digital infrastructure for fighting against cybercrime. Cyber crime is on the raise in this decade. Cyber crime is a criminal activity that is focused against compromising security of information systems in enterprises, in order to acquire certain profits, or to incur damage, theft or loss. Types of cyber crime include theft, evasion, or using information in order to unlawfully obtain profits from them. This paper will present certain information about cyber crime and most common types of it. According to international standards for internal audits, internal auditors are authorized for fight against fraud, which means authorization for fight against cyber crime. Main purpose of this paper is to find model for organizing internal audit for purpose of fighting cyber crime. Therefore, it is necessary to determine: internal audit standards that your organization must adhere to in fight against cybercrime, identify security requirements for standards, determine the goals, risks and security policy of the organization, raise employee awareness of the dangers of cybercrime, involve top management in the orbit against cybercrime, conduct employee training on data security and the like. Cyber security is basically about managing future risk, and requires insight into current and future vulnerabilities and how to prevent or reduce them, the likelihood of threats and costs associated with potential outcomes, and how to mitigate them. Internal auditors must be aware of impending regulatory changes based on IIA standards (The International Standards for the Professional Practice of Internal Auditing) related to computer security. Internal auditors should understand the impact of cyber threats on the organization. In particular, they should include this in their internal audit plan based on the risk of cybercrime. Internal auditors should have a strong partnership with the CIO (Chief Information Officer) and CISO (Chief Information Security Officer), for the sake of a trusted advisor in the fight against cybercrime. Internal auditors should provide an independent overview of the cyber security strategy. Modal will be based on COSO (The Committee of Sponsoring Organizations of the Treadway Commission’s) Internal Control — Integrated Framework and will feature five core principles: 1) creating control environment for fighting against cyber crime, 2) risk assessment for cyber crime, 3) projecting and implementing activities for fighting against cyber crime, and 5) monitoring activities. Research results will show new scientific facts and knowledge about methods for fighting cyber crime worldwide. Managers and internal auditors will have practical benefit from research results for implementing cyber crime prevention programs.

Security was not a major concern of the past in Information Technology Organizations. Butpresently, due to the vast growth in fraud and hacking techniques, the security of organizationsis a great concern. Organizations usually spend millions every year just to protect theirenvironment and to maintain security. Yet, no company claims to be a hundred percent secureas fraudulent techniques are more tricky and latest. As the hackers are becoming hard andtricky, the major Information Technology (IT) Organizations are willing to pay a large sum ofmoney for providers offering services of enterprise security schemes. The hackers are alwaysready to intrude into the company's valuable information sources. As per the recent survey by'Security Week', nearly seventy percentages of respondents have faced a security threat whichended up in the loss of valuable information or the collapse of functioning last year. Anemployer of the company can indeed be a major attacker than an outside intruder. An employeeof the company is already having all privileges to use resources of the company while variousother ways are needed for an outer intruder for accessing the same company's network or data.Cisco, the networking giant has a major focus on Enterprise Security Policies. The companyhas seen a valuable improvement in the last few decades, which shows the importance ofsecurity. Cisco had recently released data that showed a lack of security policies in about 23percentages of companies worldwide. More than 70% of Information Technology persons saythat their organizations lack behind in areas of security policy. Large numbers of IT peoplefail to practice security policies as they are not easily understandable. For every organization,policies are the building blocks. They function as road maps which each employee of thecompany uses in various ways. Developing a well-defined policy requires artistic skill. Federalagencies have a Statutory obligation is available for federal agencies for maintaining day-today security policies. The primary Information Security Officer (ISO) is usually pledged forimplementing these policies and the Chief Executive Officer (CEO) of the Company as well.The best security policies consider the vision and mission of companies, the important assetsthat need security, and security threats imposed against certain factors. All these come underrisk management which needs defect identification by business impact policies. The weaknessof a company has to be identified to find the vulnerability ratio of that company. Designing asecurity policy is not a nightmare once the major scope of policy design is identified. Themajor challenge lies in identifying the scope and threat areas for security policy. The policy isnothing but a collection of guidelines and procedures on what and how it can be implemented.In this paper, we are analyzing how Cognizant Technology Solutions (CTS) maintaining itsstandards, policies, technologies, and management policies which are defined for securing dataof an organization.

The Internet of Things (IoT) is turning into the following Internet-related insurgency. It enables billions of gadgets to be associated and speak with one another to share data that enhances the nature of our day by day lives. Then again, Cloud Computing gives on-request, advantageous and adaptable system which makes it conceivable to share computing assets; surely, this empowers dynamic information integration from different information sources. There are numerous issues hindering the effective implementation of both Cloud and IoT affecting the role of a chief information officer (CIO).The integration of Cloud Computing with the IoT is the best path on which to conquer these issues. The immense number of assets accessible on the Cloud can be to a great degree advantageous for the IoT, while the Cloud can acquire exposure to enhance its confinements with true protests in a more powerful and conveyed way. This paper gives an outline of the integration of the Cloud into the IoT by featuring the integration advantages and implementation challenges. Cloud computing has developed enormously throughout the years. Since the term appeared in mid 90s it was produced and being worked upon to make it a conceivable answer for business information stockpiling and availability issues. Expansive undertakings are progressively discovering cloud an affable arrangement even inside their stringent hierarchical approaches.Cloud has been such advanced that there is a surge of executing virtualization among CIOs. This has prompt a larger number of complexities than arrangements. The issues with cloud implementation are for the most part because of the scurry without legitimate investigation of one's circumstances and necessities previously. Following is a concise dialog on the difficulties looked by organizations amid executing cloud computing.This study focuses on the challenges faced by CIOs in a cloud and IOT based organization. This study will analyze the major challenges in cloud and IOT environments like security, privacy, performance, compliance, governance, portability, interoperability, lack of resources, cost management etc. As part of this study a survey was conducted on 400 plus IT and business leaders from various organizations from almost 30 plus countries and their responses are recorded and analyzed as part of this study

We use a novel dataset extracted from the Society of Information Management’s (SIM) survey of chief information officers (CIOs) and top information technology (IT) executives to examine organizations’ most critical IT management issues during 2014-2017 and their effect on firm profitability. According to the SIM surveys, the top two IT issues management prioritizes are security/cybersecurity/privacy and IT alignment with the business. We find that firms that prioritize these two IT management issues exhibit higher profitability than firms that do not. Our study contributes to the Information Systems (IS) and Accounting Information Systems (AIS) literature on IT business value by providing empirical evidence on IT-business alignment – and to some extent, IT security – positively affecting firm financial performance.

In moments of scepticism and hopelessness, the drive to satisfy collective needs pushes humanity to accomplish incredible feats to ensure our survival on earth. Indeed, the current global crisis caused by the novel coronavirus is no exception. We are struggling with the abrupt spread of this illness and continuously striving to find efficient solutions. This has been André Salem Alégo’s primary inspiration since the crisis hit his country in March 2020. He is the chief executive officer of Blockforce, a blockchain-based SocialTech. Having observed the effects of novel coronavirus, André examined various approaches that could help contain the spread of the virus and keep society safe. He came up with the idea for an innovative service called Desviralize, which supports pandemic crisis monitoring through contact-tracing with the use of blockchain technology. This teaching case covers how an emergent technology evolves amid the pandemic. It draws attention to important facts related to the digital era such as data security and privacy in the context of Desviralize and Blockforce’s chief executive officer’s strategies for boosting platform growth within the constraints imposed by data protection regulation, the critical pandemic situation, and the ethical aspects of the application of technology.

The Internet of Things (IoT) is emerging as a primary enabler of the transformation to digital business services in today’s economy. At the same time, 5th Generation (5G) cellular transport technology is emerging as a viable means to support IoT data requirements. Although 5G is still in its infancy, DoD leaders need to understand the impacts that 5G will have on IoT projects as there are several challenges involved with integrating 5G into IoT. In order to achieve the maximum benefits of high bandwidth, low latency and superior performance, an entirely new grid of cell sites and access units must be installed. A second challenge is with malware and intrusion attacks. 5G is an IP-based network technology that will expose 5G connected devices to common IP-based malware and intrusion risks such as denial-of-service (DOS and DDOS) and intrusion attacks. A third challenge is with standardized security and encryption of data from end-devices. The larger challenge with standardization involves interoperability. In order for 5G to work seamlessly across carriers with device agnostic hardware and compatible software, a holistic approach should be considered. Hardware compatibility will determine interoperability between sensors, platforms and gateways. In addition, software compatibility will be governed by 5G standards as well as industry partnerships. 5G standards are currently still being developed. Organizations, including the DoD Chief Information Officer and Government Accountability Office should specifically address implications of 5G cellular technology for IoT-related studies and use cases in the DoD.

Study level/applicability This case is meant for MBA students as a part of their leadership/information technology and system curriculum. It is suitable for classes in both offline and online mode. Subject area Human resources management/information technology and systems. Case overview The case discusses how Poppy Gustafsson (Gustafsson) (she), Cofounder and Chief Executive Officer of Darktrace plc, one of the world’s largest cyber-AI companies, is reinventing enterprise security by using artificial intelligence (AI) to detect and respond to cyberthreats to businesses and protect the public. Darktrace’s technology leverages the principles of the human immune system to autonomously defend organizations from cyberattacks, insider threats and AI warfare. In addition to leading a cutting-edge cybersecurity company, Gustafsson evangelizes gender diversity at Darktrace where 40% of employees and four C-level executives are women, a number nearly unheard of in the tech sector.The case chronicles the journey of Gustafsson and how she led the company to growth and success. Under her leadership, Darktrace has grown into a market leader in the AI cybersecurity space serving 5,600 customers in 100 countries, as of June 2021. Gustafsson not only redefined the cybersecurity space but also inspired women to pursue a career in the field of cybersecurity. She also collaborated with a social enterprise called WISE to encourage more girls to consider STEM careers.However, along the way, she faced several challenges including growing competition, procuring funds from investors, cybersecurity talent shortage and training personnel. Going forward, some of the challenges before Gustafsson would be to meet the changing cyber protection demands of customers; hire, train and retain highly skilled cybersecurity personnel; beat the competition in a saturated cybersecurity services space; sustain revenue growth; and post profits as Darktrace had incurred losses every year since its inception. Expected learning outcomes This case is designed to enable students to: understand the issues and challenges women face in the field of cybersecurity; understand the qualities required for a woman leader to lead a technology firm; study the leadership and management style of Gustafsson; understand the importance of transformational leadership in management; understand the role of Gustafsson in Darktrace’s growth and success; analyze the traits that Gustafsson possesses as a tech leader in an emerging cybersecurity space; understand the importance of gender diversity in cybersecurity; and analyze the challenges faced by Gustafsson going forward and explore ways in which she can overcome them. Subject code CSS: 11 Strategy.

Purpose The authors examine whether reports of internal control weaknesses (ICWs) under federal single audit (FSA) guidelines are a useful tool for evaluating non-profit (NP) management, using a unique nationwide sample of NP charter schools. While prior research focuses on external stakeholder reactions to reported ICWs, little if any research addresses the utility of these reports for internal users. The authors fill this gap in the literature, finding evidence suggesting that NP charter school decision-makers use internal control (IC) reports when setting executive compensation – awarding lower pay increases when deficiencies are reported. Design/methodology/approach The authors regress executive compensation changes on reported ICWs and likely determinants of NP compensation, including organization size, growth, liquidity and management performance, using a sample of 173 school/year observations representing 113 unique schools for the years 2012–2015. Findings The authors find a negative relationship with executive pay increases subsequent to reports of initial and repeated IC deficiencies, indicating that lower than average pay increases are awarded subsequent to reports of ICWs. Research limitations/implications Interpretation of the authors' results is subject to several limitations, including the possibility of omitted variable bias and the authors' sample, though it comprises all available data for the sample period, and is relatively small and may be considered exploratory in nature. Further, charter schools represent a unique public/private partnership in the educational sector, and the results may not be generalizable to other NPs. Future research could explore the relationship between reported IC deficiencies and governance in other, broader NP sectors. Practical implications The authors' findings are useful to NP organization boards of directors as they consider what factors to evaluate in their chief executive officer (CEO) compensation decisions. In addition to other criteria, inclusion of IC effectiveness in the CEO reward system is prudent, especially in today's environment of increasingly important information security and IC matters. The results suggest such information is being included. This previously undocumented use is also of particular value to regulators when weighing the costs and benefits of mandating single audits for smaller NPs, who are otherwise unlikely to obtain information on the organization's IC environment. Social implications These findings may help inform the debate regarding NP charter schools, a fast-growing, economically significant and highly controversial sector in public education. Charters are predominantly funded by state and local taxes. As such, the quality of governance in NP charter schools is of interest to a wide range of stakeholders including parents, regulators and the public at large. Originality/value While prior research on ICWs and NPs focuses on external stakeholder reactions to reported ICWs, little if any research addresses the utility of these reports for internal users, especially in relatively smaller organizations. The research leverages the existence of charter schools, which are independent but present nationwide, providing a suitable sample of like organizations. Further, no extant research to the authors' knowledge examines the relationship of NP executive compensation and reported ICWs – a topic previously addressed in the for-profit (FP) literature.

AbstractCyber Operational Risk: Cyber risk is routinely cited as one of the most important sources of operational risks facing organisations today, in various publications and surveys. Further, in recent years, cyber risk has entered the public conscience through highly publicised events involving affected UK organisations such as TalkTalk, Morrisons and the NHS. Regulators and legislators are increasing their focus on this topic, with General Data Protection Regulation (“GDPR”) a notable example of this. Risk actuaries and other risk management professionals at insurance companies therefore need to have a robust assessment of the potential losses stemming from cyber risk that their organisations may face. They should be able to do this as part of an overall risk management framework and be able to demonstrate this to stakeholders such as regulators and shareholders. Given that cyber risks are still very much new territory for insurers and there is no commonly accepted practice, this paper describes a proposed framework in which to perform such an assessment. As part of this, we leverage two existing frameworks – the Chief Risk Officer (“CRO”) Forum cyber incident taxonomy, and the National Institute of Standards and Technology (“NIST”) framework – to describe the taxonomy of a cyber incident, and the relevant cyber security and risk mitigation items for the incident in question, respectively.Summary of Results: Three detailed scenarios have been investigated by the working party:∙Employee leaks data at a general (non-life) insurer: Internal attack through social engineering, causing large compensation costs and regulatory fines, driving a 1 in 200 loss of £210.5m (c. 2% of annual revenue).∙Cyber extortion at a life insurer: External attack through social engineering, causing large business interruption and reputational damage, driving a 1 in 200 loss of £179.5m (c. 6% of annual revenue).∙Motor insurer telematics device hack: External attack through software vulnerabilities, causing large remediation / device replacement costs, driving a 1 in 200 loss of £70.0m (c. 18% of annual revenue).Limitations: The following sets out key limitations of the work set out in this paper:∙While the presented scenarios are deemed material at this point in time, the threat landscape moves fast and could render specific narratives and calibrations obsolete within a short-time frame.∙There is a lack of historical data to base certain scenarios on and therefore a high level of subjectivity is used to calibrate them.∙No attempt has been made to make an allowance for seasonality of renewals (a cyber event coinciding with peak renewal season could exacerbate cost impacts)∙No consideration has been given to the impact of the event on the share price of the company.∙Correlation with other risk types has not been explicitly considered.Conclusions: Cyber risk is a very real threat and should not be ignored or treated lightly in operational risk frameworks, as it has the potential to threaten the ongoing viability of an organisation. Risk managers and capital actuaries should be aware of the various sources of cyber risk and the potential impacts to ensure that the business is sufficiently prepared for such an event. When it comes to quantifying the impact of cyber risk on the operations of an insurer there are significant challenges. Not least that the threat landscape is ever changing and there is a lack of historical experience to base assumptions off. Given this uncertainty, this paper sets out a framework upon which readers can bring consistency to the way scenarios are developed over time. It provides a common taxonomy to ensure that key aspects of cyber risk are considered and sets out examples of how to implement the framework. It is critical that insurers endeavour to understand cyber risk better and look to refine assumptions over time as new information is received. In addition to ensuring that sufficient capital is being held for key operational risks, the investment in understanding cyber risk now will help to educate senior management and could have benefits through influencing internal cyber security capabilities.

Introduction Ever-enduring advancements in science and technology promise to offer solutions to problems or simply to make life a bit easier. However, not every advancement has only positive effects, but can also have undesired, negative ramifications. This article will take a closer look at Deus Ex: Human Revolution (DXHR), a dystopian video game which promises to put players in the position of deciding whether the science of human enhancement is a way to try to play God, or whether it enables us “to become the Gods we’ve always been striving to be” (Eidos Montreal, “Deus Ex: Human Revolution”). In this article I will argue that DXHR creates a space in which players can virtually witness future technologies for human performance enhancement without the need to alter their own bodies. DXHR is special particularly in two respects: first, the developers have achieved a high credibility and scientific realism of the enhancement technologies depicted in the game which can be described as being “diegetic prototypes” (Kirby, “The Future Is Now ” 43); second, the game directly invites players to reflect upon the impact and morality of human enhancement. It does so through a story in line with the cyberpunk genre, which envisions not only the potential benefits of an emergent technology, but has an even stronger focus on the negative contingencies. The game and its developers foresee a near-future society that is split into two fractions due to human enhancement technologies which come in the form of neuro-implants and mechanical prosthetics; and they foresee a near-future setting in which people are socially and economically forced to undergo enhancement surgery in order to keep up with the augmented competition. DXHR is set in the year 2027 and the player takes control of Adam Jensen, an ex-SWAT police officer who is now the chief of security of Sarif Industries, one of the world's leading biotechnology companies that produce enhancement technologies. Augmented terrorists attack Sarif Industries, abduct the head scientists, and nearly kill Jensen. Jensen merely survives because his boss puts him through enhancement surgery, which replaces many parts of his body with mechanical augmentations. In the course of the game it becomes clear that Jensen has been augmented beyond any life-saving necessity that grants him superhuman abilities and allows him to find and defeat the terrorists, but the augmentations also challenge his humanity. Is Jensen a human, a cyborg, or has he become more machine than man? DXHR grants players the illusion of immersion into a virtual world in which augmentations exist as a matter of fact and in which a certain level of control can be practiced. Players take up the role of a character distinctly more powerful and capable than the person in control, exceeding the limits of human abilities. The superior abilities are a result of scientific and technological advancements implying that every man or woman is able to attain the same abilities by simply acquiring augmentations. Thus, with the help of the playable character, Adam Jensen, the game lets players experience augmentations without any irreparable damages done to their bodies, but the experience will leave a lasting impression on players regarding the science of human enhancement. The experience with augmentations happens through and benefits from the effect of “virtual witnessing”: The technology of virtual witnessing involves the production in a reader’s mind of such an image of an experimental scene as obviates the necessity for either direct witness or replication. Through virtual witnessing the multiplication of witnesses could be, in principle, unlimited. (Shapin and Schaffer 60) In other words, simply by reading about and/or seeing scientific advancements, audiences can witness them without having to be present at the site of creation. The video game, hereby, is itself the medium of virtual witnessing whereby audiences can experience scientific advancements. Nevertheless, the video game is not just about reading or seeing potential future enhancement technologies, but permits players to virtually test-drive augmentations—to actually try out three-dimensionally rendered prototypes on a virtual body. In order to justify this thesis, a couple of things need to be clarified that explain in which ways the virtual witnessing of fictional enhancements in DXHR is a valid claim. Getting into the Game First I want to briefly describe how I investigated the stated issue. I have undertaken an auto-ethnography (Ellis, Adams, and Bochner) of DXHR, which concretely means that I have analytically played DXHR in an explorative fashion (Aarseth) trying to discover as many elements on human enhancement that the game has to offer. This method requires not only close observation of the virtual environment and documentation through field notes and screenshots, but also self-reflection of the actions that I chose to take and that were offered to me in the course of the game. An essential part of analytically playing a game is to be aware that the material requires “the activity of an actual player in order to be accessible for scrutiny” (Iversen), and that the player’s input fundamentally shapes the gaming experience (Juul 42). The meaning of the game is contingent upon the contribution of the player, especially in times in which digital games grant players more and more freedom in terms of narrative construction. In contrast to traditional narrative, the game poses an active challenge to the player which entails the need to become better in relation to the game’s mechanics and hence “studying games … implies interacting with the game rules and exploring the possibilities created by these rules, in addition to studying the graphical codes or the narration that unfolds” (Malliet). It is important to highlight that, although the visual representation of human enhancement technologies has an enormous potential impact on the player’s experience, it is not the only crucial element. Next to the representational shell, the core of the game, i.e. “how game rules and interactions with game objects and other players are structured” (Mäyrä 165), shapes the virtual witnessing of the augmentations in just an important way. Finally, the empirical material that was collected was analyzed and interpreted with the help of close-reading (Bizzocchi and Tanenbaum 395). In addition to the game itself, I have enriched my empirical material with interviews of developers of the game that are partly freely available on the Internet, and with the promotional material such as the trailers and a website (Eidos Montreal, “Sarif Industries”) that was released prior to the game. Sociotechnical Imaginaries In this case study of DXHR I have not only investigated how augmented bodies and enhancement technologies are represented in this specific video game, but also attempted to uncover which “sociotechnical imaginaries” (Jasanoff and Kim) underlie the game and support the virtual witnessing experience. Sociotechnical imaginaries are defined as “collectively imagined forms of social life and social order reflected in the design and fulfillment of nation-specific scientific and/or technological projects” (Jasanoff and Kim 120). The concept appeared to be suitable for this study as it covers and includes “promises, visions and expectations of future possibilities” (Jasanoff and Kim 122) of a technology as well as “implicit understandings of what is good or desirable in the social world writ large” (Jasanoff and Kim 122–23). The game draws upon several imaginaries of human enhancement. For example, the most basic imaginary in the game is that advanced engineered prosthetics and implants will be able to not only remedy dysfunctional parts of the human body, but will be able to upgrade these. Apart from this idea, the two prevailing sociotechnical imaginaries that forward the narrative can be subsumed as the transhumanist and the purist imaginary. The latter views human enhancement, with the help of science and technology, as unnatural and as a threat to humanity particularly through the power that it grants to individuals, while the former transports the opposing view. Transhumanism is: the intellectual and cultural movement that affirms the possibility and desirability of fundamentally improving the human condition through applied reason, especially by developing and making widely available technologies to eliminate aging and to greatly enhance human intellectual, physical, and psychological capacities. (Chrislenko et al.) The transhumanist imaginary in the game views technological development of the body as another step in the human evolution, not as something abhorrent to nature, but a fundamental human quality. Similar ideas can be found in the writings of Sigmund Freud and Arnold Gehlen, who both view the human being’s need to improve as part of its culture. Gehlen described the human as a “Mängelwesen”—a ‘deficient’ creature—who is, in contrast to other species, not specialized to a specific environment, but has the ability to adapt to nearly every situation because of this deficiency (Menne, Trutwin, and Türk). Freud even denoted the human as a “Prothesengott”—a god of prostheses: By means of all his tools, man makes his own organs more perfect—both the motor and the sensory—or else removes the obstacles in the way of their activity. Machinery places gigantic power at his disposal which, like his muscles, he can employ in any direction; ships and aircraft have the effect that neither air nor water can prevent his traversing them. With spectacles he corrects the defects of the lens in his own eyes; with telescopes he looks at far distances; with the microscope he overcomes the limitations in visibility due to the structure of his retina. (Freud 15) Returning to DXHR, how do the sociotechnical imaginaries matter for the player? Primarily, the imaginaries cannot be avoided as they pervade nearly every element in the game, from the main story that hinges upon human enhancement over the many optional side missions, to contextual elements such as a conference on “the next steps in human evolution” (Eidos Montreal, “Deus Ex: Human Revolution”). Most importantly, it impacts the player’s view in a crucial way. Human enhancement technologies are presented as controversial, neither exclusively good nor bad, which require reflection and perhaps even legal regulation. In this way, DXHR can be seen as offering the player a restricted building set of sociotechnical imaginaries of human enhancement, whereby the protagonist, Adam Jensen, becomes the player’s vessel to construct one’s own individual imaginary. In the end the player is forced to choose one of four outcomes to complete the game, and this choice can be quite difficult to make. Anticipation of the Future It is not unusual for video games to feature futuristic technologies that do not exist in the real world, but what makes DXHR distinct from others is that the developers have included an extent of information that goes beyond any game playing necessity (see Figures 1 & 2). Moreover, the information is not fictional but the developers have taken strategic steps to make it credible. Mary DeMarle, the narrative designer, explained at the San Diego Comic-Con in 2011, that a timeline of augmentation was created during the production phase in which the present state of technology was extrapolated into the future. In small incremental steps the developers have anticipated which enhancement technologies might be potentially feasible by the year 2027. Their efforts were supported by the science consultant, Will Rosellini, who voluntarily approached the development team to help. Being a neuroscientist, he could not have been a more fitting candidate for the job as he is actively working and researching in the biotechnology sector. He has co-founded two companies, MicroTransponder Inc., which produces tiny implantable wireless devices to interface with the nervous system to remedy diseases (see Rosellini’s presentation at the 2011 Comic-Con) and Rosellini Scientific, which funds, researches and develops advanced technological healthcare solutions (Rosellini; Rosellini Scientific). Due to the timeline which has been embedded explicitly and implicitly, no augmentation appears as a disembodied technology without history in the game. For example, although the protagonist wears top-notch military arm prostheses that appear very human-like, this prosthesis is depicted as one of the latest iterations and many non-playable characters possess arm prostheses that appear a lot older, cruder and more industrial than those of Jensen. Furthermore, an extensive description employing scientific jargon for each of the augmentations can be read on the augmentation overview screen, which includes details about the material composition and bodily locations of the augmentations. Figure 1: More Info Section of the Cybernetic Arm Prosthesis as it appears in-game (all screenshots taken with permission from Deus Ex: Human Revolution (2011), courtesy of Eidos Montreal) More details are provided through eBooks, which are presented in the form of scientific articles or conference proceedings, for which the explorative gamer is also rewarded with valuable experience points upon finding which are used to activate and upgrade augmentations. The eBooks also reflect the timeline as each eBook is equipped with a year of publication between 2001 and 2022. Despite the fact that these articles have been supposedly written by a fictional character, the information is authentic and taken from actual scientific research papers, whereby some of these articles even include a proper scientific citation. Figure 2: Example of a Darrow eBook The fact that a scientist was involved in the production of the game allows classifying the augmentations as “diegetic prototypes” which are “cinematic depictions of future technologies … that demonstrate to large public audiences a technology’s need, benevolence and viability” (“The Future Is Now” 43). Diegetic prototypes are fictional, on-screen depictions of technologies that do not exist in that form in real life and have been created with the help of a science consultant. They have been placed in movies to allay anxieties and doubts and perhaps to even provoke a longing in audiences to see depicted technologies become reality (Kirby, “The Future Is Now” 43). Of course the aesthetic appearance of the prototypes has an impact on audiences’s desire, and particularly the artificial arms of Jensen that have been designed in an alluring fashion as can be seen in the following figure: Figure 3: Adam Jensen and arm prosthesis An important fact about diegetic prototypes—and about prototypes (see Suchman, Trigg, and Blomberg) in general—is that they are put to specific use and are embedded and presented in an identifiable social context. Technological objects in cinema are at once both completely artificial—all aspects of their depiction are controlled—and normalized as practical objects. Characters treat these technologies as a ‘natural’ part of their landscape and interact with these prototypes as if they are everyday parts of their world. … fictional characters are ‘socializing’ technological artifacts by creating meanings for the audience, ‘which is tantamount to making the artifacts socially relevant’. (Kirby, “Lab Coats” 196) The power of DXHR is that the diegetic prototypes—the augmentations—are not only based on real world scientific developments and contextualized in a virtual social space, but that the player has the opportunity to handle the augmentations. Virtual Testing Virtual witnessing of the not-yet-existent augmentations is supported by scientific descriptions, articles, and the appearance of the technologies in DXHR, but the moral and ethical engagement is established by the player’s ability to actively use the augmentations and by the provision of choice how to use them. As mentioned, most of the augmentations are inactive and must first be activated by accumulating and spending experience points on them. This requires the player to make reflections on the potential usage and how a particular augmentation will lead to the successful completion of a mission. This means that the player has to constantly decide how s/he wants to play the game. Do I want to be able to hack terminals and computers or do I rather prefer getting mission-critical information by confronting people in conversation? Do I want to search for routes where I can avoid enemy detection or do I rather prefer taking the direct route through the enemy lines with heavy guns in hands? This recurring reflection of which augmentation to choose and their continuous usage throughout the game causes the selected augmentations to become valuable and precious to the player because they transform from augmentations into frequently used tools that facilitate challenge and reduce difficulty of certain situations. In addition, the developers have ensured that no matter which approach is taken, it will always lead to success. This way the role-playing elements of the game are accentuated and each player will construct their own version of Jensen. However, it may be argued that DXHR goes beyond mere character building. There is a breadth of information and opinions on human enhancement offered, but also choices that are made invite players to reflect upon the topic of human enhancement. Among the most conspicuous instances in the game, that involve the player’s choice, are the conversations with other non-playable characters. These are events in the game which require the player to choose one out of three responses for Jensen, and hence, these determine to some extent Jensen’s attitude towards human enhancement. Thus, in the course of the game players might discover their own conviction and might compose their own imaginary of human enhancement. Conclusion This article has explored that DXHR enables players to experience augmentations without being modified themselves. The game is filled with various sociotechnical imaginaries of prosthetic and neurological human enhancement technologies. The relevance of these imaginaries is increased by a high degree of credibility as a science consultant has ensured that the fictional augmentations are founded upon real world scientific advancements. The main story, and much of the virtual world, hinge upon the existence and controversy of these sorts of technologies. Finally, the medium ‘videogame’ allows taking control of an individual, who is heavily augmented with diegetic prototypes of future enhancement technologies, and it also allows using and testing the increased abilities in various situations and challenges. All these elements combined enable players to virtually witness not-yet-existent, future augmentations safely in the present without the need to undertake any alterations of their own bodies. This, in addition to the fact that the technologies are depicted in an appealing fashion, may create a desire in players to see these augmentations become reality. Nevertheless, DXHR sparks an important incentive to critically think about the future of human enhancement technologies.References Aarseth, Espen. “Playing Research: Methodological Approaches to Game Analysis.” DAC Conference, Melbourne, 2003. 14 Apr. 2013 ‹http://hypertext.rmit.edu.au/dac/papers/Aarseth.pdf›. Bizzocchi, J., and J. Tanenbaum. “Mass Effect 2: A Case Study in the Design of Game Narrative.” Bulletin of Science, Technology & Society 32.5 (2012): 393-404. Chrislenko, Alexander, et al. “Transhumanist FAQ.” humanity+. 2001. 18 July 2013 ‹http://humanityplus.org/philosophy/transhumanist-faq/#top›. Eidos Montreal. “Deus Ex: Human Revolution.” Square Enix. 2011. PC. ———. “Welcome to Sarif Industries: Envisioning a New Future.” 2011. 14 Apr. 2013 ‹http://www.sarifindustries.com›. Ellis, Carolyn, Tony E. Adams, and Arthur P. Bochner. “Autoethnography: An Overview.” Forum Qualitative Sozialforschung 12.1 (2010): n. pag. 9 July 2013 ‹http://www.qualitative-research.net/index.php/fqs/article/view/1589/3095›. Freud, Sigmund. Civilization and Its Discontents. Aylesbury, England: Chrysoma Associates Limited, 1929. Iversen, Sara Mosberg. “In the Double Grip of the Game: Challenge and Fallout 3.” Game Studies 12.2 (2012): n. pag. 5 Feb. 2013 ‹http://gamestudies.org/1202/articles/in_the_double_grip_of_the_game›. Jasanoff, Sheila, and Sang-Hyun Kim. “Containing the Atom: Sociotechnical Imaginaries and Nuclear Power in the United States and South Korea.” Minerva 47.2 (2009): 119–146. Juul, Jesper. “A Clash between Game and Narrative.” MA thesis. U of Copenhagen, 1999. 29 May 2013 ‹http://www.jesperjuul.net/thesis/›. Kirby, David A. Lab Coats in Hollywood. Cambridge, Massachusetts: MIT Press, 2011. ———. “The Future Is Now : Diegetic Prototypes and the Role of Popular Films in Generating Real-World Technological Development.” Social Studies of Science 40.1 (2010): 41-70. Malliet, Steven. “Adapting the Principles of Ludology to the Method of Video Game Content Analysis Content.” Game Studies 7.1 (2007): n. pag. 28 May 2013 ‹http://gamestudies.org/0701/articles/malliet›. Mäyrä, F. An Introduction to Game Studies. London: Sage, 2008. Menne, Erwin, Werner Trutwin, and Hans J. Türk. Philosophisches Kolleg Band 4 Anthropologie. Düsseldorf: Patmos, 1986. Rosellini, Will, and Mary DeMarle. “Deus Ex: Human Revolution.” Comic Con. San Diego, 2011. Panel. Rosellini Scientific. “Prevent. Restore. Enhance.” 2013. 25 May 2013 ‹http://www.roselliniscientific.com›. Shapin, Steven, and Simon Schaffer. Leviathan and the Air Pump: Hobbes, Boyle and the Experimental Life. Princeton: Princeton University Press, 1985. Suchman, Lucy, Randall Trigg, and Jeanette Blomberg. “Working Artefacts: Ethnomethods of the Prototype.” The British Journal of Sociology 53.2 (2002): 163-79. Image Credits All screenshots taken with permission from Deus Ex: Human Revolution (2011), courtesy of Eidos Montreal.