Cybersecurity risk management gives businesses a structured approach to security that lets them move beyond "checklist-oriented" best-practice management. By following existing risk management methods and frameworks, organizations can focus their efforts on business-critical assets. However, running such a program, which comprises several distinct activities (e.g., identifying, mitigating, detecting, and responding to risks), is not a trivial task. One reason the management of cyber risks is hard is that there is no single one-size-fits-all methodology.
The goal of this thesis is to provide a thorough review of existing methodologies, frameworks, and standards [2, 3, 4] and to propose a selection framework. As a possible direction, an automated questionnaire could be designed that proposes suitable approaches based on business metrics (e.g., sector, number of employees, or revenue).
[1] Evan Wheeler: "Security Risk Management: Building an Information Security Risk Management Program from the Ground Up", Elsevier, 2011
[2] PwC: "Management of cyber risks: compliance with FINMA's requirements for banks", https://www.pwc.ch/en/publications/2016/management_of_cyber_risks_finma_en_web.pdf
[3] ISO: "ISO/IEC 27001 Information Security Management", https://www.iso.org/isoiec-27001-information-security.html
[4] NIST: "NIST Risk Management Framework", https://csrc.nist.gov/projects/risk-management/sp800-53-controls
Supervisors: Jan von der Assen