A Selection Framework for Cyber Risk Management

State: completed by Maximilian Huwyler
Published: 2022-05-23

Cybersecurity risk management gives businesses a structured approach to security that lets them move beyond "checklist-oriented" best-practice management. By following existing risk management methods and frameworks, organizations can focus their efforts on business-critical assets. However, running such a risk management program, which comprises various activities (e.g., identifying, mitigating, detecting, and responding to risks), is not a trivial task. One reason the management of cyber risks is hard is that there is no single one-size-fits-all methodology [1].

The goal of this thesis is to provide a thorough review of existing methodologies, frameworks, and standards [2, 3, 4] and to propose a selection framework. One potential direction is an automated questionnaire that proposes suitable solutions based on business metrics (e.g., sector, number of employees, or revenue).

[1] Evan Wheeler: "Security Risk Management: Building an Information Security Risk Management Program from the Ground Up", Elsevier, 2011.

[2] PwC: "Management of cyber risks: compliance with FINMA's requirements for banks", https://www.pwc.ch/en/publications/2016/management_of_cyber_risks_finma_en_web.pdf.

[3] ISO: "ISO/IEC 27001 Information Security Management", https://www.iso.org/isoiec-27001-information-security.html.

[4] NIST: "NIST Risk Management Framework", https://csrc.nist.gov/projects/risk-management/sp800-53-controls.

Workload: 30% Literature Review, 20% Design, 30% Implementation, 20% Documentation
Prerequisites: Interest in Cybersecurity and/or Risk Management

Supervisors: Jan von der Assen