Information security risks (ISR) and cyber risks have probably been the greatest concerns for operational risk in recent years. The community of operational risk practitioners, through the yearly risk.net survey, designated cyber risk as the number one risk for three years in a row (2015–2017). In 2018, cyber risk was separated into IT disruption (voted number one), data compromise (voted number two) and fraud and theft (voted number four).
Today's information and data are yesterday's gold bullion. Value has changed, and so have the means of transfer and the associated opportunities for crime. Unlike gold or other physical assets, which can be spent only once, information can be used and traded multiple times, even while its use remains invisible to some parties, including its owner. And when that use does become visible, the damage to reputation can be significant, and sometimes fatal.
Contrary to what some people claim, cybersecurity is not all about behavior and people risk. However, cyber risk cannot be minimized through technical solutions alone; cyber criminals will always find ways to profit from the mistakes and carelessness that are part of human behavior. Moreover, information can be lost, disclosed or corrupted by many other means apart from cybercrime.
This chapter explores different types of information security risk and some of the key controls that resulted from a thematic review of information security risks I conducted in a European ...