Appendix C
Ch 2, Ref 1
The key to understanding the financial risks as well as costs of cyber security is to fully embrace its multidisciplinary nature. Cyber risk is not just a technical problem to be solved by the company's chief technology officer. Nor is it just a "legal problem" to be handed over to the company's chief legal counsel; a "customer relationship problem" to be solved by the company's communications director; a "compliance issue" for the regulatory guru; or a "crisis management" problem. Rather, it is all of these and more.
Calculating the financial impact of cyber risk
The first step in understanding a true risk management approach to network security is to understand how risk management professionals understand net financial risk. Net financial risk can be expressed as in Figure C.1.
To successfully analyze and manage financial risk requires a dialogue, sparked by a series of pointed questions directed at the major stakeholders in all corporate domains: the chief legal counsel, chief technology officer and chief risk officer, plus the heads of corporate communications, investor relations, human resources and customer service. Each of these individuals should be "in the room," and the CFO may be surprised to find that individuals with different positions in the company will give very different, sometimes contrary, responses to the same question. Each stakeholder has a different mission, and thus their advice will reflect their respective priorities. ...