Governing the Dark Side of Digitalization: Cyber Risk (DSD-Governance)

Basic data for this project

Type of project: Own resources project
Duration at the University of Münster: 01/04/2025 - 30/06/2028

Description

Digitalisation as a Board-level Responsibility

Digitalisation is a socio-economic process driven by the rapidly advancing potential of digital technologies. Digital technologies change the way we live and the way we do business alike; they are at the heart of doing business today. Digital technologies are so critical to company success and survival that researchers even argue against the traditional separation of business and information technology strategies, demanding an integrated digital business strategy instead and thereby making technology a direct top management concern. Boards are increasingly aware of their responsibility for digital technology, but they still lag in building digital competence at board level. Many organisations still have their technology representatives report to the managerial board rather than offering them a seat on it. Even less common are technology-savvy representatives on boards of directors. This scarcity of digital competence on boards is even more critical for the downside of digitalisation: cyber risk.

Cyber Risk, or the Dark Side of Digitalisation

Exploiting the potential of digital technologies for business is the upside of digitalisation, and organisations are increasingly investing in new technologies and innovation. Unfortunately, digitalisation also has a downside that is even more challenging for boards: dealing with the accelerating risks involved in doing business digitally. Boards are ultimately accountable for the organisation's success. This involves tapping into the business potential of digital technologies. However, digitalising business also increases technological risks, referred to as information risks or cyber risks. Boards have to weigh cyber risk against the potential of digital business and ultimately delimit the risks for the organisation.

Taking responsibility for cyber risk is not only an economic necessity but is also strongly enforced by legislation enacted in response to accelerating cyber risks. Accordingly, cybersecurity is also a compliance concern for board members. According to the Companies Act in the US and the NIS2 Act for the EU, to give two prominent examples, executive teams and board members may even be held personally liable for damages caused by cyber risks that were taken imprudently or managed recklessly.

Board-level Cybersecurity Governance

Boards are in charge of governing cybersecurity, i.e. exercising oversight over cyber risk and the measures taken to mitigate it, yet they are hardly equipped to do so. Research on cybersecurity has so far been mostly technical, giving little practical advice on how to understand and respond to cyber risk at the aggregate level. The few practitioners' guidelines available provide some hands-on general advice but offer little concrete guidance or practical tools that could help boards analyse cyber risks, document them, or address them effectively at company level. Our research aims to engage boards actively in strategic cybersecurity planning. We intend to achieve this by developing tools suited to understanding cyber threats at a corporate level, analysing risk scenarios, evaluating risks, identifying adequate measures and overseeing their implementation. We expect such tools (1) to further boards' understanding of cyber risks and the suitability of measures to counter them, (2) to promote and facilitate discussions between the board, the executive team, the Information Security Officer, and related executives including Data Privacy or Chief Risk Officers, and (3) to help boards document the results of such analyses, discussions, and decisions in order to achieve compliance with cybersecurity legislation.

Keywords: Cyberrisk, Cybersecurity, Information Security, Cyberresilience, Executive Board, Board of Directors
Website of the project: https://rg-sim.uni-muenster.de

Project management at the University of Münster

Teubner, Rolf Alexander
Department of Information Systems (WI)