Cyber Risk. The New Enemy for Risk Management in the Age of Globalisation


The present paper is a theoretical study on the topic of cyber risk and cyber risk management. This research represents the first step of a far deeper analysis on this topic that aims at underlining the main characteristics of cyber risk, delineating future developments in managing it and strengthening the importance of sharing information and creating a shared knowledge between countries.

Good situational awareness and cyber risk analytics are vital in helping firms identify weaknesses, rank threat scenarios, identify countermeasures and set priorities for intelligence gathering. There emerges the need to improve the traditional risk management process, by considering the necessity to manage not only risks, but also uncertainties, by implementing Business Continuity Management systems with the aim to build business resilience.

To do that, one possible solution might be represented by the intervention of governments with laws and frameworks that might help companies fight cyber threats.

Keywords: Cyber Risk Management, Cyber Risk, Business Continuity Management, Theoretical Paper, Globalisation, Resilience

  1. Abbott A. (2004), Methods of Discovery: Heuristics for the Social Sciences. New York, W. W. Norton.
  2. ACFE (2011), Fundamentals of Computer and Internet Fraud, [Last accessed: May, 2017].
  3. Alvesson M., Kärreman D. (2007), Constructing mystery: empirical matters in theory development, Academy of Management Review, 32, pp. 1265–81. Doi:10.5465/AMR.2007.26586822.
  4. Alvesson M., Kärreman D. (2011), Qualitative Research and Theory Development. Mystery as Method, London, Sage. Doi:org/10.4135/9781446287859.
  5. Alvesson M., Sandberg J. (2011), Generating research questions through problematization, Academy of Management Review, 36, pp. 247–71. Doi:10.5465/amr.2009.0188.
  6. Alvesson M., Sandberg J. (2013), Constructing Research Questions: Doing Interesting Research, London, Sage. Doi:org/10.4135/9781446270035.
  7. Amaduzzi A. (1961), La pianificazione nell’economia dell’azienda industriale, Torino, Giappichelli.
  8. Bernoulli D. (1954), Exposition of a new theory on the measurement of risk, Econometrica, 22(1), pp. 23-36. Doi:org/10.2307/1909829.
  9. Bertini U. (1987). Introduzione allo studio dei rischi nell’economia aziendale, Milano, Giuffrè.
  10. Beyer H., Sendhoff B. (2007), Robust optimization – a comprehensive survey, Computer Methods in Applied Mechanics and Engineering, 196 (33–34), pp. 3190–3218. Doi:10.1016/j.cma.2007.03.003.
  11. Biener C., Eling M., Wirfs J.H. (2015), Insurability of Cyber Risk: An Empirical Analysis, Working Paper of Finance, University of St. Gallen, no. 2015/3.
  12. Boin A. (2010), Designing Resilience: Leadership Challenges in Complex Administrative Systems, in Comfort L. K., Boin A. and Demchak C. eds, Designing Resilience: Preparing for Extreme Events, 129–141, Pittsburgh, PA, Pittsburgh University Press.
  13. Boin A., Hart P., Stern E., Sundelius B. (2005), The Politics of Crisis Management: Public Leadership Under Pressure, Cambridge, Cambridge University Press.
  14. Boin A., van Eeten J.G. (2013), The resilient organisation, Public Management Review, 15(3), pp. 429-445. Doi:org/10.1080/14719037.2013.769856.
  15. Brusa L. (2012), Sistemi manageriali di programmazione e controllo, Milano, Giuffrè.
  16. Capaldo P. (1965), La programmazione aziendale, Milano, Giuffrè.
  17. Chapman C.B., Cooper D.F. (1983), Risk engineering: Basic controlled interval and memory models, Journal of the Operational Research Society, 34(1), pp. 51-60. Doi:org/10.1057/jors.1983.7.
  18. Chessa F. (1929), La teoria economica del rischio e dell’assicurazione, Vol. I, Padova, Cedam.
  19. CIS Sapienza, CINI (2015), Italian Cyber Security Report. Un report nazionale per la cyber security, [Last accessed: February, 2017].
  20. Comfort L.K., Boin R.A., Demchak C., eds (2010), Designing Resilience: Preparing for Extreme Events, Pittsburgh, PA, Pittsburgh University Press.
  21. Committee of Sponsoring Organizations of the Treadway Commission (COSO), (2004). Enterprise Risk Management – Integrated Framework, Vol. 2. [Last accessed June 18, 2016].
  22. Corsani G. (1941), La gestione delle imprese mercantili e industriali, Padova, Cedam.
  23. Davis M. S. (1971), That’s interesting! Towards a phenomenology of sociology and a sociology of phenomenology, Philosophy of Social Sciences, 1, pp. 309–44.
  24. D’Onza G. (2008), Il sistema di controllo interno nella prospettiva del risk management, Milano, Giuffrè.
  25. Drennan L., McConnell A. (2007), Risk and Crisis Management in the Public Sector, Abingdon, Routledge.
  26. Ferrero G. (1968), Istituzioni di economia d’azienda, Milano, Giuffrè.
  27. Ferrero G. (1987), Impresa e Management, Milano, Giuffrè.
  28. Fisher I. (1919), Nature of capital and income, New York, MacMillan.
  29. Foster H. (1993), Resilience Theory and System Evaluation, in Wise J. A., Hopkin V. D., Stager P. eds, Verification and Validation of Complex Systems: Human Factor, Issues 35–60, NATO Advanced Science Institutes, Series F: Computer and Systems Sciences, Vol. 110, New York, Springer.
  30. Giannessi E. (1960), Le aziende di produzione originaria – Le aziende agricole, Vol. I., Pisa, C. Cursi.
  31. Gigerenzer G., Hertwig R., Pachur T. (2011), Heuristics: The foundations of adaptive behaviour, 1st edition, New York, Oxford University Press
  32. Gobbi U. (1919), Trattato di Economia, Milano, Società editrice Libraria.
  33. Hardy C.O. (1931), Risk and Risk-bearing, Chicago, The University of Chicago Press.
  34. Head L.G. (2009), Risk Management – Why and How, Dallas, Texas, International Risk Management Institute.
  35. Hieb J.L. (2007), Cyber security risk assessment for SCADA and DCS networks, ISA Transactions, 46, pp. 583-594
  36. Hoffmann A., Ramaj H. (2011), Interdependent risk networks: the threat of cyber attack, International Journal of Management and Decision Making, 11(5/6), pp. 312-323. Doi:10.1504/IJMDM.2011.043406.
  37. Kaplan R.S., Mikes A. (2012), Managing Risks: A New Framework, Harvard Business Review, 90(6), 16.
  38. Kendra J., Wachtendorf T. (2003), Elements of Resilience After the World Trade Center Disaster: Reconstituting New York City’s Emergency Operations Center, Disasters, 27(1), pp. 37–53. Doi: 10.1111/1467-7717.00218.
  39. Knight F.H. (1921), Risk, Uncertainty and Profit, Boston, Houghton Mifflin Co..
  40. Laurence A.G., Loeb M.P., Sohail T. (2003), A Framework for Using Insurance for Cyber-risk Management, Communications of the ACM, 46(3), pp. 81-85. Doi:10.1145/636772.636774.
  41. MMC Cyber Handbook (2016), Increasing Resilience in the digital economy, Global Risk Center, [Last accessed: February, 2017].
  42. Mousavi S., Gigerenzer G. (2014), Risk, uncertainty and heuristics, Journal of Business Research, 67(2014), pp. 1671-1678. Doi:org/10.1016/j.jbusres.2014.02.013.
  43. Mukhopadhyay A., Chatterjee S., Saha D., Mahanti A., Sadhukan S.K. (2013), Cyber-risk decision models: To insure IT or not?, Decision Support Systems, 56, pp. 11-26. Doi:org/10.1016/j.dss.2013.04.004.
  44. Mukhopadhyay A., Saha D., Chakrabarti B.B., Mahanti A., Podder A. (2005), Insurance for Cyber-risk: A Utility Model, Decision, 32(1), pp. 153-169.
  45. National Institute of Standards and Technology (2017), Framework for Improving Critical Infrastructure Cybersecurity, [Last accessed: February, 2017].
  46. Oberparleiter K. (1955), Funktionen und Risiken des Warenhendels, Wien, Spaeth & Linde.
  47. Öğüt H., Menon N. (2005), Cyber insurance and IT security investment: impact of interdependent risk, Fourth Workshop on the Economics of Information Security (WEIS), Harvard.
  48. Öğüt H., Raghunathan S., Menon N. (2011), Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection, Risk Analysis, 31 (3), pp. 497–512. Doi: 10.1111/j.1539-6924.2010.01478.x.
  49. Power M. (2004), The risk management of everything : rethinking the politics of uncertainty, London, Demos.
  50. Power M. (2009), The risk management of nothing, Accounting, Organizations and Society, 34, pp. 849-855. Doi:10.1016/j.aos.2009.06.001.
  51. PricewaterHouseCoopers (2015), Enhancing business resilience: Transforming Cyber risk management through the role of the Cief Risk Officer (CRO), December,
  52. Reid R., and Courtenay Botterill L. (2013), The Multiple Meanings of ‘Resilience’: An Overview of the Literature, Australian Journal of Public Administration, 72(1), pp. 31-40. Doi:10.1111/1467-8500.12009.
  53. Ruan K. (2017), Introducing cybernomics: A unifying economic framework for measuring cyber risk, Computers & Security, 65, pp. 77–89.
  54. Sandberg J., Tsoukas H. (2011), Grasping the logic of practice. Theorizing through practical rationality, Academy of Management Review, 36, pp. 338–60. Doi:10.5465/AMR.2011.59330942.
  55. Sassi S. (1940), Il sistema dei rischi d’impresa, Milano, Vallardi.
  56. Soin K., Collier P. (2013), Risk and risk management in management accounting and control, Management Accounting Research, 24(2), pp. 82–87. Doi:10.1016/j.mar.2013.04.003.
  57. Spencer M., Siegelman L. (1964), Managerial Economics. Decision Making and forward planning, Homewood, Irvin.
  58. Sullivan-Taylor B. and Wilson D.C. (2009), Managing the Threat of Terrorism in British Travel and Leisure Organizations, Organization Studies, 30(2–3), pp. 251–276. Doi: 10.1177/0170840608101480.
  59. Torabi S.A., Giahi R., and Sahebjamnia N. (2016), An enhanced risk assessment framework for business continuity management systems, Safety Science, 89 (2016), pp. 201-218. Doi:org/10.1016/j.ssci.2016.06.015.
  60. Vale L. J., Campanella T. J. (2005), The Resilient City: How Modern Cities Recover From Disaster, Oxford, Oxford University Press.
  61. Wildavsky A. (1988), Searching for Safety, New Brunswick, NJ, Transaction Books.
  62. Willet A.H. (1901), The economic theory of risk and insurance, in Studies in History, Economics and Public Law, Vol. XIV, New York, The Columbia University Press.
  63. Woods D. D., Hollnagel E. (2006), Joint Cognitive Systems: Patterns in Cognitive Systems Engineering, Boca Raton, FL, Taylor and Francis.
  64. Zappa G. (1927), Tendenze nuove negli studi di ragioneria, discorso inaugurale dell’anno accademico 1926-27 nel R. Istituto Superiore di Scienze economiche e commerciali di Venezia.
  65. Zappa G. (1956), Le produzioni nelle economie delle imprese, Tomo I, Milano, Giuffrè.