Foreword by Ron Hale xxiii

About the Editor xxxi

List of Contributors xxxiii

Acknowledgments xxxv

CHAPTER 1 Introduction 1
Domenic Antonucci, Editor and Chief Risk Officer, Australia

CHAPTER 2 Board Cyber Risk Oversight 11
Tim J. Leech, Risk Oversight Solutions Inc., Canada Lauren C. Hanlon, Risk Oversight Solutions Inc., Canada

CHAPTER 3 Principles Behind Cyber Risk Management 23
RIMS, the risk management society Carol Fox, Vice President, Strategic Initiatives at RIMS, USA

CHAPTER 4 Cybersecurity Policies and Procedures 35
The Institute for Risk Management (IRM) Elliot Bryan, IRM and Willis Towers Watson, UK Alexander Larsen, IRM, and President of Baldwin Global Risk Services Ltd., UK

CHAPTER 5 Cyber Strategic Performance Management 67
McKinsey & Company James M. Kaplan, Partner, McKinsey & Company, New York, USA Jim Boehm, Consultant, McKinsey & Company, Washington, USA

CHAPTER 6 Standards and Frameworks for Cybersecurity 81
Stefan A. Deutscher, Principal, Boston Consulting Group (BCG), Berlin Germany William Yin, Senior Partner and Managing Director, Boston Consulting Group (BCG), Hong Kong

CHAPTER 7 Identifying, Analyzing, and Evaluating Cyber Risks 97
Information Security Forum (ISF) Steve Durbin, Managing Director, Information Security Forum Ltd.

CHAPTER 8 Treating Cyber Risks 109
John Hermans, Cyber Lead Partner Europe, Middle East, and Africa at KPMG, The Netherlands Ton Diemont, Senior Manager at KPMG, The Netherlands

CHAPTER 9 Treating Cyber Risks Using Process Capabilities 123
ISACA Todd Fitzgerald, CISO and ISACA, USA

CHAPTER 10 Treating Cyber Risks Using Insurance and Finance 143
Aon Global Cyber Solutions Kevin Kalinich, Esq., Aon Risk Solutions Global Cyber Insurance Practice Leader, USA

CHAPTER 11 Monitoring and Review Using Key Risk Indicators (KRIs) 159
Ann Rodriguez, Managing Partner, Wability, Inc., USA

CHAPTER 12 Cybersecurity Incident and Crisis Management 171
CLUSIF Club de la Sécurité de l Information Français Gérôme Billois, CLUSIF Administrator and Board Member Cybersecurity at Wavestone Consultancy, France

CHAPTER 13 Business Continuity Management and Cybersecurity 185
Marsh Sek Seong Lim, Marsh Risk Consulting Business Continuity Leader for Asia, Singapore

CHAPTER 14 External Context and Supply Chain 193
Supply Chain Risk Leadership Council (SCRLC) Nick Wildgoose, Board Member and ex–Chairperson of SCRLC, and Zurich Insurance Group, UK

CHAPTER 15 Internal Organization Context 207
Domenic Antonucci, Editor and Chief Risk Officer, Australia Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia

CHAPTER 16 Culture and Human Factors 243
Avinash Totade, ISACA Past President UAE Chapter and Management Consultant, UAE Sandeep Godbole, ISACA Past President Pune Chapter, India

CHAPTER 17 Legal and Compliance 255
American Bar Association Cybersecurity Legal Task Force Harvey Rishikof, Chair, Advisory Committee to the Standing Committee on Law and National Security, USA Conor Sullivan, Law Clerk for the Standing Committee on National Security, USA

CHAPTER 18 Assurance and Cyber Risk Management 271
Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE

CHAPTER 19 Information Asset Management for Cyber 281
Booz Allen Hamilton Christopher Ling, Executive Vice President, Booz Allen Hamilton, USA

CHAPTER 20 Physical Security 289
Radar Risk Group Inge Vandijck, CEO, Radar Risk Group, Belgium Paul Van Lerberghe, CTO, Radar Risk Group, Belgium

CHAPTER 21 Cybersecurity for Operations and Communications 309
EY Chad Holmes, Principal, Cybersecurity, Ernst & Young LLP (EY US) James Phillippe, Principal, Cybersecurity, Ernst & Young LLP (EY US)

CHAPTER 22 Access Control 321
PwC Sidriaan de Villiers, Partner Africa Cybersecurity Practice, PwC South Africa

CHAPTER 23 Cybersecurity Systems: Acquisition, Development, and Maintenance 335
Deloitte Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte Advisory, USA

CHAPTER 24 People Risk Management in the Digital Age 347
Airmic Julia Graham, Deputy CEO and Technical Director at Airmic, UK

CHAPTER 25 Cyber Competencies and the Cybersecurity Offi cer 359
Ron Hale, PhD, CISM, ISACA, USA

CHAPTER 26 Human Resources Security 369
Domenic Antonucci, Editor and Chief Risk Offi cer, Australia

Epilogue 375

Becoming CyberSmart TM: a Risk Maturity Road Map for Measuring Capability Gap–Improvement
Domenic Antonucci, Editor and Chief Risk Officer (CRO), Australia Didier Verstichel, Chief Information Security Offi cer (CISO) and Chief Risk Officer (CRO), Belgium

Background 375

Becoming CyberSmartTM 376

About Domenic Antonucci 392

About Didier Verstichel 392

Glossary 393

Index 399

DOMENIC ANTONUCCI is a practicing international chief risk officer overseeing cybersecurity and a former counter–terrorist officer. Based in Dubai, UAE, he specializes in bringing organizations "up the risk maturity curve." He is the content author for the Benchmarker Risk Maturity Model software and author of Risk Maturity Models.

Praise for The Cyber Risk Handbook

"Domenic Antonucci and his outstanding collection of contributors have produced a most timely and comprehensive reference and teaching guide on one of the most potentially impactful and evolving risks facing organizations (and governments) today. This book should be an extremely valuable resource for directors, executives, chief information officers, risk managers, auditors, and all concerned with this critical topic. I particularly like how the risks and controls are presented in the context of overall governance and enterprise risk management."
John R. S. Fraser, FCPA, FCA, Retired Chief Risk Officer and Adjunct Professor, York University

"Domenic makes a most practical and valuable contribution he curates a wide–ranging body of knowledge on this most vexing topic from a globally diverse group of subject matter experts. Unlike books written by IT experts for IT practitioners, Mr. Antonucci provides an invaluable resource for management to enable them to ask the right questions of their IT experts so as to assure themselves that the matters that should be keeping them awake at night are being addressed and that reporting systems are providing them with the management information they need to know rather than what they want to hear. Mr. Antonucci and his contributors are to be commended for their work."
Kevin W. Knight, AM, Immediate Past Chairman, ISO/TC 262 Risk Management and Adjunct Professor, University of Queensland Business School

"This timely cyber security reference guide, structured on a maturity model to aid comprehension of current capabilities, addresses what has become, for many organizations, their priority risk management activity. Cyber security is evolving in nature and becoming more prevalent, sophisticated, and invasive. The book rightly identifies cyber security as a C–Suite responsibility with enterprise–wide implications not for delegation to the IT department. The way an organization addresses cyber–crime (as seen in the financial sector) has a direct bearing on its reputation, customer base, profitability, and indeed its very longevity."
Dr. Robert Chapman, Managing Director, Dr. Chapman & Associates

"The Cyber Risk Handbook provides comprehensive and practical guidance. One of the key pluses of this book is its holistic focus on the importance of people, behavior, and processes, rather than just technological solutions. Domenic Antonucci has assembled a team of experts, all of whom are uniquely qualified to contribute to the ongoing discussion regarding this capricious and exponentially significant risk. I found The Cyber Risk Handbook an easy read, and I particularly liked the comprehensive overview of the key developments in cyber risk management. This book will appeal to a wide audience enabling them to learn solutions to critical issues and formulate a good practice methodology that ensures they stay ahead of the latest threats."
Nicola Crawford, Chair, The Institute of Risk Management (IRM) and Managing Director, i–Risk Europe Ltd

"Very thorough and comprehensive. A wide variety of experts describing all facets of cyber risks a necessary focus on top management involvement. Information and systems as the new risk frontier."
Franck Baron, Chairman and VP, Pan Asia Risk & Insurance Management Association (PARIMA)