Improving cyber risk governance through storytelling
Abstract
This paper addresses the critical challenge of cyber risk governance faced by executives, security committees and boards of directors in the rapidly changing digital landscape. Cyber security complexity, characterised by data deluges and the translational gap between technical jargon and business risk, significantly hinders effective cyber risk messaging and governance. Drawing on five years of research and interviews with chief information security officers (CISOs), the paper highlights the struggle in establishing trust and confidence in governance bodies due to these complexities. It introduces three constructs that aim to simplify cyber security messaging to enhance cyber risk governance: the intelligence to risk (I2R) pyramid, five risk impacts, and resilience and proximity graph. Each construct, illustrated with practical examples, is designed to provide clarity and foster understanding between cyber security professionals and governance bodies, ensuring a cohesive approach to cyber risk management. Readers can expect to gain valuable insights into overcoming the limitations of traditional risk communication tools such as risk registers. By adopting the presented storytelling approach, the paper promises strategies for building trust through transparency and accountability, bridging the communication gap between technical and executive levels, and facilitating informed decision making for improved governance outcomes in the face of cyber security threats.
The full article is available to subscribers to the journal.
Author's Biography
Levi Gundert has spent the past 20 years in the public and private sectors, defending networks, arresting international criminals and identifying nation–state adversaries. Levi previously led senior information security functions at technology and financial enterprises. He is a trusted risk adviser to Fortune 500 companies and a prolific speaker, blogger and columnist. Levi opines on intelligence, security, fraud and risk management at intel2risk.com.