Understanding cyber risk

Published on October 31, 2021 · 32 min
Hello, my name is Daniel Dobrygowski. I'm an attorney and the head of governance and trust for the World Economic Forum's Center for Cybersecurity. The World Economic Forum is the international organization for public-private cooperation. The Center for Cybersecurity is a think-tank within the Forum, coordinating a global response to systemic cybersecurity challenges and working to improve digital trust. This lecture is meant to be an introduction for general audiences and business leaders who are not cybersecurity experts, to enable them to better understand cyber risk as it impacts their organization and their strategy. It's also meant for cybersecurity practitioners, when it comes to helping their board or CEO understand what cyber risk is and what they can do about it.
We're going to cover four broad topics in this lecture. First, what exactly is cyber risk? Second, we'll talk about the importance of leadership in making determinations of what kind of risks we're willing to take, and how. Third, we'll cover how to think strategically about cyber risk. Finally, I will provide some resources so that, going forward, you can deal with cyber risk in your own organization.
There are a few things that, by the end of this lecture, I hope you'll take away. First is that cyber risk is a pervasive, existential organizational risk. That means that it's not just a risk to the IT infrastructure, but rather a risk to the business as a whole. Second is that because this is a strategic risk, there is a leadership role in understanding cyber risk, and it's incumbent on experts to help leaders set organization-wide strategy. Third is that we can set risk appetite for cyber risk, just as we do for other risks, for example financial risk or reputational risk. Additionally, these risks are intertwined with cyber risk in a number of ways that need to be addressed at the strategic level. Finally, cyber risk needs to be understood and communicated in organization- or business-relevant terms. That means, depending on the nature of your organization and the nature of your business, you must understand cyber risk either in economic terms, or in terms of impact on individuals or groups, or for other organizations, especially for government organizations or organizations that government institutions rely upon. It might also mean national security terms.