Similar literature
 20 similar documents found; search time 15 ms
1.
Cybersecurity research started in the late 1960s and has continuously evolved under different names such as computer security and information security. This article briefly covers that history but will especially focus on the latest incarnation known as “cyber risk management,” which includes both technical and economic/management dimensions. The main focus of the article is to review research on individual steps of the cyber risk management process and on the overall process to highlight gaps and determine research directions. Two main findings are that cyber risk is difficult to include in the overall enterprise risk management process and that a move toward cyber resilience is necessary to deal with such a complex risk. Both findings require a level of interdisciplinary collaboration that is currently lacking.

2.
There is ample recognition of the risk inherent in our very existence and modes of social organization, with a reasonable expectation that implementing risk governance will result in enhanced resilience as a society. Despite this, risk governance is not a mainstream approach in the infrastructure sector, regardless of the increasing number of peer-reviewed published conceptualizations, mature procedures to support its application, or public calls to cope with systemic risks in our modern societies. This paper aims to offer a different view on the issue of risk governance, with a focus on the analysis of the root causes of its relatively low degree of implementation in the infrastructure sector. We later analyze the impact of such essential causes, which we have grouped and labeled as the ontology, the concerns, the anathemas, and the forgotten, in the specific field of large dams. Finally, we describe the journey toward risk governance in the specific field of large dams, thus supporting the ultimate objective of this paper to facilitate an evidence-based approach to successful risk governance implementation within and outside the dam sector.

3.
Information security management plays an essential role for drawing the roadmap of information security; thus, many theoretical methodologies and practical standards are brought into this domain. However, many standards and methodologies are too cumbersome to be adopted by an organization. Additionally, there is no unified framework to systematically handle the tedious tasks of information security management. This study’s primary goal is to design an integrated system for information security management (ISISM) that aims to use current methodologies and standards to solve the above-mentioned issues. Because business impact analysis and risk analysis are the most important areas within this domain, we carefully select the related methods and then integrate them into a unified framework, upon which the proposed ISISM depends. To achieve this outcome for this study, security requirement engineering is adopted, which enables the designed system to support system users in generating risk assessment reports with related information security policies.

4.
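Economic capital is an important means of strengthening the internal capital management and risk management of commercial banks. With economic capital and other risk-based management tools, financial institutions can quantify the risks they face, calculate the capital required to cover those risks, and derive returns adjusted for actual risk. For most domestic banks, the application of economic capital has fallen behind that of other advanced countries. Starting from the basic approach of the IRB method in the New Capital Accord, this paper attempts to propose a solution for raising the level of economic capital measurement in the domestic banking industry under existing conditions. It also proposes that, under current conditions, to achieve the ultimate goal of effective capital management, quantitative models for key risk parameters should be developed as soon as possible, the construction of capital management IT systems should be strengthened, and procedures for formulating and implementing capital plans should be established.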

5.
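Xia Xiaodong. 《金融论坛》 (Finance Forum), 2007, 12(7): 54-57
Economic capital is an important means of strengthening the internal capital management and risk management of commercial banks. With economic capital and other risk-based management tools, financial institutions can quantify the risks they face, calculate the capital required to cover those risks, and derive returns adjusted for actual risk. For most domestic banks, the application of economic capital has fallen behind that of other advanced countries. Starting from the basic approach of the IRB method in the New Capital Accord, this paper attempts to propose a solution for raising the level of economic capital measurement in the domestic banking industry under existing conditions. It also proposes that, under current conditions, to achieve the ultimate goal of effective capital management, quantitative models for key risk parameters should be developed as soon as possible, the construction of capital management IT systems should be strengthened, and procedures for formulating and implementing capital plans should be established.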

6.
Investment in thinly traded private assets involves liquidity risk. Existing literature provides limited guidance as it mainly focuses on publicly traded security assets such as stocks and bonds. This paper develops an analytical tool for quantifying liquidity risk of private assets. Using commercial real estate as a model asset and under reasonable assumptions, we find that the magnitude of liquidity risk is too large to be ignored, especially in down markets when liquidity risk is a great concern.

7.
The growing importance of risk management programs and policies in health care organizations has given rise to a new organizational figure, the risk managers. This paper seeks to better understand their role by looking at their risk work as a form of institutional work. From an inductive study of hospital risk managers in the Quebec health care sector, we provide a situated account of the risk work or ‘the effortful pattern of practices’ accomplished by hospital risk managers at the intra- and extra-organizational levels. The results show that they engage in two broader recursive forms of institutional work. At the intra-organizational level, it is by building bridges, autonomizing teams, legitimizing risk work, and pragmatizing interventions that hospital risk managers contribute to democratizing the risk management practices in their organization. At the extra-organizational level, it is by networking with colleagues, hybridizing knowledge, shaping identity, and debating solutions that they contribute to articulating a professionalization project. We argue that the recursive relationship between these two forms of institutional work, namely democratizing and professionalizing risk management, demonstrates how the risk work done at one level facilitates the risk work accomplished at the other. The paper provides three contributions. First, it opens the black box of the hospital risk managers’ roles by showing the complexity of their risk work, instead of formalizing expectations about their role in a normative way, as is generally the case. Second, this research provides evidence about how actors with limited collective power and resources such as hospital risk managers participate in disseminating risk management programs and policies. Third, the paper offers a multi-level understanding of the ways by which hospital risk managers work to institutionalize risk management programs and policies. The paper ends by discussing the importance of gaining a better understanding of the risk managers’ role and their institutional work.

8.
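The continued deepening of financial innovation has brought opportunities for the business development of China's securities firms and has also placed higher demands on their risk management. This paper reviews the problems in the risk management of China's securities firms and, drawing on the risk management experience of foreign securities firms, proposes countermeasures for the risk management of China's securities firms in terms of institutions, organization and model building.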

9.
The importance of risk perception and risk attitude for understanding individuals’ risk behaviour is independently well described in literature, but rarely combined in an integrated approach. In this study, we propose a model assuming the choice to implement certain risk management strategies to be directly driven by both perceptions of risks and risk attitude. Other determinants influence the intention to apply different risk strategies mainly indirectly, mediated by risk perception and risk attitude. This conceptual model is empirically tested, using structural equation modelling, for understanding the intention of farmers to implement different common risk management strategies at their farms. Data are gathered in a survey completed by 500 farmers from the Flanders region in Belgium, investigating attitudes towards farming, perceived past exposure to risk, socio-demographic characteristics, farm size, perceptions of the major sources of farm business risk, risk attitudes and the intention to apply common risk management strategies. Our major findings are: (i) perceptions of major farm business risks have no significant impact on the intention of applying any of the risk strategies under study, (ii) risk attitude does have a significant impact. Therefore, rather than objective risk faced and the subjective interpretation thereof, it is the general risk attitude that influences intended risk strategies to be implemented. A distinction can be made between farmers willing to take risk, who are more inclined to apply ex-ante risk management strategies and risk averse farmers who are less inclined to implement ex-ante risk management strategies but rather cope with the consequences and diminish their effects ex-post when risks have occurred.

10.
The aim of this paper is to analyze the effectiveness of internal audit of cybersecurity. We developed a Cybersecurity Audit Index composed of three dimensions – planning, performing and reporting – to address this question. We hypothesize that cybersecurity audit effectiveness is positively related to cyber risk management maturity and negatively to the probability of a successful cyber attack. We tested our hypotheses in a survey with auditors and Chief Audit Executives from various countries and industries. We found that Cybersecurity Audit Index scores significantly vary, with a mean of 58 on a scale from 0 to 100. While the planning and performing phases are strongly and positively correlated, they are less strongly related to reporting about cyber risk management effectiveness to the Board of Directors. As predicted, the Cybersecurity Audit Index is positively associated with maturity, but contrary to expectations, it is not related to the probability of a successful cyber attack. This is the first paper that comprehensively measures the effectiveness of cybersecurity audit and its effects on cyber risk management.

11.
We analyze a sample of large international banks in major advanced economies and examine the impact that bank-specific factors have on an institution's solvency risk and its contribution to systemic risk. We focus on the five categories that the Basel Committee on Banking Supervision has recently proposed as indicators of systemic importance. Our findings suggest that unstable funding is the main factor driving systemic risk. Furthermore, the combination of significant trading activities with global presence appears to exacerbate spillover risks to the global financial system. Interestingly, whereas trading activities contribute to the build-up of correlated or ‘wrong-way’ risk they help to mitigate individual solvency risk. Conversely, a decentralized approach to liquidity management seems to alleviate individual solvency risk but amplifies the transmission of financial distress across the financial system. This suggests that a macro-prudential approach to financial regulation should focus not only on scaling up micro-prudential measures but also on enabling the efficient transfer of risk between financial institutions.

12.
We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack's out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm's risk appetite, as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target's industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors.

13.
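Fund utilization risk is one of the two most important risks faced by life insurance companies, and strengthening the management of fund utilization risk is vital to ensuring their sustained and sound operation. Risk limit management, as the core of risk management, is an indispensable part of the risk management system. Establishing a scientific, workable and effective risk limit management system that provides control standards for managing the risk of life insurance fund utilization is the key link that determines the effectiveness of risk management. Drawing on risk limit allocation models, this paper summarizes life...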

14.
Supply chain vulnerability (SCV) and its counterpart supply risk management are increasingly researched in recent years. SCV is often quantifiable and can be effectively monitored if practices are implemented on a systematic basis. It is essentially more important to extend the research in supply chain risk management so as to address certain traits where the companies perform poorly or areas where they overlook their performances. Here, we introduce the concept and property, the so-called pseudo resilience in supply chains where supply chains pretend to perform better in their risk management capabilities, but are essentially vulnerable. Pseudo resilience is an incessant nature of many supply chains to overlook concomitant risks. Typical traits of pseudo resilience were identified in this research and a brief analysis of the disruptions and its effects was done. This research is a maiden effort in the direction of addressing the property of pseudo resilience in supply chains. It is imperative for managers to identify the traits of pseudo resilience in their supply chains so as to avoid the ill effects resulting from it. Further quantitative and qualitative researches are recommended for evincing the property of pseudo resilience in supply chains.

15.
The understanding of resilience is an emerging topic within the study of risks affecting distributed infrastructure systems. Although recent studies have explored the quantification of system resilience, there has been limited research aimed at understanding the role of multiple performance measures, spatiotemporal heterogeneities, and modeling uncertainties within the assessment of resilience and associated decision-making. Under real-world conditions, there is an increased burden on analysts for translating observed system data (including human and electronic sensor observations) into system performance estimates that may not be directly observable. This paper addresses these issues using a scenario-based risk modeling approach to understand: (1) resilience of complex systems, often in cases of hidden (not readily observable) measures of performance, (2) resilience sensitivity to modeling uncertainties in event and system characteristics, and (3) resilience sensitivity to the measurement of performance across multiple operational perspectives. The methods in this paper integrate uncertainty-driven risk and probabilistic modeling within a multi-state Markov-based approach. This study contributes to the state-of-the-art by developing methodologies for assessing community perceptions of infrastructure system resilience using observable factors and inferring possibly hidden performance measures for facilitating adaptive decision-support. The methods are demonstrated with hypothetical spatiotemporal data across multiple system performance dimensions. The analysis results are useful for infrastructure security analysts, system decision-makers, and the general public.

16.
Options and CVaR (conditional value at risk) are significant areas of research in their own right; moreover, both are important to risk management and understanding of risk. Despite the importance and the overlap of interests in CVaR and options, the literature relating the two is virtually non-existent. In this paper we derive a model-free, simple and closed-form analytic equation that determines the CVaR associated with a put option. This relation is model free and is applicable in complete and incomplete markets. We show that we can account for implied volatility effects using the CVaR risk of options. We show how the relation between options and CVaR has important risk management implications, particularly in terms of integrated risk management and preventing arbitrage opportunities. We conduct numerical experiments to demonstrate obtaining CVaR from empirical options data.

17.
This paper explores the relationship between risk and innovation in public services, presenting the state of the literature across different disciplines and the academic and policy literature. It suggests a novel framework to approach risk, emphasising the importance of differentiating between different types of risk and risk management. The paper offers a typology of risk types and management approaches that indicates different effects on the type of public service innovation. It concludes by considering the implications for theory and practice.

18.
Community is an important concept for determining the factors that influence people’s perceptions of and actions surrounding risk. However, there are multiple and conflicting definitions for the concept of community and scholars operationalize it in various ways. In this paper, we argue for a renewed focus on community as a guiding consideration in discussions of risk management and the related concepts of resilience, vulnerability, and adaptive capacity. We outline classic and current conceptions of community to articulate how its conceptualization in ongoing risk research might lead to different outcomes, foci, or recommendations about collective adaptation. This includes a discussion of how historic and emerging methodological approaches for studying risk make implicit choices about what community is or how it influences collective response. We close by providing a set of potential axioms that can help researchers better integrate the complexity of community into studies of risk and understand how populations respond to it. Better integrating community into studies of risk could promote policies and communication that are tailored to the unique local context of diverse populations. Such tailoring is more likely to promote adoption of risk mitigations among local populations and perpetuate adaptation as a part of local culture. We contend that a more holistic and systematic approach to documenting local context better encompasses the variable influences that community can have on collective ability to respond to risks.

19.
Abstract

Organizational resilience is a capacity that emerges at multiple levels. Although the multilevel character of organizations has been generally acknowledged in existing organizational studies, there is a lack of theoretical and empirical studies that address how it affects organizational resilience. To address this gap, this article offers a multilevel framework applicable to enhance organizational resilience and presents an empirical study to probe the impact of multilevel elements on organization's capacity for responding to critical situations. More specifically, the new framework will help an organization to enhance its resilience through a process of self-assessment on crisis preparedness and response capacity. This process will allow the organization to identify and remedy potential vulnerabilities in the interaction between its organs as well as environment. We argue that crisis management and organizational resilience are mutually shaped across multiple levels, from individual, organizational, to environmental. These multiple levels are operationalized in four phases: (1) reviewing and monitoring context, (2) testing preparedness, (3) analysing and assessing responses, and (4) strengthening capabilities. In these phases, we underline that resilience management requires continuous embracing of the dynamic processes within an organizational system and its environment. To validate the framework, we present an empirical study on a security organization, and describe the results to demonstrate how to utilise the tool in practice. In conclusion, we discuss how the multilevel framework can be further applied towards building stronger resilience management.

20.
Abstract

Actuaries, and other managers of uncertainty, identify factors in modeling insurance risks because they believe (1) that these factors affect the outcome of a risk or (2) that the factors can be managed, thus allowing analysts a degree of control over the insurance system. This paper shows how to use a statistical measure, the coefficient of determination, for quantifying the relative importance of a source of uncertainty. With a quantitative measure of relative importance, risk managers can sharpen their intuition about the relative importance of risk factors and become better custodians of financial security systems.

This paper shows that the coefficient of determination is intuitively appealing in assessing the effectiveness of basic risk management techniques including risk exchange, pooling, and financial risk management. A single source common to all risks reduces the effectiveness of a pool; the risk measure quantifies the relative importance of this common source. The coefficient of determination is shown to have roots in the economics as well as the statistics literature. This connection provides further motivation for using the coefficient of determination and also suggests alternative measures for quantifying relative importance. The risk measure is useful in multivariate situations in which several factors affect a risk simultaneously. The paper illustrates this usefulness by considering a pool of policies that is subject to mortality, a common disaster, and a common investment environment.
