A CONCEPTUAL FRAMEWORK
EVENT-BASED CYBERSECURITY RISK ASSESSMENT FOR ORGANISATIONS
DOI: https://doi.org/10.31436/jisdt.v7i1.574

Keywords: Cybersecurity, Information security, Risk management, Risk assessment, Event-based, Framework

Abstract
The interconnected digital world has heightened exposure to cyber risks, making robust cybersecurity risk management within organisations a critical need. Cybersecurity risk management encompasses identifying, assessing, and mitigating threats in order to protect individuals, organisations, and nations from cyber risks. Central to this process is the cybersecurity risk assessment, a fundamental exercise aimed at understanding and mitigating potential cyber threats. There are two primary risk assessment approaches: the event-based approach and the asset-based approach. While the current literature focuses mostly on the asset-based approach, this study examines the event-based approach by exploring potential cyber-attacks that could compromise the confidentiality, integrity, and availability of digital data, thereby posing significant cybersecurity risks to organisations. Despite technological advancements and the increasing complexity of cyber threats, organisations' predominant reliance on an asset-based approach to cybersecurity risk assessment may not adequately address the evolving nature of cyber risks. Furthermore, there is a lack of harmonisation between scholarly frameworks and established cybersecurity frameworks based on international standards, such as those by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). This paper synthesises existing frameworks from ISO, NIST and academic research and proposes recommendations to guide organisations in implementing an event-based approach to cybersecurity risk assessment.