Cyber security risk culture: a telecommunications risk reporting study


Academic year: 2021

Cyber security risk culture: a telecommunications risk reporting study

GP Maritz

ORCID: orcid.org/0000-0003-1741-1968

Mini-dissertation submitted in partial fulfilment of the requirements for the degree Master of Commerce in Applied Risk Management at the North-West University

Supervisor: Mr E Mulambya

Graduation ceremony: April 2019

Student number: 29420563


PREFACE

This mini-dissertation is the final deliverable in the Centre for Applied Risk Management (UARM)'s taught master’s degree programme. The mini-dissertation was written in article format and consists of three sections: Research project overview, Article and Reflection.

This mini-dissertation is the student's work. The student was responsible for the final concept, set up, execution of the research project and writing of the mini-dissertation. The members of the supervisory team contributed in an advisory and technical support capacity on study conception and design, analysis and interpretation of data and critical revision of the manuscript. The mini-dissertation was language edited before submission.

The main study supervisor gave the student permission to submit this mini-dissertation for examination.


ABSTRACT

In a digital world, telecommunications companies provide computer-based technology (referred to as cyber technology) that allows people and businesses to communicate and conduct business. To protect these users against the dangers and threats associated with cyber technology, cyber security must ensure that the technology is operating as expected, cannot be tampered with, and is available when required. The present risk culture study investigated the perceptions of internal risk reporting for decision making of two groups: cyber security practitioners working in a cyber security unit, and senior management responsible for cyber security but not working directly in the cyber security unit. The research used a qualitative approach within a telecommunications company based on a review of the literature, document analysis, and semi-structured interviews, and underpinned by qualitative data analysis. Coding the literature, documents and interview data provided a basis for critical comparison of the literature with the findings from the document analysis and interviews; this allowed for a substantiated interpretation of the theoretical requirements and practical application of risk reporting in the context of cyber security governance, risk management and compliance. Cyber risk reporting that fails to meet the objective of enhancing decision making could result in risks to the organisation and its customers. The findings showed that although the cyber security unit had all the textbook policies and procedures in place for risk reporting, in practice the guidelines for risk reporting seemed to be lacking. It is recommended that organisations such as this one invest in a risk reporting guideline for risk data aggregation and reporting. As this was an exploratory study on internal cyber risk reporting, the findings highlighted interesting areas for further research. 
These include challenges in cyber risk reporting, the monitoring of the contribution of cyber risk reporting to enable decision making, the importance of the accuracy of information gathered, risk reporting to internal audiences, and organisational structure and responsibilities for risk reporting.

Keywords: Risk reporting, Risk data, Risk management, Risk culture, Risk awareness, Governance, Communication, Cyber security


ACKNOWLEDGEMENTS

I would like to thank the cyber security practitioners and the senior managers in the telecommunications company under study who participated in this risk culture study for their valuable contribution in this research.

I am grateful to my research supervisor, Mr Emmanuel Mulambya, and all the other members of the UARM team at the Centre for Applied Risk Management of the North-West University for their support, assistance and guidance over the past two years. I am immensely grateful to the Kerlick editorial team for their patience and assistance with the writing of this article.

Competing interest

The author declares that he has no financial or personal relationships that may have inappropriately influenced him in writing this article.

Author’s contributions

G. P. Maritz was responsible for conducting the literature review and collecting the data as well as for writing the article.


TABLE OF CONTENTS

PREFACE... i

ABSTRACT ... ii

ACKNOWLEDGEMENTS ... iii

RESEARCH PROJECT OVERVIEW ... vi

ARTICLE ... 1

1. Abstract ... 1

2. Introduction ... 2

3. Background ... 4

4. Method ... 7

4.1. Research approach ... 7

4.2. Sampling and data collection ... 7

4.3. Data analysis ... 8

4.4. Ethical considerations ... 8

5. Results and discussion ... 9

5.1. Demographic statistics of interview participants ... 13

5.2. Perceptions of risk reporting within the cyber security unit ... 14

5.3. Comparative overview ... 19

6. Conclusion ... 21

6.1. Summary ... 21

6.2. Limitations and suggestions for future research ... 21

6.3. Future recommendations ... 22

7. References ... 23

REFLECTION ... 27


LIST OF TABLES

Table 1: Definitions ... 2

Table 2: Principles of risk data aggregation and risk reporting ... 9

Table 3: Codebook from the literature study on risk data aggregation and risk reporting... 9

Table 4: A comparison of the findings from the document analysis and interviews with the principles of risk data aggregation and risk reporting ... 14

Table 5: Indication of level of agreement ... 19

LIST OF FIGURES

Figure 1: Gender of participants ... 13

Figure 2: Roles of participants... 13

Figure 3: Age of participants ... 13

Figure 4: Experience of participants ... 13

Figure 5: Qualifications of participants ... 13

LIST OF APPENDICES

Appendix 1: Interview protocol and informed consent form ... 28

Appendix 2: The principles of risk data aggregation and risk reporting based on the literature ... 32

Appendix 3: Codebook for the analysis of risk data aggregation and risk reporting based on the literature review ... 33

Appendix 4: Aggregation of codes into code categories (principles) of risk data aggregation and risk reporting based on the literature review ... 35

Appendix 5: Codebook for the analysis of literature study, document analysis and interview data on risk data aggregation and risk reporting ... 36


RESEARCH PROJECT OVERVIEW

Research problem statement

Statistics published in July 2018 reveal that over 4.1 billion people in the world form part of a global digital or cyber population and two-thirds of the world’s 7.6 billion inhabitants now own a mobile phone (Mcdonald, 2018). At the same time, the 2018 Global Risk Report by the World Economic Forum listed cyberattacks as the number three risk in the world, after extreme weather events and natural disasters (WEF, 2018).

Cyber security in a telecommunications setting has become one of the priority risks for cyber practitioners and senior management (IoDSA, 2016). Risk reporting is important in the cyber security environment, especially because it assists decision making with the objective to ensure the safety and security of the organisation and its customers.

There appears to be no published risk reporting study undertaken in a cyber security environment. Risk reporting within the cyber security domain of the telecommunications company under study had never been tested against reporting best practices. According to the Institute of Risk Management (IRM, 2012b) transparent and timely reporting as well as the encouragement of risk reporting are indicators of a good risk culture in an organisation. This study, therefore, investigated how internal risk reporting was perceived within a telecommunications cyber security environment and compared the findings with reporting best practices published in the literature. It also provided insight into the risk culture of the cyber security unit in the study, with particular emphasis on risk reporting.

Expected contribution of this study

I could not find any published research in the academic literature that examined internal risk reporting within a cyber security environment. The research findings presented here are expected to be relevant to cyber security practitioners, risk management practitioners, organisational management responsible for cyber security, academics, and others seeking to strengthen risk reporting in their organisations. The study aimed to identify weaknesses and strengths in the risk reporting of the cyber security unit of the targeted organisation and in its current risk culture. The results provide valuable input to the organisation’s cyber security risk reporting; they also provide a basis for assessing the current status of its risk (reporting) culture, thereby informing plans to strengthen the risk (reporting) culture where needed.

Selected journal

Acta Commercii, an independent journal in the management sciences, was chosen for potential publication of this article because of its stated intention to foster interest within the South African arena and to seek to understand the possibilities that can be achieved through an African-international dialogue between researchers. Given that the telecommunications organisation examined in the present research has multiple African subsidiaries, and that a risk reporting culture in cyber security is an essential management requirement, writing for Acta Commercii could be beneficial. Other topics of interest for Acta Commercii include: Strategic management, Organisational behaviour, Organisation theory, Corporate governance, Managerial economics, Cross-cultural management and Business ethics. Further details about the selected journal can be accessed using the following link:

https://actacommercii.co.za/index.php/acta/pages/view/submission-guidelines#part_1

Next steps and recommendations

Organisation-specific next steps are discussed in the reflection section of this mini-dissertation.

References

IoDSA. (2016). Draft King IV Report on Corporate Governance for South Africa 2016. Retrieved from http://www.pcb.org.za/wp-content/uploads/2015/04/King_IV_Report_draft.pdf

IRM. (2012c). Risk Culture: Under the Microscope. Guidance for Boards. IRM Executive Summary on Risk Culture, 1-20. Retrieved from https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf

Mcdonald, N. (2018). Digital in 2018: world’s internet users pass the 4 billion mark. Retrieved from


ARTICLE

Cyber security risk culture: a telecommunications risk reporting study

1. Abstract

In a digital world, telecommunications companies provide computer-based technology (referred to as cyber technology) that allows people and businesses to communicate and conduct business. To protect these users against the dangers and threats associated with cyber technology, cyber security must ensure that the technology is operating as expected, cannot be tampered with, and is available when required. The present risk culture study investigated the perceptions of internal risk reporting for decision making of two groups: cyber security practitioners working in a cyber security unit, and senior management responsible for cyber security but not working directly in the cyber security unit. The research used a qualitative approach within a telecommunications company based on a review of the literature, document analysis, and semi-structured interviews, and underpinned by qualitative data analysis. Coding the literature, documents and interview data provided a basis for critical comparison of the literature with the findings from the document analysis and interviews; this allowed for a substantiated interpretation of the theoretical requirements and practical application of risk reporting in the context of cyber security governance, risk management and compliance. Cyber risk reporting that fails to meet the objective of enhancing decision making could result in risks to the organisation and its customers. The findings showed that although the cyber security unit had all the textbook policies and procedures in place for risk reporting, in practice the guidelines for risk reporting seemed to be lacking. It is recommended that organisations such as this one invest in a risk reporting guideline for risk data aggregation and reporting. As this was an exploratory study on internal cyber risk reporting, the findings highlighted interesting areas for further research. 
These include challenges in cyber risk reporting, the monitoring of the contribution of cyber risk reporting to enable decision making, the importance of the accuracy of information gathered, risk reporting to internal audiences, and organisational structure and responsibilities for risk reporting.

Keywords: Risk reporting, Risk data, Risk management, Risk culture, Risk awareness, Governance, Communication, Cyber security

2. Introduction

In a world where the media increasingly features cyber security attacks, breaches and threats, decision making under difficult circumstances requires timely, accurate and comprehensive reporting.

Such “risk reporting” forms an integral part of decision making. However, the academic literature does not seem to contain clear guidelines on risk reporting for decision making related to cyber security risk management in a telecommunications environment. Formulating risk reporting standards within the cyber security risk management framework could strengthen governance, risk management and compliance through risk-based decision making.

Telecommunications service providers connect and enable the world to communicate and interact through email and social media, and to use technology to transact and conduct day-to-day business. Technology supported by people and processes needs, from a cyber security perspective, to adhere to the ‘Confidentiality, Integrity and Availability Triad’ (CIA triad) (Gordon, 2015, pp. 7-8) as core security concepts or controls identified by the Federal Information Security Management Act of 2002 (FISMA, 2002). Their function is to mitigate or reduce the risks of loss, disruption, or corruption of information (FISMA, 2002). In summary, the CIA triad represents the following: (1) confidentiality – ensuring that only the intended authorised people have access to the information; (2) integrity – providing assurance that information is accurate and cannot be tampered with; and (3) availability – assurance that systems and information are always in working order when required (FIPS PUB 199, 2004). These three cyber security principles apply to risk management people, processes, and technology (SABS, 2009).

Risk management is a coordinated process with activities designed to understand, direct and control the potential threats to an entity’s attempts to achieve its corporate objectives (CIMA, 2008; ISO, 2009). Risk in the context of the present paper refers to uncertainties that could negatively or positively impact on business objectives (Purdy, 2010). Table 1 provides further definitions used in this study.

Table 1: Definitions

Term: Explanation (Source)

Cyber: Refers to anything which relates to, or is characteristic of, the culture of computers, information technology, and virtual reality. (Gcaza, von Solms, Grobler, & van Vuuren, 2017)

Cyber security: The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the organisation’s and users’ assets. (von Solms & van Niekerk, 2013)

Cyber security risk management: Refers to the identification of the requirements (asset values, threats, vulnerabilities, existing safeguards, etc.); the analysis of threats, vulnerabilities and the scenario; the risk measurement; the acceptance test; and the safeguard selection and implementation. (Fenz, Heurix, Neubauer, & Pechstein, 2014)

Data: Facts, opinions and statistics, or things used or collected together and recorded for reference or for analysis or reckoning. (Collis & Hussey, 2013, pp. 5, 44-45; Saunders & Lewis, 2012, p. 25)

Information: The knowledge created by organising data into a useful form which could affect behaviour, a decision, or an outcome. (Collis & Hussey, 2013, p. 196; Saunders & Lewis, 2012, pp. 96-97)

Risk culture: The understanding regarding risk shared by individuals with a common purpose, particularly the employees of an organisation or of teams or groups within an organisation, is referred to as an organisation’s risk culture. Variables for effective communication or reporting and the active consideration of risk during decision making relate to existing values, beliefs, and data. (IRM, 2012a)

To manage risks in a landscape with ever-increasing cyber security threats, reporting could be the vehicle for transforming risk data into usable information by ensuring that the right information is available for decision making to manage and act on security risks.

According to the Institute of Risk Management (IRM, 2012a), risk reporting refers to the development and implementation of a risk measurement, performance and reporting framework. Despite decades of research and various security risk frameworks, the security risk management domain still faces numerous challenges (Fenz et al., 2014). Various important variables have been identified as requirements for cultivating a cyber security culture (Gcaza et al., 2017). Transparent and timely reporting as well as the encouragement of risk reporting is one of these variables, and an indicator of a good risk culture (IRM, 2012b).

The objective of the present risk culture study in a telecommunications organisation was to assess the perceptions of internal risk reporting for decision making as it applies to (1) cyber security practitioners working in a cyber security unit; and (2) senior management not working directly in the cyber security unit, but responsible for business decisions based on the reporting from the cyber security unit.

Reporting requirements differ for cyber security practitioners and senior management because of the nature of their functions. Security practitioners need reporting from a governance, risk management and assurance perspective to ensure compliance and coverage of all the cyber security controls. They further need real-time reporting on cyber incidents to actively and proactively manage and address security risks as and when they occur. Senior management has a supporting role concerned with the general health of the company’s cyber security posture. From a logistical perspective, they drive regulatory requirements and need to ensure that the security unit is governed adequately. Together with the cyber security practitioners, senior management must make certain that the organisation follows a comprehensive security risk framework to cultivate a security-aware culture (Da Veiga & Eloff, 2010).

In the world of cyber security, it is well known that you are only as safe and secure as the weakest link in your armour. It is therefore important to ensure that the organisation’s investment in cyber security is built on a risk culture of best practice risk reporting.

This study aimed to improve cyber security risk culture through the application of best practice risk reporting, thereby enhancing decision making by cyber security practitioners and senior management. As what seems to be the first study on risk culture within a cyber security environment, this research was designed to contribute to the maturity of the cyber risk framework for risk data and reporting in the organisation and to demonstrate the value of risk reporting.

This article is structured as follows. A literature review of best practices for risk reporting is presented as part of the background in the next section. Thereafter, the research methodology is described, followed by the results and discussion. The final section summarises the key issues and draws conclusions from the document analysis, literature study and interviews.

3. Background

In February 1903, shortly after London’s St James Gazette reported that the Italian radio (telecommunications) pioneer Guglielmo Marconi had claimed that his new wireless invention was secure, the first instance of a cyber-attack took place (Marks, 2011). Nevil Maskelyne (the hacker), who breached the wireless invention, publicly acknowledged in The Times of London that his motivation had been to prove that his prank (hack) was for the public good, warning them of the holes (risks) in the “secure” Marconi network (Marks, 2011).

A century later, telecommunications and information technology (IT) have evolved and provide 24/7 communication and data services on a global scale to millions of users. In South Africa, the two largest telecommunication operators service approximately 70% of the population, which amounts to almost 60 million subscribers (BusinessTech, 2017). With such a huge subscriber base and the fact that cyber criminals and attacks escalate by the day, cyber security is currently viewed as one of the top ten risks (threats) to organisations globally (IRMSA, 2018).

Technology within a telecommunications environment requires more than just applying security controls to govern an organisation’s cyber security requirements (Da Veiga & Eloff, 2010). It also requires a security-aware culture to minimise technology-specific security risks, address people-specific risks relating to employee misbehaviour, and assist with the protection of information assets by applying risk-driven processes (Da Veiga & Eloff, 2010). Furthermore, organisations need to assess and regularly report the state of their internal security culture within the organisation (Da Veiga & Eloff, 2010). The basis for any organisational risk reporting used for internal and external decision making starts with the risk framework used to perform risk management (Epstein & Rejc, 2006). Risk reporting therefore has the important function of providing guidance and support to practitioners and management for decision making and could therefore have a significant impact on an organisation’s security culture (Knapp, Marshall, Rainer, & Ford, 2006).

To manage cyber security efficiently, it is important to “build a strong organisational risk culture in cyber security” (Corradini & Nardelli, 2018). This is especially important from a regulatory perspective, and regulators within the financial sector support and promote a risk culture based on voluntary disclosure and reporting (BIS, 2012; OECD, 2014). Telecommunications in South Africa is regulated by the Independent Communications Authority of South Africa (ICASA, 2018) from a communications, broadcasting and postal service perspective, while integrated frameworks addressing corporate risk disclosure for cyber security have been defined in the Payment Card Industry Data Security Standard (PCI, 2018), by the Sarbanes-Oxley Act (SOX, 2002), and by the International Organization for Standardization (ISO, 2018). The Protection of Personal Information Act (POPIA) (POPIA, 2013) and the Cybersecurity Bill (Bill 40487, 2017), once enacted, will formalise disclosure and reporting of cyber security within South Africa. Until such time, the key risk culture guidelines for business are taken from the Financial Services Board (FSB) (FSB, 2014) and the Basel Committee on Banking Supervision (BCBS) (BIS, 2015). The guidelines they provide for risk culture became effective in July 2015 (BIS, 2015) and the Principles for effective risk data aggregation and risk reporting (“the Principles”) became effective in January 2016 (BIS, 2017).

The FSB and BCBS emphasise the responsibility of senior management for setting the tone within an organisation to facilitate a risk culture (BIS, 2011, 2017; FSB, 2013, 2014, 2017). This is done by management defining a governance framework with a formal risk management strategy consisting of a policy, risk framework and risk appetite for the organisation (Epstein & Rejc, 2006; ISO, 2009). The function of a policy in this context is to define the framework for a cyber security risk programme, thereby ensuring that roles and responsibilities have been defined while communicating the organisation’s cyber security goals and objectives (Gordon, 2015, p. 119).

To enable management to take the right decisions in a timely manner, the BCBS (BIS, 2012, 2013, 2017) published Standard 239 in January 2013, also referred to as “the Principles”. The objectives of the Principles are to manage data and enable reporting needed for decision making based on key risks identified across the organisation (BIS, 2017). Good decision making could be achieved by ensuring that a supporting IT infrastructure is in place and by striving to reduce the probability and severity of possible losses resulting from weaknesses in risk management processes (BIS, 2017). By improving the requirements to provide reporting sooner rather than later for quicker decision making, the quality of operational, tactical and strategic planning could enable stakeholders to manage the risk of new products and services (BIS, 2017).

It is noteworthy that when management reports on measurable facts, such as commercially sensitive information, they tend to report generically to protect themselves against competitors, rather than to report on company-specific risk requirements (Linsley & Shrives, 2005). This results in unclear communication, especially when management is defending and promoting organisational reputation, rather than recognising how the organisational activities impact multiple capitals within the organisation (Haji & Hossain, 2016). Consequently, risk reports do not always provide a complete picture of the actual risks facing organisations, which implies that concise reporting seems to be more symbolic than instrumental (Hrasky & Smith, 2008). A South African study that investigated reporting over a ten-year period found that corporate risk disclosures immediately before and after the 2007/2008 global financial crisis were largely ‘non-financial’, ‘historical’, ‘good news’ and ‘qualitative’ in nature (Ntim, Lindop, & Thomas, 2013). Failure to integrate risks fully into strategic and operational decisions could therefore be linked directly to inadequate risk reporting (Epstein & Rejc, 2006). Automated tools, used increasingly for reporting large amounts of data, could assist with the improvement of reporting, but could also lead to a false sense of security if the content and context of the reporting are incorrectly analysed (Finn & Eliot, 2007). In addition, harmonising reporting standards could improve the comparability and reliability of information, making reports easier for investors and decision makers to analyse and understand (Daniel & Michael, 2014). It could also provide the organisation with the opportunity to interpret and manage its risks (PWC, 2016).

The “Principles”, effective January 2016 as a regulatory requirement for banking and as a leading instrument in this field, provided guidelines that were used as the basis for best practice reporting (BIS, 2017).

Even though much has been written and published on reporting within the financial world (BIS, 2013), no specific material or research could be found specifically relating to the sphere of cyber security, where reporting is vital to manage the danger of cyber threats.

The present study therefore investigated the alignment of risk reporting to recommended best practice in the cyber security unit of a South African telecommunications company and sought to obtain a better understanding of the associated risk culture. The aim was to improve the risk culture through improved risk reporting, thereby enhancing decision making in the cyber security unit within the company.


4. Method

4.1. Research approach

This exploratory study followed a qualitative approach based on a literature review, document analysis, and interviews. The literature review established best practice in risk reporting. The findings from the document analysis and interviews were then compared with the reporting best practices established from the literature.

4.2. Sampling and data collection

4.2.1. Participants

The study employed purposive sampling (Saunders & Lewis, 2012, pp. 138-139) for the interviews, targeting the six senior cyber security practitioners and five senior managers directly associated with the cyber security unit. These participants were selected because they could (purposefully) offer information based on their professional qualifications, roles and executive experience in the cyber security domain. The demographic description of the participants is provided in the findings section of the paper. The roles and functions of the participants in the workplace included the creation, analysis, and interpretation of risk reporting for decision making. This was an important consideration for the present study given the serious nature of cyber security threats and the focus here on risk reporting.

4.2.2. Literature review

The review of the academic literature was conducted to situate the study in terms of best practice risk reporting. Special attention was placed on Standard 239, used as a reporting guideline in the financial sector to provide specific principles for risk data aggregation and risk reporting (BIS, 2011, 2012, 2017). The following key items provided substantiation for the principles of risk reporting established from Standard 239: ‘The reporting of organisational risks for internal and external decision making’ (Epstein & Rejc, 2006); ‘Risk culture: Resources for practitioners’ (IRM, 2012a); ‘Guidance on supervisory interaction with financial institutions on risk culture: a framework for assessing risk culture’ (FSB, 2014); ‘Supervision of behaviour and culture: foundations, practice & future developments’ (DNB, 2015); and ‘Information paper – Risk Culture’ (APRA, 2016).


4.2.3. Document analysis

As suggested by Bowen (2009), document analysis was performed on existing internal risk data and reporting practices within the cyber security unit to contextualise the research and to provide institution-specific supplementary research data. The information derived from these documents was compared with the findings from the literature review.

4.2.4. Interviews

Semi-structured interviews with the cyber security practitioners and senior managers were conducted so as to obtain their perceptions about risk data and risk reporting. Open-ended questions, based on a pre-defined interview guide (Appendix 1), were employed to gain detailed understanding of their views. Prior to the actual interviews, three pilot interviews were conducted to test the data collection process and to make adjustments where necessary.

4.3. Data analysis

The interviews were voice recorded and later transcribed for the purpose of data analysis. Coding was used to identify structures and patterned uniformities and to determine inferences on the basis of keywords and themes identified from the literature (Collis & Hussey, 2013, p. 171). A three-step process was employed as follows:

1. Establishing from the literature the prescribed best practice requirements for internal risk reporting, and aggregating the codes or principles from the literature into themes or code categories. Themes or code categories are broad units of information that consist of several codes aggregated to form a common idea (Creswell, 2014, p. 99);

2. Document analysis on internal documentation governing the cyber security unit and comparing the results to the prescribed best practices established from the literature;

3. Coding the interview data and comparing the transcribed results to the prescribed best practices established from the literature.

The coding of the interview data was conducted by using Quirkos (Quirkos, 2018), a qualitative data analysis software application (Stuckey, 2015). Further statistical analytics were done using “Microsoft Excel” (Meyer & Avery, 2009).

4.4. Ethical considerations

The ethical requirements prescribed by the Faculty of Economic and Management Sciences of the North-West University were followed. These included the approval of the Faculty Ethics Committee as well as informed consent from the participants (see Appendix 1). Owing to the sensitivity of cyber security, special permission was granted by the company to conduct the study.


5. Results and discussion

For the purpose of explanation and analysis, four key themes were identified (Table 2). These align with the Principles (BIS, 2017) defined for reporting in financial institutions and were used as a baseline for the present risk reporting study (Appendix 2).

Table 2: Principles of risk data aggregation and risk reporting

Primary risk data and reporting topics (Source)

A. Risk Governance Framework and IT Infrastructure (BIS, 2012, 2013, 2017)

B. Risk Data Aggregation Capabilities and Quality (BIS, 2012, 2013, 2017)

C. Risk Communication and Reporting Practices (BIS, 2012, 2013, 2017)

D. Decision Making and Risk Culture (BIS, 2012, 2013, 2017)

Standard 239 (BIS, 2012, 2013, 2017) defined 14 Principles (see Appendices 3 and 4) associated with the four themes in Table 2. These principles, presented in Table 3, formed the main codes for comparison (provided in the comparative overview) with the document analysis and the coding of the interview data and were expanded to 20 codes after examination of further literature supporting these principles (Appendix 4).

Table 3: Codebook from the literature study on risk data aggregation and risk reporting

No. | Principle code (best practice) | Description (BIS, 2012, 2013, 2017) | Examples from the literature study

1. Risk Governance Framework

‘An organisation should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.’ (BIS, 2017)

‘A key element of any risk governance framework is ensuring that the right information is provided to management and boards to enable informed decision making with respect to risk issues.’ (IRM, 2012a)

2. IT Infrastructure ‘An organisation should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.’ (BIS, 2017)

‘As the rate of change in business activities accelerates, and information technology reduces the cost of collecting and providing updated information, internal real-time risk reporting will likely be even faster. Further, as regulatory frameworks move towards real-time disclosure, management must see the information as quickly as possible.’ (Epstein & Rejc, 2006)

3. Governance ‘An organisation’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.’ (BIS, 2017)

‘A sound risk culture bolsters effective risk management, promotes sound risk-taking, and ensures that emerging risks or risk-taking activities beyond the institution’s risk appetite are recognised, assessed, escalated and addressed in a timely manner.’ (FSB, 2014)


4. Risk Management ‘Foundations include your risk management policy, objectives, mandate, and commitment. And arrangements include the plans, relationships, accountabilities, resources, processes, and activities you use to manage your organisation’s risk.’ (ISO, 2009)

‘The board and senior management are committed to establishing, monitoring, and adhering to an effective risk appetite framework, supported by appropriate risk appetite statement(s) that underpin the financial institution’s risk management strategy, and is integrated with the overall business strategy.’ (FSB, 2014)

5. Compliance and Regulations

‘Risk management reports should include exposure and position information for all significant risk and all significant components of those risk areas. Risk management reports should also cover risk-related measures like regulatory and economic capital.’ (BIS, 2012)

‘Risk management and compliance considerations have a say in compensation, promotion, hiring, and performance evaluation within the business units (FSB, 2014). Regulatory culture-based supervision may have governance and staffing consequences, leading e.g. to the dismissal of board members.’ (DNB, 2015)

6. Risk Data: Quality of Risk-Related Information

‘Information be sufficient and accurate, it must also be presented so that all group members can understand it, and it should include a summary of various decision alternatives and their consequences. Even if information requirements are satisfactory, impending group behavioural patterns and insufficient challenge may still result in poor decision-making.’ (DNB, 2015)

‘Develop and maintain strong risk data aggregation capabilities to ensure that risk management reports reflect the risks in a reliable way (i.e. meeting data aggregation expectations is necessary to meet reporting expectations).’ (BIS, 2012)

7. Risk Data: Accuracy and Integrity

‘…should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.’ (BIS, 2017)

‘Thus, organisations need to control risk reporting channels and ensure accurate and reliable information.’ (Epstein & Rejc, 2006)

8. Risk Data: Completeness

‘…should be able to capture and aggregate all material risk data across the group. Data should be available by business line, legal entity, asset type, etc. and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.’ (BIS, 2017)

‘Internal and external audiences need more complete information on the risks organisations face and how they intend to manage those risks.’ (Epstein & Rejc, 2006)

9. Risk Data: Timeliness

‘An organisation should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability.’ (BIS, 2017)

‘Reporting risks relate to the reliability, accuracy, and timeliness of information systems, and to reliability or completeness of information used for either internal or external decision-making.’ (Epstein & Rejc, 2006)

10. Risk Data: Adaptability

‘An organisation should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.’ (BIS, 2017)

‘As the rate of change in business activities accelerates, and information technology reduces the cost of collecting and providing updated information, internal real-time risk reporting will likely be even faster.’ (Epstein & Rejc, 2006)


11. Risk Data: Aggregation

‘The term “risk data aggregation” means defining, gathering and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite. This includes sorting, merging or breaking down sets of data.’ (BIS, 2013)

‘The internal risk report’s ability to report across the organisation will allow internal users to identify risks in the aggregate, and determine gaps in the risk management strategy.’ (Epstein & Rejc, 2006)

12. Risk Communication / Reporting Practices

‘A culture of open communication and collaboration is constantly promoted to ensure that each employee’s view is valued, and the institution works together to strengthen risk-related decision making (FSB, 2014).’

‘Today, the premise is not just that senior management should base the risk reporting communication policy on trust to be more accountable; organisations can also expect tangible benefits from fair and broad disclosure of organisational risk management.’ (Epstein & Rejc, 2006)

13. Reporting: Accuracy and Integrity

‘Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.’ (BIS, 2013)

‘Although reports on internal control over financial reporting may be instrumental in restoring confidence in the integrity of financial reporting, the reporting of organisational risks must satisfy needs for improved internal and external decision making.’ (Epstein & Rejc, 2006)

14. Reporting: Comprehensiveness

‘Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.’ (BIS, 2017)

‘Organisations should leverage the Sarbanes-Oxley Act compliance efforts and investments to build a comprehensive risk management and risk reporting system and drive significant new business value from a complex and mandatory process.’ (Epstein & Rejc, 2006)

15. Reporting: Clarity and Usefulness

‘Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.’ (BIS, 2017)

‘In practice, disclosure by listed companies varies widely in detail and clarity, and is spread throughout the Management Discussion and Analysis and the notes to financial statements.’ (Epstein & Rejc, 2006)

16. Reporting: Frequency and Availability

‘Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.’ (BIS, 2013)

‘Internal risk reports can be either real-time or periodic. Reporting frequency therefore importantly influences the content, format, placement, distribution, and communication of risk reports.’ (Epstein & Rejc, 2006)

17. Reporting: Distribution and Confidentiality

‘Risk management reports should be distributed to the relevant parties and while ensuring confidentiality is maintained.’ (BIS, 2017)

‘Draft internal periodic reports should be provided to the audit committee for review and comment before distribution.’ (Epstein & Rejc, 2006)

18. Decision Making and Risk Culture

‘Risk behaviour comprises external observable risk-related actions, including risk-based decision-making, risk processes, risk communications etc.’ (IRM, 2012a)

‘Risk culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume.’ (BIS, 2015)


19. Risk Leadership: Tone

‘The central role of leadership in shaping and driving both organisational and risk culture. The role of leadership also features prominently in academic literature. The FSB’s Guidance on Supervisory Interaction with Financial Institutions on Risk Culture refers to this as ‘tone from the top.’ (APRA, 2016)

‘Supervisors will have an important role to play in monitoring and providing incentives for a bank’s implementation of, and ongoing compliance with the Principles.’ (BIS, 2012)

20. Risk Accountability ‘The FSB refers to accountability as the ‘Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour.’ (FSB, 2014)

‘Full accountability is accomplished only when an organisation combines broad public disclosures with extensive internal performance reporting. By doing so, organisations create value for the stakeholders whose support is needed to prosper.’ (Epstein & Rejc, 2006)

The 20 codes were used for the document analysis of the institution-specific cyber security documentation relating to risk reporting, thereby providing supplementary research data relating to the existing processes in place for risk reporting in the organisation, and a baseline for understanding the perceptions of the practitioners that emerged in the interviews (summarised in Appendix 5).
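The risk data principles in Table 3 (accuracy and integrity, completeness, timeliness, adaptability and aggregation; codes 7 to 11) describe properties an aggregation process must enforce rather than merely assert. The script below is an added illustration written for this page; it is not code from the study, from Standard 239, or from the organisation studied. It assumes a constructed feed of open-findings records submitted by source systems, invented business line and asset type names, an as-of time and staleness threshold chosen for the example, and a SHA-256 digest that each source computes over its record so the aggregator can reconcile it. Every field name and value is an assumption.

```python
"""Added example: risk data aggregation with the Table 3 data-quality checks
(integrity by hash reconciliation, timeliness, completeness, aggregation)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from hashlib import sha256
import json

# Assumed reporting parameters (not from the study): the as-of time of the report,
# the business lines expected to submit, and how old a record may be before it is stale.
AS_OF = datetime(2019, 1, 31, 9, 0, tzinfo=timezone.utc)
EXPECTED_BUSINESS_LINES = {"Consumer", "Enterprise", "Wholesale"}
MAX_AGE = timedelta(hours=24)
CONTENT_FIELDS = ("business_line", "asset_type", "severity", "open_findings", "reported_at")


def canonical_hash(record):
    """SHA-256 over the content fields serialised in a fixed order, so that the source
    system and the aggregator derive the same digest for the same content
    (code 13: reports should be reconciled and validated)."""
    canonical = json.dumps({k: record[k] for k in CONTENT_FIELDS}, sort_keys=True)
    return sha256(canonical.encode("utf-8")).hexdigest()


def make_record(business_line, asset_type, severity, open_findings, reported_at):
    """Build one record the way a source system would: the content plus its digest."""
    record = {"business_line": business_line, "asset_type": asset_type,
              "severity": severity, "open_findings": open_findings,
              "reported_at": reported_at}
    record["hash"] = canonical_hash(record)
    return record


# Constructed sample feed (invented values). Wholesale submits nothing, one
# Enterprise record is older than MAX_AGE, and one record is altered after hashing.
SAMPLE_FEED = [
    make_record("Consumer", "web", 4, 12, "2019-01-31T07:30:00+00:00"),
    make_record("Consumer", "network", 3, 5, "2019-01-31T08:00:00+00:00"),
    make_record("Enterprise", "web", 5, 2, "2019-01-29T06:00:00+00:00"),   # stale
]
_tampered = make_record("Enterprise", "network", 2, 40, "2019-01-31T08:30:00+00:00")
_tampered["open_findings"] = 4   # edited after the digest was computed
SAMPLE_FEED.append(_tampered)


def validate_feed(feed, expected_lines=EXPECTED_BUSINESS_LINES, as_of=AS_OF, max_age=MAX_AGE):
    """Apply the integrity, timeliness and completeness checks. Rejected records and
    missing business lines are returned as exceptions so the report can disclose
    them instead of silently presenting an incomplete aggregate."""
    accepted, integrity_failures, stale = [], [], []
    for record in feed:
        if canonical_hash(record) != record["hash"]:
            integrity_failures.append(record)            # accuracy and integrity (code 7)
            continue
        if as_of - datetime.fromisoformat(record["reported_at"]) > max_age:
            stale.append(record)                         # timeliness (code 9)
            continue
        accepted.append(record)
    # Completeness (code 8): every expected business line must be represented by data
    # that passed the checks above, not merely by a rejected submission.
    missing = sorted(expected_lines - {r["business_line"] for r in accepted})
    return {"accepted": accepted, "integrity_failures": integrity_failures,
            "stale": stale, "missing_business_lines": missing}


def aggregate(records, *keys):
    """Sum open findings by any combination of grouping fields (code 11); the same
    function yields the summary and its drill-down (business line, then asset type)."""
    totals = defaultdict(int)
    for record in records:
        totals["/".join(record[k] for k in keys)] += record["open_findings"]
    return dict(totals)


def build_report(feed, **checks):
    """Produce the aggregated view together with the exceptions the checks raised."""
    result = validate_feed(feed, **checks)
    accepted = result["accepted"]
    return {
        "by_business_line": aggregate(accepted, "business_line"),
        "by_business_line_and_asset": aggregate(accepted, "business_line", "asset_type"),
        "highest_severity": max((r["severity"] for r in accepted), default=None),
        "exceptions": {
            "integrity_failures": len(result["integrity_failures"]),
            "stale_records": len(result["stale"]),
            "missing_business_lines": result["missing_business_lines"],
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_FEED), indent=2))
```

Run as a script, the report shows only the Consumer totals, because the tampered Enterprise record fails reconciliation and the other Enterprise record is older than the threshold; both Enterprise and Wholesale are then listed as missing. The design choice worth noting is that the exceptions travel with the aggregate: a recipient who sees only the totals would otherwise be making decisions on incomplete data without knowing it, which is the failure mode codes 8 and 9 warn against.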


5.1. Demographic statistics of interview participants

The selection criteria for the cyber security practitioners in the study compared closely with those for the senior managers: a high standard was required in terms of qualifications, as well as more than 5 years’ experience in their current role. Cyber security still seems to be predominantly male oriented, in contrast to senior management, where males and females were more equally represented.

Figure 1: Gender of participants (Female 27%, Male 73%)

Figure 2: Roles of participants (Senior management 45%, Cyber practitioner 55%)

Figure 3: Age of participants (20 to 29: 9%, 30 to 39: 45%, 40 to 49: 18%, 50 to 59: 27%)

Figure 4: Experience of participants (1 to 3 years: 9%, 3 to 5 years: 18%, 5 to 10 years: 27%, 10 to 15 years: 45%)

Figure 5: Qualifications of participants (University postgraduate degree 27%, University bachelor’s degree 73%)

The experience and qualifications of the participating cyber security practitioners and senior managers confirm global trends that cyber security is a highly specialised area which requires knowledge and experience (Kennedy, 2018).


5.2. Perceptions of risk reporting within the cyber security unit

Table 4: A comparison of the findings from the document analysis and interviews with the principles of risk data aggregation and risk reporting

No. | Principle code (best practice) | Description (BIS, 2012, 2013, 2017) | Example from document analysis | Examples from interviews

1. Risk Governance Framework

‘An organisation should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.’ (BIS, 2017)

‘This implies that information assets shall be identified, valued, assessed for risk and protected cost effectively from threats.’

‘I think from a framework point of view, from what risk is and a risk and controls point of view, we have proper governance with a team that looks at what is required from a strategy point of view, set programs that ensure we are at the best practice level from a security point of view.’

2. IT Infrastructure ‘An organisation should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.’ (BIS, 2017)

‘…to apply an effective and consistent level of security to all Technology Systems used over the organisation’s Technology infrastructure.’

‘We do have tooling in place to assist with this process, we have information covering our infrastructure and from an assurance perspective, we build some validation processes in to assure we scan what we need to and if not, we can identify the gaps, where they are and manage it to make our coverage and information as accurate as possible.’

3. Governance ‘An organisation’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles.’ (BIS, 2017)

‘Information Security and Technology Security policies, standards, guidelines and procedures shall be developed to communicate security requirements and guide the selection and implementation of security control measures.’

‘If I had to put it on a scale, say 1 to 3, with 1 properly governed and 3 poorly governed, I’ll put it at a 1.5. Reason being we do have processes in place, but we don’t have an overview of the processes in place managing risk data.’

4. Risk Management ‘Foundations include your risk management policy, objectives, mandate, and commitment. Arrangements include the plans, relationships, accountabilities, resources, processes, and activities you use to manage your organisation’s risk.’ (ISO, 2009)

‘The following security management aspects shall be addressed: Technology Risk Management.’

‘What we do have from an operational perspective is a risk management process which assesses projects, identifies and assesses risks, and creates a risk register as a form of report to the business owner, who needs to decide how we are going to manage the risks identified. From this perspective we cover all our deliverables throughout the delivery cycle.’


5. Compliance and Regulations

‘Risk management reports should include exposure and position information for all significant risk and all significant components of those risk areas. Risk management reports should also cover risk-related measures like regulatory and economic capital.’ (BIS, 2012)

‘In protecting its information assets, the company shall obey all applicable laws and regulations and charges its employees to meet the highest ethical standards and compliance.’

‘Reporting speaks specifically on compliance and I do not think that we cover all areas adequately.’

6. Risk Data: Quality of Risk-Related Info

‘Information be sufficient and accurate, it must also be presented so that all group members can understand it, and it should include a summary of various decision alternatives and their consequences. Even if information requirements are satisfactory, impending group behavioural patterns and insufficient challenge may still result in poor decision-making.’ (DNB, 2015)

‘information is an important asset that shall be protected according to its value and the degree of damage that could result from its misuse, unavailability, destruction, unauthorised disclosure or modification.’

‘The biggest criticism is usually around techno jargon, since I have to work with the teams to write up a report or press release; we are not necessarily technically inclined, which requires the information to be translated or explained in simple terms to understand.’

7. Risk Data: Accuracy and Integrity

‘…should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.’ (BIS, 2017)

‘Information owners are the business owners who require that information be available as and when it is required for business decisions, accurate in terms of the integrity of the information’

‘The fact that human intervention is still quite predominant is a problem - it impacts both accuracy and integrity since reporting is interpreted and adjusted according to the reporter’s understanding.’

8. Risk Data: Completeness

‘…should be able to capture and aggregate all material risk data across the group. Data should be available by business line, legal entity, asset type, etc. and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.’ (BIS, 2017)

‘Complete, updated manuals / documentation / data shall be available to operators, programmers, users and auditors as applicable.’

‘We use a lot of checks and balances like record checks and hash values for both completeness, accuracy and integrity of the data. From my job’s perspective, even though I trust, we always check or verify the data.’

9. Risk Data: Timeliness

‘An organisation should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability.’ (BIS, 2017)

‘Information owner requires that the system owner provide accurate information at the time it is required for business decision making.’

‘We get the data/reporting in real time and we have all the screens and so on; however, by the time it is presented or reaches the executives so much time has transpired that the decisions they need to make are based on old data.’


10. Risk Data: Adaptability

‘An organisation should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.’ (BIS, 2017)

‘To conduct the independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedure, and to recommend any indicated changes in controls, policy or procedures.’

‘We are not adaptable enough to report quicker - we mostly report on old data making decision making difficult.’

11. Risk Data: Aggregation

‘The term “risk data aggregation” means defining, gathering and processing risk data according to risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite. This includes sorting, merging or breaking down sets of data.’ (BIS, 2013)

‘All aspects of technology that are used to manage and support the efficient gathering, processing, storing and dissemination of information as a strategic resource.’

‘From a technical perspective very comprehensive, but from an aggregation of data not on the same level yet, room for improvement.’

12. Risk Communication / Reporting Practices

‘A culture of open communication and collaboration is constantly promoted to ensure that each employee’s view is valued, and the institution works together to strengthen risk-related decision making (FSB, 2014).’

‘and communications systems at the company shall provide information within a reasonable time’

‘I do not feel that the reporting is comprehensive enough and this relates again to the source which is the design of the report, the design of the information which is requested, it is the design in which the information is sourced, and that is why I am a big fan of automation.’

13. Reporting: Accuracy and Integrity

‘Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.’ (BIS, 2013)

‘…information be available as and when it is required for business decisions, accurate in terms of the integrity of the information, and that confidentiality be maintained.’

‘The fact that human intervention is still quite predominant is a problem - it impacts both accuracy and integrity since reporting is interpreted and adjusted according to the reporter’s understanding.’

14. Reporting:

Comprehensiveness

‘Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.’ (BIS, 2017)

‘All aspects of technology that are used to manage and support the efficient gathering, processing, storing and dissemination of information as a strategic resource.’

‘We have different reports from various areas in business and they tend to provide the bigger picture however the reporting from the cyber security unit does not provide the full picture.’


15. Reporting: Clarity and Usefulness

‘Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.’ (BIS, 2017)

‘Applications and systems to support the business while utilising information technology as an enabler or tool’

‘I believe the cyber team should go and sit and think about this and address this. Board members are only interested in two things: assurance that things are going well, and highlighting the problems. They are not interested in the number of attacks, etc.; it is irrelevant to them.’

16. Reporting: Frequency and Availability

‘Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.’ (BIS, 2013)

‘To preserve the availability, integrity and confidentiality of information systems and information according to affordable security practices’

‘In terms of the security management aspect, I think there is much more to do in terms of maturing - first of all the report itself, the frequency thereof, and the relevance of what we report.’

17. Reporting: Distribution and Confidentiality

‘Risk management reports should be distributed to the relevant parties and while ensuring confidentiality is maintained.’ (BIS, 2017)

‘Recognising that some information is intended for specific individuals and shall not be appropriate for general distribution.’

‘There is a formal classification process in the organisation and reporting is handled on this basis with a need to know to the relevant stakeholders.’

18. Decision Making and Risk Culture

‘Risk behaviour comprises external observable risk-related actions, including risk-based decision-making, risk processes, risk communications etc.’ (IRM, 2012a)

‘who require that information be available as and when it is required for business decisions, accurate in terms of the integrity of the information, and that confidentiality be maintained.’

‘You can do the work but if it does not feed into a standard clear communication to people, you will not be able to make the right decisions if there is a need for it.’

19. Risk Leadership: Tone

‘The central role of leadership in shaping and driving both organisational and risk culture. The role of leadership also features prominently in academic literature. The FSB’s Guidance on Supervisory Interaction with Financial Institutions on Risk Culture refers to this as ‘tone from the top.’ (APRA, 2016)

‘It is the responsibility of the Risk Committee to support and ensure that the necessary’ and ‘The following security management aspects shall be addressed’

‘I would imagine that executive input might be highly required because then there would be comfort that in everything that we can look at, what sits in the final report, is really the key and important stuff, we did not leave anything behind that could have been required by executives to make a call as to whether things are red, amber or green and that everything was considered.’


20. Risk Accountability ‘The FSB refers to accountability as the ‘Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour.’ (FSB, 2014)

‘Personal accountability and accountability for Cyber Security shall be incorporated in the organisational structures to ensure that every individual applies the applicable security policies, principles, procedures and practices in his/her daily work-related activities.’

‘We all have a responsibility within the organisation around security for example. And it starts with having the right risk data in place, have our risk reporting in place in order to report correctly to make informed decisions.’


5.3. Comparative overview

5.3.1. Assessment of agreement between the risk reporting literature, document analysis and interview data

Table 5 provides a comparative assessment of agreement between the best practices established from the literature (baseline requirements), the internal institution-specific risk reporting document analysis, and the interview data. A three-level scale is employed to describe the comparative result: Low = [0–33%], Medium = [34–66%] and High = [67–100%].

Table 5: Indication of level of agreement

No. | Codes based on themes and principles | Document analysis level of agreement with the literature | Participant interviews’ level of agreement with the literature

A Risk Governance framework and IT Infrastructure

• Governance Medium High

• Data architecture and IT infrastructure Medium Medium

• Risk management Medium Medium

• Compliance and regulations Medium Low

B Risk Data aggregation Capabilities and Quality

• Accuracy and integrity Medium Medium

• Completeness Medium Medium

• Timeliness Medium Medium

• Adaptability Medium Medium

• Risk data aggregation Medium Low

C Risk Communication and Reporting Practices

• Accuracy and integrity Medium High

• Comprehensiveness Medium Medium

• Clarity and usefulness Medium Medium

• Frequency and availability Medium Medium

• Distribution and confidentiality Medium Medium

D Decision Making and Risk Culture

• Risk leadership: tone Medium Low

• Shared risk understanding Medium Low

• Risk accountability Medium Low

The document analysis performed on the policies governing the institution’s cyber security unit indicated that the unit complied at a “Medium” level with the best practice requirements for risk reporting established from the literature. The perceptions of the 11 participants interviewed suggested that the maturity of risk reporting may require improvement in the areas that did not achieve a “High” score.


5.3.2. Implications of results for the organisation

Risk and risk management focus on the uncertainties that could affect business objectives and influence decision making capabilities. In the case of cyber risk reporting, the objective is “decision making” that assists the decision makers to secure the cyber technology used by the organisation and its customers. Cyber risk reporting that fails to meet this objective can result in vulnerability (risk) for the organisation and its customers. From the study, it was evident that the technical aspects of the reporting and the language used by cyber security practitioners posed challenges for the clarity and ease of use of the reports. Although senior managers proposed the automation of reporting, cyber security practitioners indicated that most technical reports are already automated. They emphasised the importance of having skilled practitioners to analyse the data and translate it into meaningful and understandable information for decision making. A challenge identified by senior management related to the design and definition of the reports themselves, especially since these depend on the audience, classification and purpose. Suggestions were made for the cyber security practitioners and senior managers to work closely together to ensure that reports produce the information required based on the reporting objectives. This interaction could address requirements where additional information might be needed, by including a drill-down capability. Frequency and availability of reporting was highlighted as another area for improvement, as reports become outdated and less usable for effective decision making if they are not generated in real time.

In summary, as informed by the literature and confirmed by the institution-specific document analysis, the cyber security unit was found to have the theoretical best practice risk reporting requirements in place. However, from a practical perspective, the results from the interviews highlighted areas where gaps (risks) may exist. Working with the potential risks and vulnerabilities identified in the study could assist the institution’s cyber security unit and senior management to address the gaps and improve the cyber security reporting, which in turn could ensure the best possible decision making in this crucial technological area. Ultimately, however, the excellence of risk reporting is an activity that both affects the quality of the organisation’s risk culture and reflects this quality.
