Kholekile L. Gwebu,Jing Wang,Li Wang

DOI: https://doi.org/10.1080/07421222.2018.1451962

IF: 7.582

2018-01-01

Journal of Management Information Systems

Abstract:Despite the significant financial losses associated with data breaches, little is known about the (in)effectiveness of the tools that firms have to protect their value following a breach. Drawing on cognitive dissonance theory and the research on cue diagnosticity and crisis management, this study examines the relative efficacy of firm reputation and a range of post-breach response strategies. The results indicate that firm reputation is an important asset in protecting firm value. However, only certain response strategies are found to mitigate the negative financial impact of a breach on lower-reputation firms, and response strategies are found to matter less for high-reputation firms. These findings offer practitioners evidence-based guidance for protecting firm value following data breaches and underscore the need for developing more nuanced strategies for managing breaches. The theoretical arguments developed here serve as a conceptual base for examining the efficacy of various data breach response strategies.

Kholekile L. Gwebu,Jing Wang,Wenjuan Xie

2014-01-01

Abstract:To estimate the cost of a data breach to the inflicted firm, this study examines the relationship between a breach incident and changes in the inflicted firm’s profitability, perceived risk, and the inflicted firms’ information environment transparency. Profitability is measured as reported earnings and analysts’ earnings forecasts. Perceived risk is measured as reported stock return volatility and dispersion among analysts’ forecasts. Although a number of studies have investigated the stock market reaction surrounding the disclosure of a breach incident to quantify the cost associated with breaches, we argue that there exists information uncertainty and deficiency in the disclosure of the breach incident and stock market reaction surrounding a security breach announcement date may not be the best measure for the cost of security breaches. And research using other complementary measures is warranted. Our preliminary finding suggests that data breaches negatively impact firm profitability, perceived risk and information transparency. Nevertheless, the damage of a breach most likely stems from direct costs such as compensation and litigation costs rather than indirect costs such as tarnished reputation and a decrease in market share and sales. More sophisticated analysts are also found to add value in estimating the real cost of a security breach.

Shuili Du,Jing Wang,Kholekile L. Gwebu

DOI: https://doi.org/10.1109/CyberSA.2017.8073393

2017-01-01

Abstract:This study explores the potential role of corporate social responsibility (CSR) in mitigating the damage of data breach, a topic that has received scant attention from the literature. Drawing upon the literatures on CSR, stakeholder theory, and the resource-based view (cites), we conceptualize that firms with greater CSR activities accumulate goodwill and cultivate stronger stakeholder relationships, and thus during times of a crisis, such as a data breach, stakeholders are more likely to give the socially responsible firm "the benefit of doubt" and temper their sanctions, mitigating the damage of the breach.

Nandita Pattnaik,Jason R. C. Nurse,Sarah Turner,Gareth Mott,Jamie MacColl,Pia Huesch,James Sullivan

2023-07-06

Abstract:As cyber-attacks continue to increase in frequency and sophistication, organisations must be better prepared to face the reality of an incident. Any organisational plan that intends to be successful at managing security risks must clearly understand the harm (i.e., negative impact) and the various parties affected in the aftermath of an attack. To this end, this article conducts a novel exploration into the multitude of real-world harms that can arise from cyber-attacks, with a particular focus on ransomware incidents given their current prominence. This exploration also leads to the proposal of a new, robust methodology for modelling harms from such incidents. We draw on publicly-available case data on high-profile ransomware incidents to examine the types of harm that emerge at various stages after a ransomware attack and how harms (e.g., an offline enterprise server) may trigger other negative, potentially more substantial impacts for stakeholders (e.g., the inability for a customer to access their social welfare benefits or bank account). Prominent findings from our analysis include the identification of a notable set of social/human harms beyond the business itself (and beyond the financial payment of a ransom) and a complex web of harms that emerge after attacks regardless of the industry sector. We also observed that deciphering the full extent and sequence of harms can be a challenging undertaking because of the lack of complete data available. This paper consequently argues for more transparency on ransomware harms, as it would lead to a better understanding of the realities of these incidents to the benefit of organisations and society more generally.

Cryptography and Security,Computers and Society

Svetlana Abramova,Rainer Böhme

2023-08-01

Abstract:Media reports show an alarming increase of data breaches at providers of cybersecurity products and services. Since the exposed records may reveal security-relevant data, such incidents cause undue burden and create the risk of re-victimization to individuals whose personal data gets exposed. In pursuit of examining a broad spectrum of the downstream effects on victims, we surveyed 104 persons who purchased specialized devices for the secure storage of crypto-assets and later fell victim to a breach of customer data. Our case study reveals common nuisances (i.e., spam, scams, phishing e-mails) as well as previously unseen attack vectors (e.g., involving tampered devices), which are possibly tied to the breach. A few victims report losses of digital assets as a form of the harm. We find that our participants exhibit heightened safety concerns, appear skeptical about litigation efforts, and demonstrate the ability to differentiate between the quality of the security product and the circumstances of the breach. We derive implications for the cybersecurity industry at large, and point out methodological challenges in data breach research.

Cryptography and Security

Titis Pandan Wangi Reformasi,Hasrul Buamona

DOI: https://doi.org/10.55927/jlca.v3i3.10376

2024-08-06

Abstract:In the ever-evolving digital era, an in-depth exploration of the cybersecurity legal framework is a must. This article examines the background and discussion of personal data protection in 2023. It provides a comprehensive overview of the current cybersecurity landscape, identifying key trends and threats faced by individuals, businesses, and governments. The focus then shifts to regulatory and compliance analysis, exploring potential changes and evaluating the adequacy of current regulations. Next, we outline the latest technologies used in data protection, detailing the role of artificial intelligence (AI) to blockchain in strengthening cybersecurity. Ethical aspects are also highlighted, exploring how efforts to improve security can be balanced with individuals’ right to privacy and preventing abuse of power by authorities. Through analysis of key cases in 2023, this article highlights real-world experiences related to personal data breaches. From here, readers can gain a deeper understanding of how cybersecurity law is evolving and addressing the ever-growing threats in this digital era. This article aims to provide a holistic view, educating readers about the current challenges and innovations in personal data protection and contributing to a deeper understanding of the field.

Brenda Wells-Dietel,Asligul Erkan-Barlow

DOI: https://doi.org/10.52227/26579.2023

2023-01-01

Journal of Insurance Regulation

Abstract:This manuscript systematically reviews several strands of literature on cybersecurity and draws attention to the possible moral hazard problem associated with managers’ choices on information security-related investments. First, a careful synthesis of the literature shows that managers have incentives to behave myopically and to defer investments in data security to meet the financial market’s earnings expectations. Second, although adequate cyber risk management involves both risk mitigation and risk transfer, risk transfer through the purchase of cyber insurance is problematic. Despite the increase of insurers and written premiums suggesting growth in the cyber insurance industry, the most recent industry reports point out the increase in loss ratios, the decrease in available cyber insurance limits, and the implementation of more restrictive coverage as a sign of insurers controlling their risk exposure. Finally, existing regulatory frameworks in the U.S. and the European Union (EU) do not negate the trend of increasing numbers of cyberattacks. In conclusion, we argue that an optimal level of regulation is needed but has yet to be enacted to reduce the cyber risk exposure of businesses and insurers, as well as to protect consumers and the overall economy.

Amir Atapour-Abarghouei,Stephen Bonner,Andrew Stephen McGough

DOI: https://doi.org/10.48550/arXiv.1911.08364

2019-11-19

Abstract:With the recent growth in the number of malicious activities on the internet, cybersecurity research has seen a boost in the past few years. However, as certain variants of malware can provide highly lucrative opportunities for bad actors, significant resources are dedicated to innovations and improvements by vast criminal organisations. Among these forms of malware, ransomware has experienced a significant recent rise as it offers the perpetrators great financial incentive. Ransomware variants operate by removing system access from the user by either locking the system or encrypting some or all of the data, and subsequently demanding payment or ransom in exchange for returning system access or providing a decryption key to the victim. Due to the ubiquity of sensitive data in many aspects of modern life, many victims of such attacks, be they an individual home user or operators of a business, are forced to pay the ransom to regain access to their data, which in many cases does not happen as renormalisation of system operations is never guaranteed. As the problem of ransomware does not seem to be subsiding, it is very important to investigate the underlying forces driving and facilitating such attacks in order to create preventative measures. As such, in this paper, we discuss and provide further insight into variants of ransomware and their victims in order to understand how and why they have been targeted and what can be done to prevent or mitigate the effects of such attacks.

Cryptography and Security

Chukwuka Elendu,Eunice K. Omeludike,Praise O. Oloyede,Babajide T. Obidigbo,Janet C. Omeludike

DOI: https://doi.org/10.1097/md.0000000000039887

IF: 1.6

2024-09-29

Medicine

Abstract:In recent years, integrating digital technologies in healthcare has revolutionized medical practice, enhancing patient care, data management, and operational efficiency. However, this digital transformation has also exposed healthcare systems to significant cybersecurity threats, leading to legal and ethical challenges for clinicians. [ 1–3 ] The increasing frequency and sophistication of cyber-attacks, such as ransomware, data breaches, and hacking incidents, pose substantial risks to patient privacy, data integrity, and overall healthcare delivery. [ 1–3 ] These incidents jeopardize patient safety and implicate healthcare professionals in potential legal liabilities. Emerging technologies, including artificial intelligence (AI) and quantum computing, are at the forefront of cybersecurity innovations and challenges. AI, for instance, offers promising applications in detecting and mitigating cyber threats through advanced algorithms and machine learning (ML) techniques. However, deploying AI systems in healthcare raises concerns regarding data security, privacy, and ethical implications. If not properly managed, AI systems can introduce biases that may result in discriminatory practices or inaccurate decision-making. [ 4 , 5 ] Moreover, quantum computing, potentially breaking traditional encryption methods, further complicates the cybersecurity landscape, necessitating new cryptographic approaches and legal frameworks to safeguard sensitive health information. [ 6 ] The global nature of cybersecurity threats underscores the importance of international cooperation and regulatory harmonization. Countries have adopted varying approaches to managing cybersecurity incidents in healthcare, influenced by their legal systems, cultural values, and technological infrastructures. For example, the European Union's General Data Protection Regulation (GDPR) imposes stringent data protection requirements, including reporting data breaches within 72 hours. [ 7 ] In contrast, the United States has a more fragmented regulatory landscape, with laws such as the Health Insurance Portability and Accountability Act (HIPAA) providing a framework for protecting patient information. Still, varying state laws complicate compliance. [ 8 ] A comparative analysis of these international regulations reveals best practices and highlights areas where further harmonization is needed to protect healthcare data globally. The legal implications of cybersecurity incidents extend beyond compliance with data protection regulations. As custodians of patient data, clinicians may face legal consequences in data breaches or unauthorized access to sensitive information. These legal responsibilities necessitate a thorough understanding of cybersecurity best practices and implementing robust security measures. For instance, clinicians must ensure secure communication channels, regular updates to software systems, and adherence to data encryption standards. [ 9 ] Furthermore, clinicians should be aware of their obligations to report cybersecurity incidents and cooperate with investigations, as failure can result in legal penalties and damage to professional reputations. [ 10 ] Ethical considerations are also paramount in the context of cybersecurity in healthcare. The principle of patient autonomy, which underpins informed consent and confidentiality, is challenged when cybersecurity incidents compromise patient data. Healthcare professionals must navigate these ethical dilemmas, balancing the need to protect patient information with the necessity of using digital tools for medical care. [ 11 ] Moreover, deploying AI in healthcare introduces questions about the transparency and accountability of decision-making processes. Ensuring that AI systems are transparent, explainable, and free from biases is crucial to maintaining public trust and ensuring equitable healthcare outcomes. [ 12 ] Case studies of cybersecurity incidents in healthcare provide valuable insights into the practical challenges and consequences clinicians face. For example, the WannaCry ransomware attack in 2017 severely disrupted the UK's National Health Service (NHS), affecting numerous hospitals and clinics and leading to the cancelation of thousands of appointments. [ 13 ] This incident highlighted the vulnerability of healthcare systems to cyber threats and underscored the importance of proactive cybersecurity measures. Similarly, the breach of patient data at Ant -Abstract Truncated-

medicine, general & internal

Paulius Jurcys,Marcelo Corrales Compagnucci,Mark Fenwick

2024-07-30

Abstract:The General Data Protection Regulation contains a blanket prohibition on the transfer of personal data outside of the European Economic Area unless strict requirements are met. The rationale for this provision is to protect personal data and data subject rights by restricting data transfers to countries that may not have the same level of protection as the EEA. However, the ubiquitous and permeable character of new technologies such as cloud computing, and the increased inter connectivity between societies, has made international data transfers the norm and not the exception. The Schrems II case and subsequent regulatory developments have further raised the bar for companies to comply with complex and, often, opaque rules. Many firms are, therefore, pursuing technology-based solutions in order to mitigate this new legal risk. These emerging technological alternatives reduce the need for open-ended cross-border transfers and the practical challenges and legal risk that such transfers create after Schrems. This article examines one such alternative, namely a user-held data model. This approach takes advantage of personal data clouds that allows data subjects to store their data locally and in a more decentralised manner, thus decreasing the need for cross-border transfers and offering end-users the possibility of greater control over their data.

Computers and Society

Timothy McIntosh,Teo Susnjak,Tong Liu,Dan Xu,Paul Watters,Dongwei Liu,Yaqi Hao,Alex Ng,Malka Halgamuge

DOI: https://doi.org/10.1145/3691340

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Ransomware has grown to be a dominant cybersecurity threat by exfiltrating, encrypting, or destroying valuable user data and causing numerous disruptions to victims. The severity of the ransomware endemic has generated research interest from both the academia and the industry. However, many studies held stereotypical assumptions about ransomware, used unverified, outdated, and limited self-collected ransomware samples, and did not consider government strategies, industry guidelines, or cyber intelligence. We observed that ransomware no longer exists simply as an executable file or limits to encrypting files (data loss); data exfiltration (data breach) is the new norm, espionage is an emerging theme, and the industry is shifting focus from technical advancements to cyber governance and resilience. We created a ransomware innovation adoption curve, critically evaluated 212 academic studies published during 2020 and 2023, and cross-verified them against various government strategies, industry reports, and cyber intelligence on ransomware. We concluded that many studies were becoming irrelevant to the contemporary ransomware reality and called for the redirection of ransomware research to align with the continuous ransomware evolution in the industry. We proposed to address data exfiltration as priority over data encryption, to consider ransomware in a business-practical manner, and recommended research collaboration with the industry.

computer science, theory & methods

Rina Patil,Gayatri Pise,Yatin Bhosale

DOI: https://doi.org/10.48550/arXiv.2311.16303

2023-11-27

Cryptography and Security

Abstract:A data breach in the modern digital era is the unintentional or intentional disclosure of private data to uninvited parties. Businesses now consider data to be a crucial asset, and any breach of this data can have dire repercussions, including harming a company's brand and resulting in losses. Enterprises now place a high premium on detecting and preventing data loss due to the growing amount of data and the increasing frequency of data breaches. Even with a great deal of research, protecting sensitive data is still a difficult task. This review attempts to highlight interesting prospects and offer insightful information to those who are interested in learning about the risks that businesses face from data leaks, current occurrences, state-of-the-art methods for detection and prevention, new difficulties, and possible solutions.

Farshid Javadnejad,Ahmed M. Abdelmagid,Cesar A. Pinto,Michael Mcshane,Rafael Diaz

DOI: https://doi.org/10.1080/17517575.2024.2369952

2024-06-25

Enterprise Information Systems

Abstract:This study comprehensively assesses ransomware/malware risks using the Advisen cyber loss dataset. It classifies malware types by frequency and financial impact, revealing that low-frequency attacks can cause significant economic damage. Some malware types incur extensive losses despite their rarity. The analysis highlights cybersecurity technologies like AI-based tools and Zero Trust Architecture (ZTA) for combating attacks. Large organizations and small businesses can adopt these defensive approaches across various industries. The study underscores the need for robust cybersecurity measures to prevent or mitigate future attacks, offering valuable insights into malware and ransomware patterns and trends, stressing adherence to frameworks, policies, and regulations.

computer science, information systems

Long Cheng,Fang Liu,Danfeng Yao,Danfeng Daphne Yao

DOI: https://doi.org/10.1002/widm.1211

2017-06-09

Abstract:A data breach is the intentional or inadvertent exposure of confidential information to unauthorized parties. In the digital era, data has become one of the most critical components of an enterprise. Data leakage poses serious threats to organizations, including significant reputational damage and financial losses. As the volume of data is growing exponentially and data breaches are happening more frequently than ever before, detecting and preventing data loss has become one of the most pressing security concerns for enterprises. Despite a plethora of research efforts on safeguarding sensitive information from being leaked, it remains an active research problem. This review helps interested readers to learn about enterprise data leak threats, recent data leak incidents, various state‐of‐the‐art prevention and detection techniques, new challenges, and promising solutions and exciting opportunities. WIREs Data Mining Knowl Discov 2017, 7:e1211. doi: 10.1002/widm.1211 This article is categorized under: Application Areas > Business and Industry Fundamental Concepts of Data and Knowledge > Key Design Issues in Data Mining Technologies > Prediction There are multiple points and opportunities for an enterprise to deploy effective protections to secure sensitive data against inadvertent or malicious leak threats that may appear during data storage, usage, or movement. The challenge is to understand the threats, and more importantly, the security capabilities and limitations of various prevention and detection solutions, in order for administrators to make informed security choices and decisions in practice. This review paper analyzes major data breach incidents and systematizes the body of knowledge on prevention and detection. It also points out the exciting new research opportunities related to deep learning, cloud service, privacy, and experimental reproducibility.

computer science, artificial intelligence, theory & methods

Frank Cremer,Barry Sheehan,Michael Fortmann,Arash N Kia,Martin Mullins,Finbarr Murphy,Stefan Materne

DOI: https://doi.org/10.1057/s41288-022-00266-6

Abstract:Cybercrime is estimated to have cost the global economy just under USD 1 trillion in 2020, indicating an increase of more than 50% since 2018. With the average cyber insurance claim rising from USD 145,000 in 2019 to USD 359,000 in 2020, there is a growing necessity for better cyber information sources, standardised databases, mandatory reporting and public awareness. This research analyses the extant academic and industry literature on cybersecurity and cyber risk management with a particular focus on data availability. From a preliminary search resulting in 5219 cyber peer-reviewed studies, the application of the systematic methodology resulted in 79 unique datasets. We posit that the lack of available data on cyber risk poses a serious problem for stakeholders seeking to tackle this issue. In particular, we identify a lacuna in open databases that undermine collective endeavours to better manage this set of risks. The resulting data evaluation and categorisation will support cybersecurity researchers and the insurance industry in their efforts to comprehend, metricise and manage cyber risks. Supplementary information: The online version contains supplementary material available at 10.1057/s41288-022-00266-6.

Alison Cool

DOI: https://doi.org/10.1177/0306312719846557

2019-05-06

Social Studies of Science

Abstract:On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) came into force. EU citizens are granted more control over personal data while companies and organizations are charged with increased responsibility enshrined in broad principles like transparency and accountability. Given the scope of the regulation, which aims to harmonize data practices across 28 member states with different concerns about data collection, the GDPR has significant consequences for individuals in the EU and globally. While the GDPR is primarily intended to regulate tech companies, it also has important implications for data use in scientific research. Drawing on ethnographic fieldwork with researchers, lawyers and legal scholars in Sweden, I argue that the GDPR’s flexible accountability principle effectively encourages researchers to reflect on their ethical responsibility but can also become a source of anxiety and produce unexpected results. Many researchers I spoke with expressed profound uncertainty about ‘impossible’ legal requirements for research data use. Despite the availability of legal texts and interpretations, I suggest we should take researchers’ concerns about ‘unknowable’ data law seriously. Many researchers’ sense of legal ambiguity led them to rethink their data practices and themselves as ethical subjects through an orientation to what they imagined as the ‘real people behind the data’, variously formulated as a Swedish population desiring data use for social benefit or a transnational public eager for research results. The intentions attributed to people, populations and publics – whom researchers only encountered in the abstract form of data – lent ethical weight to various and sometimes conflicting decisions about data security and sharing. Ultimately, researchers’ anxieties about their inability to discern the desires of the ‘real people’ lent new appeal to solutions, however flawed, that promised to alleviate the ethical burden of personal data.

history & philosophy of science

Frederik Zuiderveen Borgesius,Hadi Asghari,Noël Bangma,Jaap-Henk Hoepman

2024-10-08

Abstract:The General Data Protection Regulation (GDPR) requires an organisation that suffers a data breach to notify the competent Data Protection Authority. The organisation must also inform the relevant individuals, when a data breach threatens their rights and freedoms. This paper focuses on the following question: given the goals of the GDPR's data breach notification obligation, and we assess the obligation in the light of those goals. We refer to insights from information security and economics, and present them in a reader-friendly way for lawyers. Our main conclusion is that the GDPR's data breach rules are likely to contribute to the goals. For instance, the data breach notification obligation can nudge organisations towards better security; such an obligation enables regulators to perform their duties; and such an obligation improves transparency and accountability. However, the paper also warns that we should not have unrealistic expectations of the possibilities for people to protect their interests after a data breach notice. Likewise, we should not have high expectations of people switching to other service providers after receiving a data breach notification. Lastly, the paper calls for Data Protection Authorities to publish more information about reported data breaches. Such information can help to analyse security threats.

Cryptography and Security,Computers and Society

Akashdeep Bhardwaj,G.V.B. Subrahmanyam,Vinay Avasthi,Hanumat Sastry

DOI: https://doi.org/10.48550/arXiv.1512.01980

2015-12-07

Cryptography and Security

Abstract:This article attempts to discover the surreptitious features of ransomware and to address it in information systems security research. It intends to elicit attention with regard to ransomware, a newly emerged cyber threat using such encryption technology as RSA, and to help both academic researchers and IT practitioners understand the technological characteristics of ransomware, along with its severity analysis. As ransomware infections continue to rise and attacks employing refined algorithm become increasingly sophisticated, data protection faces serious challenges. The article discusses future trends and research directions related to ransomware, and provides prevention strategies for SMEs.

Varda Mone,Sadikov Maksudboy Abdulajonovich,Ammar Younas,Sailaja Petikam

DOI: https://doi.org/10.1017/jli.2024.22

2024-10-06

International Journal of Legal Information

Abstract:The world is witnessing an increase in cross-border data transfers and breaches orchestrated by State and non-State actors. Cross-border data transfers may lead to friction among States to localize or globalize data and to provide regulatory frameworks. "Data warfare" or information-war operations are often not covered under conventional rules; however, they are categorized as acts of espionage and subject to domestic regulations. As such, the operations are used to achieve a variety of objectives, including stealing sensitive information, spreading propaganda, and causing economic damage. Notable instances of the theft of sensitive information include the recent Bangladesh government website breach, exposing 50 million records, and the Unique Identification Authority of India (UIDAI) website hack. Regulating the "data war" under the existing principles of international law may be unsuccessful in creating robust international legal frameworks to address the associated challenges. These developments further accentuate the global divide between data-rich regions in the Global North, with strong data protection mechanisms (such as the GDPR and the California Privacy Rights Act), and regions in the Global South, where there is a lack of comprehensive data protection laws and regulatory regimes. This disparity underscores the urgent need for global cooperation for substantial international regulatory mechanisms. This article examines the complexities surrounding data warfare; it highlights the imperative need for establishing a robust global legal framework for data protection, delving into the concept of data war. It also acknowledges the growing influence of advanced technologies like data computing and mining and their ongoing threats to the fundamental rights of individuals associated with exposed personal data. The authors address the deficiencies in international legal provisions and advocate for a global regulatory approach to data protection as a critical means of safeguarding personal freedoms and countering the escalating threats in the digital age.

Sasha Romanosky,Elizabeth Petrun-Sayers

DOI: https://doi.org/10.1108/mrr-10-2021-0774

2023-05-25

Management Research Review

Abstract:Purpose The purpose of this study is to examine how companies integrate cyber risk into their enterprise risk management practices. Data breaches have become commonplace, with thousands occurring each year, and some costing hundreds of millions of dollars. Consequently, cyber risk has become one of the gravest risks facing organizations, and has attracted boardroom-level attention. On the other hand, companies already manage many kinds of difficult and growing risks, and that firms lose less than 1% of annual revenues as a result of cyber incidents. Therefore, how should firms appropriately address cyber risk? Is it indeed a materially different kind of risk area, or is it simply just one more risk that can seamlessly be integrated into existing enterprise risk management (ERM) practices? Design/methodology/approach The authors performed thematic analysis based on semi-structured interviews, with non-probabilistic, purposive sampling, to answer two main questions. First, how do firms manage enterprise risks, generally? And second, how are they integrating cyber risk into these existing processes? Findings The authors find that there is considerable variation in the approach and sophistication in ERM practices, such as whether they are driven more like an auditing function, or as a risk champion. The authors also find that despite the novelty of cyber risk, it can be integrated like other enterprise risks, and that cyber risk is most often seen as an operational risk (similar to workplace accidents or fraud), rather than a strategic risk, emerging from, for example, technology innovation and R&D. Research limitations/implications The generalization of the results is limited by the sample size and variation of firms interviewed. While the authors attempted to interview enterprise risk managers across a wide variation of firms, there were clear limitations in the scope. That being said, the authors were fortunate to be able to examine ERM and cyber risk practices across small and large, private and publicly traded companies, from a variety of business sectors. Practical implications The authors believe these finding are important because they present evidence that while cyber risk may be new, it does not require specialized handling or processes to track it at the enterprise level. While some firms may choose to provide special accommodations or attention because of their data collection or business practices, this approach is neither necessary nor required of all firms in all situations. Originality/value This research is one of the only papers that, to the best of the authors' knowledge, examines how cyber risk is integrated at an enterprise level.