Dates: September 2019 – September 2021
Lead researchers: Professor Madeline Carr, UCL
The role of boards in contributing to a broader agenda of national cyber security is well established. 83% of UK critical infrastructure is in private hands, so boards of private sector organisations have been identified as essential to enhancing cyber security and resilience. The relevance of cyber risk assessment is expected to increase in scale and in scope as technological ecosystems become increasingly complex. This project investigated how corporate boards assess cyber risk and make decisions about investments in cyber security, working from the premise that board-level approaches to cyber risk cannot be understood in isolation from other business risks. The aim of this project was to extend existing research on board responses to cyber risk in order to identify, understand, and account for broader internal and external decision-making factors.
The project had three key objectives:
• To elicit and describe factors influencing current cyber risk decision-making at board level in order to develop a model for evaluating and improving this.
• To develop an understanding of the broader landscape on cyber risk decision-making that includes, but goes beyond, the cyber security executive level / board interaction.
• To evaluate and refine interventions for board development and improvement in cyber risk decision-making.
The project developed a range of practical and actionable interventions to improve board decision-making about cyber risk. These are relevant to NCSC guidance for boards and to the DCMS cyber security breaches work, as well as to the next cyber security strategy beyond 2021.
Outputs include briefings for policy audiences to communicate key findings, a joint report with Axelos (a leading provider of board level training on cyber risk assessment) on improvements for board training, and written guidance for boards.
Outputs will be disseminated to relevant audiences in early 2022.
Methods: Interviews, surveys, qualitative and quantitative data analysis, literature review
Funders: RISCS, Lloyds Register Foundation
External collaborators: Axelos, The Access Group. Other organisations, as well as board members, non-executive board members and senior cyber security practitioners, were also involved.