Cyber security risk culture: a telecommunications risk reporting study

Abstract

In a digital world, telecommunications companies provide computer-based technology (referred to as cyber technology) that allows people and businesses to communicate and conduct business. To protect these users against the dangers and threats associated with cyber technology, cyber security must ensure that the technology is operating as expected, cannot be tampered with, and is available when required. The present risk culture study investigated the perceptions of internal risk reporting for decision making of two groups: cyber security practitioners working in a cyber security unit, and senior management responsible for cyber security but not working directly in the cyber security unit. The research used a qualitative approach within a telecommunications company based on a review of the literature, document analysis, and semi-structured interviews, and underpinned by qualitative data analysis. Coding the literature, documents and interview data provided a basis for critical comparison of the literature with the findings from the document analysis and interviews; this allowed for a substantiated interpretation of the theoretical requirements and practical application of risk reporting in the context of cyber security governance, risk management and compliance. Cyber risk reporting that fails to meet the objective of enhancing decision making could result in risks to the organisation and its customers. The findings showed that although the cyber security unit had all the textbook policies and procedures in place for risk reporting, in practice the guidelines for risk reporting seemed to be lacking. It is recommended that organisations such as this one invest in a risk reporting guideline for risk data aggregation and reporting. As this was an exploratory study on internal cyber risk reporting, the findings highlighted interesting areas for further research. These include challenges in cyber risk reporting, the monitoring of the contribution of cyber risk reporting to enable decision making, the importance of the accuracy of information gathered, risk reporting to internal audiences, and organisational structure and responsibilities for risk reporting.