Assessment and Management of Cyber Risk
On Thursday, June 15, the last popular science lecture of the ASEF Speaker Series 2022/2023 season took place. At this event, where ASEF professors present their research areas and findings on a monthly basis, Dr. Sergeja Slapničar held a lecture entitled Assessment and Management of Cyber Risk.
Dr. Sergeja Slapničar is an associate professor of accounting at the Business School of the University of Queensland. She investigates the effects of accountability, performance measurement, and incentives on employee motivation, risk-taking, and cognition; more recently, she has been interested in how this is used in cybersecurity risk management. She has published in accounting, finance and psychology journals. She held directorial and advisory roles in several entities of public interest, was a member of the board of the Agency for Public Auditing of the Republic of Slovenia and president of the Slovenian Dispute Resolution Authority.
The lecture began with a brief presentation of Dr. Slapničar's activities at the University of Queensland, where she researches cyber risk in businesses. She made clear at the outset that she does not investigate only cyber attacks; her work covers all cyber incidents. As many as 30% of these incidents are committed by company employees by mistake. She stated that the biggest motive for cyber attackers is, of course, finances.
The lecturer listed and presented the most common types of attacks, namely: phishing, hacking and ransomware. The data that the attackers get their hands on are mostly credentials, sensitive personal data and bank data. In the next part of the lecture, she presented the lines of defense, which include the company’s IT sector, information security managers, internal auditors, management and the supervisory board.
She emphasized that there is no exact answer to how to financially assess cyber risks, but companies can help themselves with various processes that lead them to an approximation. In the next part of the lecture, she talked about the value of data and said that assigning value to it is very difficult. She also presented the stages that companies must go through to carry out a risk assessment. She devoted time to explaining qualitative and quantitative risk analysis techniques and emphasized that none of them is completely objective.
After the lecture, Dr. Slapničar answered a series of interesting questions. To the question “How to convince the administration that investing in cyber and information security makes sense?” she responded that, according to her research, administrations are ready to invest in cyber security; the only problem is that they don’t know how much money needs to be invested. Dr. Sergeja Slapničar concluded her lecture by saying that developing security is expensive, so it must be thought about before it is too late.
The event was held in a hybrid format, both in the Club Room at the School of Economics and Business, University of Ljubljana and via Zoom, and was moderated by 2023 Junior Fellow Tim Vidmar.
The event was organized with the support of the Government Office for Slovenians Abroad and the Office of the Republic of Slovenia for Youth.