New white paper questions the value of compliance to risk control standards

cyber mis-selling

Commonly used cyber security controls might not be fit for purpose, according to research by the University of Oxford.

Sponsored by Novae Group, the University’s latest white paper ‘The relative effectiveness of widely used risk controls and the real value of compliance’, found that the cyber security standards set by international bodies are often not backed up by objective, empirical research, and so cannot be shown to have quantifiable benefits.

”This shortfall weakens the value of compliance to risk control standards because a compliant organisation may not be protected from cyber harm,” the report said.

“Our study here has shown that a more rigorous risk valuation and risk management environment can only fully exist where transparent and effective collaboration between stakeholders exists. Only through such collaboration can risk be fully understood, modelled, valued and thus managed.”

Professor Sadie Creese, commented: “Instead of simply working to meet standards, organisations must look carefully at the vulnerabilities inherent in the assets they want to protect. Cyber-attackers are creative and aggressive. Both the changing threat and an organisation’s attack surface must be modelled to ensure that cyber controls offer adequate protection from harm.”

Dan Trueman, chief innovation officer and head of cyber at Novae Group, added: “Insurance alone cannot manage cyber risk; we need a holistic approach. As insurers, we may decide a cyber risk is a good risk when the insurance buying firm has put controls in place that meet one of another set of international standards. However, this paper shows that a cyber risk gap may diminish the value of companies’ efforts to protect their assets from cyber harm.”