Cognitive Risk Framework for Cyber Security


Consider an adversary who understands asymmetric cyber risk management and can leverage cognitive capabilities to conduct hacks. Future digital organizations therefore need a cognitive risk framework for cyber security in order to keep operating and delivering business in the new era of cyber risks. The components of a Cognitive Risk Framework (CRF) may encompass elements such as, but not limited to, decision science, psychology, philosophy, cognitive computing and systems engineering.

The need is to build a connection from current IT and risk frameworks to next-generation risk management based on cognitive elements. No organization wants to experience the cyber paradox, in which it invests in cyber security capabilities without achieving any risk mitigation. Experts believe, “A CRF is an evolutionary step from intuition and hunches to quantitative analysis and measurement of risks”.

The conceptualization and implementation of a CRF is incomplete without integrating internal controls, risk management practice, cognitive security capabilities and the workforce that runs enterprise risk management. The lagging factor in the cyber security programs of most organizations is protection of the most vulnerable target, the human mind. Through different use cases, organizations are coming to understand that cognitive security is three-dimensional, not unidimensional. A cognitive risk framework would provide procedural guidance for this. Its six pillars of guidance are: internal controls design, security informatics, cognitive risk governance, cybersecurity intelligence, active defence strategies and legal efforts in cyberspace.

The crucial step is to build a cognitive map, which is nothing but ‘a tool which risk professionals are leveraging to initiate discussions on risks and build agreements on cyber security’. Discussion and risk communication sound easy as keywords, but in reality they are not. It is a known fact that cyber risks have varied meanings and interpretations. A risk framework supported by cognitive elements warrants understanding of, and consensus on, the importance of data management, analytics for decision making, tackling uncertainties, correlation of technology and bounded rationality. The next step is to define the goal of the cognitive risk framework: it should broaden the workforce's knowledge of cognitive hacks and its understanding of the caveats that keep one from demystifying the cyber paradox. It should also include analysis of decision making under risk.

A cognitive risk framework can be seen as a prospect for propelling advances in cyber security and risk management concurrently. The fusion of technology, behavioural science, data science and computational power is not a utopia; it is real. A cognitive risk framework would therefore change the fundamentals of the risk management landscape, and it is on a journey toward finding distinct ways to derive robust cyber risk mitigation models for the future.