Enterprise risk management: how do firms integrate cyber risk?
Abstract
Purpose: The purpose of this study is to examine how companies integrate cyber risk into their enterprise management practices. Data breaches have become commonplace, with thousands occurring each year, and some costing hundreds millions dollars. Consequently, has one the gravest risks facing organizations, attracted boardroom-level attention. On other hand, already manage many kinds difficult growing risks, that firms lose less than 1% annual revenues as a result incidents. Therefore, should appropriately address risk? Is it indeed materially different kind area, or simply just more can seamlessly be integrated existing (ERM) practices?
Design/methodology/approach: authors performed thematic analysis based on semi-structured interviews, non-probabilistic, purposive sampling, answer two main questions. First, do generally? And second, are they integrating these processes?
Findings: find there considerable variation in approach sophistication ERM practices, such whether driven like an auditing function, champion. also despite novelty risk, most often seen operational (similar workplace accidents fraud), rather strategic emerging from, for example, technology innovation R&D.
Research limitations/implications: generalization results limited by sample size interviewed. While attempted interview managers across wide firms, were clear limitations scope. That being said, fortunate able practices small large, private publicly traded companies, from variety business sectors.
Practical implications: believe finding important because present evidence while may new, does not require specialized handling processes track at level. choose provide special accommodations attention data collection neither necessary nor required all situations.
Originality/value: This research only papers that, best authors’ knowledge, examines
Similar resources
How to Integrate Trust Management into a Risk Analysis Process
In order to apply suitable security services for an existing or newly designed information system, one has to perform a security analysis auditing the system for vulnerabilities, threats, and risks. Based on the audit results effective safeguards are selected, designed, and configured. The security analysis process is standardized by a set of so-called Common Criteria (CC) [8] which provides a ...
Optimized enterprise risk management
Today's enterprises face the daunting task of complying with an increasing number of intricate and constantly evolving laws and regulations. While some individual regulations such as Basel II or the USA Patriot Act necessitate the use of risk-based approaches to achieve compliance, the heightened cost and risk of compliance activities have resulted in a general tendency of enterprises to integr...
Cyber Risk Exposure and Prospects for Cyber Insurance
This study draws attention to the ubiquitous and borderless nature of cybercrime. It examines the prospect of introducing customized cyber insurance policy in the Nigerian market. As secondary data was not available, the study conducted a survey by administering three sets of questionnaire to purposively selected top executives in four Trade Groups that rely heavily on Internet transactions for...
Journal
Journal title: Management research review
Year: 2023
ISSN: 2040-8269, 2040-8277
DOI: https://doi.org/10.1108/mrr-10-2021-0774