Developing a Mechanism for Assessing Cyber Risks in Digital Technology Projects Implemented in an Industrial Enterprise

Abstract

This study discusses the development of a mechanism for assessing cyber risks in investment projects aimed at digitalizing industrial enterprises. The relevance of the study is determined by the increasing susceptibility of companies to cyber risks due to the introduction of innovations, as well as by the growing complexity and frequency of cyber threats. The study focuses on eliminating the methodological and functional problems of cyber risk assessment described in literature. The results include the development of a concept for the mechanism and its architecture, the structural and logical scheme of the mechanism, and the specifications of the blocks it comprises. The theoretical and methodological basis of the research is formed on the works of foreign and Russian researchers in the field of corporate finance, risk management and cyber security. When building the mechanism, risk control approaches were used to ensure an inextricable connection between the risk factors and the goals of a project. The following tools were used: (1) a bow-tie chart for risk identification; (2) statistical data analysis methods; (3) risk-oriented budgeting and simulation modelling using the Monte-Carlo method; and (4) the “Micromort” method for evaluating the probability distribution parameters. In comparison to analogues, the mechanism represents an integrated approach to risk management and ensures integration and coordination of risk management actions between project management and other information security services. It allows the confidence intervals of return on invested capital values to be calculated for a project with due regard of cyber risks at the planning stage, as well as to identify and prioritize the degree of influence the main sources of threats have, which, as a result, provides a comprehensive and objective assessment of cyber risks. The calculation data can be used by project managers to enhance risk management actions. The functionality of the mechanism includes the analysis of how individual cyber risks affect the goals of a project, consideration of correlations between risks, calculation of the expected, unexpected and critical level of losses and forecasting in circumstances where information is limited. These advantages make the risk assessment process dynamic, iterative, and reactive to the changes in the environment and to the appearance of new threats.