Cyber risk management should primarily become shared risk management
20 September 2024
Peter Roelofsma new professor of Risk Management & Cyber Security
Cybercrime. The number of hacks is growing, and their nature is becoming increasingly ingenious. The question is not if an organization will fall victim to it, but how that organization has organized its resilience. Peter Roelofsma observes that society is calling for more knowledge on cybersecurity risk management. That is precisely his field of research as a professor of Risk Management & Cyber Security. An introduction to a passionate scientist who is eager to talk about his unique Cyber Security Living Lab.
If you wake him up in the middle of the night, he would still enthusiastically talk about his major research challenge: making sure cyber risk management becomes shared risk management. It’s not primarily about innovative technology. It’s about people. Peter: “To achieve shared risk management, there must be a shared mental model. All the professionals involved need to learn to look at the world in the same way and see the same cause-and-effect relationships. To be resilient, we need to collaborate optimally. For that, we need technology that facilitates us.”
Cyber Security Living Lab
Peter Roelofsma has an impressive track record. As a scientist, he has been active at Vrije Universiteit, Leeds University Business School, Erasmus University, and TU Delft. “The common thread in my career is the combination of risk management and human decision-making.” The research group Risk Management & Cyber Security, embedded in the Centre of Expertise Cyber Security, conducts research at the Dutch Innovation Factory in Zoetermeer. “We are going to establish something unprecedented in the Netherlands: the Cyber Security Living Lab.”
“In the Cyber Security Living Lab, students gain comprehensive educational, research, and practical work experience. They build, work, learn, and conduct research in a security operations centre (SOC), where real-time 24/7 cybersecurity threats are detected and monitored, and incident response occurs. This is the future of research and education in cybersecurity.”
Sailing in a boat
“I come from Friesland. There, we learn to sail in a boat, not from a book. It’s the same at The Hague University of Applied Sciences and in my research group. Students from mbo, hbo, and university work together in this living lab. What’s unique is that research and education are integrated in this learning and development environment. When students spend a few months in our living lab, they learn more than in a year on a workplace elsewhere. In the living lab, we conduct joint research with companies and organizations. When you do it together, you are much stronger in cybersecurity.”
When students spend a few months in our living lab, they learn more than in a year on a workplace elsewhere
“Security operation centres are often a bit spooky. No one is allowed to know they exist. All doors closed, no one may enter. This can lead to obscurity. That needs to change. Security by obscurity is not optimal cyber risk management. In the shared mental model, openness is very important. The companies we collaborate with want to be transparent about their cybersecurity policies because they realize they cannot manage it alone.”
Dealing with rules
“When you look at risk management and cybersecurity, you find yourself between rules and reality. What are the rules? Where do they come from? How do you create rules that actually work? How do you integrate information into your judgment and decision-making? One of the main reasons we are building and maintaining a security operation centre here in the Cyber Security Living Lab is that it is often unclear how things actually work in the world of cybersecurity, despite or even because of all the rules. There is a significant need to observe the behaviour of teams and organizations in everyday practice. For example, how does a chief information security officer (CISO), their team, and other decision-makers handle those rules? What mistakes are made in the SOC process by teams and organizations? How can these be prevented? And what goes well? That is what we will conduct practice-oriented research on.”
Free and independent
For Peter Roelofsma, it is clear that we will be attacked at some point. “What about the latent resilience? How is your risk management? Do you have the right resources in place? How is communication about cybersecurity in your organization? What culture surrounds cybersecurity: do people feel comfortable speaking up? How have you organized cybersecurity management? What technologies do you use to support important decision-making? What is the role of AI?”
As a scientist, you must always be able to work in an environment where you are allowed to ask critical questions
Research on risk management in cybersecurity can only take proper shape if the scientist is absolutely free. Peter: “I notice that cybersecurity is currently too driven by the profits and power of companies. If a measure does not benefit the company, then it is considered ineffective. But that’s not how it works. Market-driven principles cannot determine what is good or bad. As a scientist, you must always be able to work in an environment where you are allowed to ask critical questions.”
He is not against third-party funding. “On the contrary, I support it. It strengthens the connection to practice. But if your research is funded by third parties, you must have the freedom to conduct your research in an independent manner.”
Waiting for the blow
He emphasizes that his research group is highly relevant to society. “We are waiting for the big blow. You cannot prevent it; you must be prepared for it. What do you do when it happens? It is dangerous to focus solely on damage control in the moment and in the short term. The real disaster often comes from the second incident, after your response to the first incident or accident has proven inadequate. A cyber disaster often starts in a small corner. So, look ahead. If you see the tide turning, adjust your course in the process. Learn to deal with loss. This is challenging in our society. But a hack often leads to a loss experience. You can either dwell on it or take proactive measures. It is better to have predetermined how you want to handle the risks of that loss, including for the long term. Take responsibility for the actions you then implement. So, ensure that your latent resilience is in order. Everyone will be hacked at some point. Still, too many companies don’t know what to do when a cyber emergency arises.”
If that doesn't spark passion...
On Thursday, November 14, Peter Roelofsma will deliver his inaugural address, titled ‘Cascade Cyber Risk Management - Between Rule and Reality’. “In my inaugural address, I want to showcase what I have done and where I aim to go. I hope to find individuals and organizations that want to align with my vision. Companies see that they need this kind of research: research that is highly relevant to society. If that doesn’t spark passion, I don’t know what will.”
Ongoing projects
The research group Risk Management & Cyber Security is affiliated with the Faculty of Governance, Law & Safety and is part of the Centre of Expertise Cyber Security. The professorship conducts research in the following projects:
- Cyber Safe Together: Research on the learning components necessary to understand risk management and cybersecurity.
- Together Digitally Secure: An evaluation of a digital platform for SMEs to raise awareness about the risks they face and changing regulations.
- C-Side Project: Research aimed at making software developers aware of the human aspect of cybersecurity in software design.
- Cyber Risk Management Simulation and Gaming: Research that simulates and manages risk issues.
- Learning in Advance of the Threat (LIAT): Building a learning community focused on answering pressing questions such as: how to support innovation teams; how to scale up; how to design a learning community as a network of values; how to implement innovations; and how to respond productively to threats?
- AI Coach for Shared Cyber Risk Management: Research into the steps necessary to achieve effective threat awareness.