Reporting cyber security to management and board of directors

The importance of management- and board-level cyber security reporting has grown and continues to grow. Cyber security attacks are increasing and evolving, and the common view is that management and boards are not prepared for their role in ensuring the cyber security of their organisation. Challenges in cyber security...


Bibliographic Details
Main Author: Kyrölä, Alina
Other Authors: Faculty of Information Technology, Information Technology, University of Jyväskylä
Format: Master's thesis
Language: eng
Published: 2022
Subjects:
Online Access: https://jyx.jyu.fi/handle/123456789/82524
description The importance of cyber security reporting on board and management level has been and is still increasing constantly. Cyber security incidents are growing and evolving, while the common view is that the boards and management are not prepared for their role of ensuring cyber security in their organisations. There are recognised challenges with organisations having issues in reporting about cyber security to their boards and management efficiently. However, currently offered solutions, and the already existing reporting frameworks and models do not fit the needs of all organisations in this matter. This Master’s thesis studies board and management level cyber security reporting, including its history, current state, issues, and practices that are advocated for. The motivation for this study is the rising importance of board and management level cyber security reporting, and the fact that the level of it does not generally meet the needs of organisations. This research aims to offer a solution on how to report cyber security to boards and management effectively. There are recognised issues with reporting too rarely, reporting about topics that do not provide the boards and management with the information they need, and communicating ineffectively. The topics reported are often too focused on overly technical data, and metrics that are not necessarily based on evidence. The ineffective communication is commonly related to the lack of visuality, or using it wrong, or using language that is too technical for the audience. In this research paper the significance of visuality is studied, in addition to the general evolution of cyber security reporting on board and management level. This thesis presents a process model for creating an effective reporting method for board and management level cyber security reporting. The model offers a new, iterative way to form an operating reporting method, and to keep it up to date.
first_indexed 2022-08-15T20:00:27Z
format Pro gradu
free_online_boolean 1
fullrecord
dc.contributor.advisor Siponen, Mikko
dc.contributor.advisor Ylhäisi, Teemu
dc.contributor.author Kyrölä, Alina
dc.date.accessioned 2022-08-15T06:42:16Z
dc.date.available 2022-08-15T06:42:16Z
dc.date.issued 2022
dc.identifier.uri https://jyx.jyu.fi/handle/123456789/82524
dc.description.provenance Submitted by Paivi Vuorio (paelvuor@jyu.fi) on 2022-08-15T06:42:16Z. No. of bitstreams: 0
dc.description.provenance Made available in DSpace on 2022-08-15T06:42:16Z (GMT). No. of bitstreams: 0. Previous issue date: 2022
dc.format.extent 93
dc.format.mimetype application/pdf
dc.language.iso eng
dc.rights In Copyright
dc.title Reporting cyber security to management and board of directors
dc.type master thesis
dc.identifier.urn URN:NBN:fi:jyu-202208154068
dc.type.ontasot Master’s thesis
dc.contributor.faculty Faculty of Information Technology
dc.contributor.department Information Technology
dc.contributor.organization University of Jyväskylä
dc.subject.discipline Information Systems Science
yvv.contractresearch.collaborator finance
yvv.contractresearch.funding 0
yvv.contractresearch.initiative business
dc.type.coar http://purl.org/coar/resource_type/c_bdcc
dc.rights.accesslevel openAccess
dc.type.publication masterThesis
dc.subject.oppiainekoodi 601
dc.subject.yso cyber security; reporting; data security; safety and security; executive boards; risk management; cyber attacks; boards of directors; safety and security management; visualisation
dc.format.content fulltext
dc.rights.url https://rightsstatements.org/page/InC/1.0/
dc.type.okm G2
id jyx.123456789_82524
language eng
last_indexed 2025-02-18T10:55:07Z
main_date 2022-01-01T00:00:00Z
main_date_str 2022
online_boolean 1
online_urls_str_mv {"url":"https:\/\/jyx.jyu.fi\/bitstreams\/8d27570c-2192-4c17-9619-7a3ddc19260c\/download","text":"URN:NBN:fi:jyu-202208154068.pdf","source":"jyx","mediaType":"application\/pdf"}
publishDate 2022
record_format qdc
source_str_mv jyx
title Reporting cyber security to management and board of directors
topic Information Systems Science; 601; cyber security; reporting; data security; safety and security; executive boards; risk management; cyber attacks; boards of directors; safety and security management; visualisation
url https://jyx.jyu.fi/handle/123456789/82524 http://www.urn.fi/URN:NBN:fi:jyu-202208154068