Bibi van den Berg (LEI): Why traditional risk management falls short in cyber security
Summary

- Cybersecurity demands a multidisciplinary approach
  Traditional methods borrowed from safety science and engineering don’t fully apply in cybersecurity. Bibi van den Berg argues for incorporating philosophy, behavioral science, and law into security governance.

- Limitations of risk management in cyberspace
  Unlike the aviation or automotive sectors, cybersecurity lacks robust data, standardized incident reporting, and high predictability. These gaps make it difficult to quantify threats and to communicate real risks to decision-makers effectively.

- Data and simulation gaps create uncertainty
  There is limited historical data on cyber incidents, and no centralized incident databases exist comparable to those in aviation. In addition, organizations cannot reliably simulate cyber environments, so predictive risk analysis is inherently flawed.

- Intentionality adds complexity
  Unlike safety issues, many cyber threats are intentional and designed to evade detection. Attackers choose the path of least resistance, often where monitoring is weakest, which renders traditional risk calculations insufficient.

- Need for value-driven decision-making
  Organizations should shift toward value-based governance: deciding which principles (such as transparency, security, or openness) guide decisions, and tailoring cybersecurity to those values rather than to unreliable numerical risk estimates.

- Contextualizing cybersecurity strategy
  A coffee shop might accept open Wi-Fi as a tradeoff for customer service, while a nuclear power plant demands airtight control. This illustrates how aligning risk tolerance with organizational values leads to more informed, defensible decisions.

- Core values help frame security strategy
  By mapping systems and assets to organizational values (e.g., resilience, transparency, trust), leaders can better prioritize protections. This clarity helps justify trade-offs and prepares organizations for incident response.

- Real-world examples support the argument
  From smart ovens misidentifying themselves as steam ovens to unintentional software glitches, Bibi highlights how non-malicious actions can still lead to significant cybersecurity failures, underscoring the limitations of current frameworks.

- Boards must elevate their understanding
  Leadership needs to see cybersecurity not as an IT problem but as a core business concern. This includes recognizing that today’s companies are essentially technology companies, regardless of their primary product or service.

- Reputation risks are often overstated
  Contrary to popular belief, research shows that companies often recover quickly in the stock market after breach disclosures. Transparency and resilience, not secrecy, protect long-term trust and brand value.