
25 Aug 2019

The 5 Personas Of Cyber Risk Management


Director advisory organisations from around the world have been singing from the same hymn sheet for several years – cyber risk is a key element to enterprise risk:

“Guidelines from the National Association for Corporate Directors (NACD) advise that Boards should view cyber risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyberthreats in the context of the organisation’s overall tolerance for risk.”

The New Zealand Institute of Directors have written a Cyber-Risk Practice Guide subtitled “Put cybersecurity on the agenda before it becomes the agenda”.

The Institute of Directors in the UK agree: “New reports of data breaches and instances of cyber crime appear each year, contributing to an annual loss of around five billion pounds for the UK economy. It is therefore more important than ever to address Cyber issues at board level in order to safeguard our businesses and employees.”

The Australian Institute of Company Directors are on board too: “Cybersecurity is a critical issue for boards and senior management. A cyber breach can impact your bottom line, brand and reputation. What can organisations do to address cyber risk and embrace opportunity through change?”

Governments, too, are making the same recommendations for businesses of all sizes.

The Australian Small Business and Family Enterprise Ombudsman provide the following advice:

“Develop a business-wide policy so everyone knows that cyber security is a priority, and so the business owners can be seen to be actively engaging with cyber security. If cyber security is thought of as a strictly IT issue, it doesn’t send the message that it’s a top priority, and won’t make your business or staff cyber secure. Because cyber attackers target people just as they target hardware, cyber security is for everyone at every level in the business. Establishing and communicating their responsibilities is vital to build a cyber aware business.”

The UK’s National Cyber Security Centre declares: “Companies benefit from managing risks across their organisations - drawing effectively on senior management support, risk management policies and processes, a risk-aware culture and the assessment of risks against objectives. There are many benefits to adopting a risk management approach to cyber security”.

Is this advice being heeded?

To some extent, yes. However, it is clear from the data and the headlines that the development of cyber responsible cultures, driven by the board, has a long way to go.

Recent Breaches

New Zealand

Australian Breaches

US Breaches

So why are organisations not following the unanimous advice and taking heed of the data?

The experience that we have at Cybercraft has led us in an interesting direction. From working with organisations of all sizes and natures, we have found that the attitude of key individuals toward cyber risk is of key importance. From this, we have identified 5 cyber risk personas:





Does not see that cyber risk applies to them because they are:

  • Too small
  • Too far away
  • Not of interest

Cyber risk is very egalitarian – much of cyber crime is perpetrated on small businesses who have not taken the risk seriously. On the internet, there is no such thing as too far away, and if you have information and a bank account, you are of interest.


Is vaguely aware of cyber risk, but assumes that the IT guys have it under control.

Cyber is “somebody else’s problem”.

This lack of due care ensures that the real risks are not being addressed.


Feels like they have things under control – they have told IT to make sure that they are secure, but do not take an organisation-wide approach to cyber responsibility.

Without a considered risk appetite, robust policies and a supportive cyber responsible culture, even the best firewall and antivirus are of little use.


This person may be inside the organisation, or outside, such as a trusted business advisor. Without understanding cyber risk, they either tell the organisation not to worry, or prevent good cyber risk advice from being provided.

This person has taken the decision about cyber risk away from those who are directly responsible for it, i.e. the directors.

They are making the call, without carrying the can.


Understands that cyber risk is enterprise risk. Drives a cyber responsible culture.

Sees opportunity in being at the front of the pack. Cyber as part of the business strategy.

Understands the ethical responsibility around holding data.
