Board-level Reporting on Cybersecurity

The Corporate Executive Board (CEB) is responsible for driving, measuring, and overseeing business value generation and assuring long-term success. While value generation is essential, boards must also account for the risks and threats that may impede business success and survival. With ongoing digitalization, cybersecurity has become the top risk for companies in Germany and worldwide (Allianz Risk Report 2024). In addition, and in response, the latest legislation has made the CEBs of companies operating in critical sectors personally liable for overseeing corporate cybersecurity and, in particular, for assessing cyberthreats, taking action, and supervising the implementation of cybersecurity measures.

The literature, however, primarily deals with cyber risk as a technical and operational concern, making it difficult for CEBs to understand and judge. Interviews we conducted with Chief Information Security Officers (CISOs) of big companies corroborate that CISOs find it difficult to coherently present to the CEB the cyberthreats a company faces, its vulnerabilities, and the effectiveness of potential security measures.

In response, we invite master's candidates to develop recommendations for reporting to the CEB on a company’s relative cyberthreat situation, its vulnerabilities, and the effectiveness of proposed measures.

Candidates may focus on specific aspects of cybersecurity reporting, e.g., presenting threats, risk scenarios, or vulnerabilities to top management. For each thesis on this topic, we offer a partner company from a sector that places high demands on cybersecurity (healthcare, telecommunications, utility provider) to allow for the empirical evaluation of developed recommendations.