From Phishing To Advanced Persistent Threats: The Application Of Cybercrime Risk To The Enterprise Risk Management Model

Abstract

This paper examines the issues of cybercrime in the context of risk to organizations.  In particular, it considers the control frameworks most commonly used by U.S. public companies to benchmark their internal controls over financial reporting.  It discusses the market for stolen identities, looking at the sources from which many of those identities are stolen.  It reviews the available internal control frameworks and explains how a firm’s risk of cybercrime might be classified as a material weakness under Sarbanes-Oxley Section 404.  It models how the use of COSO’s Enterprise Risk Management model could improve an organization’s chances of avoiding a serious incident.