A growing number of organizations have been the target of hacking attacks, or cyberattacks, in recent years. High-profile examples in the U.S. include Target Corp., Home Depot Inc., the Internal Revenue Service, and other government agencies such as the Office of Personnel Management. Companies and governments need to consider the risks of a cyberattack, and consider backup plans in the event a cyberattack results in a loss of hardware, software, or data. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a thought paper, COSO in the Cyber Age, to help organizations assess and mitigate risks associated with cybersecurity through the existing COSO Framework. Visit the COSO Web site (www.coso.org), and refer to the "Guidance" tab. Read the thought paper to answer the following questions:
Required
a. The COSO guidance acknowledges that "cyber risk is not something that can be avoided; instead it must be managed." Why is cyber risk unavoidable? Does this acknowledgement make it more or less difficult to address and mitigate cyber risk?
b. At the control environment level (the first of the five components of internal control), what should organizations do to address cyber risk?
c. The paper identifies five broad categories of cyberattack perpetrators and motivations. Briefly describe each group of perpetrators and their motivation.
d. What types of control activities are recommended to address cyber risks?