Posted: August 27th, 2021
Journal Article Review
Synopsis of the Article
Using a questionnaire approach, the review maps cyber risk management models with management and governance constructs against the current practices of Brazilian energy utilities, revealing several gaps between the current practices and the framework. Besides, the evidence established poor governance and patchy risk management protocols at the operational level (Pardini et al., 2017). It also reveals low-level board engagement at the governance level and low monitoring and reporting by regulatory authorities at the operational level (Pardini et al., 2017). Finally, the article established that the companies in the energy industry lacked ICT controls. Their user access was poor, and there were significant HR issues like the absence of standard skillsets and language in addressing cybersecurity risk management. The key assertions are that there are no plans in the Brazilian energy utilities for identification, detection, and analysis. As a result, there is an inadequate response to operational cybersecurity threats leading to national security risk. Therefore, the cyberspaces do not meet the NIST standards to foster cybersecurity communications, governance, and management for the external and internal stakeholders.
Organization’s Background, Industry, Cyber Spaces, and Inherent Cyber Risks
The article offers a theoretical and empirical model of dealing with cybersecurity, risk management, and governance and testing the risks with academic experts from Brazil’s energy sector. It analyzes and validates the governance, constructs, and risk management. It provides the nine dimensions and their respective variables in the Brazilian energy utilities to offer cyberspaces protection and security. Additionally, it extrapolates the knowledge on cyberspaces governance and management by developing a methodology to measure energy utilities in the energy industry (Pardini et al., 2017). The article also offers a critical technological structure to protect energy companies’ security systems about cybersecurity management and governance. This case provides the four characteristics of the cyber environment, including entity, global, general, and inter-organizational, as illustrated by figure 1 below. Thus, cyberspace’s inherent cyber risks include people’s actions, technology, system failures, failed internal processes, and external events, as illustrated in figure 2 below.
Figure 1: Cyber environment
Figure 2: Taxonomy of cybersecurity risks
Processes and Elements About Cyber Risk Governance and Management
Critical infrastructure includes assets and systems that can either be physical or virtual, essential to a country where such assets and systems’ incapacity would lead to a debilitating effect on the nation’s security. The elements of cyber risk governance in a country include national public safety and national economic security, or a combination of the two. The industrial control system (ICS) includes supervisory controls and a data acquisition system (SCADA) that increase the vulnerabilities in cyber risk governance and management as they are primary targets in the system (Dantas et al., 2018). Equally, purchased software, hardware, and devices may contain malware, thereby increasing the cyber risk governance and management. Finally, the article lists elements and processes about cyber risk governance. These include the lack of international standards, inadequate interactions between the utilities and government, low board involvement in cybersecurity, lack of transparency, and inadequate feedback to shareholders at general meetings. Regarding cyber risk management, these elements include asset and human resources management. Therefore, there is a need for detection, identification, analysis, and response plans to cyber threats and vulnerabilities in the Brazilian energy sector’s operational cybersecurity.
Policy and Process Implications of the Proposed Model
The threat actors such as organized criminal syndicates and nation-states increase the capabilities of expanding internal threats like human errors and dissatisfied staff and contractors, thus increasing the cybersecurity risks. Traditionally, the IT risks manifest in software, hardware, and network during information processing and operational risks for controlling and monitoring devices and processes. However, the current cyber landscape is increasingly becoming complex with the adoption of smart grids to digitize and modernize grids in the electric supply chain in generating, transmitting, and distributing grids. Additionally, the smart grids are controlled, monitored, and reviewed by the interconnection between the device system and ICT infrastructure (Brown et al., 2018). Therefore, policy and process should be developed, monitored, and controlled to reduce cybersecurity risks in the country. The proposed model should include monitoring, information, and communication to the relevant parties, control activities, risk response, and assessment. Therefore, this would affect cyber risk management elements, including strategic planning, risk management, asset management, and human resources management.
Critical Review of the Model and Recommendations
The study provided strategies to structure and evaluate cybersecurity measures in governance and management to Brazilian energy using intelligent grids in control systems and industrial automation. It noted that smart grids provide interoperation and accessible systems to handle massive information in transiting complex information technologies in the electric system. Therefore, it is possible to identify normative, transparency, interactionism, and inspection dimensions in corporate governance and across aspects of resource management (Pardini et al., 2017). It is also essential to apply smart grids in cybersecurity to the energy utilities for the cybersecurity infrastructures. There should also be a long-term strategic forecast focused on processes in information and communication technology. This would enhance cybersecurity and improve representatives’ knowledge of management and governance (Brown et al., 2018). Therefore, there should be enhanced knowledge in cybersecurity operational management between institutional organs and the board of directors involved in cybersecurity.
Consequently, the board of directors, shareholders, and executives in energy utilities should actively engage in the operational decision-making process in cybersecurity in corporate governance and management. Therefore, experts should evaluate intelligent grids concerning improving performance and reducing operational risk to enhance management and governance cybersecurity. There should also be proper board involvement in cybersecurity and improved transparency. This should be coupled with adequate feedback to shareholders at general meetings to improve cybersecurity management in the energy industry. Hence, there should be strategic plans to detect, identify, analyze, and respond to threats in operational cyber by the government and other stakeholders.
References
Brown, M. A., Zhou, S., & Ahmadi, M. (2018). Smart Grid Governance: An International Review of Evolving Policy Issues and Innovations. Wiley Interdisciplinary Reviews: Energy and Environment, 7(5), e290.
Dantas, G. D. A., de Castro, N. J., Dias, L., Antunes, C. H., Vardiero, P., Brandão, R., & Zamboni, L. (2018). Public Policies for Smart Grids in Brazil. Renewable and Sustainable Energy Reviews, 92, 501-512.
Pardini, D. J., Heinisch, A. M. C., & Parreiras, F. S. (2017). Cyber Security Governance and Management for Smart Grids in Brazilian Energy Utilities. JISTEM-Journal of Information Systems and Technology Management, 14(3), 385-400.