The document discusses the concepts of cyber security resilience and risk aggregation, defining key terms and their interrelationship. It highlights the importance of effective IT governance in achieving cyber security resilience and outlines the processes involved in risk aggregation. Additionally, it emphasizes the growing risks associated with the Internet of Things (IoT) and the necessity for organizations to improve their cyber security measures accordingly.

1. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Ramiro Cid | @ramirocid
Cyber Security Resilience
&
Risk Aggregation

2. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
2
Index
1. Defining previous concepts Slide 3
2. Cyber Security Resilience Slide 4
3. Risk Aggregation Slide 5
4. The relationship between both concepts Slide 7
5. Sources used to expand knowledge Slide 8

3. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
3
1. Defining previous concepts
Before start talking about the relationship between Cyber Security Resilience and Risk Aggregation, it is
necessary to do a short definition of some previous concepts:
 Cyber Security: also known as “IT security” or “Computer security” is information security applied to
computing devices such as servers, computers and mobile devices (as smartphones, tablets), etc., as well
as computer networks such as private and public networks, including the whole Internet.
The 3 principles of Information, confidentiality, integrity and disponibility are protected by Cybersecurity.
 Resilience: This concept coming from the physical characteristics of materials (is a physical concept),
where resilience is the ability of a material to absorb energy when it is deformed elastically, and release
that energy upon unloading. Proof resilience is defined as the maximum energy that can be absorbed
within the elastic limit, without creating a permanent distortion.
 Organizational Resilience: As an analogy, organizational resilience, is the ability of an organization to
anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to
survive and prosper.

4. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
4
2. Cyber Security Resilience
Now we understand what Cyber Security, Resilience means, we are ready to understand the meaning of
‘Cyber Security Resilience’
The same concept used on ‘Organizational Resilience’ can also be used for Cyber Security, where an
organization is protected with different ‘Cyber controls’ (part of IT Security controls) to get an adequate
‘Cyber Security Resilience’ according the organization risk appetite.
Adding more controls and developing them we can improve our Cyber Security Resilience.
In the other hand, to have a big number of Cyber controls will not guarantee to have an adequate Cyber
Security Resilience if we have a low maturity IT Security Governance.
Having a good IT Security Governance can give good options to reach a good IT Security management which
is the most important topic to get a good Cyber Security Resilience (as a consequence of it).

5. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
5
3. Risk Aggregation
According to the Basel Committee’s BCBS 239, Risk Aggregation is defined as the process of defining,
gathering and processing risk data.
There are three primary reasons for aggregating risk data:
• Satisfy all the risk regulatory reporting requirements
• Enable measurement of portfolio performance against risk tolerances
• Enable the analysis of a firm’s risk data whether its sorting it, merging it, slicing it or dicing it
Risk aggregation refers to efforts by firms to develop quantitative risk measures that incorporate multiple
types or sources of risk.
The most common approach is to estimate the amount of economic capital that a firm believes is necessary
to absorb potential losses associated with each of the included risks. So when they are talking about risk
aggregation, they are taking into consideration of different risk measures in a company and making a single
risk term for that company.

6. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
6
3. Risk Aggregation
There are different methodologies stated to aggregate risk. One of these approaches is given by Christian
Cech, who argued about copula-based top-down approaches in financial risk aggregation.
The definition of top-down approach from this paper: "Top down approaches do not try to identify common
single risk factors that influence different types of risk, but rather start from aggregated data, e.g. the profits
or losses of different lines of business, such as the returns of credit portfolio or the market portfolio“.
Risk aggregation is used mainly in banks and financial organizations.

7. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
7
4. The relationship between both concepts
Both concepts have a near relationship because Risk aggregation refers to efforts done by firms to develop
quantitative risk measures that incorporate multiple types or sources of risk.
Cyber Security Resilience is the capacity to have different Cyber controls which can provide the organization
an adequate resilience according the organization risk appetite by doing risk management of the aggregation
of multiple types or sources of risk.
One interesting topic is Internet of Things (IoT) which is increasing in our personal and professional life. The
more assets are “shared” (including Critical Infrastructures and Smart Cities IT assets) the more risk we are
assuming in our organization. All these risk is added using Risk Aggregation, so more effort we will need to do
to improve our security to get an adequate Cyber Security Resilience level.
We can do a resume of the actual/future status like this:
Critical Infrastructure + Internet of Things = Risk Aggregation, so Cyber Security Resilience
References:
= Increment = Produce = Reduction

8. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
 “Risk Aggregation” | Aggregation Wiki - Wikia
URL: http://aggregation.wikia.com/wiki/Risk_Aggregation
 “Cyber Security” | Wikipedia
URL: https://en.wikipedia.org/wiki/Computer_security
 Improving Risk Aggregation and Reporting Poses Major Challenges to Banks | Forbes
URL: http://www.forbes.com/sites/steveculp/2013/05/08/improving-risk-aggregation-and-reporting-poses-major-challenges-to-
banks/#8dd5cd1ea1b4
 “Risk aggregation and reporting more than just a data issue” | Accenture
URL: https://www.accenture.com/us-en/insight-risk-aggregation-reporting-data-issue
 BCBS 239 – Principles for effective risk data aggregation and reporting | Risk.net
URL: http://www.risk.net/risk-magazine/advertisement/2388628/bcbs-239-principles-for-effective-risk-data-aggregation-and-reporting
5. Sources used to expand knowledge

9. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
 Principles for effective risk data aggregation and risk reporting | Basel Committee
URL: http://www.bis.org/press/p130109.htm
 2016 Risk Data Aggregation Deadline Approaching | KPMG
URL: https://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/regulatory-
announcements/Documents/2016%20Risk%20Data%20Aggregation%20Deadline%20Approaching_July%202015.pdf
 Catastrophe risk aggregation | The Actuarial Profession
URL: https://www.actuaries.org.uk/documents/catastrophe-risk-aggregation-slides
5. Sources used to expand knowledge

10. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Questions?
Many thanks !
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro