SECURWARE 2025, The Nineteenth International Conference on Emerging Security Information, Systems and Technologies
Authors: Alexander Lawall, Maik Drozdzynski
Keywords: Cyber Risk Management; Enterprise Risk Management (ERM); Risk Controlling in SMEs; Management Control Systems; Cybersecurity Metrics; Balanced Scorecard.
Abstract:
Cyber threats pose a growing strategic challenge for German Small and Medium-Sized Enterprises (SMEs), yet existing management control systems offer limited tools to integrate cybersecurity into executive steering. This paper introduces the Balanced Chance & Cyber-Risk Card (BCCR-Card), an extension of Reichmann's multidimensional controlling framework, designed to embed cyber-specific Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) into a five-dimensional control structure. By aligning operational metrics (e.g., Mean Time To Detect (MTTD), patch latency) with strategic indicators (e.g., Cyber Value at Risk (CyVaR), Expected Annual Loss (EAL)), the BCCR-Card bridges technical cybersecurity telemetry and C-level decision-making. The framework supports role-specific dashboards and maps directly to standards such as ISO 31000, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, and Corporate Stabilisation and Restructuring Act (StaRUG) compliance requirements. A tiered KPI logic and scenario-based stress testing ensure traceability and audit readiness. The model transforms cybersecurity from a siloed IT concern into a board-level control dimension, enabling risk-informed leadership and resilience planning. While further empirical validation is needed, the BCCR-Card offers a scalable foundation for integrating cyber risk into enterprise performance management.
Pages: 76 to 82
Copyright: Copyright (c) IARIA, 2025
Publication date: October 26, 2025
Published in: conference
ISSN: 2162-2116
ISBN: 978-1-68558-306-4
Location: Barcelona, Spain
Dates: from October 26, 2025 to October 30, 2025