Cyber security (CS) is one of the top business risks. The recent global pandemic has only intensified it by telecommuting, expanding work environment with videoconferencing software, adding personal devices, and private WiFi networks to organization’s systems. Despite orchestrated efforts in CS risk management, the number of successful attacks is still growing. Principles of sound risk management warrant that cyber security risk management is organised in the three lines model. Business units together with the information technology function represent the first line. The information security risk management represents the second line of cyber security. An independent assurance that CS risk management strategy, policies, procedures and controls are effective if is provided by the third line the internal audit function (IAF). Yet, many IAFs lack expertise and resources in the area of cyber security. This Workshop reports the findings of a joint research project of the University of Queensland (Australia) and the University of Split (Croatia) about the effectiveness of cyber security risk assurance. An original Index of CS assurance effectiveness has been developed and measured it on a large-scale international sample (Chief Audit Executives and IT auditors from 20 different countries, organizations of various sizes and industries participated in the survey).
