CYBER RISK GOVERNANCE FRAMEWORK FOR NON-TECHNICAL COMPANIES

Authors

  • Yohan Purnawan, Universitas Efarina
  • Hendri Mayanta, Universitas Efarina
  • Benny Sofian Pandinata Purba, Universitas Efarina

DOI:

https://doi.org/10.61696/visisakti.v2i2.1050

Keywords:

Cyber Risk Governance, Non-Technical Companies, Risk Management, Education, Cybersecurity Training

Abstract

As digitalization increases and reliance on information systems grows, cyber threats have evolved into significant strategic risks—especially for non-technical organizations that often lack adequate IT resources or in-depth expertise. This study aims to develop a cyber risk governance framework relevant to non-technical companies by drawing on principles from AICD & CSCRC and the defensive social engineering approach proposed by MIT Sloan. The proposed framework includes stakeholder identification, risk management procedures, and integrated reporting and evaluation mechanisms. The theoretical foundation highlights the importance of treating cyber risk as a strategic risk. Therefore, strengthening a security culture through employee education and training is emphasized as a vital non-technical approach. Appointing a Chief Information Security Officer (CISO) is also discussed as a way to bridge the gap between technical needs and managerial governance, covering policy, training, and readiness evaluation. The research employs a qualitative methodology using literature study, with qualitative analysis mapped to five main components: leadership and accountability, education and training, risk management, policies and procedures, and collaboration and reporting. The findings indicate that a systematic approach is necessary to internalize a security culture across the organization. In conclusion, non-technical organizations should adopt strategic steps in cyber risk governance to minimize potential financial and reputational losses.

Published

2024-12-22

How to Cite

Purnawan, Y., Mayanta, H., & Purba, B. S. P. (2024). KERANGKA TATA KELOLA RISIKO SIBER UNTUK PERUSAHAAN NON-TEKNIS. Jurnal Industri Kreatif Dan Inovatif, 2(2), 82–90. https://doi.org/10.61696/visisakti.v2i2.1050