The aim of this paper is to analyze the effectiveness of internal audit of cybersecurity. We developed a Cybersecurity Audit Index composed of three dimensions – planning, performing and reporting – to address this question. We hypothesize that cybersecurity audit effectiveness is positively related to cyber risk management maturity and negatively to the probability of a successful cyber attack. We tested our hypotheses in a survey with auditors and Chief Audit Executives from various countries and industries. We found that Cybersecurity Audit Index scores significantly vary, with a mean of 58 on a scale from 0 to 100. While the planning and performing phases are strongly and positively correlated, they are less strongly related to reporting about cyber risk management effectiveness to the Board of Directors. As predicted, the Cybersecurity Audit Index is positively associated with maturity, but contrary to expectations, it is not related to the probability of a successful cyber attack. This is the first paper that comprehensively measures the effectiveness of cybersecurity audit and its effects on cyber risk management.

本文旨在分析网络安全内部审计的有效性。我们开发了一个由三个维度组成的网络安全审计指数——规划、执行和报告——来解决这个问题。我们假设网络安全审计的有效性与网络风险管理成熟度呈正相关，与网络攻击成功的概率呈负相关。我们在与来自不同国家和行业的审计师和首席审计执行官的调查中检验了我们的假设。我们发现网络安全审计指数得分差异很大，平均为 58，范围从 0 到 100。虽然规划和执行阶段之间存在强正相关，但它们与向董事会报告网络风险管理有效性的相关性较低董事。正如预测的那样，网络安全审计指数与成熟度呈正相关，但与预期相反，它与网络攻击成功的概率无关。这是第一篇全面衡量网络安全审计的有效性及其对网络风险管理的影响的论文。