A survey has found that 95% of organisations will be performing a cyber security risk assessment in the next 12 months. It’s no wonder this figure is so high, given that risk assessments are essential to identifying potential sources of cyber attacks, data breaches or other disasters.
An effective risk assessment will consider:
- Specific scenarios that can affect various business activities;
- How damaging each of these scenarios will be; and
- The probability that these scenarios will occur.
Each scenario that you identify should be given a ‘risk score’ based on its potential damage and probability of occurring. This can be calculated by assigning a number to progressively more damaging or more probable scenarios. You should end up with a system for scoring risks that looks like this:
Organisations should use this scoring system to determine their ‘risk appetite’, i.e. the level of risk they are willing to accept. Very few organisations have the means to address every risk, so this system helps them dedicate appropriate time and money to the biggest priorities. In the example above, organisations would almost certainly address any risk that scored 12 or more but accept risks that scored 3 or less. Their decision-making for risks in between would be influenced by the nature and size of the organisation and their resources.
Risk appetites should be reviewed regularly and whenever there are changes to the organisation’s cyber security budget or resources. If you have the means to address a risk, there is no reason to continue considering it ‘acceptable’. However, if you find yourself struggling to resolve problems that are in your risk appetite, you should consider raising your threshold (or budget) to make sure the highest priorities are dealt with sufficiently.
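The scoring and appetite logic described above, as an added example that is not part of the original article: each scenario is rated for damage and probability, the two ratings are combined into a score, and the score is triaged against the thresholds quoted above (treat at 12 or more, accept at 3 or less). The 4-point scales, the multiplication rule and the sample scenarios are assumptions, since the article's own scoring table is not reproduced here.

```python
# Added example: a small risk register scored with a damage x probability matrix,
# then triaged against the appetite thresholds quoted in the article (treat at
# 12 or more, accept at 3 or less). The 1-4 scales and scenarios are assumptions.
from dataclasses import dataclass

SCALE = (1, 2, 3, 4)  # assumed 4-point scales for damage and probability


@dataclass
class Scenario:
    name: str
    damage: int       # 1 = negligible ... 4 = severe (assumed scale)
    probability: int  # 1 = rare ... 4 = almost certain (assumed scale)

    def score(self) -> int:
        if self.damage not in SCALE or self.probability not in SCALE:
            raise ValueError(f"{self.name}: ratings must be in {SCALE}")
        return self.damage * self.probability


def risk_matrix():
    """Every damage/probability combination and its score (the scoring table)."""
    return {(d, p): d * p for d in SCALE for p in SCALE}


def decide(score: int, accept_at_or_below: int = 3, treat_at_or_above: int = 12) -> str:
    """Apply the risk appetite: accept low scores, treat high ones, review the rest."""
    if accept_at_or_below >= treat_at_or_above:
        raise ValueError("accept threshold must be below the treat threshold")
    if score >= treat_at_or_above:
        return "treat"
    if score <= accept_at_or_below:
        return "accept"
    return "review"


def triage(register, **appetite):
    """Return (name, score, decision) tuples, highest score first."""
    rows = [(s.name, s.score(), decide(s.score(), **appetite)) for s in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample register (not taken from the article)
REGISTER = [
    Scenario("Ransomware on file servers", damage=4, probability=3),
    Scenario("Phishing leads to credential theft", damage=3, probability=4),
    Scenario("Lost unencrypted laptop", damage=2, probability=2),
    Scenario("Office printer offline", damage=1, probability=3),
]

if __name__ == "__main__":
    for name, score, decision in triage(REGISTER):
        print(f"{score:>2}  {decision:<7} {name}")
```

Passing a lower `accept_at_or_below` to `triage` models the article's advice to tighten the appetite when budget allows: scenarios that were previously accepted move into the review band.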
Source: IT Governance