Risk appetite assessment and agreement is one of the most challenging aspects of risk management. In the security space it is even more so: without understanding the impacts of either a breach or a changed course of action, it is difficult to set the bar for alerting or reporting where it has not already been set by an external agency or law (such as GDPR).

Risk appetite

When assessing risks and control effectiveness, how does a business then identify where the bar should be set? Is it the number of security events? Is it the impacts? Is it a combination? Is it a total over a given period, or a single event? If it is a total, is it only the last event, the one that tips the balance over the bar, that gets reported, or do all preceding events then become reportable as well?

CSR solutions can help by developing a quantitative approach to risk management, enabling a business to gain a better understanding of the potential impacts of events and to restructure its appetite statements so that they reflect a less qualitative and less aggregated approach to measurement.

Whilst security is often expressed as the need to maintain confidentiality, integrity and availability, for many businesses this results in a less focused approach to control.

Quantitative risk assessment, when done well, will allow a business to assess the financial impact of a risk, both in terms of the costs of making changes to the security posture and the potential impacts of a security breach.

