Risk appetite assessment and agreement is one of the most challenging aspects of risk management. In the security space this is even more so: without understanding the impact of either a breach or a changed course of action, it is difficult to set the bar for alerting or reporting where an external agency or law (such as GDPR) has not already set it.
When assessing risks and control effectiveness, how does a business then decide where the bar should be set? Is it the number of security events? Is it their impact? Is it a combination of the two? Is it a total over a given period, or a single event? If it is a total, is it only the last event, the one that tips the balance over the bar, that gets reported, or do all of the preceding events then become reportable as well?
CSR solutions can help by developing a quantitative approach to risk management, giving a business a better understanding of the potential impact of events and prompting a restructure of its appetite statements so that they move away from qualitative, aggregate measures towards measurement of individual events and their impacts.