A Ponemon Institute survey has found that 95% of organisations will be performing a cyber security risk assessment in the next 12 months. It’s no wonder this figure is so high, given that risk assessments are essential to identifying potential sources of cyber attacks, data breaches or other disasters.
An effective risk assessment will consider:
- Specific scenarios that can affect various business activities;
- How damaging each of these scenarios will be; and
- The probability that these scenarios will occur.
Each scenario that you identify should be given a ‘risk score’ based on its potential damage and probability of occurring. This can be calculated by assigning progressively higher numbers to more damaging and more probable scenarios. You should end up with a system for scoring risks that looks like this:
Organisations should use this scoring system to determine their ‘risk appetite’, i.e. the level of risk they are willing to accept. Very few organisations have the means to address every risk, so this system helps them dedicate appropriate time and money to the biggest priorities. In the example above, organisations would almost certainly address any risk that scored 12 or more but accept risks that scored 3 or less. Their decision-making for risks in between would be influenced by the nature and size of the organisation and their resources.
Risk appetites should be reviewed regularly and whenever there are changes to the organisation’s cyber security budget or resources. If you have the means to address a risk, there is no reason to continue considering it ‘acceptable’. However, if you find yourself struggling to resolve problems that are in your risk appetite, you should consider raising your threshold (or budget) to make sure the highest priorities are dealt with sufficiently.
Get help with risk assessments
Our ISO22301 BCMS Documentation Toolkit features a risk assessment template to help you evaluate your organisation’s level of security and measure your risk appetite. It also includes a Risk Register/Treatment Plan to help you manage risks after you’ve identified them.
The toolkit is designed to help you comply with ISO 22301, which sets out the requirements for a business continuity management system (BCMS).
You can learn more about ISO 22301 on our website or by reading our free green paper: Business Continuity Management – The nine-step approach.
vsRisk is our leading, comprehensive risk assessment tool that delivers fast, accurate, auditable and hassle-free risk assessments.
When you’re ready, you can take a free trial of our toolkit.