Risk Appetite Considerations
Defining an organization's risk appetite is a crucial first step in creating a cybersecurity strategy. When determining the appetite level, a number of considerations can affect how much risk an organization is able, or may be forced, to accept. It also helps to understand three related terms that are often confused with appetite:
- Risk Capacity: The maximum amount of risk the organization can absorb without threatening its viability (an upper bound that appetite must stay within)
- Risk Threshold: The trigger level at which a risk exceeds the defined appetite and must be escalated or acted on
- Risk Tolerance: The acceptable range of deviation around the appetite for a given risk or objective
Considerations that shape appetite include regulatory and contractual requirements, the security budget, and cultural and external drivers.
Regulatory and Contractual Requirements
Regulatory and contractual requirements play a major role in determining an organization's risk appetite. Depending on the industry in which a company operates and the type of data it collects, stores, and processes, a number of requirements may already be in place that constrain its approach to cybersecurity.
For example, organizations in the financial and healthcare industries are heavily regulated and subject to a number of government-mandated security controls. When determining risk appetite, an organization must weigh the potential costs of non-compliance, such as regulatory penalties, lawsuits, and loss of licenses or certifications.
Companies may also be forced to mitigate or transfer a certain level of risk because of contractual obligations. Those operating under contract may have service level agreements (SLAs) covering service availability and data security, and failing to manage the underlying risks can place the company in breach of contract.
Security Budget
While an organization's risk appetite should drive the size of the security budget, the inverse is also true: the budget limits the appetite that can realistically be achieved. No company has infinite resources, and many can allocate only a limited budget to security. These constraints may force an organization to accept a higher level of risk than it would prefer, and that accepted risk should be documented rather than left implicit.
Cultural and External Drivers
In the wake of COVID-19, many organizations are considering an extended or permanent transition to telework. This change in how organizations carry out daily business highlights the impact that workplace culture and external factors have on risk appetite.
In general, teleworkers expand an organization's attack surface more than on-site employees do. Teleworkers often work from untrusted devices and networks, increasing their exposure to cyber threats. They may also use unapproved technologies (such as personal cloud accounts) to get their work done, placing company data outside the organization's controls. These factors must be taken into account when defining an organization's risk appetite and cybersecurity strategy.