Home / Resources / ISACA Journal / Issues / 2020 / Volume 3 / Communicating Technology Risk to Nontechnical People
It is important to clearly communicate to the target audience which items on the list are threats, assets and controls (however weak they may be). Executives must understand how the combination of these categories of things can be manipulated to cause harm to the enterprise.
The next step is to connect the loss scenarios to the relevant technology assets. To accomplish this, it is necessary to identify the inherent attributes of those assets that connect them to the scenario.
Although such labels are helpful for grouping risk, these categories need to be decomposed one more level to get a fully qualified risk scenario that provides a greater degree of precision in the risk assessment. For instance, “Theft of data from critical applications” is a useful category, but it does not provide enough detail about what is happen
Finally, and most important, the simple risk formula does not contain guidance on exactly what one should assess the probability and impact of. Knowing what to measure is just as important as knowing how to measure it. Risk is about loss, so whatever is being measured must be a complete statement of loss relevant to the enterprise. The list of tech
This statement reveals several critical things. First, it states who is taking the action. Next, it states how they are accomplishing it. In this case, the enterprise has already granted these individuals the tools they need to perpetrate bad acts, which are also clearly identified as stealing data from critical applications. Most important is that
Some business processes are enabled by simple applications, such as email. In this case, the supporting infrastructure that enables email is also aligned with the business process and, ultimately, with the products and services that process enables. This provides a sense of what kind of technology-related problems can arise and how they can affect
For those who are uncomfortable with statistics, it is better to ask them how often something might happen rather than the probability of its happening. Second, this variable is better able to capture events that occur more than once per year (or period). A frequency of two per year is easy to comprehend, whereas a 200 percent probability is not on
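The following is an added illustration of the frequency-versus-probability point above; it is not code from the ISACA article. It assumes that loss events arrive independently at a constant average rate (a Poisson model), so that a frequency of two per year maps to a roughly 86 percent chance of at least one event in the year rather than a meaningless "200 percent". The scenario names and loss figures are constructed sample values.

```python
import math


def prob_at_least_one(frequency_per_year: float) -> float:
    """Probability that a loss event occurs at least once in a year.

    Assumes Poisson arrivals with mean `frequency_per_year`; this is the
    usual way to turn an expected frequency into a bounded probability.
    """
    if frequency_per_year < 0:
        raise ValueError("frequency must be non-negative")
    return 1.0 - math.exp(-frequency_per_year)


def annualised_loss(frequency_per_year: float, loss_per_event: float) -> float:
    """Expected loss per year: frequency times loss magnitude per event."""
    return frequency_per_year * loss_per_event


def summarise_scenarios(scenarios):
    """Return one row per loss scenario with frequency, probability and
    expected annual loss, sorted by expected loss (largest first).

    `scenarios` is a list of (name, frequency_per_year, loss_per_event).
    """
    rows = []
    for name, freq, loss in scenarios:
        rows.append({
            "scenario": name,
            "frequency_per_year": freq,
            "prob_at_least_one": prob_at_least_one(freq),
            "expected_annual_loss": annualised_loss(freq, loss),
        })
    rows.sort(key=lambda r: r["expected_annual_loss"], reverse=True)
    return rows


# Constructed sample scenarios (hypothetical names and figures).
SAMPLE_SCENARIOS = [
    ("Insider steals data from a critical application", 2.0, 50_000.0),
    ("Email outage halts order processing", 0.5, 120_000.0),
]

if __name__ == "__main__":
    for row in summarise_scenarios(SAMPLE_SCENARIOS):
        print(f"{row['scenario']}: {row['frequency_per_year']:.1f}/yr, "
              f"P(>=1) = {row['prob_at_least_one']:.1%}, "
              f"expected loss = {row['expected_annual_loss']:,.0f}")
```

Stating a frequency and an expected annual loss side by side keeps the conversation in units an executive already uses (events per year, currency per year), while the derived probability remains available for anyone who wants it.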