This article is a part of Risk Update 5.
How to quantify and monitor your appetite with 6 key indicators
What is a cyber risk appetite?
Risk appetite is the level of risk that an organisation is willing to accept in the interest of reaching its objectives. While organisations commonly cover financial, legal, reputational or human capital risk in their risk appetite statements and metrics, in our experience cyber security risk appetite is often weak or missing. In fact, organisations will often state that they have “zero appetite” for cyber security incidents, which, aside from being unrealistic in the digital age, provides no early warning sign before the organisation is operating outside its appetite. Whether or not you know it and can explicitly articulate it, your organisation is always accepting a certain level of cyber security risk exposure.
Why have a cyber risk appetite?
With the continued digitisation of processes, the march towards a web of cloud services and the rise of big data, there is more complexity but also more at stake when it comes to getting cyber security right. While some organisations have understood this shift and are moving from a “maturity-based” to a “risk-based” approach for managing cyber risks, many remain on the former.
It takes significant resources, beyond just those in security and IT teams, to manage the cyber security of an organisation, and the job is never done, as threats change every day. Tough decisions need to be made that balance the cost of mitigations against the reduction in risk exposure they achieve. These are consequential decisions that should be guided by the Board and aligned with existing risk management practices.
How is cyber risk appetite articulated?
From our experience, in addition to qualitative risk appetite statements, cyber security risk appetite is best articulated as quantifiable indicators. To be effective, these indicators should:
- Provide clear tolerance boundaries, re-evaluated regularly so that they stay aligned with the perceived risks.
- Focus on the effectiveness or outcomes of key controls, so that they give a leading (rather than lagging) view of risk.
- Be actionable, so that concrete steps can be taken to bring an indicator back into tolerance when it is breached.
- Avoid technical jargon, although some initial stakeholder education may be needed for them to be understood.
What indicators should be prioritised?
Like any articulation of risk appetite, the way you define and measure it should be tailored to your organisation and the specific risks you face. The data you hold, the services you provide and the infrastructure you rely on will guide the conversation.
As a starting point, we have provided some example indicators below, based on our experience.