The business approach to cyber risks
Before considering cyber risk, it is essential to understand how management performs and maintains the business impact analysis.
Based on the above, and given that cyber is only one of the risks a business must consider, the standard risk questions to ask are:
• What are you trying to achieve?
• What technology do you depend on to achieve those objectives?
• How would a breach affect you? How likely is an effect that would inhibit your success?
• Where is the risk to the business?
• Is it acceptable?
• Can we take some risk (realise the opportunities the risk presents)?
• If the cost of the risk is too high, what should we be doing about it?
Cyber risk must not be considered in a silo. It is part of the ‘business system’, and the components of that system to be considered are:
• The nature of the business and its purpose, including how it is changing
• Its objectives
• How a breach might affect the business and the achievement of its objectives: the range of potential effects and their likelihoods, and the impact on other sources of risk, such as compliance
• Whether that is acceptable
• The options for addressing the risk, and whether any investment would have an acceptable return, especially given the changing nature of threats
• The competition for scarce resources, given that any investment in cyber is at the cost of investing in other business risks and opportunities