Why are some risks acceptable?

Some risks are seen as acceptable inside companies either because they have a low likelihood of
occurring or because their potential impact is too small to justify significant mitigation measures.
A risk is considered acceptable when the cost of managing it exceeds the possible damage it may
cause. The cited paper states, for instance, that a business may tolerate the risk of modest data
breaches where the sensitivity of the data is minimal, since the expense of putting strong security
measures in place may exceed the possible damage such breaches would cause (Hindmoor &
McConnell, 2013).

Organizations accept risks strategically after analyzing the risk landscape, usually through a
cost-benefit analysis. A business may tolerate the risk of a modest data breach in a non-critical
system because the high cost and resource-intensive nature of adopting strong security measures for
that system outweighs the possible damage. For a mission-critical system holding sensitive customer
data, even a small compromise would be unacceptable, and strict security measures would be taken.

Who, within an organization or on a management team, should be authorized to determine why or
what risks are acceptable?

Typically, top management, especially the Chief Information Security Officer (CISO) and the executive
team, should have the authority to decide which risks are acceptable. They are responsible for
evaluating risks strategically and matching them to the goals and risk tolerance of the company. Legal
and compliance departments may also be involved in risk acceptance decisions. For instance, if a new
product launch has a security vulnerability but postponing the launch might cause significant
financial losses, senior management may decide to accept the risk and proceed with the necessary
monitoring and mitigation steps after consulting with legal counsel (Karanja, 2017).

Senior management and key stakeholders who understand the organization's objectives, risk
tolerance, and compliance requirements evaluate acceptable risks. The CISO advises top
management on security risks and mitigation. When legal duties and regulatory compliance are at
issue, legal and compliance departments have a say: if a data breach might result in large penalties
under data protection laws, the legal team's participation in risk acceptance decisions is crucial. Risk
committees or boards may provide oversight and make informed judgments in difficult cases.

In what ways are some vulnerabilities unavoidable?

Because of outside influences, certain vulnerabilities cannot be prevented by an organization.
Reliance on third-party software and services is one such factor. For instance, a business may depend
on a widely used software platform, and if a vulnerability in that platform is found, the firm may have
little influence over how soon the software supplier issues a fix (Patel, Ranabahu, & Sheth, 2009).
Additionally, zero-day vulnerabilities are unavoidable until they are discovered and fixed, since they
are unknown to the software manufacturer and the security community. The possibility of human
error, which may introduce vulnerabilities even in well-structured security processes, is also
mentioned in the text. For instance, an employee may unintentionally send confidential material to
the wrong recipient.

Organizations commonly use third-party software, services, and providers. If a vulnerability is found
in a popular third-party product, the company may have little influence over the vendor's response
and the release of a fix. If a widely used operating system has a significant vulnerability, companies
using it must wait for the vendor's patch. In such cases, companies must prioritize early detection
and response: proactive monitoring, vulnerability assessments, and incident response plans reduce
the impact of vulnerabilities outside their control.

Hindmoor, A., & McConnell, A. (2013). Why didn't they see it coming? Warning signs, acceptable
risks and the global financial crisis. Political Studies, 61(3), 543-560.

Karanja, E. (2017). The role of the chief information security officer in the management of IT security.
Information & Computer Security, 25(3), 300-329.

Patel, P., Ranabahu, A. H., & Sheth, A. P. (2009). Service level agreement in cloud computing.