10 risk factors no one talks about

These risk factors might not show up on an official risk assessment report, but every security professional should be thinking about them.

The traditional risk management factors you are all taught include the staid process of categorizing potential threats and risks, evaluating their likelihood of occurrence, and estimating the damage that would result from them if not mitigated. The costs of the potential mitigations and controls are measured against the potential damage. Mitigations are put in place if they are cheaper and better to implement than allowing the risks and threats to occur.

You have all fretted about the difficulty of calculating both the likelihood of an event and its potential damages. These figures have always been more like a best guess than an insurance actuarial table. How can anyone estimate with any accuracy the chances that a sophisticated ransomware, DDoS or insider attack will hit their organization in a given year, or which assets it might take out? Can anyone prove that the likelihood is 20% versus 60% in a given year?

We all struggle with those large estimation issues, but there are a ton of other factors that impact risk management. Here are ten that are rarely discussed openly.

1. Fighting over “might happen” risk
