10 risk factors no one talks about

These risk factors might not show up on an official risk assessment report, but every security professional should be thinking about them.

[Image: a shoe about to step on a banana peel, stopped by a small superhero. Credit: RetroRocket / Getty Images]

The traditional risk management process we are all taught is a staid one: catalog the potential threats and risks, estimate the likelihood that each occurs, and estimate the damage each would cause if it were not mitigated. The cost of each candidate mitigation or control is then weighed against the damage it would prevent, and a mitigation is put in place only when it costs less than the expected loss from leaving the risk unaddressed.

We have all fretted about how hard it is to estimate both the likelihood of an event and the damage it would do. Those numbers have always been more like a best guess than an insurance actuarial table. How can anyone estimate, with any accuracy, the chance that a sophisticated ransomware, DDoS or insider attack will hit their organization in a given year, or which assets it would take out? Can anyone prove that the likelihood is 20% rather than 60%?
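The arithmetic behind that weighing, and why the 20%-versus-60% question matters so much, is easy to make concrete. The following is an added example written for this edit, not code from the article; the dollar figures (a $2M single-incident loss, a $500K-per-year control that still leaves 20% of the loss on the table) are constructed, not drawn from any real assessment. It computes the annualized expected loss, the break-even likelihood at which the control pays for itself, and then shows that the same control is "a waste of money" at 20% and clearly worth it at 60%.

```python
"""Expected-loss arithmetic behind a mitigation decision.

Added example (not from the original article). All figures are constructed
for illustration; the method is the standard ALE = SLE x ARO comparison.
"""


def annual_expected_loss(single_loss: float, annual_rate: float) -> float:
    """Annualized loss expectancy: single-incident loss times incidents per year."""
    return single_loss * annual_rate


def breakeven_likelihood(single_loss: float, mitigation_cost: float,
                         residual_fraction: float = 0.0) -> float:
    """Smallest annual likelihood at which mitigating costs no more than accepting.

    mitigation_cost is the annualized cost of the control; residual_fraction is
    the share of the single-incident loss that remains even with the control.
    """
    loss_avoided = single_loss * (1.0 - residual_fraction)
    if loss_avoided <= 0:
        return float("inf")  # a control that avoids nothing never breaks even
    return mitigation_cost / loss_avoided


def should_mitigate(single_loss: float, annual_rate: float, mitigation_cost: float,
                    residual_fraction: float = 0.0) -> bool:
    """True when expected loss with the control (plus its cost) is below the
    expected loss of doing nothing."""
    do_nothing = annual_expected_loss(single_loss, annual_rate)
    with_control = (annual_expected_loss(single_loss * residual_fraction, annual_rate)
                    + mitigation_cost)
    return with_control < do_nothing


def sensitivity(single_loss: float, mitigation_cost: float, likelihoods,
                residual_fraction: float = 0.0) -> dict:
    """Decision at each assumed likelihood, so the flip point is visible."""
    return {p: should_mitigate(single_loss, p, mitigation_cost, residual_fraction)
            for p in likelihoods}


# Constructed scenario (hypothetical numbers): a ransomware incident costing
# $2,000,000, and a $500,000/year control that still leaves 20% of that loss.
SINGLE_LOSS = 2_000_000.0
CONTROL_COST = 500_000.0
RESIDUAL = 0.20

if __name__ == "__main__":
    print(f"break-even likelihood: {breakeven_likelihood(SINGLE_LOSS, CONTROL_COST, RESIDUAL):.1%}")
    for p, decision in sensitivity(SINGLE_LOSS, CONTROL_COST, [0.1, 0.2, 0.3, 0.4, 0.6], RESIDUAL).items():
        print(f"likelihood {p:.0%}: do-nothing ALE ${annual_expected_loss(SINGLE_LOSS, p):,.0f}"
              f" -> {'mitigate' if decision else 'accept'}")
```

With these figures the break-even point is about 31%, so an assessor who believes "20%" and one who believes "60%" reach opposite conclusions about the same control. That is the whole argument in a few lines: the decision is only as good as the likelihood estimate nobody can prove.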

We all struggle with those big estimation problems, but there are a ton of other factors that shape risk management in practice. Here are ten that are rarely discussed openly.

1. Fighting over “might happen” risk

Every risk assessment is a fight between mitigating something that might happen and doing nothing, especially if that something has never happened before. Many people believe doing nothing is cheaper, and the people who push to act are seen as wasting money. "Why waste the money? That's never going to happen!"

