For example, when we’re talking about “likelihood,” we also need to know the likelihood of what event – and from which threat actor. We need this extra context so we can complete the equation.
The same is true of impact, which is commonly thought to be something that we CISOs control. But impact is a business decision, and therefore should be determined by business stakeholders who can define the importance of information within an IT system. The job of CISOs is to provide business teams with the framework and methodology for classifying the value of information, without confusing teams with esoteric cyber-babble.
Adding to the challenge of contextualizing risk is that it can be hard to know who’s attacking us and why. Sensational media coverage of high-profile ransomware and DDoS attacks tends to blur the true picture of risk – in other words, which attacks an organization should worry about. As security departments, we need to contextualize the threats applicable to our environments.