This is a guest post by Rapid7 customer Steven Maske, the Information Security Manager of a manufacturing, retail, and distribution company.
Like any endeavor, operating a company carries a degree of risk—there is always a certain level of risk that must be either remediated or accepted. The key is to assess the probability and impact of each risk and communicate it to the risk owners and executive leadership. In this post, we’ll discuss how risk can be defined within an organization, the differences between risks, threats, and vulnerabilities, and how to communicate all of this effectively to risk owners and leadership teams.
How to assess and define an acceptable level of risk
Risk is a measurement of probability and impact—what’s the chance that something bad will happen, and how bad will it be? How a company measures risk needs to be determined by weighing the probability of the risky outcome against the cost of resolution. For example, let’s say you have proprietary data that, if stolen, could cost your company $100,000. If the cost to remediate the issue is $1 million, you wouldn’t spend that much to prevent a loss that is only a fraction of the amount.
Different industries also face different levels of risk. For example, say a retailer and a newspaper are both compromised by a database exploit that leaks names and email addresses. For the retailer, it’s a list of customer names and emails, but for the newspaper, it’s a list of sources. While embarrassing to the retailer, the leak does not have the same impact if the data becomes public. The breach at the newspaper could lead to physical harm should the list of sources fall into the wrong h ..