To improve risk management within corporate structures, this paper argues that Security and Risk Managers should replace their cybersecurity risk management with Business Impact Analyses (BIA). Relying on the principle of an attack's probability, this article emphasizes that cyber attacks have a 100% probability. Instead, organizations should redefine risk management as threat exposure management, under the assumption that a cyber attack may occur at any point in time or at any organizational node. Security and risk managers should restructure their relationships with business executives to identify vulnerable processes rather than report risk model results. By creating a prioritization structure for security and risk managers, threat assessments become more valuable. The focus of security and risk managers ultimately shifts toward threat exposure management rather than risk management, which will improve the effectiveness of security and risk management teams.
Authors:
Andrew Walls, Leigh McMullen, Jay Heiser, Deepti Gopal