editione1.0.0
Updated October 9, 2023Definition Once we have assessed the likelihood and impact of our risk, the result is known as the criticality. This is often a numerical value or label that we give to a risk that communicates how serious it is and how quickly we need to act.
While the exact terminology and labels may vary between companies, the general principle is captured in this diagram.
Figure: A commonly used set of labels for risk criticality.
Criticality is a scale ranging from critical to informational. Each stage of this scale has a set of criteria such as how many customers are affected, how much money would be lost, how long would the issue take to resolve, and how many systems would be at risk.
The higher the criticality in your risk assessment, the more urgent the need to act. As you drop down the levels, the urgency decreases and you may be able to address risks as part of normal prioritized processes.
important Define your own criticality levels before you need them. It is important to define your organization’s definitions for these levels in advance. By defining them in advance (when you aren’t dealing with an issue or incident), you can calmly discuss their values with the wider team. The last thing you want to spend time on during a security event is defining your criteria for assessing risk!
Much like your business is rapidly changing, the world in which it operates is changing too. In fact, all of the elements that you used to calculate your risk will change. We should consider a risk calculation to be correct for a particular moment in time, rather than something final that will remain unchanged forever.
Many factors can cause risk to change. Try to find ways to identify these changes and how they might affect risk for your company.
Increased brand awareness and publicity. For those of us who are building product- or marketing-led businesses, this is the security curse of our approach. The more well known we become, the more at risk we are. Simply put, attackers have to know you exist before they will try to cause you harm. You may find your success leads to increased security pressure and risk.