Risk Impact: Understanding the Cost

While confidentiality, integrity, and availability are all important parts of how we examine the impact of a security event or risk, there is one last step we need to take. We need to translate these systems, or process-level impacts, into the overall effect that this event will have on our organization, data, or customers. This is a less technical, more business-focused assessment that is often used to communicate risk to senior leaders and directors. You should consider the following factors.

• Loss of revenue. Your organization makes less money.

• Increased operating costs. It costs more to keep your business operating than it did before, which will impact its decisions about hiring and buying new things.

• Reputational damage. People trust your organization less, so they might not sign on or may churn, or they might give your business a different risk rating or change their behavior with you.

• Increased legal and audit obligations and costs. Governments and regulators often increase controls when organizations have repeated security vulnerabilities.

• Harm to health or loss of life. People are hurt or killed.

Be honest when you look at this list of impacts. For most of us, if the company makes a loss or less money, we don’t want this to happen long term, but we’re probably still going to sleep at night.

However, if the result or the impact of a security vulnerability was loss of life or harm to human health, we might be more worried. Whatever context you’re in, you need to understand and make sure you’re focusing on the right impact.

Understanding impact is essential to calculating risk and communicating why it is important that we act. The better you can understand the impact that it would have on your organization, the easier it will be to communicate to the team why you need to act and what you need to do. If you can communicate this well, they will be able to support you with budget, team members, or any other resources you might need.