Communicating Risk
Originally written in June 2021 as part of The Laws Of Security website.
Communicating risk is one of the most important things you can do; however, not everyone understands, or wants to believe, that there is risk. How you approach the situation will dictate the outcome, so when communicating risk it is imperative that we make it as simple as possible, focusing on who is in front of us. If we can explain the risk in a way that makes the person in front of us feel that it affects them, then we will be able to have a good conversation about it.
That is the beginning of mitigating security issues: a good, candid, and simple risk conversation. To start that conversation, focus on explaining the risk, providing an attack scenario that ties that risk to the real world, and finally connecting it to the business.
Three steps.
1. RISK UNDERSTANDING
Understand what can go wrong and explain it the simplest possible way.
2. ATTACK SCENARIO
Support your explanation with a realistic attack scenario: a pragmatic example of how the risk could result in an actual attack.
3. BUSINESS IMPACT
Explain what the impact to the business would be if this risk materializes.