Communicating Risk

Feb 2021 - Updated Jun 2021

Communicating risk is one of the most important things you can do, however not everyone understands or wants to believe there is risk. How you approach the situation will dictate the outcome, so when communicating risk it is imperative we make it as simple as possible, focusing on who’s in front of us. If we can explain the risk in a way that the person in front of us feels that the risk affects him/her, then we will be able to have a good conversation about it.

That is the beginning of mitigating security issues: a good, candid, and simple risk conversation. To start that conversation focus on explaining the risk, providing an attack that can attach that risk to the real world, and finally tie it to the business.

Three steps.

1. RISK UNDERSTANDING

Understand what can go wrong and explain it the simplest possible way.

2. ATTACK SCENARIO

Support your explanation with a realistic attack scenario. Provide a pragmatic example of how the risk can result in an actual attack.

3. BUSINESS IMPACT

Explain what is the impact to the business if this risk becomes true.


---------

Note: This is part of The Laws Of Security website.

© 2009-2024 Modern Adversary. No tracking or visit logs.