How to define and assess your cyber risk appetite


Slim pickings or an all you can eat buffet?

Every organisation, regardless of size or vertical, must manage its exposure to risk. Risk comes in many different forms – including financial, environmental and operational – and cyber risk is recognised as one of the most immediate and potentially damaging threats to businesses today. 

Some organisations are willing to accept a higher level of risk than others, particularly if the potential rewards and opportunities are high enough. It is a balancing act, and in the case of cyber it is further complicated by the fact that the very initiatives organisations undertake in order to drive efficiencies and grow the business are the same things that create cyber risk. Expansion into new markets, bringing on new partners and suppliers, mergers and acquisitions, digitalisation, and the adoption of cloud and mobility technologies all drive higher levels of cyber risk. This means that they must all be planned and executed with a view to defining and managing the risk incurred. 

What is cyber risk? 

But how do you decide how much cyber risk you are willing to take on? First of all, you need to define what cyber risk actually is. In simple terms, cyber risk is the potential loss or harm related to the use of technology or technical infrastructure. 

This is a broad definition, and encompasses a wide variety of possible scenarios. Many organisations categorise cyber risks according to two key factors – intent and source: 

Internal malicious – deliberate acts of sabotage, theft or disruption committed by employees and other insiders. An example would be a disgruntled employee deleting sensitive data before leaving the organisation. 

Internal unintentional – loss or compromise of systems or data as a result of human error. For example, an internal user clicking on a link in a phishing email. 

External malicious – by far the most well-publicised source of cyber risk. These are premeditated, deliberate attacks perpetrated by hackers, cyber criminals and state actors. Examples include ransomware, DDoS (Distributed Denial of Service) and phishing attacks amongst many others. 

External unintentional – these can cause loss and/or damage to an organisation but are not deliberate. For example, a partner or external contractor that is compromised by an email attack may inadvertently allow a cyber criminal to infiltrate partner and customer networks via lateral movement. 

Rather than considering every possible scenario in each of the categories above, organisations need to consider what is most likely to happen to them given how they operate, the technology they use and the information they process. 

Who is responsible for managing cyber risk? 

Historically the responsibility for managing and mitigating cyber risk fell squarely onto the shoulders of technology leaders. Most midsize and large organisations now have a CISO in place, and/or a CIO/CTO, and the buck has traditionally stopped with them. That is no longer the case, as even the smallest oversights and misdemeanours can have ramifications for all Board-level executives – including the CEO. 

Just as everyone is a potential source of cyber risk, so everyone has a role to play in managing it. Cyber security is repeatedly cited as a Board-level concern, and rightly so, yet many Boards have yet to acknowledge that they have a collective responsibility to shape how the organisation assesses and manages cyber risk. In today’s digital and data-driven corporate world, almost every department will be undertaking activities that are a potential source of cyber risk for the entire organisation. They should therefore be part of the conversation and understand how they influence and impact the cyber risk profile as a whole. 

The committee of cyber risk policy makers and stakeholders has expanded, and should include: 

Cyber risk decision makers: CEO, CISO, CIO, CTO, COO and CFO. 

Cyber risk stakeholders: LoB managers, Legal Counsel, GRC leaders, Product Management, Research & Development, Engineering, major shareholders and investors. 

Key considerations for cyber security risk decision makers and stakeholders 

The cyber risk stakes have never been higher, and that trend is going to continue. It is also a problem that cannot be solved once and for all: cyber risk cannot be completely eliminated, only managed in line with the threats faced. Some questions for cyber risk decision makers include: 

  • Which systems would we be unable to operate without? 
  • Which systems could we operate without and for how long? 
  • What personal and sensitive information do we store/process? 
  • What level of financial impact would we be able to absorb as a result of a cyber breach? 
  • What cyber risk management measures are we required to have in place by suppliers, customers and partners? 
  • What are the information security and data protection standards we are required to comply with by law? 

Given the almost endless sources of cyber risk, and the differing levels of potential impact, prioritising where to allocate resources (technological, financial and personnel) is both crucial and complicated. Variables include governance and regulatory obligations, legal and contractual commitments and internal comfort levels. 

A sensible first step is to identify and classify applications, databases, systems and information according to: 

  • Business Critical Systems – the vital systems that allow the organisation to function and which contain the most sensitive information. This also includes systems without which there would be a threat to life. 
  • Core infrastructure – operating systems and directory services, industrial control systems and key applications such as Supply Chain Management. 
  • Public facing systems and services – the most obvious example here is a website, but it includes any system with an IP address which is accessible via the internet. 

The priority is to identify which systems would cause the most damage if they were forced offline or were compromised. While being unable to process customer orders would inevitably mean a financial hit, the mission-critical internal systems are what allow an organisation to operate, and they should be addressed first. There is little point in allowing customers to place orders that cannot be fulfilled because of an internal production or supply chain failure. 

Defining your cyber risk appetite 

Your cyber risk appetite will set the boundaries for prioritising which cyber risks need to be addressed. In order to define your cyber risk appetite, you first need to know the level of cyber risk you face today across the whole organisation, and according to the three core elements of an effective cyber defence – people, process and technology. Far too often companies deploy a selection of common point solutions which they believe will protect them against cyber threats, without actually knowing whether they are having an impact on cyber risk. Most products have some level of reporting built in, and will also generate alerts and notifications. But they can’t tell you what impact they’re having on your cyber risk profile as a whole unless they are viewed in context with all of the other measures you have in place. 

Knowing your current level of cyber risk is vital to calculating the level of cyber risk you’re willing to accept and figuring out how you get from where you are today, to where you want to be on the cyber risk spectrum in the future. 

While a single number on a scale of 1 – 100 can never tell you the whole story, it can represent the amalgamation of all of the measures you’re taking to manage your cyber risk profile, and give you a high level view of how well protected you are against cyber attacks. 

Once you have discovered where you sit on the cyber risk spectrum today, and agreed how much risk you are willing to tolerate in the future, you can then decide how much you are willing to invest in managing that risk and the best way to go about it. 
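As an added illustration, and not the author's or norm.'s own method, the Python below turns the article's three asset tiers and four intent/source categories into a small risk register: each entry gets an inherent score from a 5x5 likelihood/impact matrix, a residual score after the controls currently in place, and a comparison against a per-tier appetite on the article's 1-100 scale, with the whole register rolled up into one weighted number for the Board. The tier appetites, tier weights, the 5x5 scaling and every sample entry are assumptions made here for the example.

```python
from dataclasses import dataclass

# Asset tiers from the article's classification. The appetite (max residual score
# tolerated, on the article's 1-100 scale) and roll-up weight per tier are ASSUMED.
TIER_APPETITE = {"business_critical": 20, "core_infrastructure": 40, "public_facing": 60}
TIER_WEIGHT = {"business_critical": 3, "core_infrastructure": 2, "public_facing": 1}
# The four intent/source categories the article describes.
SOURCES = {"internal_malicious", "internal_unintentional", "external_malicious", "external_unintentional"}

@dataclass
class Risk:
    name: str
    tier: str                     # key of TIER_APPETITE
    source: str                   # one of SOURCES
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (threat to operations or life)
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully mitigated), assumed

    def __post_init__(self):
        # Reject entries that do not fit the model instead of silently mis-scoring them
        if self.tier not in TIER_APPETITE or self.source not in SOURCES:
            raise ValueError(f"unknown tier or source for {self.name!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"likelihood and impact must be 1..5 for {self.name!r}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"control_effectiveness must be 0..1 for {self.name!r}")

    def inherent(self) -> int:
        return self.likelihood * self.impact * 4   # 5x5 matrix (1..25) rescaled to 4..100

    def residual(self) -> float:
        # What is left after the people/process/technology controls currently in place
        return round(self.inherent() * (1.0 - self.control_effectiveness), 1)

def assess(register):
    """Risks whose residual score exceeds their tier's appetite, largest excess first."""
    over = [{"name": r.name, "tier": r.tier, "residual": r.residual(),
             "excess": round(r.residual() - TIER_APPETITE[r.tier], 1)} for r in register]
    return sorted((d for d in over if d["excess"] > 0), key=lambda d: d["excess"], reverse=True)

def overall_score(register):
    """One 1-100 number for the Board: tier-weighted average of residual scores."""
    total = sum(TIER_WEIGHT[r.tier] for r in register)
    return round(sum(r.residual() * TIER_WEIGHT[r.tier] for r in register) / total, 1)

# Constructed sample register; the values are illustrative, not taken from the article.
SAMPLE_REGISTER = [
    Risk("ERP database outage", "business_critical", "external_malicious", 3, 5, 0.5),
    Risk("Engineer emails customer list", "business_critical", "internal_unintentional", 4, 4, 0.2),
    Risk("Website DDoS", "public_facing", "external_malicious", 4, 2, 0.4),
    Risk("Supplier account phished", "core_infrastructure", "external_unintentional", 3, 3, 0.1),
]
```

Running `assess(SAMPLE_REGISTER)` flags the two business-critical entries as over appetite, with the unintentional insider risk ahead of the external attack because its controls are weaker, which is the kind of prioritisation the single roll-up number alone would hide.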

At first glance it may seem as though managing cyber risk is purely a concern for technical teams. This is no longer the case, not least because cyber risk is intrinsically connected to other types of risk – operational, financial and legal, to name just three. It is up to the Board to agree on the level of cyber risk that the organisation is willing to take on, and the controls it puts in place to manage it. In order to do this, Board members need complete visibility into how effective their current measures are, and the impact that further measures would have. Cyber risk management is an ongoing endeavour, and the strategic conversation cannot stop when a certain level is achieved. As the business, markets and customers change, so cyber risk management and mitigation must change with them. This means that companies need a way of assessing and defining it on an ongoing basis. 

Why cyber risk management matters 

For modern organisations, the ability to define, manage and mitigate cyber risk can mean the difference between success and failure – it really is as simple as that. Those who place the appropriate emphasis on cyber risk will be far better positioned to take advantage of opportunities to expand into new markets, forge stronger relationships with their customers and compete in the digital age. They are also far less likely to expose their organisation to the potentially catastrophic fallout of a major cyber breach. Organisations must take a full inventory of potential cyber risks, quantify their potential impact, and prioritise them effectively. This process must involve stakeholders from across the organisation to gain perspective and agreement, and it needs to be an ongoing endeavour involving constant assessment and evaluation. 

To learn more about how to define and assess your own appetite for cyber risk, get in touch with the team… 

Written by Pete Bowers
Pete Bowers is COO at norm. where he is responsible for the overall operational and financial functions of the business. He also oversees customer innovation and success, and plays a pivotal role in the ongoing development of cyber security and data protection services which deliver transparency and tangible value to norm.’s growing client base.