How to Assess and Communicate Risk in Information Security

In simple terms, risk is the likelihood of something bad taking place, and the resulting business impact if it does in fact occur. We often talk about the bad things that could happen—that is, the threats, vulnerabilities, and exploits, and the technologies that are used to defend against them—but these are not risks. Senior business leaders need their subject-matter experts in cyber security to advise them not about the technical details (the "what"), but about the risk (the "so what"), and about how an incremental investment in recommended security controls quantifiably reduces that risk.

Course syllabus:

  1. How to assess security risks

  2. How to use these risk assessments to make better-informed recommendations

  3. How to communicate these risks more effectively to business decision makers