It is very important for risk scenarios to be realistic and unbiased so that management can make decisions with confidence. According to COBIT (2014), a risk scenario should have the following characteristics to add real value to risk analysis.
• Relevance – Scenarios should yield meaningful information that supports decision making. The scenarios need to be customized to the market and industry in which the organization operates to improve their relevance.
• Consistency – Each scenario must be complete and convincing by itself.
• Plausibility – The risk scenarios should be believable.
• Likelihood – There should be a certain probability for the scenario
Reporting
The success of a security and risk metric framework depends on effective reporting of the measurements of the various metrics. If these metrics are not clearly understood by the stakeholders involved, the framework is considered ineffective. Different stakeholders have different expectations of the metrics gathered, so it is important to customize the reports to those expectations. This ensures that the reports generated are used effectively.
6.1 Tiered Reporting Model
Adopting a tiered reporting model is an effective way to present information to the different audiences in an organization. For example, the senior leadership at the top tier of an organization is more interested in the costs and benefits associated with implementing information security controls, while a middle-tier manager is more concerned with the effectiveness of the controls implemented (Pironti,
However, the constantly evolving information security landscape makes it challenging for organizational leaders to formulate strategies and justify the investments needed to mitigate new risks and threats. Hence, it is critical for organizations to regularly re-evaluate the security metrics and measures that have been established to assess the effectiveness of the security controls and the information security program. Flexible and adaptable metrics and measures will help organizations identify new threats and vulnerabilities and ensure the effectiveness of their security