Module 3

MODULE 3 - RISK COMMUNICATION

The decision-makers and various other stakeholders should discuss information regarding a risk.

An appropriate communication plan should be developed to ensure that:
• Risks are understood.
• Security policies are known and applied correctly.
• The risk treatment plan is known.

Risk communication is essential for the following:
• The risk assessment results are shared and the risk treatment plan is presented.
• Decision-making gets support.
• For the collection of information related to risk.
• For the improvement of awareness.
• A sense of responsibility about a risk is given to the decision makers and stakeholders.
• An organization’s risk management outcome can be assured.
• Latest information security knowledge can be obtained.
• For reducing the impact of any incident by coordinating with others and planning risk
responses.
• The understanding among stakeholders can be increased, and hence, both the
happening and the impact of security events can be avoided or reduced.

Importance of communication

• An agreement can be achieved on ways to manage a risk through risk communication as it
allows the discussion of information, such as the form, probability, severity, etc., regarding
the risk among the decision-makers and other stakeholders.

• Great impact can be put on the decisions that require to be made if the communication
among the stakeholders is effective and efficient. Hence, risk communication is important
among the stakeholders.

• The people responsible for implementing risk management, and those with a conferred
interest will be made to understand properly the basis on which the decisions are made and
the necessity of particular actions.

• It is bi-directional in nature.
• Insights regarding a risk can be different because of the divergence in concepts, issues,

assumptions, concerns and needs of stakeholders as pertaining to the risk under discussion.
• The perception of a risk is the basis on which stakeholders make decisions regarding the

acceptability of a risk. Identification and documentation of these perceptions, and any
perceptions regarding benefits can be done. The understanding and addressing of the
reasons underlying these perceptions can also be done.

Challenge of communication

• The communication is required by the business executives in a language that is understood
by them. The language should focus on risk, financial gain or loss.

• There is an issue because security professionals tend to convey the message in technical
language, which can be hard to comprehend by the business executives.

• It is necessary for business executives, even if they have minor security knowledge, to
understand what is happening so that they can make appropriate, risk informed decisions.
However, translating security metrics into risk statements is difficult by using a language
understood by the business executives.

• It should not be expected that executives will have even a little understanding of
engineering that is essential for having an in-depth security discussion.

• As the understanding of risk metrics, descriptions and details put an impact on the future
of a an organisation's business, security risk professionals should translate all this relevant
information into a language that is understood by the leaders of the concerned organisation.

Risk communication plan

• An organization should develop risk communication plans for normal operations
(continually) as well as for emergency situations.

• Co-ordination between decision makers and stakeholders may be achieved by the
formation of a committee where discussion about risks take place.

• It is important to cooperate with the appropriate public relations or communications (if they
exist in the organisation).

• As a result of the risk management plan, a better understanding of the organization’s
information security risk management process is expected.

Key things to consider

• Who are the stakeholders that are required to approve the risk treatment plan?
• Who are the decision makers that are required to approve the risk treatment plan?
• What messages do they need to receive?
• Which are the methods that will be used to communicate the risks? (e.g. risk reports,

presentations, meetings, etc.)
• What reactions are expected?
• What behaviour do we need from the stakeholders?
• It is necessary that they take action. What sort of action?

• Timing: date when the action takes place/starts
• Audience: recipient of the message
• Sender: the one who needs to send the message
• Key message: the information that is needed to be communicated
• Desired Outcome: what should be achieved through this action?
• Medium: type of communication channel (e.g. email, post on web site, newsletter, a

virtual meeting, daily scrum, meeting)
• Frequency: define the regularity of the messages, such as monthly, weekly or one time

messages