RSA: Organisations need to determine their ‘Cyber Risk Appetite’


Report outlines new framework designed to create stronger cybersecurity objectives by calculating the impact risk has on an organisation


  • New paper highlights that an organisation’s ability to quantify and manage its cyber risk appetite could determine its success or failure in the marketplace
  • Companies need to identify potential cyber risks, quantify the impacts, prioritise, and constantly re-evaluate
  • Group of stakeholders to shape policy should include much wider array of technical and business personnel

RSA, The Security Division of EMC, has announced a new framework designed to help companies inventory and prioritise cyber risks. The framework, issued in a report RSA prepared with support from Deloitte Advisory Cyber Risk Services, gives organisations a new way not only to factor cyber risk into their overall risk appetite but also to define the level of cyber risk they are willing to accept in the context of their overall business strategy.

As businesses strive to improve performance, many of the fundamental moves they undertake expose them to new cyber risks. Since organisations can’t turn the clock back on globalisation, outsourcing, extending their third-party networks and moving to the cloud, they will need to realign their thinking about risk. The report, entitled “Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise,” concludes that organisations need a systematic process for defining and comprehensively categorising sources of cyber risk, a new accounting of key stakeholders and risk owners, and a new way to calculate cyber risk appetite.

First, organisations need to redefine the term “cyber risk.” The term extends beyond hacks – planned attacks on information systems. While hacks are an important part of the equation, cyber risk encompasses a wider range of events that lead to potential loss or harm related to technical infrastructure or the use of technology within an organisation.

The paper provides a practical framework for inventorying and categorising cyber risks across two dimensions: intent and source. On the intent dimension, cyber risk events could be the result of deliberately malicious attacks, such as a hacker carrying out an attack with the aim of compromising sensitive information, or they could be unintentional, such as user error that makes a system temporarily unavailable. On the source dimension, risk events may originate outside the organisation, for example with cybercriminals or supply chain partners, or inside the organisation, for example with employees or contractors.

To effectively assess their cyber risk appetite, the report recommends that organisations take a comprehensive inventory of these cyber risks, quantify their potential impact and prioritise them. Organisations need to ask the right questions, such as which losses would be catastrophic, and which information absolutely cannot fall into the wrong hands or be made public. They need to prioritise risks according to impact, ranking mission- and business-critical systems ahead of areas such as core infrastructure, the extended ecosystem (supply chain management applications and partner portals) and external, public-facing points of interaction. Prioritisation needs to be an ongoing process involving constant evaluation and re-evaluation.

The report concludes that an organisation’s ability to quantify cyber risk and make informed decisions about its cyber risk appetite will put it in a position to succeed. Some costs can be quantified easily: fines, legal fees, lost productivity, and the cost of mitigation, remediation and incident response. Other costs are more difficult to determine, such as diminished brand equity, reduced goodwill and the loss of intellectual property. Organisations need to develop the ability to demonstrate that the investments they are making align with the risks they face.


David Walter, RSA GM, Global GRC

“Cyber risk is a critical issue in today’s organisations, touching aspects of business risk, regulation and technology. To effectively deal with these risks, executive decision-makers need to understand their organisations’ cyber risk appetites – balancing the nature and magnitude of those risks against the benefits a strategic shift would deliver. Then they can make more informed decisions.”


About RSA
RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA’s award-winning products, organisations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime. For more information, go to