1.11 Risk Awareness
· The ultimate objective of a risk management program is to enable risk-aware business decisions.
· The primary objectives of creating a risk-aware culture are to:
§ improve the ethics of the organization
§ enhance the risk reporting procedure
§ ensure that suspected behaviour is reported at the earliest
§ ensure that risk is well understood and known
· The following are the modes of delivering risk awareness programs:
§ Training and workshops
§ Periodic bulletins and magazines
§ Quizzes
§ Control self-assessment programs
§ Awareness messages through emails and SMS
· All employees and associated vendors should be trained to identify vulnerabilities, suspicious activity and possible attacks, and to report them at the earliest. Risk-aware business decisions depend on the availability of accurate and timely information.
· A risk awareness program should be customized to address the needs and requirements of the individual groups within an organization and deliver content suitable for each group. The prime consideration when developing a risk awareness program is to ensure that the process owner is able to understand how risk can impact their process as well as the overall business.
· A risk awareness program should not give too many details of the vulnerabilities or investigations, as this can further expose the organization.
· Risk awareness, education and training help to improve risk and security management in the most cost-effective way.
· Employees and third-party service providers should be made aware of the organization's security policies and procedures.
· Training effectiveness can be measured through testing, quizzes or other metrics. For example, the effectiveness of incident reporting training can be determined by the number of incidents reported subsequent to the training. Increased reporting of valid incidents indicates that users are aware of the security rules and know how to report incidents.
· Training need identification is an important aspect; needs can be derived from various sources such as help desk activity, operational errors, security events and audits.
· A separate risk awareness program should be arranged for senior management, with more emphasis on the need for compliance, due care and due diligence, and on the need to set the tone and culture of the organization through policy and good practice. They should be reminded of their roles and responsibility for determining risk acceptance levels.
· Employees and vendors should be made aware of the risk related to social engineering attacks. Social engineering is a technique by which an attacker attempts to manipulate people and gather confidential information. No logical control can address social engineering attacks; they can only be controlled through security awareness amongst the employees.
Key aspects from CRISC exam perspective
CRISC Question | Possible Answer
Greatest benefit of a risk-aware culture | Suspected behaviour is reported at the earliest
Prime consideration when developing a risk awareness program | Process owners should be able to understand how risk can impact their process as well as the overall business
Best approach when conducting a risk awareness campaign | A customized and tailored program addressing the different business groups
Risk-aware business decisions depend on | Availability of accurate and timely information
Social engineering risk can be reduced by | Security awareness programs
Main objective of the risk management process | Risk-aware business decisions
Effectiveness of incident reporting training can be determined by | An increase in valid incident reporting
Most effective method to ensure that users comply with BYOD policies and procedures | Educating users on acceptable and unacceptable practices