Skip to main content

1.11 Risk Awareness

1.11 Risk Awareness


·         The ultimate objective of a risk management program is to enable risk-aware business decisions.



·         Primary objective of creating a risk aware culture is to:


§  improve the ethics of the organization

§  enhance risk reporting procedure

§  suspected behavior is reported at the earliest

§  risk is well understood and known


·         Following are the mode of risk awareness programs:


§  Training and workshop

§  Periodic bulletins and magazine

§  Quizzes 

§  Control self-assessment programs

§  Awareness messages through emails and SMS


·         All the employees and associated vendors should be trained to identify vulnerabilities, suspicious activity and possible attacks and report the same at the earliest. Risk aware business decisions depends on availability of accurate and timely information.



·         Risk awareness program should be customized to address the needs and requirements of the individual groups within an organization and deliver content suitable for that group. Prime consideration when developing a risk awareness program is to ensure that process owner is able to understand how risk can impact their process as well as overall business.


·         A risk awareness program should not give too much details of the vulnerabilities or investigations that can further expose the organization.


·         Risk awareness, education and training helps to improve the risk and security in most cost effective way.


·         Employees and third party service providers should be made aware about organization’s security policies and procedures.


·         Training effectiveness can be measured through use of testing or quiz or some other metrics. For example, effectiveness of an incident reporting training can be determined by number of incidents reported subsequent to training. Increased reporting of valid indicates that users are aware of the security rules and know how to report incidents.


·         Training need identification is an important aspect that can be derived through various sources such as help desk activity, operational errors, security events and audits.


·         A separate risk awareness program should be arranged for senior management with more emphasis on need for compliance, due care and due diligence and the need to create the tone and culture of the organization through policy and good practice.  They should be reminded their roles and responsibility for determining risk acceptance levels.


·         Employees and vendors should be made aware of the risk related to social engineering attacks. Social engineering is a technique by which hacker attempts to manipulate the people and gather confidential information. No logical control can address the social engineering attacks. It can be only controlled through security awareness amongst the employees.  


Key aspects from CRISC exam perspective


CRISC Question

Possible Answer

Greatest benefit of a risk-aware culture

Suspected behaviour is reported at the earliest

Prime consideration when developing an  risk awareness program

Process owner should able to understand how risk can impact their process as well as overall business.

Best  approach when conducting an risk awareness campaign

Customized and tailored program addressing different business group

Risk aware business decisions depends on

Availability of accurate and timely information

Social engineering risk can be reduced by

Security awareness programs

Main objective of risk management process

Risk aware business decisions

Effectiveness of an incident training can be determined by

Increase in valid incident reporting

Most effective method to ensure that user comply with BYOD policies and procedures

Educating users on acceptable and unacceptable practices



Video Tutorial - 1.11 Risk Awareness



Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: Acceptance deviation from risk appetite

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with lates