Earlier this year, the first part of this article was published. It’s a good place to start to learn why you want to understand your company’s attack surface. Websites and online databases tend to over-share – you should aim to limit this. But some...
Almost daily, we hear about how cyber threats and IT risks increase globally across industries. Sadly, the methods and tools used for IT risk management today do not deliver the consistent decision support that organizations need. On March 23rd 2023, we conducted a...
The International Standards Organization recently published an updated version of their guidance for information security risk management, but they have missed the mark entirely on quantitative methods. What is ISO 27005? The ISO/IEC-27005 is one of the key standards...
An important step in any IT risk management process is to clearly define the information assets in scope. But what is an information asset really? How can you best describe your important information assets? And why is it so important to spend time on establishing a...
The last couple of years have reminded us of how dangerous and fluid the world is. It's become our new normal. War in Europe, climate changes, macroeconomic problems and cyber attacks are just some of our society's issues. Now, in Denmark, we talk a lot about...
People are often asked about estimates in investments, the opening of new business areas, projects and budgeting. The estimates given are subject to uncertainty. No one can tell the exact amount, time etc., that will occur in the future. Despite this...
Inherent risk… residual risk… current risk? When your risk manager or regulatory affairs asks about your “inherent risk”, it highlights a fundamental flaw in qualitative risk assessments. Here’s why - and how to fix it. Although most of us engage in some form of risk...
Changing habits and mindsets take time and persistence. Especially within IT risk management. Again and again, we at ACI meet tonnes of objections to changing behaviour despite witnessing the benefits of moving from qualitative to quantitative. So, I felt...
Communication is difficult, also when it comes to the risk of cyberattacks. The board and management need a clear basis for decision-making, but the communication needs to improve because it is often too technical or too high-level and abstract. Both cases are useless...
A skilled offshore engineer with whom I collaborated gave me a very concrete example of the application of risk appetite. The height of a drilling platform is set according to legislation and standards but also according to the company's risk appetite. How big a wave...