On the role of the Facilitator in information security risk assessment

Cited by: 0
Authors
Lizzie Coles-Kemp
Richard E. Overill
Affiliation
King’s College London, Department of Computer Science
Source
Journal in Computer Virology, 2007, Vol. 3, No. 2
Keywords
Risk Assessment; Business Process; Information Security; Security Management; Business Objective;
DOI
10.1007/s11416-007-0040-6
Abstract
In organisations where information security has historically been part of management, and for which the risk assessment methodologies have been designed, there are established methods for communicating risk. This is the case, for example, in the banking and military sectors. However, in organisations where information security is not embedded into management thinking, and where the relationship between information security and the business is less clear-cut, communicating the risks to the business is less straightforward. In such circumstances it has been observed during field research that information security risk assessments frequently output findings to which the business cannot relate, and the process is consequently often viewed as a “tick box” exercise rather than one that provides real value to the business. In such a situation the information security risk assessment is divorced from the business process and is not embedded into the organisation’s processes or thinking. The research for this paper was undertaken in order to identify what needs to be done to ensure that businesses of this type find the risk assessment process valuable in practice.
Pages: 143-148 (5 pages)