Risk Appetite Assessment Algorithm : A Starting Point for Small And Medium Size Organisation for Understanding Information Security Requirements
Ngekeh, Prisca (2020-06-11)
This publication is subject to copyright. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
open
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2020070146637
Abstract
Risk appetite is an important element of any effective risk management process. It is the foundation on which risk decisions are made, but unfortunately it is not often given the attention it deserves. This could be because of a lack of appreciation of its importance. Without a well-defined risk appetite analysis in place, an organization’s risk assessment process is very likely to result in over- or under-measured security solutions, or in risk decisions that are not in line with the organization's business objectives. This thesis focuses on the importance of risk appetite assessment at an early stage of the risk management process. Although risk management will be discussed in brief, our main focus is risk appetite.
This thesis examines the importance of risk appetite, the reasons why it should be given more attention in organizations, and presents a risk appetite assessment model that can be used by organizations to assess their businesses for an initial high-level description of their risk appetite: how much security is expected, where to focus security resources, etc. This general model can be adapted by small and medium sized organizations for decision making during their risk management process.
Towards the end of the thesis, a sample predictive analysis for an organization’s risk appetite is presented. This model is built and adapted through a supervised machine learning algorithm which learns through experience from the trained data in order to predict the future risk appetite of an organization. Though the accuracy of this prediction model is limited by the small data size, it can be seen that risk appetite is inversely proportional to risk.