ASIS International
Engagement with Corporate Decision-Makers in Security Risk Management
Pages
2
Time to read
5 mins
Publication
Language
English
This technical report investigates the engagement of security professionals with corporate decision-makers in the context of security risk management. It examines 27 standards and guidelines related to security and risk management to identify common themes and limitations. The findings indicate that many existing models do not explicitly identify the decision-maker, leading to an assumption that security professionals themselves are the decision-makers. The report highlights that senior executives, rather than security managers, typically hold the decision-making authority regarding security risk management. It emphasizes the need for security professionals to engage more effectively with these decision-makers to align their risk assessments with organizational objectives. The study also points out that current models lack clear guidance on how to identify and communicate with key decision-makers, which can lead to incongruences in the information presented to them. Overall, the report calls for adjustments to security risk models to better reflect the organizational structure and decision-making processes.