2a: Risk Evaluation
What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain. How should the business use the risk profile?