“Plans are of little importance, but planning is essential.”
― Winston Churchill

15 September Blog

9/15/2025

Who Decides the Seriousness of a Cyber Breach or Near Miss?

In today’s hyper-connected world, cyber incidents are inevitable. From near misses to full-scale breaches, organisations must decide quickly: is this a minor inconvenience or a critical event with far-reaching consequences? The answer lies in more than technical analysis—it is anchored in an organisation’s risk appetite.
The Role of Risk Appetite in Cybersecurity
Risk appetite defines the level and type of risk an organisation is prepared to accept in pursuit of its goals. Far from being just a boardroom term, it is a practical tool for evaluating incidents and shaping responses.
A clearly defined risk appetite provides the framework to:
  1. Categorise incidents – Distinguish between tolerable risks and those demanding immediate escalation.
  2. Prioritise responses – Direct resources where they matter most.
  3. Evaluate impact – Understand whether an event threatens strategic objectives.
Who Assesses Seriousness?
Determining the seriousness of a breach or near miss cannot rest with IT alone. It requires a multidisciplinary view, bringing together:
  • Cybersecurity teams to analyse technical details and recurrence risks.
  • Risk management teams to measure incidents against risk thresholds.
  • C-Suite and the Board to decide if an event exceeds the organisation’s tolerance.
  • Legal and compliance teams to ensure regulatory obligations are met.
  • HR and culture leads to gauge the impact on employee trust and resilience.
Key Criteria for Assessment
When integrating risk appetite into decision-making, leaders should consider:
  1. Alignment with tolerance levels
    • Acceptable: Falls within agreed thresholds.
    • Unacceptable: Requires escalation to senior leadership or external experts.
  2. Nature and scope
    • Confidentiality: Was sensitive data accessed or exposed?
    • Integrity: Could confidence in data accuracy be undermined?
    • Availability: Did systems fail or risk downtime?
  3. Potential business impact
    • Financial: Does the cost exceed acceptable loss limits?
    • Operational: Has a core process been disrupted?
  4. Regulatory and reputational consequences
    • Regulatory: Does the event trigger reporting obligations?
    • Reputation: Could customer trust or brand perception suffer?
  5. Human-centric impact
    • Employees: Has staff confidence or personal data been affected?
    • Customers: Has the organisation’s security posture been undermined?
Near Misses: Lessons Waiting to Be Learned
Near misses are not “non-events.” They are early warnings that deserve attention. By analysing them through the lens of risk appetite, organisations can:
  • Identify vulnerabilities before they become breaches.
  • Adjust thresholds if threat trends evolve.
  • Strengthen a proactive, learning-based security culture.
Who Makes the Final Call?
While technical and compliance teams provide essential input, the final decision rests with leadership and the board. Guided by risk appetite, they determine whether an incident is minor, manageable, or business-critical.
A Framework for Consistency
To avoid confusion, organisations should formalise a risk-aligned classification model:
  • Critical – Far beyond risk appetite; jeopardises continuity or safety.
  • High – Exceeds risk appetite; requires urgent action.
  • Moderate – Within risk appetite but demands monitoring.
  • Low – Fully tolerable, minimal intervention required.
This structured approach ensures both breaches and near misses are assessed in context, rather than in isolation.
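One way to make the four-tier model repeatable is to encode the board's agreed thresholds as data and let a triage routine map the assessment criteria above (confidentiality, integrity, availability, financial and operational impact, regulatory triggers, continuity) onto Critical/High/Moderate/Low. The code below is an added illustration, not Cyberplanz's own model or tooling: the `RiskAppetite` thresholds, the `Incident` fields, the rule ordering and the sample incidents are all constructed assumptions. It also handles the near-miss case from the previous section: a near miss is scored as if it had fully materialised, and that potential tier is kept on record, but it is logged as Moderate so it stays on the monitoring list rather than being filed as a non-event.

```python
"""Risk-appetite-driven incident triage (illustrative example, not Cyberplanz's model)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    """The four tiers of the classification model, ordered so max() picks the worst."""
    LOW = 0
    MODERATE = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class RiskAppetite:
    """Thresholds leadership has agreed to tolerate (constructed sample values)."""
    acceptable_loss_nzd: float            # financial loss tolerated without escalation
    max_core_downtime_hours: float        # availability tolerance for a core process
    personal_data_exposure_tolerated: bool = False


@dataclass
class Incident:
    """Facts the cyber, risk, legal and HR teams establish about an event."""
    description: str
    near_miss: bool = False               # controls held; other fields say what *would* have happened
    sensitive_data_exposed: bool = False
    personal_data_exposed: bool = False
    integrity_undermined: bool = False
    core_process_disrupted: bool = False
    downtime_hours: float = 0.0
    estimated_loss_nzd: float = 0.0
    regulatory_reporting_triggered: bool = False
    continuity_or_safety_at_risk: bool = False


@dataclass
class Triage:
    severity: Severity                    # tier to record and act on now
    potential_severity: Severity          # tier had the event fully materialised
    reasons: list[str] = field(default_factory=list)


def classify(incident: Incident, appetite: RiskAppetite) -> Triage:
    """Map incident facts onto the tiers. Each rule can only raise the tier, so the
    worst triggered criterion wins; a near miss is capped at MODERATE for monitoring."""
    level = Severity.LOW
    reasons: list[str] = []

    def raise_to(tier: Severity, why: str) -> None:
        nonlocal level
        reasons.append(f"{tier.name}: {why}")
        level = max(level, tier)

    # Critical: far beyond appetite, continuity or safety in jeopardy
    if incident.continuity_or_safety_at_risk:
        raise_to(Severity.CRITICAL, "business continuity or safety is jeopardised")
    # High: an agreed threshold has been exceeded, urgent action needed
    if incident.regulatory_reporting_triggered:
        raise_to(Severity.HIGH, "event triggers a regulatory reporting obligation")
    if incident.personal_data_exposed and not appetite.personal_data_exposure_tolerated:
        raise_to(Severity.HIGH, "personal data exposed; appetite does not tolerate this")
    if incident.estimated_loss_nzd > appetite.acceptable_loss_nzd:
        raise_to(Severity.HIGH, f"loss {incident.estimated_loss_nzd:.0f} NZD exceeds "
                                f"acceptable loss {appetite.acceptable_loss_nzd:.0f} NZD")
    if incident.core_process_disrupted and incident.downtime_hours > appetite.max_core_downtime_hours:
        raise_to(Severity.HIGH, f"core process down {incident.downtime_hours}h, "
                                f"beyond {appetite.max_core_downtime_hours}h tolerance")
    # Moderate: within appetite but demands monitoring
    if incident.core_process_disrupted or incident.downtime_hours > 0:
        raise_to(Severity.MODERATE, "availability affected within tolerance")
    if incident.integrity_undermined:
        raise_to(Severity.MODERATE, "confidence in data accuracy is undermined")
    if incident.sensitive_data_exposed:
        raise_to(Severity.MODERATE, "sensitive (non-personal) data exposed within tolerance")

    potential = level
    if incident.near_miss and level > Severity.MODERATE:
        reasons.append(f"near miss: would have been {potential.name}; recorded as MODERATE for monitoring")
        level = Severity.MODERATE
    return Triage(level, potential, reasons)


# Constructed sample appetite and incidents, for illustration only
BOARD_APPETITE = RiskAppetite(acceptable_loss_nzd=50_000, max_core_downtime_hours=4)
SAMPLE_INCIDENTS = [
    Incident("Phishing mail quarantined before delivery", near_miss=True),
    Incident("Mailbox rule forwarded customer records externally",
             sensitive_data_exposed=True, personal_data_exposed=True, regulatory_reporting_triggered=True),
    Incident("Ransomware blocked by EDR; payload would have hit the ERP", near_miss=True,
             core_process_disrupted=True, downtime_hours=72, continuity_or_safety_at_risk=True),
    Incident("Misconfigured report job wrote stale stock figures", integrity_undermined=True),
]


def triage_all(incidents: list[Incident], appetite: RiskAppetite) -> dict[str, Triage]:
    return {i.description: classify(i, appetite) for i in incidents}


if __name__ == "__main__":
    for desc, t in triage_all(SAMPLE_INCIDENTS, BOARD_APPETITE).items():
        print(f"{t.severity.name:9} (potential {t.potential_severity.name:9}) {desc}")
        for r in t.reasons:
            print("   -", r)
```

The point of returning `reasons` alongside the tier is governance, not convenience: the board still makes the final call, and the list shows exactly which appetite threshold each rating rests on, so a disputed classification can be traced back to a specific threshold rather than to an analyst's judgement. Changing a threshold in `RiskAppetite` (for example after a near-miss review shows the tolerance was set too loosely) re-rates every incident consistently.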
Conclusion
Determining the seriousness of a cyber incident is not just a technical exercise—it is a strategic decision. By embedding risk appetite into incident evaluations, organisations can respond in ways that align with their operational priorities, compliance requirements, and cultural values.
The key question for leaders is this: Does your organisation actively apply its risk appetite when assessing cyber incidents—or are near misses slipping by as missed opportunities?
    Author

    Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

    Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.
