Abstract
The ability to determine the amount of risk that an organisation can manage, conveyed through its risk appetite, is noted as important aspect when aligning risk management with the its strategic objectives. Given the different terminology used to define and describe risk, the way it is perceived, communicated and interpreted, it is clear that establishing a coherent risk appetite that truly reflects the organisation’s culture is not a straightforward task.The need to express risk appetite is coupled with the growing requirement for organisations to demonstrate that they are able to ensure information security and promote stakeholder trust; both of which support the need for organisations to be able to establish their information security risk tolerance. How an organisation might do this, and capture it within the
information security policy, was identified as a gap in existing research, to be addressed by this thesis. Using a theoretical framework to construct the literature review, and application of a subsequent conceptual framework that was developed during the course of this research, it enabled the relationships, and interactions between the key risk themes, to be captured and highlighted a gap in the research into the relationship between risk perception and appetite. The research was conducted using a case study organisation, where during a prolonged engagement with the organisation it was possible to analyse four distinct groups of data, including interviews, by using three methods; application of a risk maturity model, thematic analysis and a survey. This enabled the exploration of the mechanisms that were in place to capture the organisations risk exposure, and to identify the tools used in capturing and expressing its risk tolerance.
The findings highlighted that a paradigm shift, away from sole reliance on certification to an ISO Standard, would be required for an organisation to develop a risk environment that is mature enough, to articulate its relationship with risk, that would enable it to establish a risk appetite. Significantly the research identified the relationship between risk perception and risk appetite, and the need for risk appetite theory, which is reflected in practice with the observed and documented difficulties for organisations in articulating and expressing their risk appetites.
| Date of Award | Oct 2021 |
|---|---|
| Original language | English |
| Awarding Institution |
|
| Supervisor | Martina Battisti (Supervisor) & Xiaoti Hu (Supervisor) |