Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance)

Potential consequences and other aspects of identified risks should be evaluated and prioritized using the risk criteria in a consistent manner. Risks may be categorized by source, type of threat, or another commonality. This analysis helps determine which risks merit the most attention given the organization’s unique operating circumstances, as well as how quickly they should be addressed. A relative priority should be assigned to each risk (perhaps by category) using a consistent prioritization scheme. The intent of prioritization is to determine the cyber risks that most need attention because of their potential to affect operations. Typical components of an approach for risk prioritization include flow diagrams depicting the prioritization process, inputs to and outputs of the process, a list of relevant stakeholders involved in risk prioritization, and a scheme for ranking risks (high, medium, low, etc.). Categorization and prioritization of risks help to right-size the number of risks being managed, as well as the amount of time and effort that an organization devotes to the management of identified cyber risks.

Related Practices · Progression: This practice is part of multiple practice progressions. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in the first progression include: RISK-3a, RISK-3b. · The practices in the second progression include: RISK-3b, RISK-3c, RISK-4c, RISK-4d.