Educause Security Discussion mailing list archives

Risk Tolerance


From: David Eilken <david.eilken () DOMAIL MARICOPA EDU>
Date: Tue, 6 Aug 2019 11:26:08 -0700

All,

I'm looking to better understand an appropriate level of risk tolerance for
educational institutions; in particular for a large sprawling college that
does not do much research (lots of PII, little IP).

I thought it would be good to ask two simple questions. First, what do you feel
is your org's risk tolerance on a scale of 1-10? Ten being that you have
information security concerns but don't allocate specific budget for it and
are comfortable accepting high levels of cyber risk.

Second, although the Educause Security Almanac states an average of 3.6% of
IT budget is allocated to IS, it would be interesting to know if you feel
that you have the resources to obtain/maintain a reasonable level of PPT
(People, Processes, and Technology) for IS that appropriately balances the
costs of reducing cyber risks.

As always thanks,
Dave
