Next steps

Technology and project management domains have adopted positive risks into their risk assessment processes, but the cybersecurity industry has historically excluded them. Positive risks can result in positive business outcomes, and the cybersecurity industry must transition to embrace positive risk and realize the benefits.

You can start communicating positive risks immediately in all communications. For instance, risk assessments, security assessments, or status reports should include a section on positive risks. Funding requests to executive leadership should include positive risks, communicate the potential benefits to the business and highlight any potential business advantages gained by approving the request.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Cybersecurity risk response

FAQ