Risk Analysis is the
process of ensuring that the security
controls for a system are
aligned with the risks it actually faces.
Business Issues
Security should be addressed
by both the business and IT
management teams. Business management
is responsible for decisions
about the level of security risk
that the enterprise is willing
to accept at a given time (which
involves consideration of potential
business impact). IT management
is responsible for decisions
about the specific controls
and how they are applied.
By obtaining information from
different business
units, a Risk Analysis aids
communication and facilitates
decision making. Risk Analysis
relates security directly to
business issues.
Security Awareness
A Risk Analysis will actively
involve a wide range of staff,
and will place security on the
agenda for discussion and increase
security awareness within the
enterprise.
Security should be properly
targeted, and directly related
to potential impacts, threats,
and existing vulnerabilities.
Failure to achieve this could
result in excessive or unnecessary
costs, or in spending on controls
that do not address the real exposure.
Risk Analysis promotes
a far better understanding of
security issues and facilitates
related decisions.
This applies not only to
where resources should be directed
within a particular system,
but also to which business systems
should receive them.
By performing Risk Analysis
across multiple business units,
it is possible to quickly establish
the areas of greatest risk to
the enterprise as a whole.
"Problems aside, we are
rapidly approaching a situation
where risk management is no
longer an option. In a highly
competitive business environment,
companies cannot afford to have
costly or inappropriate security.
Effective risk management can
be nothing less than the defense
of company profitability."
- Dr P G Dory, former Head of
Information Security, Barclays
Bank PLC