Balancing Risk Appetite And Risk Attitude In Requirements: A Framework For User Liberation

The tendency to throw controls at perceived and real system vulnerabilities, coupled with the likelihood of these controls being technical in nature, has the propensity to favour security over usability. However there is little evidence of increased assurance and it could encourage work stoppages or deviations that keep honest users from engaging with the system. The conflicting balance of trust and controls, and the challenge of turning that balance into clear requirements, creates an environment that alienates users and feeds the paranoia of actors who assume more ownership of the system than necessary. Security therefore becomes an inhibitor rather than an enabler for the community. This paper looks at measuring the balance of an organisation’s or a community’s risk appetite with the risk attitudes of its members in the early stages of IS development. It suggests how the dials of assurance can be influenced by the levers of good systems practice to create a cultural shift to trusting the users.