6 Issues
In the context of operational risk, an issue is a noun. Oxford dictionary defines an issue primarily as an important topic or problem for debate or discussion. The example provided is global warming. Merriam Webster’s dictionary defines an issue as a vital or unsettled matter, providing the example of economic issue. Both dictionaries have several secondary meanings. Oxford’s secondary definition translates issue directly to problem or difficulty. An example is: users are experiencing connectivity issues. Merriam Webster’s secondary definition also directly translates issue to concern or problem (e.g., issues with a person’s behavior).
These are all in the ballpark of the way cybersecurity risk issues are viewed through the lens of a cybersecurity risk framework. However, the secondary meaning is more germane to a risk issue. A risk issue is a circumstance that provides evidence of the enterprise’s vulnerability to risk. Risk issues are typically control weaknesses but may be any circumstance that indicates potential for an increase in risk. A topic for debate or discussion does not qualify as an identified difficulty or concern, and it is only when concern is undoubtedly justified that an issue receives the adverb “risk.” That said, a cybersecurity issue debated or discussed via scenario analysis can be the starting point for the identification of one or more cybersecurity risk issues.
The distinction between a potential concern and a highly probable event often confuses ...