David Cao
26 May 2026
Risk • Communication • Stakeholders

Risk Communication for People Who Do Not Read Risk Registers for Fun

Explaining security risk to non-technical stakeholders without turning every issue into smoke, sirens, and theatre.

Most people do not read risk registers for fun. This is healthy behaviour.

When explaining security risk, I try to start with impact instead of jargon. What could happen? Who would care? What would it interrupt? What decision is needed?

Likelihood is harder. Nobody owns a crystal ball, and pretending otherwise makes the whole conversation weaker. It is better to explain the signals that feed the estimate: exposure (is the thing reachable, and by whom), existing controls (what already stands in the way), known activity (is anyone actually exploiting this, here or elsewhere), business impact (what it would cost if it landed), and how much uncertainty remains after all of that.

The language should stay calm even when the issue is serious. Panic makes people defensive. Vague comfort makes people careless. Clear treatment options, with what each one costs and what it buys (fix it now, mitigate and schedule the fix, accept the risk with an owner and a review date, or stop doing the thing entirely), are usually more useful than another paragraph of technical smoke.