Articulating Risk Appetite

Articulating the University's information risk appetite involves a series of strategic activities and
requires specific resources to effectively carry out these tasks. Here's a breakdown of the
activities and the resources needed:

1. Risk Assessment and Analysis:
   • Activity: Conducting comprehensive risk assessments to identify and evaluate potential cyber threats and vulnerabilities.
   • Resources:
      • Skilled cybersecurity professionals or consultants to perform the assessments.
      • Risk assessment tools and frameworks to facilitate the analysis.
      • Access to relevant data and documentation regarding the university's ICT infrastructures and information assets.
2. Stakeholder Engagement and Consultation:
   • Activity: Engaging key stakeholders across different departments and levels of the university to understand their perspectives on information risk and gather input on risk appetite.
   • Resources:
      • Communication and collaboration tools for facilitating discussions and gathering feedback.
      • Time and effort from stakeholders to participate in meetings and provide input.
      • Facilitation skills to ensure productive discussions and consensus-building.
3. Policy Development and Documentation:
   • Activity: Developing formal policies and guidelines that define the university's information risk appetite, including acceptable levels of risk tolerance and mitigation strategies.
   • Resources:
      • Expertise in cybersecurity policy development and regulatory compliance.
      • Access to templates and best practices for drafting effective policies.
      • Legal review to ensure alignment with relevant laws and regulations.
4. Risk Appetite Definition and Articulation:
   • Activity: Defining and articulating the university's information risk appetite based on the findings from risk assessments and stakeholder consultations.
   • Resources:
      • Analytical skills to interpret risk assessment results and align them with organizational goals and priorities.
      • Communication skills to effectively convey the risk appetite to stakeholders and decision-makers.
      • Documentation tools for formalizing the risk appetite statement.
5. Education and Awareness Training:
   • Activity: Providing training and awareness programs to educate staff and students about the university's information risk appetite and their roles in maintaining cyber resilience.
   • Resources:
      • Training materials and resources on cybersecurity best practices and risk management.
      • Training facilitators or subject matter experts to deliver sessions.
      • Communication channels to disseminate information and updates about the risk appetite.
6. Monitoring and Review Mechanisms:
   • Activity: Implementing mechanisms to monitor and review adherence to the defined risk appetite, track changes in the risk landscape, and update risk management strategies accordingly.
   • Resources:
      • Monitoring tools and technologies for detecting cybersecurity threats and incidents.
      • Data analytics capabilities to analyze trends and patterns in cyber threats.
      • Regular review meetings involving relevant stakeholders to assess the effectiveness of risk management efforts and adjust strategies as needed.

By allocating the necessary resources and undertaking these strategic activities, the university
can effectively articulate its information risk appetite and enhance its cyber resilience posture.