How do you communicate security risks to your stakeholders without coming across like a scare tactic?

CTO in Software, 5 years ago

By first communicating in a common, business-oriented language that all stakeholders can understand. Then it's about proper context: that security risks are not static, but elastic, and it's not a binary situation of either being 'secure' or 'not secure', but rather how resilient your systems, networks, and employees are, and having crisp plans of communication and remediation.

Senior Information Security Manager in Software, 5 years ago

Use FAIR. It is a powerful methodology and helps the CSO/CIO/CTO speak and communicate to the board and senior management in a language they understand.

https://www.amazon.com/gp/product/0124202314/ref=as_li_tl?ie=UTF8&tag=benrothkswebp-20&camp=1789&creative=9325&linkCode=as2&creativeASIN=0124202314&linkId=7fd85f49d934fa56b8adaec873bf290c

Vice President of Information and Security in Manufacturing, 5 years ago

I typically break it down to a conversational level that they can easily understand, like using their household as an example of a potential breach, or a vehicle locking mechanism, etc. You have to be able to connect with the audience or you lose them. Hopefully when you have to relay risk, you have already built a relationship with them to have those conversations.

Director Of Technology in Education, 5 years ago

I clearly state to “Respect the mountain”.

We can do everything right and still be unable to fully ascend. How do we communicate COVID-19 risks without coming across like a scare tactic? Same idea. Threats can be mitigated, not necessarily neutralized.
