The operational risk associated with attacks on a web application should be owned by the individual in charge of the business function, because they are the primary stakeholder and beneficiary of the web application, and they are responsible for defining and achieving the business objectives and requirements that the web application supports or enables. An operational risk is a risk of loss or damage resulting from inadequate or failed internal processes, people, or systems, or from external events. An attack on a web application is a type of operational risk that involves a malicious or unauthorized attempt to compromise the confidentiality, integrity, or availability of the web application, such as a denial-of-service attack, a SQL injection attack, or a cross-site scripting attack. A web application is an application that runs on a web server and can be accessed or used through a web browser, such as an online shopping site, a social media platform, or a web-based email service. A business function is a set of activities or tasks that support or enable the organization's vision, mission, and strategy, such as marketing, sales, or customer service. A risk owner is a person or role that has the authority and accountability to manage a specific risk, and to implement and monitor the risk response and controls. The individual in charge of the business function should be the risk owner, as they have the best understanding and interest of the web application and its business value and impact, and they have the ability and responsibility to manage the operational risk associated with the attacks on the web application. The individual in charge of network operations, the cybersecurity function, or application development are all possible candidates for the risk owner, but they are not the best choice, as they may not have the same level of stake and influence in the web application and its business objectives and requirements, and they may have different or conflicting priorities or perspectives on the operational risk and its management. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 101

The risk practitioner's best course of action after identifying risk scenarios related to noncompliance with new industry regulations is to escalate to senior management, as they have the authority and responsibility to decide on the appropriate risk response and allocate the necessary resources. Transferring the risk, implementing monitoring controls, and recalculating the risk are possible risk responses, but they require senior management approval and direction. References = Risk Scenarios Toolkit, page 19; CRISC Review Manual, 7th Edition, page 107.