**3.4 Penetration testing reports**

Because risk management is still in its own innovation phase within the technology adoption life-cycle, risk researchers are finding a need to communicate risk in a standardized language. Consider, for example, a penetration test report. Historically, none of the following has existed: (1) a fixed template, (2) a fixed strategy, or (3) a fixed finding language. Such non-standardization leaves reports open to extreme bias and misrepresentation. If every internal or external penetration test is written differently, how can any organization fully understand its own risks? Similarly, if every employee in an organization spoke a different language, how could anything be communicated? Historically, industry has focused on standardizing the description of software vulnerabilities and malicious code patterns. A major gap still exists for the risk management components, including budgeting for financial penalties and legal ramifications.
