Cybersecurity Risk Management & Materiality Determination

Controls are the nexus of a cybersecurity and data privacy program, so it is vitally important to understand how cybersecurity and data privacy controls should be viewed from a high-level risk management perspective. ComplianceForge provides the information on this page, including a whitepaper on the topic, to help educate cybersecurity practitioners on practical approaches to implement and manage cybersecurity risk.

Key Takeaways - Cybersecurity Risk Management & Materiality
  • Risk Tolerance is the acceptable level of variation from the risk threshold; Risk Threshold is the line between acceptable and unacceptable risk; Risk Appetite is how much risk the organization is willing to accept.
  • Risk is calculated as Occurrence Likelihood (OL) × Impact Effect (IE) to quantify the potential magnitude of a risk materializing.
  • Materiality determines which risks actually matter to your organization and how to communicate them to executives and boards.
  • Risks can be managed by avoiding, reducing, transferring, or accepting - the appropriate management level must make these decisions.
  • In practical terms, a risk is associated with a control deficiency - if the control fails, what risk(s) is the organization exposed to?

Foundational Concepts

Risk Tolerance vs Risk Threshold vs Risk Appetite

The alternative to risk management is crisis management. The information on this page exists to provide practical guidance on Enterprise Risk Management (ERM) for cybersecurity and data privacy practitioners, specifically focused on how to align risk appetite, risk tolerance and risk thresholds with an organization's strategic, operational and tactical business planning activities. What is presented is a holistic approach that has practical applications. There are a lot of terms in cybersecurity and three (3) of the top misused terms are:

Risk Appetite

The amount and type of risk that an organization is willing to pursue or retain in order to achieve its strategic objectives. This is a strategic-level decision made by executive leadership and the board. It defines the organization's overall comfort level with risk-taking.

Risk Threshold

The specific boundary or line between acceptable and unacceptable risk. The threshold is the measurable point at which risk levels trigger escalation, remediation, or executive decision-making. It operationalizes the risk appetite into actionable criteria.

Risk Tolerance

The acceptable level of variation from the risk threshold that the organization can sustain. Tolerance acknowledges that risk is not perfectly controllable and allows for some fluctuation around the threshold without triggering a crisis response.

The concepts of risk appetite, risk tolerance and risk thresholds are not independent terms that are meant to stand by themselves, since they share a dependency that needs to be understood to create a coherent risk management strategy. Likewise, those terms are also directly linked to strategic, operational and tactical decision making.

Organizations invest in cybersecurity and data privacy as a necessity. This necessity is driven in large part by statutory, regulatory and contractual requirements. It is also driven by the desire to protect the organization's brand from acts that would harm its public image. Regardless of the reason, the base expectation is that those charged with developing, implementing and governing the cybersecurity and data privacy functions are doing so in a reasonable manner that would withstand scrutiny from an external auditor, regulator or prosecuting attorney.

Key Insight - A Risk Practitioner's Playbook (Strategic, Operational & Tactical Risk Management)

Risk appetite is set by the board, risk threshold operationalizes it into measurable criteria, and risk tolerance allows for acceptable variation. Without clearly defining all three, organizations cannot make consistent risk management decisions.

Before diving into that discussion, it is important to baseline some underlying concepts that come into play when describing "What is meant by managing risk?" Risk management involves coordinated activities that optimize the management of potential opportunities and adverse effects. The alternative to risk management is crisis management. Risk management provides a way of realizing potential opportunities without exposing an organization to unnecessary peril.

The following whitepaper delves into a viable method to align risk appetite, risk tolerance and risk thresholds with your organization's strategic, operational and tactical business planning activities:

Defining Risk

What Is A Risk?

In the context of cybersecurity risk management practices, “risk” is defined as:

Noun

A situation where someone or something valued is exposed to danger, harm or loss.

Verb

To expose someone or something valued to danger, harm or loss.

In the context of this definition of risk, it is important to define the underlying components of this definition:

Danger

State of possibly suffering harm or injury.

Harm

Material / physical damage.

Loss

Destruction, deprivation or inability to use.

Defining Threat

What Is A Threat?

In the context of cybersecurity risk management practices, “threat” is defined as:

Noun

A person or thing likely to cause damage or danger.

Verb

To indicate impending damage or danger.

Risk vs Threat

How Is A Risk Different From A Threat?

Risks and threats both tie into cybersecurity and data protection controls, but it is important to understand the differences:

Risks

Exist due to the absence of or a deficiency with a control.

Threats

Affect the ability of a control to exist or operate properly.

If you want to learn more about threats vs vulnerabilities vs risks, we have a page that describes that in greater detail.

Defining Risk Tolerance

What Is Risk Tolerance?

Unlike risk appetite, risk tolerance is objective in nature. While risk appetite is conceptual, risk tolerance is based on objective criteria. Defining objective criteria is a necessary step to be able to categorize risk on a graduated scale.

Establishing objective criteria to quantify the impact of a risk enables risk assessments to leverage those same criteria and assist decision-makers in their risk management decisions (e.g., accept, mitigate, transfer or avoid).

From a graduated scale perspective, it is possible to define "tolerable" risk criteria to create a few useful categories of risk:

• Low risk;
• Moderate risk;
• High risk;
• Severe risk; and
• Extreme risk.

The objective criteria that go into defining what constitutes a low, moderate, high, severe or extreme risk include:

• Impact Effect (IE); and
• Occurrence Likelihood (OL).

The six (6) categories of OL are:

• Remote possibility;
• Highly unlikely;
• Unlikely;
• Possible;
• Likely; and
• Almost certain.

The six (6) categories of IE are:

1. Insignificant;
2. Minor;
3. Moderate;
4. Major;
5. Critical; and
6. Catastrophic.

Three (3) general approaches are commonly employed to estimate OL:

• Relevant historical data;
• Probability forecasts; and
• Expert opinion.

Defining Risk Threshold

What Is A Risk Threshold?

Risk thresholds are directly tied to risk tolerance. As the graphic at the top of the page depicts, there is a threshold between the different levels of risk tolerance. Establishing thresholds brings the "graduated scale perspective" to life.

Defining Risk Appetite

What Is Risk Appetite?

Risk appetite is more of a management statement and is subjective in nature. Similar in concept to how a policy is a "high-level statement of management intent," an organization's stated risk appetite is a high-level statement of how much of all, or of certain types of, risk the organization is willing to accept. Risk appetites exist as a guiderail from an organization's executive leadership to inform personnel about what is and is not acceptable, in terms of risk management. Reviewing current risk status against target risk appetite is useful for seeing how well cybersecurity practices operate and which practice areas deviate from expectations.

Examples of an organization stating its risk appetite:

• "[organization name] is a low-risk organization!"
• "[organization name] will avoid any activities that could harm its customers."

It is important to know that in many immature risk programs, risk appetite statements are divorced from reality. Executive leaders mean well when they put out risk appetite statements, but the Business As Usual (BAU) practices routinely violate the risk appetite.

Examples of an organization violating its risk appetite:

• Technical debt;
• Dysfunctional management decisions;
• Insecure practices;
• Inadequate funding/resourcing;
• Improperly scoped support contracts (e.g., MSPs, consultants, vendors, etc.); and
• Lack of pre-production security testing.

In a mature risk program, the results of risk assessments are evaluated with the organization's risk appetite in mind. For example, if the organization has a "moderate risk appetite" and there are several findings in a risk assessment that are high risk, then action must be taken to reduce the risk, since it cannot be accepted. Accepting a high risk would violate the moderate risk appetite set by management. In reality, that leaves remediation, transferring or avoiding as the remaining three (3) options.

Looking at the previous graphic from a risk appetite perspective, an organization that wants to follow a "moderate risk appetite" establishes constraints for allowable and prohibited activities, based on the potential harm to the organization.

Risk Tolerance vs Risk Threshold vs Risk Appetite

How Is Risk Tolerance Different From A Risk Threshold Or Risk Appetite?

According to NIST's glossary:

Risk Appetite is defined as:

"the types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value."

Risk Tolerance is defined as:

"the level of risk an entity is willing to assume in order to achieve a potential desired result."

Risk Threshold is defined as:

"the values used to establish concrete decision points and operational control limits to trigger management action and response escalation."

Quantifying Risk

The Risk Calculation Formula

Not all controls are weighted equally. It is vitally important that personnel representing the Risk Management function are involved in assigning weight to each control. For example, a fully-patched border firewall should be considered a more important control than end-user awareness posters. This weighting is necessary to ensure risk assessment results accurately support the organization's risk tolerance threshold.

Risk is often quantified using a straightforward formula that attempts to measure the potential magnitude of a risk instance materializing:

Occurrence Likelihood (OL)

The probability that a given threat will exploit a vulnerability or that a control deficiency will be exploited. This considers the threat landscape, existing controls, historical data, and environmental factors. Often expressed on a scale (e.g., 1–5 or Low/Medium/High).

Impact Effect (IE)

The potential negative consequences if the risk materializes. This considers financial loss, reputational damage, operational disruption, legal/regulatory penalties, and harm to individuals. Must be evaluated in the context of the organization's specific business operations.

RISK = OL × IE

Occurrence Likelihood (OL) × Impact Effect (IE) = Risk Magnitude

Managing Risk

Risk Treatment Options

While it is not possible to have a totally risk-free environment, risks can be managed through four treatment options. The appropriate level of management must make the risk treatment determination.

Reduce

Implement additional controls or strengthen existing ones to reduce the risk to an acceptable level within the organization's threshold.

Avoid

Eliminate the risk entirely by discontinuing the activity, process, or technology that creates the exposure.

Transfer

Shift the risk to another party through insurance, outsourcing, contractual arrangements, or other mechanisms.

Accept

Formally acknowledge the risk and accept it within the organization's risk tolerance. Must be documented and approved by the appropriate management level.

Example

Let's take a look at a theoretical company, ACME, that is experimenting with Artificial Intelligence (AI) to strengthen its products and/or services. ACME's long-standing risk appetite is relatively conservative, where ACME draws a hard line that any risk over moderate is unacceptable. Additionally, ACME has no tolerance for any activities that could harm its customers.

Given the changes necessary to ramp up both talent and technology to put the appropriate solutions in place to meet ACME's deadlines, there are gaps/deficiencies. When the risk management team assesses the associated risks, the results identify a range of risks from high to extreme. The reason for this is simply the higher occurrence likelihood of emergent behaviors that could potentially harm individuals (e.g., catastrophic impact effect). The results are objective and tell a compelling story that there is a realistic chance of significant damage to ACME's reputation.

With those results, it is a management decision. What does ACME's CEO / Board of Directors (BoD) do?

• Dispense with its long-standing risk appetite for this specific project so that a potentially lucrative business opportunity can exist?
• Is the AI project cancelled, due to the level of risk?

If the CEO/BoD proceeds with accepting the risk, is it violating its fiduciary duties, since it is accepting risk it previously deemed unacceptable? Additionally, would ACME be considered negligent for accepting high, severe or extreme risk (e.g., would a rational individual under similar circumstances make the same decision)?

These are all very real topics that need to be considered, and how risk is managed has significant legal and financial implications.
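The following is a worked example, added here and not from this page or the SCF, of the RISK = OL × IE formula, the four treatment options and the ACME scenario above. The 1..6 scoring of the OL and IE category names, the magnitude ceilings used as risk thresholds, the Finding record and the three ACME findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Six OL and six IE categories from the page, scored 1 (lowest) to 6 (highest).
# The numeric scoring itself is an assumption made for this example.
OL_SCALE = {
    "remote possibility": 1, "highly unlikely": 2, "unlikely": 3,
    "possible": 4, "likely": 5, "almost certain": 6,
}
IE_SCALE = {
    "insignificant": 1, "minor": 2, "moderate": 3,
    "major": 4, "critical": 5, "catastrophic": 6,
}

# The five-step graduated scale is from the page; the magnitude ceilings that
# separate the steps (the "risk thresholds") are an illustrative assumption.
RISK_LEVELS = ["low", "moderate", "high", "severe", "extreme"]
RISK_THRESHOLDS = [(4, "low"), (9, "moderate"), (16, "high"),
                   (25, "severe"), (36, "extreme")]

def risk_magnitude(ol: str, ie: str) -> int:
    """RISK = OL x IE, using the category names from the page."""
    return OL_SCALE[ol.lower()] * IE_SCALE[ie.lower()]

def risk_level(magnitude: int) -> str:
    """Map a magnitude (1..36) onto the graduated scale via the thresholds."""
    for ceiling, level in RISK_THRESHOLDS:
        if magnitude <= ceiling:
            return level
    raise ValueError(f"magnitude {magnitude} is outside the 1..36 scale")

def treatment_options(level: str, appetite: str) -> list:
    """Appetite is the highest level management will accept. A finding above
    it cannot be accepted, which leaves reduce, transfer or avoid."""
    options = ["reduce", "transfer", "avoid"]
    if RISK_LEVELS.index(level) <= RISK_LEVELS.index(appetite):
        options.append("accept")
    return options

@dataclass
class Finding:
    control_deficiency: str  # a risk is always tied to a control deficiency
    ol: str
    ie: str

def assess(findings, appetite: str) -> list:
    """Return (deficiency, magnitude, level, allowed treatments), worst first."""
    rows = []
    for f in findings:
        mag = risk_magnitude(f.ol, f.ie)
        lvl = risk_level(mag)
        rows.append((f.control_deficiency, mag, lvl, treatment_options(lvl, appetite)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed findings for the page's hypothetical ACME AI project.
ACME_FINDINGS = [
    Finding("no pre-production testing of emergent AI behaviour that could harm individuals",
            "likely", "catastrophic"),
    Finding("AI supply-chain components not vetted before deployment", "possible", "major"),
    Finding("stale end-user awareness material", "unlikely", "minor"),
]

if __name__ == "__main__":
    for deficiency, mag, lvl, opts in assess(ACME_FINDINGS, appetite="moderate"):
        print(f"{mag:>2} {lvl:<8} {', '.join(opts):<32} {deficiency}")
```

With ACME's moderate appetite, the two findings scored high and extreme come back without an "accept" option, which is exactly the management decision the scenario poses.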

Defining Materiality

What Is Cybersecurity Materiality?

This brings up the concept of "cybersecurity materiality" as it pertains to the governance of an organization's cybersecurity and data privacy controls.

With the recent statement on public company cybersecurity disclosures by the US Securities and Exchange Commission (SEC), the concept of cybersecurity materiality has taken on an enhanced sense of importance. The new SEC requirements affect publicly traded companies in two (2) ways:

• Periodic disclosures of the company's cybersecurity-related risk management, strategy and governance practices; and
• Disclosure of material cybersecurity incidents (disclosure will be via a Form 8-K filing).

Defining Material Weakness

What Is A Material Weakness?

Specific to cybersecurity and data protection, the Secure Controls Framework (SCF) defines a material weakness as: "A deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data protection controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance."

Key Points
• When there is an existing deficiency (e.g., control deficiency) that poses a material impact, that is a material weakness (e.g., inability to maintain access control, lack of situational awareness to enable the timely identification and response to incidents, lacking pre-production control validation testing, etc.).
• A material weakness will be identified as part of a gap assessment, audit or assessment as a finding due to one or more control deficiencies.
• A material weakness should be documented in an organization's Plan of Action & Milestones (POA&M), risk register, or similar tracking mechanism used for remediation purposes.

Defining Material Control

What Is A Material Control?

When a deficiency, or absence, of a specific control poses a material impact, that control is designated as a material control. A material control is such a fundamental cybersecurity and/or data protection control that:

• It is not capable of having compensating controls; and
• Its absence, or failure, exposes an organization to such a degree that it could have a material impact.

Defining Material Risk

What Is A Material Risk?

When an identified risk poses a material impact, that is a material risk. A material risk:

• Is a quantitative or qualitative scenario where the exposure to danger, harm or loss has a material impact (e.g., significant financial impact, potential class action lawsuit, death related to product usage, etc.); and
• Should be identified and documented in an organization's "risk catalog" that chronicles the organization's relevant and plausible risks.

Defining Material Threat

What Is A Material Threat?

When an identified threat poses a material impact, that is a material threat. A material threat:

• Is a vector that causes damage or danger that has a material impact (e.g., poorly governed Artificial Intelligence (AI) initiatives, nation state hacking operations, dysfunctional internal management practices, etc.); and
• Should be identified and documented in an organization's "threat catalog" that chronicles the organization's relevant and plausible threats.

Defining Material Incident

What Is A Material Incident?

When an incident poses a material impact, that is a material incident. A material incident is an occurrence that does or has the potential to:

• Jeopardize the Confidentiality, Integrity, Availability and/or Safety (CIAS) of a system, application, service or the data that it processes, stores and/or transmits with a material impact on the organization; and/or
• Constitute a violation, or imminent threat of violation, of an organization's policies, standards, procedures or acceptable use practices that has a material impact (e.g., malware on sensitive and/or regulated systems, emergent AI actions, illegal conduct, business interruption, etc.).