Acceptable Risk
Definition:
Acceptable risk refers to the level of risk that an organization or individual is willing to tolerate in the context of security, operations, or financial decisions. It is a key consideration in risk management strategies, where risks are weighed against the benefits and costs of mitigating them.
Use Cases:
- Organizations setting security policies that balance potential losses against operational efficiency, particularly the potential loss or disruption of IT systems.
- Deciding which vulnerabilities need immediate attention versus those that can be tolerated based on risk assessment.
Related Terms:
- Risk Assessment
- Mitigation Strategies
Questions and Answers:
- What factors should be considered when determining acceptable risk?
Factors include potential financial loss, operational impact, regulatory requirements, and the likelihood of the risk materializing. If the risk does materialize and mitigation strategies must be chosen, factors such as breach severity, business significance, exposure of other IT resources, and time should be considered. Overall, acceptable risk must account for both inherent and contextual factors for the risk to be adequately assessed and accepted.
- How can acceptable risk be determined?
Acceptable risk can be determined using risk assessment models that combine impact and likelihood metrics, often producing a risk score. The most common methods are quantitative, qualitative, threat-based, vulnerability-based, and asset-based assessments.
Companies usually adhere to a specific standard when assessing risk. For example, US-based companies tend to follow the National Institute of Standards and Technology (NIST) framework, while international organizations may follow the International Organization for Standardization (ISO) template instead.
- What are the consequences of setting an acceptable risk level incorrectly?
Setting the acceptable risk level too high could result in significant financial or operational damage if a risk materializes, because mitigation efforts might be inadequate.
Setting it too low is also undesirable, as overly stringent security measures may hamper business operations and efficiency.
Organizations may also wish to be careful about how they disclose the quantified level of risk, since over-sharing may affect user behavior. Users who learn about a risk may act irrationally and take riskier actions, undermining the accuracy of the acceptable risk level.
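As an added illustration (not part of the original entry) of the scoring approach described under "How can acceptable risk be determined?", the Python below combines a qualitative likelihood-impact score with a quantitative annualized loss expectancy, compares both against an organization's tolerance thresholds, and weighs the cost of a control against the loss it prevents when deciding whether a finding is accepted, mitigated, or escalated. The thresholds, dollar figures and findings are constructed for the example and do not come from NIST or ISO.

```python
from dataclasses import dataclass

# Constructed thresholds standing in for an organization's stated risk tolerance.
ACCEPTABLE_SCORE = 6            # qualitative: likelihood x impact on 1-5 scales
ACCEPTABLE_ALE_USD = 10_000.0   # quantitative: annualized loss expectancy (ALE)
IMMEDIATE_SCORE = 15            # at or above this, remediate regardless of cost


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    sle_usd: float               # single loss expectancy per occurrence
    aro: float                   # annualized rate of occurrence
    mitigation_cost_usd: float   # yearly cost of the control that removes the risk

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot produce a bogus score.
        for field in ("likelihood", "impact"):
            if getattr(self, field) not in range(1, 6):
                raise ValueError(f"{field} must be an integer from 1 to 5")


def risk_score(f: Finding) -> int:
    """Qualitative score: product of the likelihood and impact ratings."""
    return f.likelihood * f.impact


def annualized_loss(f: Finding) -> float:
    """Quantitative score: ALE = SLE x ARO."""
    return f.sle_usd * f.aro


def decide(f: Finding) -> str:
    """Map a finding to 'immediate', 'mitigate', 'accept' or 'accept_with_exception'."""
    score, ale = risk_score(f), annualized_loss(f)
    if score >= IMMEDIATE_SCORE:
        return "immediate"                 # too severe to tolerate at any price
    if score <= ACCEPTABLE_SCORE and ale <= ACCEPTABLE_ALE_USD:
        return "accept"                    # within tolerance on both models
    if f.mitigation_cost_usd <= ale:
        return "mitigate"                  # control is cheaper than the loss it prevents
    return "accept_with_exception"         # control costs more than the loss; document and monitor


def triage(findings):
    """Order findings for review: highest qualitative score first, then highest ALE."""
    return sorted(findings, key=lambda f: (risk_score(f), annualized_loss(f)), reverse=True)


# Constructed sample findings (hypothetical systems and figures).
SAMPLE = [
    Finding("Unpatched internal wiki", 2, 2, 5_000.0, 0.5, 1_200.0),
    Finding("Exposed admin interface on customer portal", 4, 5, 250_000.0, 0.2, 30_000.0),
    Finding("Legacy backup server outage", 3, 3, 40_000.0, 0.25, 4_000.0),
    Finding("Office printer firmware end-of-life", 3, 3, 2_000.0, 1.0, 15_000.0),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.name:45} score={risk_score(f):2} ALE=${annualized_loss(f):>9,.0f} -> {decide(f)}")
```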