What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
Comments
Shubham Patil says
According to ISACA Reading 1: “Risk IT Framework”
Acceptance means that no action is taken relative to a particular risk, and loss is accepted when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed decision has been made by management to accept it as such.
If an enterprise adopts a risk acceptance stance, it should carefully consider who can accept the risk—even more so with IT risk.
IT risk should be accepted only by business management (and business process owners) in collaboration with and supported by IT, and acceptance should be communicated to senior management and the board. If a particular risk is assessed to be extremely rare but very important (catastrophic) and approaches to reduce it are prohibitive, management can decide to accept it.
Using the established IT risk tolerance thresholds as a guide, decide whether to accept the remaining risk exposure level. Consider relevant information from risk analysis reports such as loss probabilities and ranges, risk response options, cost/benefit expectations, and the potential effects of risk aggregation. Discuss with impacted business process owners and together examine the risk-return ratios, and determine where to spend the risk budget on ‘known’ risks to allow acceptance of the unknown risk. Obtain business agreement on risk acceptance or, if no acceptance, the appropriate risk response requirements. Document how risk was considered in the decision and the rationale for any exceptions to risk tolerance (e.g., significant strategic business opportunity). Ensure that risk acceptance decisions and risk response requirements are communicated across organizational lines in accordance with established enterprise risk and corporate governance policies and procedures.
According to VACCA Chapter 34 “Risk Management”
Risk acceptance criteria depend on the organization’s policies, goals, and objectives, and the interest of its stakeholders. When developing risk acceptance criteria, the organization should consider business criteria, legal and regulatory aspects, operations, technology, finance, and social and humanitarian factors. Key roles in this organization are the senior management, the chief information officer, the system and information owners, the business and functional managers, the information systems security officers, the IT security practitioners, and the security awareness trainers (security/subject matter professionals). Additional roles that can be explicitly defined are those of the risk assessor and of the security risk manager.
Elizabeth Gutierrez says
Hi Shubham,
I like how you pointed out the difference between being ignorant of a risk and accepting one. You also mentioned the idea of risk tolerance, which we discussed in class. To add to your discussion, acceptable information system security risk is reflective of the “risk appetite” or risk tolerance an enterprise has in relation to internal and external risks. Basically, I view it as a benefit-cost analysis. I also pointed out that another way an organization can determine risk is through magnitude and frequency. If the magnitude is high but the frequency is low, then it is acceptable; on the contrary, if the magnitude is low but the frequency is high, then it is unacceptable.
Elizabeth Gutierrez says
Acceptable information system security risk can be defined as “that risk for which the probability of a hazard related incident or exposure occurring and the severity of harm or damage that may result are as low as reasonably practicable and tolerable in the setting being considered.” The purpose of acceptable information system security risk is to mitigate said risk to a tolerable level that the company can control and have an action plan for how to handle it. Within the organization, I believe that the chief information officer / director of IT determines what is an acceptable level of risk because their role is to create and maintain the security policies for their organization. Additionally, it is the responsibility of security professionals to work with management to have a clear understanding of what is the maximum overall exposure to risk that should be accepted. For every company, risk acceptance differs because it depends on the organization’s policies, goals, and objectives, and the interest of its stakeholders. An organization determines what is an acceptable level of risk by measuring magnitude and frequency and by using the following formula: Risk = Threat × Vulnerability × Impact.
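The decision procedure quoted above from the Risk IT Framework (compare the remaining exposure to the tolerance threshold, weigh the cost of a response against the loss it removes, and check the aggregate against the risk budget) and the magnitude-times-frequency view in the comment above can be worked through in code. The following is an added example, not code from the original discussion or from ISACA; the risk names, frequencies, loss magnitudes, response costs, tolerance and budget figures are all constructed for illustration.

```python
"""Risk acceptance decision against a tolerance threshold.

Added example, not part of the original discussion. All figures below are
constructed for illustration; plug in the organization's own estimates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    frequency: float           # expected occurrences per year
    magnitude: float           # loss per occurrence, in dollars
    response_cost: float       # annual cost of the best available response
    residual_frequency: float  # frequency if the response is applied
    residual_magnitude: float  # magnitude if the response is applied

    def expected_loss(self) -> float:
        """Annual expected loss = frequency x magnitude, before any response."""
        return self.frequency * self.magnitude

    def residual_loss(self) -> float:
        """Annual expected loss remaining after the response is applied."""
        return self.residual_frequency * self.residual_magnitude


def decide(risk: Risk, tolerance: float) -> str:
    """Return 'accept', 'accept-exception' or 'respond' for one risk.

    tolerance is the per-risk annual loss the enterprise is willing to carry.
    A risk above tolerance is still accepted, with a documented exception,
    when the response would cost more than the loss it removes (the
    'approaches to reduce it are prohibitive' case).
    """
    loss = risk.expected_loss()
    if loss <= tolerance:
        return "accept"
    benefit = loss - risk.residual_loss()
    if risk.response_cost >= benefit:
        return "accept-exception"
    return "respond"


def evaluate(risks, tolerance: float, aggregate_budget: float) -> dict:
    """Decide each risk, then check that the exposure actually carried
    (accepted risks in full, responded-to risks at their residual) stays
    within the enterprise-level risk budget: the risk-aggregation check."""
    decisions = {r.name: decide(r, tolerance) for r in risks}
    carried = sum(
        r.residual_loss() if decisions[r.name] == "respond" else r.expected_loss()
        for r in risks
    )
    return {
        "decisions": decisions,
        "carried_exposure": carried,
        "within_budget": carried <= aggregate_budget,
    }


# Constructed sample register: one frequent/low-magnitude risk, one rare/
# high-magnitude risk, and one whose only response is disproportionately costly.
SAMPLE_RISKS = [
    Risk("phishing", frequency=12, magnitude=5_000, response_cost=20_000,
         residual_frequency=3, residual_magnitude=5_000),
    Risk("datacenter-fire", frequency=0.01, magnitude=2_000_000, response_cost=60_000,
         residual_frequency=0.002, residual_magnitude=2_000_000),
    Risk("ransomware", frequency=0.2, magnitude=500_000, response_cost=150_000,
         residual_frequency=0.05, residual_magnitude=500_000),
]
SAMPLE_TOLERANCE = 25_000        # per-risk annual loss threshold (assumed)
SAMPLE_BUDGET = 150_000          # aggregate annual exposure budget (assumed)


if __name__ == "__main__":
    result = evaluate(SAMPLE_RISKS, SAMPLE_TOLERANCE, SAMPLE_BUDGET)
    for name, decision in result["decisions"].items():
        print(f"{name:16s} {decision}")
    print(f"carried exposure: {result['carried_exposure']:,.0f} "
          f"(within budget: {result['within_budget']})")
```

With these assumed numbers the rare but catastrophic fire lands under the threshold and is accepted, the frequent low-loss phishing exceeds it and gets a response, and ransomware exceeds it but is accepted as a documented exception because the response costs more than the loss it removes. What drives each decision is the expected loss against the threshold and the cost/benefit of the response, not magnitude or frequency alone; change the tolerance or the response cost and the outcome changes with it.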
Shubham Patil says
Elizabeth,
I like the points you made; I'd also like to add that an employee’s ability to intentionally or inadvertently compromise the security of your company is one of the biggest reasons to consider implementing an acceptable use policy. An acceptable use policy ensures employees understand their responsibilities and rights as well as the company’s expectations of them regarding technology in the workplace. It also helps educate employees on how to identify potential threats and keep themselves safe from cybercriminals.
Yangyuan Lin says
Hi Elizabeth,
I agree with your assessment of the acceptable level of risk for the organization. The organization establishes an acceptable threshold for IT risks and determines the extent to which information system security risks can cause damage to the organization. I think that costs should also be taken into consideration, because when organizations encounter high-frequency but low-cost risks, I think the company can accept the risks.
Yangyuan Lin says
Acceptable information system security risk is a measure of the entity’s ability to bear the potential risks of information system operation. When the security of an enterprise’s information system is potentially affected and threatened by the confidentiality, integrity, and availability of the information/information system, the enterprise is willing to bear the damage caused by the loss of benefits, reputation, and functions caused by the potential risk threat.
The determination of the acceptable level of information system risk within an organization is usually determined by the organization’s top management, such as CRO, CISO, CEO, CFO, and the board of directors. Also, the IT manager of the organization will participate.
The organization will determine the risk evaluation standards for measuring the information system’s security and determine the harm caused by different risks. The level of acceptable risk is determined by judging the cost of the organization to mitigate the risk and the harm caused by the risk.
Oluwaseun Soyomokun says
The term “acceptable risk” describes the likelihood of an event whose probability of occurrence is small, whose consequences are so slight, or whose benefits (perceived or real) are so great, that high-level management is willing to take or be subjected to the risk that the event might occur. The concept of acceptable risk evolved partly from the realization that absolute safety is generally an unachievable goal, and that even very low exposures to certain toxic substances may confer some level of risk. The notion of safety corresponding to an acceptable level of risk emerged as a risk management objective in cases where such exposures could not be completely or cost-effectively eliminated.
Information security risk comprises the impacts to an organization and its stakeholders that could occur due to the threats and vulnerabilities associated with the operation, misconfigurations and use of information systems and the environments in which those systems operate.
The responsibility for identifying a suitable asset valuation scale lies with the organization. Usually, a three-value scale (low, medium, and high) or a five-value scale (negligible, low, medium, high, and very high) is used.
One of the most significant guides to managing risk is to use the recognized guidelines to make their scope and presentation sensitive to all aspects of the problem and to the desires of as many shareholders as possible.