What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
Justin Chen says
The term “acceptable information system security risk” refers to the level of risk that an organization is willing to tolerate in its information systems without taking further actions to mitigate it, which I think strongly connects with an organization’s “Risk Appetite”, the amount of risk an entity is prepared to accept in order to achieve its objectives. According to the guide regarding risk appetite and risk tolerance, “Risk appetite and risk tolerance are defined at the enterprise level, reviewed and/or influenced by the board of directors, and reflected in strategy and policies set by executives.”
Based on Risk-IT-Framework by NIST, there are three major factors that determine the risk appetite levels for the enterprise: The objective capacity of the enterprise to absorb loss; The (management) culture or predisposition towards risk taking; The nature of the business and the type of risk involved.
Lily Li says
Hi Justin,
I liked how you found similarities between “acceptable information system security risk” and “risk appetite”. Both refer to an organization’s tolerance to risk and they can be closely connected as you mentioned. For example, if an organization has a higher risk appetite they might have a higher “acceptable information system security risk”. Why might an organization have a higher risk appetite and why might that risk appetite affect their “acceptable information security risk”?
Parth Tyagi says
Hi Justin,
Appreciate how you brought in a reference from the NIST IT Risk Framework to highlight the three factors for determining risk appetite. All mentioned factors are very important and have to be rightly understood by the business leaders, managers, and lastly the auditors/assessors when they go on to audit/assess the organization’s systems and processes.
Sara Sawant says
The term “acceptable information system security risk” means the level of risk which the organisation is ready to accept without mitigating the risk. The chief information officer (CIO), system and information owners, business and functional managers, and information systems security officers determine the acceptance level of information security risk. An organization determines acceptable risk by evaluating business goals, legal compliance, and stakeholder expectations. It conducts risk assessments, weighing potential impacts against mitigation costs. Using risk evaluation criteria, risks are classified based on their likelihood and potential impact (low, medium, high). The acceptable level is where risk is aligned with business objectives while minimizing legal, financial, and reputational damage.
Lily Li says
“Acceptable information system security risk” is the amount of risk that an organization is willing to tolerate/accept in its information systems. The chief information officer, network engineer, and network administrator are all key figures within an organization that determine the acceptable amount of risk through different risk assessment processes. Risk assessment contains three subprocesses: risk identification, risk analysis, and risk evaluation. Risk identification allows an organization to determine the potential losses within the business: how, where, and why the loss might happen. This step encompasses different steps including identification of assets/threats, identification of existing security measures, and identification of consequences. A qualitative or quantitative risk analysis is performed next so risks can be determined on a scale, whether that is a ranking of low, medium, or high, or a numerical scale. In the risk evaluation process, risks determined in risk assessment will be looked at further to determine action for future processes.
Charles Lemon says
Hey Lily,
I appreciate your response and your connection with an organization performing a risk assessment. I find the relationship between qualitative and quantitative interesting because it can be difficult to decide which type of analysis to perform in a given scenario. In my view a qualitative analysis is best suited when analyzing assets such as the people of an organization. Which assets do you think would be best suited for a quantitative risk analysis?
Daniel Akoto-Bamfo says
The term “acceptable information system security risk” refers to the risk an organization is willing to absorb taking into consideration its risk capacity and its risk appetite as against its objectives. The board or management of the organization defines the acceptable level of information security risk, and it is reflected in the strategy and policy set by them for the organization. The capacity of an organization to absorb risk without posing a threat to its existence and how much risk is desirable by the organization determines its acceptable level of risk.
Sarah Maher says
Hi Daniel!
I liked how you mentioned that a company must gauge its risk appetite to decide what the acceptable information system security risk is. How do you think a company could go about doing that, or what guidelines could they utilize? Also, you mentioned an organization’s capacity to absorb risk without posing a threat to its existence, but do you think there are instances where an organization may have to accept the risk regardless, like a new small company?
Daniel Akoto-Bamfo says
Hello Sarah,
I like your question, and I think a new small company will absorb a potential risk when the risk has a limited or no impact on its core operations and survival whereby the benefit from its operations outweighs the potential risk.
Haozhe Zhang says
Hey Daniel,
Your explanation of “acceptable information system security risk” is clear. It emphasizes the importance of aligning risk tolerance with the organization’s capacity and strategic goals, as defined by the board or management. This balance ensures security measures support broader objectives while staying within acceptable risk limits.
Aaroush Bhanot says
The term “acceptable information system security risk” indicates the maximum risk that an organization is ready to tolerate (Risk Tolerance) to achieve the business objectives aligned with their mission and strategy. This concept acknowledges that while complete elimination of risk is often impractical or impossible, organizations can implement controls to reduce risk to a manageable or acceptable level that depends on the risk appetite of the company. Acceptable risk typically means that the cost and effort required to further reduce the risk outweigh the potential benefits.
The acceptable level of risk is defined by senior management, including the Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, or executive leadership. They work closely with IT, cybersecurity teams, and other stakeholders to evaluate risks, understand their potential impact on business objectives, and decide how much risk is tolerable. Risk management committees, legal advisors, and auditors may also play key roles in the decision-making process.
The acceptable level of risk is determined by a risk assessment of the organization. Organizations first conduct a thorough quantitative or qualitative risk assessment to identify threats, vulnerabilities, and potential impacts on their information systems using a combination of top-down and bottom-up methods. With the assessment of different types of risks, the organization classifies the critical assets needed to meet business objectives. The cost of implementing additional security controls is weighed against the potential loss from a security incident. Compliance requirements influence the acceptable form of risk, since the failure to comply could lead to legal fines or reputational damage. Lastly, reviewing industry standards and comparing risk levels with similar organizations helps determine what risks are generally acceptable.
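Several posts in this thread describe the same procedure in words: classify each risk qualitatively by likelihood and impact (Sara Sawant, Lily Li), quantify it as an annualized expected loss, weigh the cost of a control against the loss it avoids (Aaroush Bhanot above, and Elias Johnston's cost-benefit analysis further down), and then decide whether the risk sits inside the appetite and tolerance management set up front. The script below is an added illustration of that decision logic, not code from any of the posters or from any framework's worksheet. The risk register, the threshold values in `AcceptanceCriteria`, and the `decide` rules are all constructed assumptions chosen to show each outcome once; a real organization would set its own thresholds and would usually have more treatment options than accept/mitigate/escalate.

```python
"""Risk register evaluation: qualitative rating, ALE-based cost/benefit, and an
accept / mitigate / escalate decision against stated appetite and tolerance.
Constructed example; thresholds and register entries are illustrative only."""
from dataclasses import dataclass

# Ordinal scales for the qualitative analysis (low / medium / high).
SCALE = {"low": 1, "medium": 2, "high": 3}
RATINGS = ["low", "medium", "high"]


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Collapse a 3x3 likelihood-by-impact matrix to a single low/medium/high rating."""
    score = SCALE[likelihood] * SCALE[impact]  # 1..9
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str       # qualitative: low / medium / high
    impact: str           # qualitative: low / medium / high
    sle: float            # single loss expectancy: loss per event, in currency units
    aro: float            # annualized rate of occurrence: expected events per year
    control_cost: float   # annual cost of the candidate control
    residual_aro: float   # ARO expected once the control is in place

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """ALE remaining after the control is applied."""
        return self.sle * self.residual_aro

    def control_net_benefit(self) -> float:
        """Loss avoided per year minus what the control costs per year."""
        return self.ale() - self.residual_ale() - self.control_cost


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Hypothetical thresholds management sets before risks are evaluated."""
    max_rating: str = "medium"          # appetite: ratings above this are never simply accepted
    max_ale: float = 50_000.0           # tolerance: annual expected loss the firm will carry
    max_single_loss: float = 1_000_000  # capacity: largest single event the firm can absorb


def decide(risk: Risk, criteria: AcceptanceCriteria) -> str:
    """Accept if inside appetite, tolerance and capacity; mitigate if a control
    is worth its cost and brings residual loss inside tolerance; otherwise
    escalate (share/avoid the risk, or obtain formal sign-off from management)."""
    rating = qualitative_rating(risk.likelihood, risk.impact)
    inside_appetite = RATINGS.index(rating) <= RATINGS.index(criteria.max_rating)
    if (inside_appetite and risk.ale() <= criteria.max_ale
            and risk.sle <= criteria.max_single_loss):
        return "accept"
    if risk.control_net_benefit() > 0 and risk.residual_ale() <= criteria.max_ale:
        return "mitigate"
    return "escalate"


def evaluate_register(risks: list, criteria: AcceptanceCriteria) -> dict:
    """Map each risk name to its decision."""
    return {r.name: decide(r, criteria) for r in risks}


# Constructed sample register (values invented for illustration).
SAMPLE_REGISTER = [
    Risk("phishing credential theft", "high", "medium", 20_000, 4.0, 15_000, 1.0),
    Risk("loss of encrypted laptop", "low", "low", 2_000, 2.0, 10_000, 0.5),
    Risk("data centre fire", "low", "high", 2_000_000, 0.02, 100_000, 0.005),
    Risk("ransomware on file servers", "high", "high", 500_000, 0.5, 60_000, 0.2),
]

if __name__ == "__main__":
    for name, outcome in evaluate_register(SAMPLE_REGISTER, AcceptanceCriteria()).items():
        print(f"{name:30s} -> {outcome}")
```

Two of the constructed entries show why the decision needs more than one number. The data centre fire has a modest annualized loss (well inside the tolerance threshold) but a single-event loss above the assumed capacity, so the ALE figure alone would accept a risk the firm may not survive; the `max_single_loss` check is what sends it to escalation. The ransomware entry has a control that clearly pays for itself, yet the residual expected loss is still above tolerance, so the control alone is not a complete treatment and the remainder has to be shared, avoided, or formally accepted by management.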
Clement Tetteh Kpakpah says
An acceptable information system security risk refers to a range of risks that can be appropriately handled without extreme adverse effects to a firm and using various laid down mitigation controls stated in the information risk portfolio of a firm.
The Board of Directors decides on the acceptable level of information system risk for a firm; however, it takes the collaborative input of key stakeholders such as the technology compliance committee, risk management committee, department heads, information security officer, and internal audit to arrive at the decision.
The acceptable level of risk for an organization is determined by analyzing data on the risk level, capacity, risk appetite, risk tolerance, and risk treatment to determine the acceptable level of risk for a firm.
Haozhe Zhang says
Hey Clement,
This explanation effectively outlines how an organization determines its acceptable level of information system security risk. The collaborative approach, involving key stakeholders such as the compliance committee, department heads, and internal audit, is essential for making informed decisions. Additionally, the analysis of risk capacity, appetite, and tolerance ensures that the organization strikes the right balance between risk management and its operational goals, using established mitigation controls from its risk portfolio.
Sarah Maher says
Acceptable information system security risk is the level of risk an organization decides to accept or retain. Some risks are too costly or impractical to fully manage, so the organization must accept a certain level of risk. The Chief Information Officer (CIO) or Director of IT initially determines the acceptable risk level and coordinates with engineers and administrators to ensure they are aware of the risks being accepted. To determine the acceptable risk level, the organization first establishes context by establishing policies related to risk evaluations, impact criteria, and risk acceptance criteria. Then, it identifies and analyzes risks. The risk can be analyzed qualitatively or quantitatively to determine what risks are high impact and low probability. Finally, using the established context, the organization evaluates whether to accept the identified risks (or modify, avoid, or share the risk).
Sara Sawant says
Hi Sarah,
I totally agree with your response. To elaborate on the term “acceptable information system security risk,” it is necessary to highlight the fact that risk management is a continuous procedure. As new risks develop and technologies advance, organizations frequently reevaluate their level of risk tolerance. Organizations additionally manage their review processes with various risk management frameworks, including COBIT, ISO 27001, and NIST. These frameworks support risk monitoring and help define the organization’s appetite for risk, enabling it to adjust to changing cyber environments. Lastly, proficient risk communication at all levels guarantees that staff members are aware of their responsibility for handling security threats.
Lili Zhang says
Acceptable information system security risk is a risk level that an organization is willing to tolerate without further mitigation. Business management, often in collaboration with IT departments and roles like the CRO or CISO, decides what this level is, based on the organization’s environment, business needs, and the costs of mitigation versus potential losses.
To determine what constitutes an acceptable level of risk, an organization evaluates various factors, including its business requirements, operational environment, and the potential impact of threats. This assessment can involve reducing the likelihood of threats, decreasing vulnerabilities, or minimizing potential impacts. Organizations also consider constraints such as cost, legal frameworks, or cultural factors. If risk mitigation is too costly or not feasible, risk acceptance or sharing (e.g., through insurance or outsourcing) may be considered. The decision-making process should be documented and reviewed to ensure all stakeholders are aware of the organization’s risk posture. For example, an organization might decide to accept a risk if the cost of implementing security measures is higher than the potential loss from a security breach. Alternatively, if the risk is minimal and the impact on operations is negligible, it might also be accepted without further action.
Aaroush Bhanot says
Hey Lili,
Great response! I think you provided a clear explanation of acceptable information system security risk and the factors involved in determining it. I would add that risk prioritization also plays a key role in decision-making. An organization should not only evaluate costs versus potential losses but also focus on risks that could impact its critical assets or disrupt essential operations. In addition, regular reviews, monitoring and updates to the organization’s risk tolerance and mitigation strategies can be beneficial to ensure that the risk posture remains aligned with business goals and external changes, such as new regulations or emerging threats.
Rohith says
The term “acceptable information system security risk” refers to the level of risk that an organization is willing to tolerate regarding its sensitive information.
Within an organization, the senior management team, typically including the CEO and the Chief Information Security Officer (CISO), is ultimately responsible for determining the acceptable level of information system risk, taking into account the organization’s risk appetite and business priorities.
Organizations determine acceptable risk levels by:
- Setting risk appetite and tolerance.
- Assessing potential risks.
- Choosing risk treatment strategies.
- Monitoring and controlling risks.
Justin Chen says
Hi Rohith,
I agree with your view on acceptable information system security risk. Based on your view and knowledge about acceptable security risk, which one (or both) do you think the management should accept if considering the alignment with the business objectives and strategies, risk with low impact but could happen very frequently, or risk with moderate to catastrophic impact but has very low chance of occurrence (might be destructive if happens)?
Rohith says
Risk with low impact probably Justin.
Steven Lin says
When we talk about “acceptable information system security risk,” we’re referring to how much risk a company is comfortable with while still protecting its data and systems. It’s not always practical or affordable to get rid of every single risk, so companies usually focus on managing risks to a level that won’t lead to big disruptions. Senior leaders, like the Chief Information Security Officer (CISO) and other top executives, figure out what that level of risk should be. They look at what risks the company faces overall, pinpoint the biggest threats, and decide which ones can be handled without causing major problems. This way, companies can stay secure without burning through too many resources.
Elias Johnston says
“Acceptable information system security risk” is the amount of risk an organization is willing to accept before mitigating actions need to be taken. Generally, mitigating risk will come at a certain level of cost to an organization, and a line needs to be drawn as to how far the organization is willing to go to prevent that risk. An acceptable risk is usually one that would cost more to prevent than the consequences that the outcome of the risk could impose on the organization. Ultimately, the decision of determining the acceptable level of risk falls on the executive leadership (CEO, CIO, CRO), however it is the responsibility of risk management or security team to ensure that the executive leadership is fully aware of the risk, the consequences of the risk, and the cost to mitigate those risks. They do this by creating a risk assessment, which identifies potential security threats to the organization, the impacts those threats may have, and the likelihood of them occurring. They then create a cost-benefit analysis to determine if certain risks are worth preventing from a financial point of view.
Rohith says
Great response, Elias. I do feel big organizations must implement segregation of duties (SoD) to reduce risk exposure, so that employees perform their work with due diligence without making biased decisions. What do you feel?
Clement Tetteh Kpakpah says
Hi Rohith,
I do agree with your line of thought since the segregation of duties is truly essential for reducing risk and ensuring unbiased decision-making in large organizations, as it prevents conflicts of interest and enhances accountability.
Haozhe Zhang says
The concept of acceptable information system security risk pertains to the amount of risk an organization is willing to accept in its information systems before deciding to implement further risk mitigation strategies. This concept is closely linked to the organization’s Risk Appetite, which defines the extent of risk an entity is ready to endure to achieve its goals. According to guidance on risk appetite and tolerance, these concepts are established at the enterprise level, are subject to review and influence by the board of directors, and are incorporated into the strategies and policies set by executives. According to the Risk-IT Framework by NIST, three primary factors shape an enterprise’s risk appetite levels: the enterprise’s capacity to withstand potential losses, the management’s attitude or tendency towards risk-taking, and the nature of the business and associated risks.
Steven Lin says
Hi Haozhe, I agree with your insights on acceptable information system security risks and their connection to the organization’s acceptable level of risk. You mentioned how the board of directors and executives play a role in setting risk strategies, but do you think they always have a comprehensive understanding of cybersecurity risks, or could there be an issue between their strategic decision and the actual risks IT teams face? Overall, great points!
Elias Johnston says
Hey Steven, I was reading through the responses when I saw your point about whether or not the board is fully literate when making IT security decisions. I would assume they are at least briefed on it before they make crucial decisions, but I can’t imagine that the majority of the board is as qualified as they probably should be. It’s a very interesting question and one I hope we go over in class.
Cheers,
Elias
Charles Lemon says
Acceptable information security risk is the level of risk an organization is willing to tolerate. This is an intentional decision typically agreed upon by senior level stakeholders and the chief information security officer. This decision is determined by many different factors including the assets an organization holds, the vulnerabilities these assets contain, and possible threat actors that seek to exploit the assets. An organization determines their acceptable level of risk by establishing their risk appetite. An organization establishes a risk appetite by considering factors such as business objectives, the impact and likelihood of identified risks, and even the industry the organization is involved in.
Yash Mane says
The “acceptable risk of information system security risk” is the level of risk that the organization is ready to accept after it has put security controls in place. This is set by senior management, including the CISO or other information security experts, as well as business leaders. It involves weighing the security needs against the objectives of the enterprise. With this in mind, you should decide “the tool for acceptable risk”: what is the maximum risk your company is ready to accept? This factor is influenced by business risk assessments, business impact analysis, understanding the risk appetite, as well as compliance and cost-effectiveness analysis, to manage risks consistent with the enterprise goals and legal requirements.
Rohith says
I agree that establishing an acceptable risk level is crucial for effective security management. However, I’d like to add that, given the ever-evolving threat landscape, it’s essential to regularly reassess acceptable risk levels. A dynamic approach ensures that security measures remain aligned with current business needs and emerging threats. What do you feel, Yash?
Parth Tyagi says
Acceptable information system security risk defines the level of risk that the organization is willing to accept, considering the damage and repercussions of the same to the business and processes. In other words, it is the level of residual risk to the assets, operations, or personnel that an organization considers reasonable and is willing to bear in order to achieve their business goals.
The organization’s acceptable level of information system security risk can be divided into two components – RISK APPETITE and RISK TOLERANCE.
1. Risk Appetite is the amount of risk an organization is willing to tolerate in order to achieve their goals.
2. Risk Tolerance is the amount of acceptable risk pertaining to a particular category of risk or specific business function.
3. Both attributes are set by the board of directors and are managed by the Chief Information Security Officer with support from the board.
The acceptable level of risk varies subject to the industry, regulatory environment, and organizational priorities. Acceptable level of risk is decided by the board of directors by weighing the context of organization, business objectives, goals/objectives alongside the risk appetite, risk tolerance, assessment, treatment and monitoring. The organization also needs to consider factors like the return on investment, impact and likelihood of risk, regulations, stakeholder support and resources.
Lili Zhang says
Hi Parth,
I agree with this statement but would like to raise some questions. The distinction between *risk appetite* and *risk tolerance* is clearly stated, which helps to outline how much risk an organization is willing to bear and in what specific areas. However, the idea that these attributes are “set by the board of directors” may be too narrow. While the board often provides oversight, the practical management of risk typically involves collaboration between the board, senior management, and business process owners, with input from IT departments, such as the Chief Information Officer (CIO), in addition to the CISO. Could the role of other key stakeholders, especially in industries where regulatory compliance is crucial, be more prominent in this decision-making process?