What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
Wilmer Monsalve says
Acceptable information system security risk signifies the risks that an organization is willing to take within its information system without any action. The roles deemed responsible within an organization for determining the acceptable level of risk can be allocated to business management and business process owners, in collaboration with the CRO, IT, and senior management. This is because they are the ones who allocate the resources of the organization, so after an evaluation based on their budget and perception, what they claim is an acceptable level of risk is up to them to decide. The factors that go into deciding the acceptable level of risk include probability, risk/response options, budget cost benefits, and potential effects of risk aggregations.
Michael Galdo says
Hello Wilmer,
I think you make good points about acceptable information system security risk. Acceptable IS security risk is the amount of risk a company is willing to accept when it comes to a specific situation. The decisions regarding acceptable IS security risk usually lie in the hands of higher management such as the CEO, CIO, CFO or an IT Manager/Director. Making sure that these decisions factor in the company’s needs is a prioritized goal for the person making them.
Ornella Rhyne says
I like how your definition is straightforward and precise. Specifically, the person responsible for determining the acceptable risk is the CIO or the Director of IT. To me, I would say the IT department (all members) will work together to create and maintain the policies of an acceptable risk. Acceptable risk means zero risk, so no further action is taken. Based on their evaluation by doing a risk management/assessment, they agree that this type of asset is secure enough and will not cause any problems to the system, so this would be classified as an acceptable risk.
Dan Xu says
Hi Wilmer,
I agree with what you said: the factors that determine the acceptable degree of risk may be probability, budgetary cost benefit, and the potential impact of risk aggregation. This is very important for the enterprise. It is possible to effectively and quickly quantify the risk by assessing the risk level every time it faces a risk, as well as the method and time of the system’s processing.
Kelly Sharadin says
Acceptable information system security risk refers to a metric by which an entity (enterprise, organization) has determined what risks they are willing to tolerate insofar as the potential consequences of such events. These decisions are made by executive management (CISO, CEO, CFO) and the board, as these decisions directly affect the success of the business and relevant stakeholders. An organization determines these risks by doing business impact analysis (BIA) and risk assessments. BIA and risk assessments aim to identify the organization’s crown jewels, the impact of business operation interruptions or downtimes. “When developing risk acceptance criteria, the organization should consider business criteria, legal and regulatory aspects, operations, technology, finance, and social and humanitarian factors” (Vacca, 2017).
These assessments help quantify the costs associated with different risks, and the business then chooses to prioritize certain risks over others based on the likelihood of occurrence. We can never be risk-free, but we can reduce highly probable incidents that can harm the business. An example of an acceptable information security risk would be permitting basic authentication protocols on business-critical services. The organization accepts the risk that bad actors may abuse these protocols, but the services utilizing them are mission-critical and cannot be disabled. Therefore, the entity accepts the possibility of a threat actor exploiting this vulnerability.
Vacca, J., 2017. Computer and Information Security Handbook. 3rd ed. Cambridge: Morgan Kaufmann.
Wilmer Monsalve says
I agree that cost is definitely a huge factor when deciding how much an organization is willing to invest in its own security measures, and I like how you mentioned that you can never be risk-free. As long as the risk is known and doesn’t have much of a potential impact on the business, then it is worth not prioritizing it and giving other risks the proper attention.
Antonio Cozza says
It is always about cost vs. benefits in any business, as is the case with information security. It is undeniably difficult to have to mitigate varying types of risks across different technology resources. Perhaps one good outcome of this is that, for security vendors, the competition has forced them to offer more features. As a result, we now have UTMs, or unified threat management devices, which cover many different aspects of security like an IPS, firewall, bandwidth management, spam filters, routing capabilities, etc., all as one device. This could be a cost-effective solution to mitigate a large area of impact from a variety of risks.
Andrew Nguyen says
Acceptable information system security risk means the level of risk an organization is willing to accept when it comes to a particular risk. For example, when faced with a nonzero risk (a risk that has an impact on the company), an organization focuses on reducing the risk to acceptable levels by reducing the likelihood of the threat occurring or the likelihood of the vulnerability being exploited successfully or the impact if the threat succeeds.
The level of acceptable risk that an organization is willing to take on is a business decision that should be made by either the CIO/Director of IT, or whoever is in charge of creating and maintaining the security policies for the organization.
An organization can determine an acceptable level of risk depending on the business requirements, environment, and circumstances in which the organization needs to operate. Cost may also play a factor here in determining how much an organization is willing to invest to protect itself from risk.
Joshua Moses says
Hello Andrew, I appreciate your response. It definitely makes me consider mitigation a little more. Reducing a risk to the point of making it at an acceptable level is definitely something we should consider as Information Security Professionals. When we successfully mitigate risks, it doesn’t necessarily mean that the threat has been eliminated completely… but certainly the impact won’t be as severe as it initially was.
Also, I agree that upper management should be at the forefront of determining what is an acceptable level of information system risk. However, do not forget that the owners and the organization’s board should also be included in this decision making.
zijian ou says
There are specific risk vulnerabilities in the software, and there is a possibility that an attack could damage it, but the consequences of these possibilities are predictable and bearable. The management team, consisting of the president (chairman) and the heads of each business area, assumes responsibility for implementing risk management, monitoring business risks, and risk-related measures. Risk assessment is the entire process of identifying all the risks of an activity and assessing the potential impact of each risk. It determines the potential impact of individual risks by measuring or otherwise evaluating the likelihood that they will occur and the effect. It then combines the results according to agreed rules to give a single measure of potential impact.
kofi bonsu says
I agree with you in regard to your explanation of information security risk, but you need to be aware that the act of manipulating people into performing actions or divulging confidential information for malicious purposes can have devastating implications on security issues within an organization. Phishing emails are the most common example.
kofi bonsu says
Acceptable information security risk can be defined as the magnitude of risk impact an organization and its stakeholders can tolerate when faced with a certain pattern of risk in the organization. When an organization is confronted with the likelihood of an event that might disrupt the efficiency and effectiveness of the organization’s operations, then the management would put in measures to mitigate the risk to an acceptable level. When the impact of a threat and vulnerability within the organization appears to be high, the management uses the selection, implementation and continuous monitoring of preventive, detective, and corrective controls to mitigate the risk to an acceptable limit. The amount of risk that an organization is willing to pursue or retain certainly falls within its risk appetite. And the risk appetite allows the organization to determine how much it is willing to take risks in order to innovate in pursuit of objectives. The management of the organization determines if the risk level is in the safety, caution or danger zone. Once management calibrates and understands the nature of the risk, they align it with the organization’s strategy.
Realistically speaking, the organization’s risk capacity determines its ability to assume the impact of an adverse risk event. When setting organizational tolerance, its financial capacity to absorb losses connected to the adverse risk event must be considered.
The acceptable risk that an organization can retain is primarily contingent on the business needs at a particular point in time, the environment, and the manner in which the organization needs to operate. Cost might also play a pivotal role in deciding how much an organization is capable of investing to sustain itself from potential risk.
Madalyn Stiverson says
Acceptable risks are those which are low frequency and low magnitude. Typically, there is no additional action you must take in order to mitigate this risk, beyond continuing to implement those controls that are already in place. Each enterprise determines its own risk map and risk appetite. Risk is mapped by multiplying frequency and magnitude. High frequency and high magnitude risks would be unacceptable. Low frequency and low magnitude risks are considered opportunities. Slightly more frequency and slightly higher magnitude over opportunities is where the acceptable information system security risks fall.
The Chief Risk Officer, likely in conjunction with the CISO and other senior executives, would determine what the acceptable level of information system risk for the organization is.
Victoria Zak says
Madalyn,
During audits, my team and I rate the risks from low to high. As you said in your discussion, high-level risks are unacceptable. We push companies to try and fix those risks because it is very important to do so.
Mohammed Syed says
Acceptable information security risk basically stands for an agreement between two parties: an agreement that adheres to specific rules and standards in regards to the use of computer services. It is popularly called an acceptable information security risk due to the fact that organizations are prepared for an unforeseen risk and have strategies in place if any issues arise. To take any action prior to the incident occurring is not profitable for an organization, thus organizations are willing to accept some risk in their security system.
Most organizations divide or categorize the personnel who will help determine the risk, and how much impact it has on the organization’s business. Often organizations have senior business management, or the business owners with supported IT staff, senior management and the board to help determine what is acceptable risk to their organization.
The organization divides risk into the following levels:
High: Its impact on the business is critical, especially on business operations at a high level. The possibility can be loss of consumer trust and damage to the organization’s goodwill or reputation in business.
Medium: Its impact is on the business’s key processes and operations at a medium level. The possibility is that fewer consumers will be interested in the organization, and a change in the organization’s reputation with consumers.
Low: Impact on business processes and business operations is low. Low effect on consumer interest in the organization, and minimal impact on the organization’s business.
Michael Galdo says
What is meant by the term “acceptable information system security risk”? Who within the organization determines what is an acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
Acceptable information system security risk stands for the amount of risk a company is willing to accept when it comes to a specific situation. The decision on what is acceptable information system security risk, and how much risk the company is willing to take on, is usually determined by either the highest management such as the CEO, CFO, or CIO, or it could also be the IT Manager/Director. A couple of things come into play when it comes to deciding what is an acceptable level of risk. The main factors in determining what is acceptable risk lie in what the company’s needs are at the time, as well as how the environment would be affected and the probability of this risk occurring.
Antonio Cozza says
You make a good point in regards to risk changing based on an organization’s needs, Michael. I think this is perhaps a common oversight; risks should be re-evaluated in accordance with the defined risk management policy in place. Risks can be dynamic in the sense that their impact or relevance can increase and decrease as the company’s business direction and strategy changes.
Andrew Nguyen says
Hey Michael,
I like your point about acceptable information security risk being the amount of risk a company is willing to accept when it comes to a specific situation. Two different companies may have the same vulnerability; but how they approach the risk may be different. Each company may have a different risk tolerance when it comes to information security, and I think that your post highlights this really well.
Thanks for sharing your thoughts!
Andrew
kofi bonsu says
I agree with you wholeheartedly on your assertion that “The main factors in determining what is acceptable risk lie in what the company’s needs are at the time, as well as how the environment would be affected and the probability of this risk occurring”. However, in today’s computerized world, new risks emerge every hour of every day. Connecting to the Internet opens up the possibility of a hacker targeting your organization. Cybercrime is becoming big business and cyber risk a focus of organizations and governments globally. Monetary and reputational risks are high if organizations don’t have an appropriate cybersecurity plan to contain these emerging risks, and therefore this should be a major concern to all business establishments.
Ornella Rhyne says
An acceptable information system security risk is a decision made by an organization after doing a risk assessment and concluding that the security measures taken to protect its assets are good and have a low impact from vulnerabilities. In other terms, the cost of an incident is zero when the value of the implicated asset is zero or the impact to the organization is zero. Therefore, if one or more of these conditions is found to hold during the risk assessment process, it is meaningless to take security measures.
The Chief Information officer or the director of IT is the person responsible to create and maintain the security policies for the organization.
The organization determines an acceptable level of risk by setting risk evaluation criteria. The organization should consider the strategic value of the business information process; the criticality of the information assets involved; legal and regulatory requirements and contractual obligations; operational and business importance of the attributes of information security; stakeholders’ expectations and perceptions; and negative consequences for goodwill and reputation.
Vacca, J., 2017. Computer and Information Security Handbook. 3rd ed. Cambridge: Morgan Kaufmann.
Ryan Trapp says
An “acceptable information system security risk” is a risk of which a company is willing to accept the full consequences. When a company determines that an information system security risk is acceptable, it has identified and acknowledged the risk and potential impact and makes the conscious choice to accept the potential outcome if that risk were to happen. Typically, the individuals who decide the acceptable level of information system risk are the management of the company. People like the CIO or CTO, and potentially a group of the higher executives at a company, would decide what level of risk is okay to accept. They could determine what constitutes an acceptable risk by performing a quantitative risk analysis. If the likelihood of the risk or the estimated impact is low enough for the company’s risk tolerance, then they would decide to accept the risk and take the chance that the event would not happen or, if it does, that its impact would be negligible enough for the business not to be interrupted or affected significantly.
Richard Hertz says
Ryan – I like the fact that you introduced the concept of ‘Risk Tolerance’ at a company. Clearly not all organizations are the same in this dimension and it has a huge impact on how risk is managed. The tone/tenor of how risk is managed affects decision making all the time – e.g. why do some companies pursue a deal while a competitor does not? The Risk Tolerance of a company is a major driver of those decisions!
Christopher Clayton says
“Acceptable information system security risk” is when an organization accepts, or is willing to accept, the level of risk after a security risk analysis has been executed. The organization’s senior management team normally determines what the acceptable level of information system risk is, and they do so based on the organization’s operations. In determining what is an acceptable level of risk, a qualitative and quantitative analysis is performed in evaluating costs. It involves numerous steps, such as assessing costs (through calculating assets), assessing the possibility of an incident, and determining the risk level.
Michael Jordan says
Christopher,
I like how you mentioned that both qualities of a risk and the quantity (expected $ loss) of a risk should be taken into account.
For example, an internal risk from an employee could pose a bigger threat than an external risk from a hacker (with a larger single-occurrence expected $ loss) because it has the chance of happening again if it is not addressed and employees are not educated correctly.
Losses can also occur from different outcomes. One loss outcome can be a ransomware payment, while another could be a legal settlement. The different types of these losses have different reputational implications, even if they had the same quantitative $ loss.
Miray Bolukbasi says
For an organization to determine the level of the risk, a risk assessment with its three subprocesses is necessary as an initial step. After risk identification, analysis, and evaluation, the company can consider the risk calculation completed. Afterwards, the company aims to select security measures and define a risk treatment plan.
Unfortunately, there is no such thing as zero risk, considering any threat faced is “dynamic and hence highly variable environment”. Regardless of the assessment or treatment plan, every organization tries to reduce the risk to an acceptable level when it faces a nonzero risk. By “reducing the likelihood of the threat occurring or vulnerability being exploited successfully or the impact”, risk can get closer to being acceptable.
During the assessment and treatment of the risk process, everything should be documented so management is aware of its risk levels. In most cases, the management roles become key players in deciding the risk level once auditors and the IT team complete the documentation of risk assessments. The CIO, CFO, and CEO might be the ones who determine the level of risk the company faces.
Vacca, J., 2017. Computer and Information Security Handbook. 3rd ed. Cambridge: Morgan Kaufmann.
Vraj Patel says
Hello Miray, that was a great post. I do agree that everything in the process of identifying the risk of a system should be documented. It would be valuable at the moment of identifying the risk and in the future when determining why that system possesses the certain level of risk that it has. However, I would say that the CIO would be the most appropriate person to identify the risk that the system would have, rather than the CFO and CEO, as the CFO and CEO would not have as much knowledge as the CIO on the IT infrastructure within the company.
Michael Duffy says
Hey Miray,
I was wondering in terms of “zero risk”. For example, I’m wondering if it is arguable that, if we disconnect certain systems from the internet, certain vulnerabilities or threats actually do induce zero risk. For example, many control systems typically have a policy to remain off the network due to the risk being much greater than having internet access. However, because of this they are usually littered with vulnerabilities due to it being much more difficult to manually update each machine, especially for systems that do not utilize standard fiber/ethernet connections.
But one can argue that vulnerabilities do still exist, and that they always exist even when disconnected – they just become very VERY unlikely to be exploited. I suppose the only true way to reach absolute zero is to merely patch the vulnerability.
Olayinka Lucas says
Hello Michael,
In the absence of internet connectivity, infrastructure is still highly vulnerable. Data is never fully deleted until the hard disc is either degaussed or destroyed. A host can still be harvested without internet connectivity for its components that hold data. This can, in turn, be harvested when the component is rebuilt or configured into another device. There is no scenario where zero risks occur. This is why we have residual risk. Whenever data is present, a threat is lurking to create a risk.
Michael Jordan says
The term “acceptable information system security risk” refers to how some risk is acceptable, because risk (theoretically) can never be fully eliminated, but it can be reduced. Some risk exposures are more serious than others because of the specific sensitive information at hand. The acceptable level of information system risk is determined by the CIO and SVP/head of IT. They determine what the acceptable level of risk is by assessing the potential loss from certain information security events and the probability that these events will occur. This is exemplified in the equation R = L x I from chapter 24 in the Vacca textbook: R = risk, L = likelihood of a security incident occurring, I = impact.
Matthew Bryan says
An acceptable information system security risk is a scenario where the risk is retained by the business as the options to implement appropriate measures outweigh the cost of the incident (Vacca, 2017). Acceptable risks are an outcome of the risk assessment process, in which an organization surveys its assets, threats, and vulnerabilities against risk acceptance criteria. Senior leaders, e.g. the CEO, CIO, CFO, and other stakeholders, help define what is acceptable risk in accordance with business criteria, legal and regulatory aspects, operations, technology, finance, and social and humanitarian factors (Vacca, 2017). Cost-benefit analysis is a common approach used when determining acceptable risks and whether they align with the organization’s tolerances. Risk appetite can also be defined in terms of a combination of frequency and magnitude of risk (Risk IT Framework, 2nd Edition, 2021). Said another way, remediating a vulnerability may be more costly (e.g. financial expenditures, opportunity costs, etc.) than the impact of the threat exploiting the vulnerability on the organization’s assets; therefore, the risk is accepted.
Lauren Deinhardt says
Great points Matthew! It is enlightening that risk appetite can be assessed through so many different methods. The ISACA framework, like you mentioned, does an excellent job of highlighting and explaining the variety of methods through which risk can be classified.
Olayinka Lucas says
Hello Matthew,
It is pertinent to note that acceptable risks are an outcome of the risk assessment process, based on the organization’s effort to identify issues that may disrupt its daily business activities within the confines of what it can and cannot accommodate. Truly, the decision-making and identification process resides in the hands of C-suite officers and all stakeholders within their risk universes poised with the responsibility of navigating the company? We are, however, all stakeholders within the risk universe of the organizations we work for.
Olayinka Lucas says
Information security risk comprises impacts that may occur to an organization because of threats and vulnerabilities inherent in using information systems regardless of their environment. Risk tolerance is the level of risk acceptable to an organization in line with the business it operates. Acceptable risk is the permitted level of impact or exposure that an entity may take as low as reasonably practicable (ALARP) within its area of operation due to its interface with information systems.
The Employer/Management and those responsible for the various business areas involving the monitoring, measuring and implementing risk and appropriate controls within an organization hold the responsibility of determining the acceptable level of information system risk within that organization.
When organizations identify instances that may facilitate harm to people and processes and then determine the probability and likelihood of consequences, the organization proceeds to categorize the risk. Then, it determines whether such an outcome falls within the tolerable safety net without disrupting critical business activities. The Risk Management Framework, NIST SP 800-37, serves as the guide on risk management. Thus, risk management, which involves risk identification, review, and mitigation, is how every organization identifies the adequate level of risk.
Antonio Cozza says
Mitigating risk directly corresponds to a cost for the security defined as needed to properly reduce that specific risk. All risks cannot be mitigated maximally, as this is impossible: it would cost too much, make systems unusable for non-technical personnel and employees, be too inefficient time-wise, and ultimately people will always remain a vulnerable aspect involved in any organization. Therefore, some risks must be accepted. The acceptable information systems security risk is the level at which the risk of safeguarding and securing information systems is accepted based on the likelihood of possible threats having an impact on the organization. Information systems risk can usually be quantified to a certain extent, and a major formula used is R=P*C, or risk = annual probability of exploitation * cost, or “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization” (ISO 27001), in which the assets described are information systems.
In terms of information systems, this risk is effectively the potential of breached security policy in some way, leading to a compromise of an organization’s information security which is described by a net cost of securing against this. Risks are at an acceptable level when it is decided by the CIO/Director of IT and the Board of Directors that the impact does not outweigh the cost of mitigating this risk. This method, and extensive risk analyses which observe the likelihood of a threat appearing, that threat successfully exploiting a vulnerability, the cost of the information systems at stake, and the business impact, together display the risk at a high level (R=f(A,T,V,I)), enabling the organization to choose if it is more cost-effective to mitigate or not.
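A worked version of the quantitative rule in this post (R = P * C compared against the cost of mitigating), and of the likelihood x impact scoring that Madalyn, Michael Jordan and Matthew describe earlier in the thread, as an added example that is not code from any post on this page. Every dollar figure and probability in it is a constructed sample value, and the score bands, the risk appetite and the control-effectiveness fractions are assumptions made for the example; what it adds over the prose is the accept-or-mitigate decision carried through for a small register, including the case where the safeguard would cost more than the loss it prevents.

```python
"""Risk-acceptance worked example (added here; not code from any post on this page).

It carries through the two ideas the thread keeps returning to:
  * a risk score as likelihood x impact (R = L x I, or in money R = P * C), and
  * the accept-or-mitigate decision: retain a risk when it sits inside the
    organization's appetite, or when the safeguard would cost more than the
    expected loss it removes.
Every register entry, threshold and dollar figure below is a constructed
sample value, not data from the discussion.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float     # P: chance the event occurs in a year
    impact_cost: float            # C: loss per occurrence, in currency units
    control_cost: float           # annualised cost of the proposed safeguard
    control_effectiveness: float  # share of expected loss the safeguard removes (0..1)


def expected_annual_loss(risk: Risk) -> float:
    """Quantitative score R = P * C (an annualised loss expectancy)."""
    return risk.annual_probability * risk.impact_cost


def residual_annual_loss(risk: Risk) -> float:
    """Loss still expected after the safeguard is in place: the residual risk."""
    return expected_annual_loss(risk) * (1.0 - risk.control_effectiveness)


def qualitative_level(likelihood: int, impact: int) -> str:
    """Frequency x magnitude map on assumed 1..5 scales.

    The score bands are assumptions chosen for this example: the corner of
    high frequency and high magnitude is unacceptable, the low/low corner is
    treated as an opportunity, and the band in between is where accepted
    information-system risks fall.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "unacceptable"
    if score >= 5:
        return "acceptable"
    return "opportunity"


def treatment_decision(risk: Risk, risk_appetite: float) -> str:
    """Cost-benefit rule for one register entry.

    'accept' when the expected loss is within appetite, or when the safeguard
    costs at least as much as the loss it would prevent; otherwise 'mitigate'.
    The decision is recorded either way, so an accepted risk is a conscious
    choice rather than an unidentified one.
    """
    eal = expected_annual_loss(risk)
    if eal <= risk_appetite:
        return "accept"
    loss_prevented = eal - residual_annual_loss(risk)
    if risk.control_cost >= loss_prevented:
        return "accept"
    return "mitigate"


def evaluate_register(register, risk_appetite: float) -> dict:
    """Return {name: (expected annual loss, decision)} for a whole register."""
    return {r.name: (expected_annual_loss(r), treatment_decision(r, risk_appetite))
            for r in register}


# Constructed sample register; every figure is illustrative only.
SAMPLE_REGISTER = [
    Risk("phishing_credential_theft", 0.60, 50_000, 10_000, 0.70),
    Risk("legacy_basic_auth_service", 0.20, 20_000, 40_000, 0.95),
    Risk("datacentre_flood", 0.01, 2_000_000, 150_000, 0.90),
]
SAMPLE_APPETITE = 5_000  # assumed: expected losses at or below this need no action


if __name__ == "__main__":
    for name, (eal, decision) in evaluate_register(SAMPLE_REGISTER, SAMPLE_APPETITE).items():
        print(f"{name:28s} expected annual loss {eal:12,.0f}  -> {decision}")
    print(qualitative_level(5, 5), qualitative_level(2, 3), qualitative_level(1, 2))
```

Running it, the phishing entry is mitigated (a $10,000 control removes about $21,000 of expected loss), the basic-auth service is accepted because its $4,000 expected loss is inside the assumed appetite, and the flood entry is accepted even though its expected loss exceeds the appetite, because the $150,000 safeguard costs far more than the $18,000 of loss it would prevent, which is the cost-benefit case the post describes.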
Dhaval Patel says
Hi Antonio,
I agree with your statement. Cost is a large factor; as you said, there is a direct relationship between mitigating a risk and the cost associated with it. The risk formula is a great tool to better understand the quantitative side of the risk, which ultimately allows the organization to enhance its policies.
Olayinka Lucas says
Hello Antonio,
In consonance with what you point out above: if a threat compromises a vulnerability, a risk will emerge, indicative of loss, damage, theft, or destruction. Whatever form it takes is still a loss to the organization in either financial or nonfinancial terms. Secondly, if a risk is not adequately mitigated due to the cost implication to the organization, the result is still a loss; truly, it is accurate to state that cost is a large factor and has a direct relationship to risk, whether mitigated or not.
Bryan Garrahan says
1. No risk can be completely avoided, so the idea of acceptable information security risk is the amount or level of risk an organization is willing to accept or allow with the expectation that the impact and likelihood of an event/incident is low and/or will not have an adverse impact on the organization. In the business world, it’s an unfortunate reality that the way we do business will require us to take on or put ourselves in some sort of risk. The process of identifying risks should be facilitated by the Chief Risk Officer and should require input from all members of executive management across the organization. Risks to the organization could go unidentified and, even worse, unmitigated if all members do not participate in the risk identification process. The textbook reiterates that technologies, or secondary assets, are ever changing and, in some cases, so are an organization’s processes, or primary assets. Therefore, it’s important to consistently perform risk assessments of critical processes to ensure new or even existing risks are being controlled. I believe, and the textbook states, that organizations who can actually quantify how proposed safeguards, for example an anti-virus or DLP solution, can mitigate information security risks (i.e. malware) in terms of dollars will have a better chance of obtaining support from the executive level of management. Unfortunately, this isn’t easy to do since in most cases information security is viewed only as supplemental to the business process and not actually a part of it.
Miray Bolukbasi says
Hello Bryan,
Good mention on the fact that we cannot avoid risk completely as an organization. Unfortunately, most of the risk elements related to IT are dynamic and subject to change all the time due to sudden events and unpredictable factors such as human impact or environmental issues.
Ryan Trapp says
Hi Bryan,
I think it was good to point out first that no risk should be avoided. It would be completely egregious for a company to avoid a risk. Risk avoidance shows that there is not a risk analysis process that is followed at the company. At the very least it should be that risks are analyzed and it is decided that the risk will be accepted. Like you’ve pointed out, it is important to consistently perform risk assessments, especially for critical processes.
Olayinka Lucas says
Hello Bryan,
I beg to disagree with your comment that “No risk can be completely avoided, so the idea of acceptable information security risk is the amount or level of risk an organization is willing to accept or allow with the expectation that the impact and likelihood of an event/incident are low and/or will not harm the organization. In the business world, it’s an unfortunate reality that the way we do business will require us to take on or put ourselves at some risk.”… Risks are dynamic in nature and are synonymous with the business an organization does. Organizations can fully avoid risks if they choose to totally and effectively discontinue the activities leading to the risk. Risk transference is also a means of avoiding risk to enable the organization to concentrate on the more rewarding critical business objectives.
Lauren Deinhardt says
The ISACA Risk IT Framework highlights ‘acceptable information system security risk’ through risk appetite: the amount of information security risk an organization/entity is willing to accept in pursuit of goals and objectives. Risk is not transferred via insurance, nor is it avoided or mitigated; the entity assumes risk as the cost of business. This type of risk-aware business decision is categorized and determined by appropriately assigned risk owners, which would be determined by conducting a strategic risk analysis (i.e. CIO, company Legal team, etc.). During an enterprise-level risk analysis, accepting risk can be determined through examining quantitative risk-return ratios, assessing the probability/impact of specific risk occurrence, and evaluating the cost of risk allocation. When risk owners determine that the cost of mitigating/transferring/avoiding a particular risk is either impossible or outweighed by losses, an organization should classify it as acceptable risk.
Bryan Garrahan says
Hi Lauren, thanks for sharing – when you mentioned the idea of risk transfer it stuck out to me. I’ve found in my experience working that a lot of times business users within the process, and even some business process owners, tend to believe IT system risk is transferred, specifically in cases where a third-party vendor system is used. People tend to think it’s not our system or we aren’t responsible for maintaining it, so therefore the controls supporting these risks don’t really apply to us. Unfortunately, from my personal experience this is a common occurrence, and organizations don’t inspect assessments (i.e. SOC reports) to gain comfort that the third-party vendor’s controls are operating effectively. I think it’s extremely important for members of IT management to understand and familiarize themselves with risks that can be introduced to a network as a result of utilizing third-party systems.
Michael Duffy says
An acceptable information system security risk is defined by Vacca as an option chosen to modify the risk and apply appropriate security measures to the level that is deemed acceptable by organizational standards. Risks often identified can have mitigations that target the likelihood of occurrence or the cost of the exploitation. This develops residual risk and can be seen by organizational stakeholders as acceptable.
Senior management such as the Chief Executive Officer, Chief Information Officer, Information System Owners, IT security professionals, etc. all play a role in determining acceptable risk. In business, legislation and decisions must be derived from security experts who can reciprocate the necessary controls that are needed and their impacts. Information System Owners must report the technical feasibility and cost necessary to business executives and IT security professionals in order to develop the company’s acceptable risk. This is the importance of generating a risk assessment report for determining if additional mitigations are necessary to implement or if the risk is acceptable in relation to the function of the process being assessed.
Joshua Moses says
There are many different ways to respond to business risks: risk avoidance, transference through insurance, acceptance, and mitigation. Acceptable risk levels should only be determined by management and business process owners. When risk is accepted, that means that the risk is known and an informed decision has been made in reference to it. It is imperative that this acceptance is openly communicated to senior management and the board.
An organization determines what an acceptable risk is by using established IT risk tolerance thresholds as a guide. The effect the risk will have on loss of revenue or an inability to carry on production should be all taken into consideration. Moreover, relevant information from risk analysis reports is sure to be critical in this process. Whatever conclusion or acceptance decisions are made should be consistent with established enterprise risk and corporate governance policies and procedures.
Miray Bolukbasi says
Hello Joshua,
I liked the way you mentioned the impact on revenue and production; we can simply call that CIA as well. It is really important that the threat is assessed by its confidentiality, integrity, and availability with framework levels. That way the risk assessment report can be presented clearly to management and treatment methods against risk can be more effective.
Joshua Moses says
Hello Miray,
Yes, when thinking of production or a lack thereof… availability should automatically come to mind. I am not sure where loss of revenue will align in the CIA triad, but I’m sure it is at the very top of the list for ‘the worst things that can happen to an organization’!
So in my opinion, when we are discussing risk, vulnerabilities and the possible impact, those two things (loss of production and loss of revenue) should ultimately be considered!
Vraj Patel says
Acceptable information system security risk is risk that the organization is willing to accept for a system. This risk could arise from the loss of CIA (Confidentiality, Integrity, and Availability). The organization’s leadership (senior leaders) is responsible for determining the level to which they can accept the risk of an information system. The organization determines the acceptable level of risk based on the impact rating of that system. The impact rating is measured by how the system’s confidentiality, integrity, and availability could affect the organization’s processes.
Reference: https://www.sciencedirect.com/topics/computer-science/information-security-risk
Christopher Clayton says
Hi Vraj, good point in mentioning the CIA triad should the acceptable security risk arise. The CIA triad is the main foundation for the development of security systems and policies for organizations. It also plays a crucial role in keeping data secure from cyberthreats, and is vital to information security since it helps organizations stay compliant with regulations and ensures business continuity.
Dhaval Patel says
Acceptable information system security risk is the risk an organization is willing to take within IS in order to meet its desired goal. Risk threats are broken up into levels of low, medium, and high, and ultimately, at the end of the day, it will come down to the executives (head of information security, CIO, CTO) to determine what risk the organization is willing to take to please its stakeholders. When determining the acceptable level of risk, an organization needs to take into consideration their policies, goals and objectives, and other factors of the business. Along with the business factors, the risk formula can help come up with a quantitative value of the security risk.
Vacca, J. R. (2017). Computer and information security handbook (3rd ed.).
Miray Bolukbasi says
Hello Dhaval,
I agree with your points, but I would like to add something regarding the goal of the risk assessment and treatment. I believe that executives also invest in these not to just satisfy the stakeholders but also protect the company value and not to break any laws. As we learned from the frameworks as well, there are lots of responsibilities regarding the data and the information systems that should be protected.
Richard Hertz says
Acceptable Information Security Risk is the level of business risk related to information an organization is willing to operate under. This risk can come in many different ‘flavors’, but ultimately it is risk associated with information inside an organization.
The acceptable level of risk is determined by the senior management of the organization and should be approved (formally or informally) by the board of directors.
Information Security Risk can be quantified as the product of the adverse impact of an event or occurrence multiplied by the probability of that event occurring. This cost/risk is then assessed in the context of the operations of the organization and a decision is made to accept or attempt to mitigate the risk.
Jason Burwell says
Hey Richard,
Yes, I agree with your point at the end about cost/risk being assessed in the context of the operations and then a decision being made to accept or mitigate. In the end it normally comes down to $ for a business.
Jason Burwell says
What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
I believe the term means in basic terms, information is an asset to any business, and if the business evaluates the risks to the information asset and decides it can function without having to mitigate the risks, that would be an acceptable information system security risk.
Those in upper management of the business would be determining what this acceptable level of information system security risk is. They would know the structure of the business and have the necessary knowledge to make such a decision. Senior IT would most likely also be involved.
When determining the acceptable level of risk for the business, it’s going to come down to what hurts any business: losing money. If the cost/impact of the risk is minimal enough, it may be in the best interest of the business to accept the risk; on the other hand, if the cost to mitigate the risk is too steep for the business, one option would be to accept the risk.
Alexander William Knoll says
Acceptable information system security risk is best defined, in my opinion, as a risk to an information system which has minimal consequences and minimal probability of occurring. The reason acceptable risk exists is because risk cannot be completely eliminated, but very low exposure levels are generally acceptable and cost-effective. The people in an entity who determine what is an acceptable level of risk are generally the people at the top of the business, such as the CIO, the CFO, the CEO, along with the board of directors and the head of IT. In order for an entity to determine what is an acceptable level of risk, they need to look at the risk formula, which is threat x vulnerability x cost. If the level of risk is low, it can be determined as an acceptable level of risk.
Victoria Zak says
Alexander,
Most banks do accept the risk because it is out of their budget. A bank will not spend over $100,000 if a risk will cost them $30,000. It is unfortunate that banks turn down controls and accept the risk because of how costly some risks are.
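Putting the quantification in Richard’s post (impact multiplied by probability, then a decision to accept or mitigate), Alexander’s risk formula and the bank figures above into runnable form, as an added example that is not part of any commenter’s post; the register entries, the low/medium/high thresholds and the appetite value are constructed for illustration:

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float        # annual likelihood of the event (0.0 - 1.0)
    impact: float             # loss in dollars if the event occurs once
    control_cost: float       # annual cost of the candidate safeguard
    control_reduction: float  # fraction of expected loss the safeguard removes

def expected_loss(risk: Risk) -> float:
    """Impact multiplied by probability, as in the thread: expected annual loss."""
    return risk.impact * risk.probability

def residual_loss(risk: Risk) -> float:
    """Expected loss left over after the safeguard is applied (residual risk)."""
    return expected_loss(risk) * (1.0 - risk.control_reduction)

def rating(loss: float) -> str:
    """Low / medium / high bands; the thresholds are constructed for this example."""
    if loss < 10_000:
        return "low"
    if loss < 50_000:
        return "medium"
    return "high"

def decide(risk: Risk, appetite: float) -> str:
    """'accept' if the risk sits within appetite or the safeguard costs more than
    the loss it avoids, otherwise 'mitigate'. Accepting records an informed
    decision; it does not make the risk disappear."""
    before = expected_loss(risk)
    avoided = before - residual_loss(risk)
    if before <= appetite:
        return "accept"
    if risk.control_cost > avoided:
        return "accept"  # spending more than the loss avoided is not cost-effective
    return "mitigate"

# Constructed register: the bank entry mirrors the $100,000 control vs $30,000 loss case.
REGISTER = [
    Risk("bank: no MFA on client portal", 0.10, 300_000, 100_000, 0.90),
    Risk("malware on workstations", 0.50, 80_000, 15_000, 0.80),
    Risk("stale third-party SOC report", 0.05, 20_000, 2_000, 0.50),
]
APPETITE = 5_000  # constructed: expected annual loss management will live with

def evaluate(register=REGISTER, appetite=APPETITE):
    """Return {risk name: (expected loss, rating, decision)} for the register."""
    return {r.name: (expected_loss(r), rating(expected_loss(r)), decide(r, appetite))
            for r in register}

if __name__ == "__main__":
    for name, (loss, band, action) in evaluate().items():
        print(f"{name:35} ${loss:>9,.0f}  {band:6}  {action}")
```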
Dan Xu says
Information security system risks include the possible impact on the organization and its stakeholders due to threats and vulnerabilities related to the operation and use of information systems and the environment in which these systems operate. The acceptable information system security risk refers to the degree to which an organization and its stakeholders can bear risks under such conditions. Usually, the organization and its stakeholders (executive management such as the CEO, CFO, or professional IT technicians) determine what the acceptable level of information system risk is. With regard to how an organization determines what is an acceptable level of risk, it is determined by cost and business capability. Secondly, the risk level is evaluated by the way and time of the system’s processing each time it faces a risk.
Victoria Zak says
An acceptable information security risk is a risk accepted by a business in a situation and deals with the full consequences. The most common risks are from malware to password parameters. Within the organization, the executives such as the CEO, CFO, & CIO as well as the IT director can determine the acceptable level of a risk.
An organization determines what an acceptable risk is by looking at the security risk analysis. If the company believes that fixing the risk is out of their budget, they may choose avoidance or limitations to the risk.
For example, auditors push on banks that multi-factor authentication is very important for their clients and employees. However, most banks accept the risk because it is out of their budget and accept the consequences, knowing it is easier for a hacker to get into their server.
Bernard Antwi says
@Vic, I largely agree with your example of how auditors push for a risk control but get rejected or mitigated by companies due to cost constraints. Information risks refer to the vulnerabilities and threats that may impact the function of the services should those vulnerabilities be exploited by known and unknown threats. An example of an information security risk could be the likelihood of breach/unauthorized exposure of client data.
Corey Arana says
The term acceptable information system security risk: it is the level of risk that an organization or business is willing to accept. Management will determine what the level of acceptable information system security risk is. Management will determine if a risk is high, medium, or low. An organization will determine what is an acceptable level of risk by running different tests to see how each risk will impact the business. By running tests, the organization can figure out the level of each risk and the amount of damage the risk can potentially do to the business.
Bernard Antwi says
Information security risk management is the systematic application of management policies, procedures, and practices to the task of establishing the context, identifying, analyzing, evaluating, treating, monitoring, and communicating information security risks. Even though the first and most important responsibility of an IT security manager is taking ownership of existing risk management policies, understanding what processes are in place, and adjusting them to meet best practices, management should be responsible. Determining whether a risk is acceptable requires one to consider many variables. ISO/IEC Guide 51 (1999) speaks to the concept of designing and operating for risk levels as low as reasonably practicable. Tolerable risk [acceptable risk] is determined by the search for an optimal balance between the ideal of absolute safety and the demands to be met by a product, process or service, and factors such as benefit to the user, suitability for purpose, and cost effectiveness.