What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
Acceptable information security risk is the risk the company/senior management is willing to accept. The determination of the acceptable risk level is done by assigning a value to the assets, and then analyzing how important the asset is to the company and also how much that asset would affect the company if lost or compromised.
Hi Jill,
Expanding on the determination of acceptable risk, I would include the necessary committee involved in determining the value of assets as well as other non-tangible factors associated with a risk, such as reputational risk. More than likely, this would include a CTO/CIO or a board of directors.
Hello Jill,
I liked how you expressed that the determination of the acceptable risk level is done by assigning a value to the assets. It is critical for every organization to know the value of the assets they own, because it gives them an idea of whether it is worth taking the risk or not. However, it must not end there: assessing the future of the business in its entirety, the kind of assets they own, and even the environment plays a crucial role in making a well-informed decision.
I would first like to start off by quoting chapter 34: “Substituting the unachievable and immeasurable goal of fully securing the information system with the achievable and measurable goal of reducing the risk that the information system faces to that within acceptable limits.” As the reading states, you cannot remove risk in its entirety. Therefore, you itemize each information security asset and prioritize those assets based on their likelihood of compromise. You mitigate as much risk as feasible that financially makes sense and then accept the remainder of the risk that remains. Oftentimes the risk that is deemed “acceptable” has very little impact or has very little chance of coming to fruition in the first place.
Hey Nicholas,
I completely agree. It’s never a matter of whether or not the information will be leaked but rather when the information will be leaked and as a business you have to accept the unfortunate scenario that every single thing you do can be vulnerable to some kind of an attack.
Acceptable information system security risk is a risk that an organization is willing or prepared to accept. This can be a loss, but it is a reasonable amount that an organization is willing to deal with based on the decision made by management. Usually, it is determined by the business management group, which includes business process owners supported by IT, and the decision must be communicated to senior management and the board. This begins with whether the organization has chosen to modify the risk and implement appropriate security measures in order to reduce it to an acceptable level. According to Vacca, “Risk acceptance criteria depend on the organization’s policies, goals, and objectives, and the interests of its stakeholders.” Organizations look at various factors like finance, business criteria, technology, legal and regulatory aspects, and operations. This helps the organization to pick reasonable residual risks based on its value, risk impact, and importance.
Hi Shepherd,
I like how you included information regarding the choice of modifying a risk and implementing security measures. Although, I would think that even implementing security measures would be a part of the considerations for acceptable risk.
Hi Shepherd,
It is true that risk acceptance criteria depend on the organization’s policies, goals, and objectives, and the interests of its stakeholders. Most times, when an organization’s risk appetite is low, its risk acceptance is almost low as well.
An acceptable information system security risk is a risk that the company is willing to accept and that has very little weight as to the trade secrets or privacy of such a company. The level of risk of certain documents is weighed by a specific group of people within the company, who can determine how important and crucial the documents are to the company and how much they are worth. Based on the reading, it seems like something that would be seen as an acceptable level of risk is something that would have very little effect on the company should the document be leaked.
Hi Matthew,
Even beyond trade secrets or privacy to a company, a company can choose to accept a risk that simply costs more to mitigate/remove than to deal with the potential consequences later on. Although I do agree that trade secrets or privacy should be considered as a part of the process of determining acceptable risk.
Acceptable information security risk is the point at which the cost and effort of further risk mitigation or reduction efforts outweigh the benefits of those actions. There is no one-size-fits-all answer to what that point is. It is something that must be determined by the Board or top-level management of a company based on the information provided by senior IT, InfoSec, and risk management staff. In a medium to large enterprise, providing that information to top management along with recommendations for risk reduction/acceptance actions would generally fall to the CISO, or CIO/CTO. This determination is made from a combination of information gathering (risk assessments), risk reduction actions (tools and policies in place), insurance (risk transferred), and the overall risk tolerance of the business and leadership.
Hey David,
After having read your post on this question I realized that it never really hit me that companies most definitely choose to not mitigate some risks because the cost of doing so outweighs the sensitivity of that information they are holding. I guess this just adds another strategy to the whole risk mitigation technique.
There is absolutely a point where the cost of protection outweighs the thing being protected. To make a physical analogy, a bank might be willing to spend the money for a huge, complex safe because they store many thousands of dollars of cash and valuables in addition to being a highly visible target for thieves. It would be inadvisable for me to spend nearly that amount to purchase a safe of the same size and complexity for the few hundred dollars in valuables in my apartment.
The “cost” may not be monetary. It might be labor, or opportunity cost, or even a reduction in productivity. Another example of “not worth it” would be spending a lot of developer time to implement the strongest possible encryption on messages sent by a client-server program. If the message contains credit card numbers, it is worth it to put the extra protections in place. However, if it is just a heartbeat status message, the value of the message is so low and the data becomes useless in a few minutes. So in that case there is no upside to encryption.
Acceptable information system security risk is the risks that are accepted in an information system by an organization. To an extent, it’s the point that the costs of a given risk are less than the mitigation efforts to reduce or eliminate a risk. The roles responsible for determining an acceptable level of risk should be made by the board of directors or another high-level manager such as the CIO. This is dependent on the size of an organization, but usually, it should be associated with higher management in a business. Organizations can determine an acceptable level of risk based on a variety of assessments. These include information gathering assessments, business requirements and environments, circumstances required to operate, and costs that can be calculated based on acceptance, mitigation, or otherwise dealing with a risk.
Hey Ken,
Do you think it necessary to include in your definition “frequency of likelihood of occurrence” as a factor in addition to the cost the organization would incur to mitigate the risk? I agree that the cost to mitigate something heavily impacts the decision but I feel frequency or likelihood of it to occur also should be taken into consideration when determining risk mitigation.
The acceptable information system security risk means when an organization decides what is the proper risk to accept in exchange for the benefits the organization will have in the future. The board of directors, CIO and IT directors within the organization determine this type of risk. Each organization is different in regard to an acceptable level of risk because each company is different. The situations may vary, and depending on each risk, it should be put into different buckets. For example: what industry, how big is the company, how many people will it affect? These factors are huge determinants for setting an acceptable level of risk.
I agree with your comment on what determines setting an acceptable level of risk, but would also include additional factors like how much it would cost to mitigate the risk vs. how much it would cost to accept the risk. Regardless of what size the company is, if there isn’t a cost benefit in mitigation, the risk will be accepted.
An acceptable information system security risk would be an event that is deemed to not be of high enough risk to mitigate. Depending on the asset at risk, the risk analysis team will assign either a monetary number or another risk metric for less tangible assets; the resulting calculation will help guide the analysis to find an acceptable level of risk. These numbers will be based on a variety of factors like the likelihood of the event happening and the potential damage that would occur if the event occurred. If an event is very unlikely to happen and would cost the company very little, it would most likely be deemed a low-risk incident. Some inexpensive low-risk events may be left unmitigated; this is called risk acceptance. However, if the likelihood of an event was higher and would be very expensive monetarily or by other intangible metrics, this event would be deemed a high-risk incident. High-risk incidents must be managed by avoiding, modifying, or sharing the risk. Managing risk events related to information security and what to do about them is the job of top-level management, particularly the CIO and the director of IT.
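The two posts above (the cost-of-mitigation argument and the likelihood-times-damage scoring) describe a calculation without showing one. The script below is an added worked example, not part of any post on this thread and not from the course reading: it scores a small constructed risk register with the standard annualized loss expectancy formulas (SLE = asset value × exposure factor, ALE = SLE × annualized rate of occurrence) and then applies the decision rule the posts describe. The asset values, exposure factors, occurrence rates, control costs and the $15,000 tolerance are all made-up sample figures, and the three-way accept / mitigate / escalate outcome is an assumed simplification of the avoid-modify-share choice for risks a cost-effective control cannot bring within tolerance.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a (constructed) risk register; money figures are annual USD."""
    name: str
    asset_value: float      # value of the asset exposed to this risk
    exposure_factor: float  # fraction of asset value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence, before any control
    control_cost: float     # annual cost of the proposed mitigation
    mitigated_aro: float    # annualized rate of occurrence if the control is in place


def single_loss_expectancy(r: Risk) -> float:
    """SLE: what one occurrence of the event costs."""
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk, aro: float) -> float:
    """ALE: expected loss per year at a given occurrence rate."""
    return single_loss_expectancy(r) * aro


def net_benefit_of_control(r: Risk) -> float:
    """Risk reduction bought by the control minus what the control costs.
    Negative means the mitigation costs more than the risk it removes."""
    reduction = annualized_loss_expectancy(r, r.aro) - annualized_loss_expectancy(r, r.mitigated_aro)
    return reduction - r.control_cost


def decide(r: Risk, tolerance: float) -> str:
    """Apply the acceptance rule from the discussion:
    - accept if the current expected loss is already within tolerance;
    - mitigate if the control pays for itself and brings residual risk within tolerance;
    - escalate (avoid, transfer/share, or get explicit sign-off) otherwise.
    'tolerance' is the maximum annual expected loss management will accept."""
    current = annualized_loss_expectancy(r, r.aro)
    if current <= tolerance:
        return "accept"
    residual = annualized_loss_expectancy(r, r.mitigated_aro)
    if net_benefit_of_control(r) > 0 and residual <= tolerance:
        return "mitigate"
    return "escalate"


def evaluate_register(register: list[Risk], tolerance: float) -> dict[str, str]:
    """Return a name -> decision map for the whole register."""
    return {r.name: decide(r, tolerance) for r in register}


# Constructed sample register; every number here is illustrative only.
SAMPLE_REGISTER = [
    # Low-value, short-lived data: accept even though it happens often.
    Risk("heartbeat status message disclosure", 500, 1.0, 12, 20_000, 0.1),
    # High-value data with an affordable control: mitigate.
    Risk("customer card data breach", 2_000_000, 0.5, 0.1, 30_000, 0.01),
    # End-of-life server where replacement costs more than the loss it prevents:
    # the control is not cost-effective but the risk exceeds tolerance, so escalate.
    Risk("legacy end-of-life server outage", 300_000, 0.4, 0.5, 100_000, 0.05),
]
TOLERANCE = 15_000.0  # assumed annual expected-loss appetite set by management


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:40s} ALE=${annualized_loss_expectancy(r, r.aro):>10,.0f} "
              f"net control benefit=${net_benefit_of_control(r):>10,.0f} "
              f"-> {decide(r, TOLERANCE)}")
```

Running it prints one line per register entry with its expected annual loss, the net value of the proposed control, and the resulting decision. The point to take from the third row is the one the replies keep returning to: a risk above tolerance whose only known control costs more than the risk itself cannot simply be "accepted" by the analyst; it goes back to management to be avoided, transferred, or formally signed off.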
According to NIST SP 800-16, the term “acceptable information system security risk” is “the level of Residual Risk that has been determined to be a reasonable level of potential loss disruption for a specific IT system.” When an organization has metrics for its risk register according to different ratings and their impact on business continuity, the top management, i.e. the CIO, Director of IT and managing directors, will usually establish whether the cost implication of a vulnerability becoming a risk is worth investing to protect the organization or completely eliminating such vulnerabilities. A good example is legacy tools used by organizations when they are able to make a decision based on End of Life/End of Support.
One lesson that acceptance of risk has taught many organizations is that the dynamics of risk keep changing, and an acceptable risk today may not be an acceptable risk tomorrow; therefore the risk ratings and registers have to be updated to take cognizance of these dynamics.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-16.pdf
Acceptable information system security risk is the level of residual risk an organization is willing to take after risk mitigants and countermeasures have been implemented. This should align with an organization’s risk appetite statement and risk tolerance level and consider the acceptable amount of disruption to a specific system or application. This is usually discussed among a number of executives and stakeholders, but the ultimate decision makers are the Chief Information Security Officer and the Chief Information Officer. The Chief Risk Officer should also be consulted, as well as any data owners whose information resides within the system. In addition to the above considerations, a risk assessment should be performed in order to determine the severity level of risk. Consideration given to the impact and likelihood should also take into account how critical the confidentiality, availability and integrity of the data is and what service level agreements and recovery time objectives exist. Once the risks are identified, a cost-benefit analysis should be performed to help determine the number of controls, mitigants, and countermeasures to implement in order to determine the residual risk. Once the level of risk acceptance has been identified, this should be documented along with the rationale and shared with senior executives and stakeholders (after approval by the CIO/CISA).
Acceptable information system security risk refers to certain risks whose effects can be tolerated. These risks do not pose a very high magnitude of loss in the business making. The business can take them. This means that individuals or the company are willing to bear the risks. In an organization, the management, in collaboration with the team responsible for information technology, often determines acceptable risks. The organization’s players, who could also be directly affected by the threat, are also involved. They do this by choosing how the risk can affect its operation. An acceptable risk should have minimal effects on the process, and it should also be easy to caution people against it. This risk is reasonable because the benefits it brings are far more than the risk it poses (Xu, Sun, & Chen, 2022). These risks can be tolerated as they enjoy their use.