What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
Acceptable information system security risk is the acceptable level between prevention and threat that an organization has determined necessary for protection of their assets and security. As has been stated by Vacca, there is no guaranteed way to prevent all risk, so a determination must be made as to what preventative measures to put in place and to what degree to attempt to prevent hypothetical risk. These determinations are typically made by higher-ups at organizations, such as IT administrators, Network Engineers, and Information officers. Organizations typically use equations and formulas, such as the R = f(A, T, V, I) formula, to calculate risk, R being Risk, A being assets, V being vulnerabilities and I being impact. This can sometimes be harder to calculate depending on the nature of resources; for example, some are measured in dollar value, like physical resources, but resources like data and info may not have such an easy 1-1 value. Once this risk equation has been determined, acceptable risk can be concluded. Though this does not have a clean formula, methods such as asset evaluation, security controls, and data monitoring can all be used to reduce risk to an organization’s determined “acceptable level”, though it is important to remember that, as the ISACA framework states, “there is no absolute norm or standard of what constitutes acceptable and unacceptable risk”, so these standards will vary depending on the assets and controls available to the organization and users.
Prior to the readings and class, it never really dawned on me that a business accepts a certain amount of risk. After your post and this week’s reading, it is all about damage control. The other side of me wants to get in there and see the actual risk of being able to make the connection. Like you stated, though, it does not have a clean formula, and it makes me think about how the reality of all of this is when you are in the field.
The concept of “acceptable information system security risk” refers to the tolerance level an organization has for potential vulnerabilities or threats to its information systems. The determination of this acceptable risk level lies in the hands of individuals tasked with overseeing the organization’s overall security posture. This responsibility typically falls on the decision-makers within the organization, such as executive management or a specifically appointed risk management committee. It is their duty to assess the potential impact and likelihood of threats, weighing them against the organization’s operational needs. In determining the acceptable level of risk, several factors come into play, including the organization’s specific industry standards, legal and regulatory requirements, and its overall risk appetite. Additionally, organizations might consider utilizing frameworks, such as NIST or ISO, to guide their risk management approach. Ultimately, finding the balance between security and operational efficiency is essential in establishing an acceptable level of information system risk.
Michael, you’ve provided a comprehensive and accurate explanation of what acceptable information system security risk means and how it’s determined within an organization. It’s important that organizations have a clear understanding of their risk tolerance and that this responsibility falls to those overseeing security and risk management. That being said, decision-makers need to carefully consider all the various factors, including industry standards, legal requirements, and risk appetite, when establishing this balance between security and operational efficiency. Given the evolving nature of cybersecurity threats, do you think there are any emerging trends or specific challenges that organizations should be particularly on the lookout for when determining their acceptable level of information system risk?
Thank you, Alex. Like you rightly pointed out, there must be both security and operational balance as technology keeps evolving. Hence every organization must take its information security seriously.
The details of your summary were on point. The responsibility must be a nice balance of all the multiple stakeholders in the company analyzing and scrutinizing what the risks are, how they mitigate the risk, and ensuring it does not occur again.
The phrase “acceptable information system security risk” alludes to the degree of vulnerability a company deems tolerable within its information system. Parties responsible for defining this acceptable threshold typically comprise organizational entities such as Information Risk and Security Management teams. The process of establishing an acceptable level of risk involves a careful evaluation of potential threats and the corresponding business impact. This procedure includes a balanced analysis of the probable cost of security measures and their effectiveness against the possible detriment of a security breach. Thus, through a dynamic and iterative risk management methodology, an organization shapes its bespoke understanding of an acceptable level of information system risk, also by assessing components such as the severity of the outcome of hazard-related events and the probability that the event could occur.
Ikenna, your summary is concise, but I would like to add that the process of establishing an acceptable level of risk is not a one-off event. It needs to also be undertaken whenever there is a significant change in an organization’s activities or the environment in which it operates. That could mean updating some earlier written policies, improving security controls and continuous monitoring to ensure the right balance between risk, security and profit.
a. The goal is always for risk levels to be zero, but this is not always the case due to potential open systems, human behavior, and finite business resources. With a security professional’s focus being primarily on reducing the risk to acceptable levels, it is best to take into account risk tolerance vs risk appetite vs actual risk projections. In a sustainable business model, risk appetite should be lower than risk tolerance and actual risk can exceed risk appetite in various scenarios.
b. Within an organization, it can vary which upper-management personnel will determine the acceptable level of information system risk. This can depend on the industry, but in many cases the executives of an organization take primary responsibility for risk decisions. The Chief Information Security Officer (CISO), Chief Information Officer (CIO) or Chief Digital Officer (CDO) are responsible and accountable for information security risk management.
c. An organization determines what an acceptable level of risk is by treating the risk after the risk assessment and analysis. Risk analysis is necessary for treating risk. Risk treatment controls the risk so that it remains within acceptable levels. Risk levels are the likelihood that a threat appears, the likelihood that the threat can exploit the system vulnerabilities, and the likely impact the incident will have on the organization as a result of the harm that the org assets will sustain. This results in the function statement R = f(A, T, V, I). Once the risk level on business assets is analyzed, you can measure this against the risk tolerance and appetite of the business. Based on the goals of the organization, the decision-maker(s) can assume a risk disposition out of four: modified, shared, avoided, or retained (Mitigate, Transfer, Avoid, Accept). Risk sharing (or transfer) may be the most difficult when reducing risk levels since this entails bringing in a third party to either insure resources, handle business assets directly, or both. Once these risk treatment decisions are set and implementation is underway, there may be some remaining residual risks, and if these residual risks are unacceptable, the risk treatment process should be done again.
I agree with your statement that the goal is often for risk levels to be zero, but achieving zero risk is often impractical due to various constraints. Balancing risk tolerance against risk appetite and actual risk projections is highly accurate, but risk management is not just about minimizing risk but doing so in a way that aligns with the organization’s strategic goals and resource availability.
Yes, making sure that the overall risk management strategy ties back to the organization’s goals is monumental. Resource availability is interesting though because, from some of my experience, important members of an organization may not even be fully aware of their resource availability OR, and this is in many cases, are completely unrealistic about what their resource availability actually is. It seems the security professional could bring up a bunch of hard facts within the organization which could lead to various other conclusions.
The process of determining org risk is a fascinating subject to me, as it is stated that there is not a hard equation for calculating this. This creates an interesting dilemma where the process of calculating the risk will vary from organization to organization. I like the way that you incorporated the risk level equation into the process, as that is also where I would start. These more open-ended approaches to security are always fascinating to me, mostly because they allow us to see others’ perspectives on these issues.
Agreed, Andrew! The equation helps me to analyze this more as a qualitative approach. I am eager to understand the more quantitative approach that goes back to cost analysis.
As defined in Vacca (2017), an acceptable information system security risk is a scenario where the risk is retained by the business as the options to implement appropriate measures outweigh the cost of the incident.
An acceptable information system security risk is a decision made by an organization after doing a risk assessment and concluding that the security measures taken to protect their assets are good and have a low impact of vulnerabilities.
Senior leaders, e.g. CEO, CIO, CFO, and other stakeholders help define what is acceptable risk in accordance with business criteria, legal and regulatory aspects, operations, technology, finance, and social factors.
The organization determines an acceptable level of risk by setting risk evaluation criteria; the organization should consider the strategic value of the business information process and, if the event happens, what the cost is to everything related to them staying in business, from a financial standpoint to their reputation.
Marc, I like your analysis of the question. You mention that the organization determines the acceptable level of risk; I agree with that. However, I think you should also consider that a security advisor or consultant will be able to help determine the level of risk and its potential impact better than the management at the organization.
Marc, you pointed out something important that I did not think about. You mentioned social factors, which are equally important but not commonly mentioned in these types of conversations. Great analysis, and another point that stood out to me is when you mentioned reputation. Organizations would rather lose money than have mud slung on them. They can make money back, but once your name is soiled, it gets difficult to clean.
Acceptable information system security risk is the level of risk an organization is willing to tolerate regarding the possible consequences of an incident. It is a balance between the cost of mitigation and the possible consequences of an incident.
Executive management and the board typically make informed decisions on what levels of risk to accept. These individuals assess the organization’s available resources and risk tolerance.
Organizations typically determine an acceptable level of risk by conducting a risk assessment. A risk assessment identifies the organization’s assets, threats, and vulnerabilities. It also evaluates the likelihood and impact of different security incidents. Once the organization has a clear understanding of its risks, it can make informed decisions on what levels of risk to accept and identify appropriate measures to mitigate unacceptable risks. An organization may accept the risk of phishing attacks because the cost of implementing and maintaining a comprehensive phishing prevention solution is too high. However, the organization may also decide to encrypt all sensitive data because the cost of encryption is relatively low, and the potential impact of a data breach is high.
Excellent points. I would also suggest you keep in mind the cost of addressing the risk vs. not addressing it. Although this is done in the risk assessment, the risk assessment needs to be done on a scheduled basis. No matter how inexpensive the cost may seem on the surface, consider that you need the resources to do it and address it.
What I gleaned from the readings in this week’s texts are several factors. One is the monetary risk appetite and communication between technical and administrative. An immediate risk of this is securing the information system with the achievable and measurable goal of reducing the risk that the information faces to that within acceptable levels. Risk treatment means controlling the risk within an acceptable level. You can either reduce it by applying security measures, it can be shared by outsourcing, or it can be accepted, which means that in a sense the organization accepts the impact of the security incident. There are several personnel that can determine the risk level; these personnel are the CIO, Director of IT, and Network Engineer/Admin. Risk management constituent process and context establishment help determine the acceptable level of risk, but most important is that the interpretation of the levels be consistent throughout the organization and that the differences between the levels be clearly communicated to those responsible for providing input to the threat valuation process.
Hey Jeffrey,
It’s definitely true, as you mentioned, that there are several personnel that can determine the risk level. At the end of the day, although it is possible for a single individual to make such decisions, it’s best to consult with the team to determine the best decision for the company. I believe that bouncing ideas off multiple people who have different skills and knowledge will positively affect the overall decision.
Acceptable Information System Security Risk is a risk whose consequences an organization is aware of and is willing to tolerate. If a risk won’t significantly impact an organization’s operations, the organization can decide to accept the risk while designing or maintaining their network. After auditors and the IT team have completed the documentation of the risk level, management such as the CEO, CFO, and CIO would decide the acceptable level of risk based on its impact on the organization’s operations. If a risk doesn’t pose a threat to an organization’s confidentiality, integrity, and availability, the organization can decide the risk is acceptable.
Well said, Akintunde. Referring to your last sentence, would you consider natural disasters like floods or hurricanes to be an acceptable risk for a company in flood zones? Would you rather suggest that they move out to an entirely different area to avoid the risk of flooding?
Let me know your thoughts.
Hi Chidi,
Thank you for your response and question. To answer your question, I believe there are things to consider when making the decision to relocate or accept the risk. If my organization has been excelling in the area, I will accept the risk. I will have a backup of the important data in the cloud or a different location, and also get adequate insurance.
From the Computer and Information Security Handbook, information systems risk management was developed to analyze and assess the factors that affect risk, subsequently treat the risk and continuously monitor and review the security plan.
The term “acceptable information system security risk” refers to the level of risk that an organization can tolerate or label as reasonable in its information security operations. It measures how willing an organization is to accept potential negative outcomes in a bid to keep the business objectives intact. Acceptable risk is a crucial concept in the field of information security because it helps organizations strike a balance between security measures and the cost, convenience, and efficiency of their operations.
Risk decisions are business decisions, and it takes a combination of factors and many stakeholders to determine what is an acceptable level of information system risk. Some key personnel who are involved in making those decisions include the upper management like chief information officer (CIO), CISO, network engineer and IT manager.
Ultimately, determining an acceptable level of risk is a complex process that requires a holistic approach. There must be effective communication between the technical and administrative team; annual risk assessments and continuous monitoring are essential to adapt to changing threats and business conditions, ensuring that the acceptable level of risk remains appropriate over time.
The term acceptable information system security risk is a type of risk that the company or organization is willing to accept because the cost of limiting that risk is higher than the cost of impact of the risk itself.
Within an organization, the decision on what would be an acceptable level of information system risk would fall in the hands of upper management, such as the CEO; this can also be determined by a security specialist, if the company has one.
For an organization to determine the acceptable level of risk, they should evaluate the potential level of threat as well as possibilities of occurrence or reoccurrence. If the total cost evaluation of this is lower than the cost of fixing the risk, it would be an acceptable level of risk.
Acceptable information system security risk represents the level of risk a company is willing to accept regarding a specific situation. Executive management, like the CISO, makes the decision of what is an acceptable level of information system risk as these decisions directly affect the organization’s success. Although the CISO does have the say on what risk is acceptable, it’s best to keep in mind that the CISO will also have to work with their information security team to determine the best decision. In addition, a BIA (Business Impact Analysis) and security assessments are required to determine the level of risk. It’s also the most efficient way to get a better understanding of the risk itself and its impact to the organization.
When it comes to establishing an acceptable level of risk, it primarily depends on the requirements of an organization, and they must ensure that they can maintain optimal operational efficiency when accepting the risk. This means that they will have to consider cost, potential reoccurrence of the risk, weighing out the resources needed to deal with the risk, and if the risk will hold the organization back from their goals and operations.
I like the fact that you indicated the CISO needs to work closely with the information security team to make the final decision concerning the acceptable security risk. In some instances, stakeholders and business partners are also involved in making the decision.
You also stated that cost and reoccurrence of the risk are factors which play a major role in establishing an acceptable level of risk.
Good job.
Acceptable information system security risk refers to the level of a security risk that an organization or company is willing to ‘tolerate’ or consider reasonable for the operation of its information systems and the protection of its data and assets. It’s the balance found between the security risks the system faces and what is gained from said system; it’s also acknowledging that it’s impossible to fully secure a system and completely eliminate all risks, so it refers to the middle ground that is negotiated. No one person or group determines what is an acceptable level of risk; it’s determined with a collective effort from all levels within the organization, from executive leadership, legal and compliance teams, owners and department heads, risk management teams, and security auditors (both internal and external). They can go about determining an acceptable level of risk by following this set of processes (not exclusively, but just a general prescription):
Risk Assessment: where they conduct an assessment that ID’s and evaluates potential threats, vulnerabilities and impacts on information systems and assets.
Risk Analysis: Analyze the results of the assessment to understand likelihood and potential of identified risks and consider risk appetite and tolerance
Risk Mitigation: Controls and procedures/policies put in place to mitigate the ID’d risks
Risk Acceptance: Leftover risk that can’t be completely eliminated; here’s where the acceptable risk comes in. Together they’ll determine, of what is left, what risk can be deemed as acceptable using the organization’s risk appetite
Monitoring and Review: The organization should continuously monitor its security posture, reassess periodically and adjust risk tolerance as needed for changing circumstances.
The concept of “acceptable information system security risk” is a critical aspect of information security practices. It pertains to situations where organizations are confronted with security risks associated with their information systems. While these risks have been identified, the steps or costs required to mitigate them are often deemed too high and/or the likelihood of the risk occurring is minimal. Business process owners, with support from their IT departments, may choose to make an informed decision to accept these risks as a calculated part of their overall risk management strategy.
An organization usually makes this decision by performing a comprehensive risk assessment. During this assessment, organizations evaluate various factors to gauge the acceptability of the security risk. Key elements in this evaluation include the likelihood, frequency, and potential impact of the risk occurring. This can often be quantified using the Risk = Likelihood * Impact formula, which provides a numeric representation of the risk’s severity.
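The risk-treatment loop described in the a/b/c post above (score R = f(A, T, V, I), compare against appetite and tolerance, choose modify/share/avoid/retain, re-treat unacceptable residual risk) and the Risk = Likelihood * Impact formula in this post, worked through as an added example; this is not code from the course readings or any commenter. It assumes a 1-5 ordinal scale for likelihood and impact, constructed appetite and tolerance thresholds with appetite below tolerance, and a constructed sample register.

```python
"""Risk-treatment loop, added as an illustration (not code from the course readings or any
commenter).  Assumes a 1-5 scale for likelihood and impact and constructed appetite/tolerance."""
from dataclasses import dataclass, replace
APPETITE = 6    # assumed: at or below this the risk is simply retained
TOLERANCE = 12  # assumed: above this the risk must be treated before it can be accepted

@dataclass(frozen=True)
class Risk:
    asset: str           # A
    threat: str          # T
    vulnerability: str   # V
    likelihood: int      # 1-5 (0 only after an 'avoid' treatment)
    impact: int          # I, 1-5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # Risk = Likelihood * Impact

@dataclass(frozen=True)
class Treatment:
    option: str            # "modify" (mitigate), "share" (transfer) or "avoid"
    control: str           # the control or contract applied
    likelihood_cut: int = 0
    impact_cut: int = 0

def disposition(score: int) -> str:
    """Inherent score -> decision: retain, retain but monitor, or treat."""
    if score <= APPETITE:
        return "retain"
    if score <= TOLERANCE:
        return "retain-monitored"   # above appetite but within tolerance
    return "treat"

def residual(risk: Risk, t: Treatment) -> Risk:
    """Estimate the risk left after a treatment; only 'avoid' can drive a score to 0."""
    if t.option == "avoid":        # the risky activity is discontinued
        return replace(risk, likelihood=0)
    if t.option == "share":        # insurer or third party absorbs part of the impact
        return replace(risk, impact=max(1, risk.impact - t.impact_cut))
    if t.option == "modify":       # a control lowers likelihood and/or impact
        return replace(risk, likelihood=max(1, risk.likelihood - t.likelihood_cut),
                       impact=max(1, risk.impact - t.impact_cut))
    raise ValueError(f"unknown treatment option {t.option!r}")

def run_register(register, plan):
    """Per asset: inherent score, disposition, residual score and an accept/re-treat flag."""
    rows = {}
    for risk in register:
        row = {"inherent": risk.score, "disposition": disposition(risk.score), "control": None}
        t = plan.get(risk.asset)
        if row["disposition"] != "treat":       # within tolerance: retained as is
            row.update(residual=risk.score, accepted=True)
        elif t is None:                          # above tolerance, no plan: back to treatment
            row.update(residual=risk.score, accepted=False)
        else:                                    # residual must itself fall within tolerance
            r = residual(risk, t)
            row.update(residual=r.score, accepted=r.score <= TOLERANCE, control=t.control)
        rows[risk.asset] = row
    return rows

# Constructed sample register and treatment plan (illustrative values only).
REGISTER = [
    Risk("customer database", "data breach", "unencrypted backups", 3, 5),
    Risk("mail users", "phishing", "no link rewriting", 4, 2),
    Risk("payment processing", "card fraud", "in-house card storage", 3, 5),
    Risk("legacy FTP service", "credential theft", "cleartext authentication", 5, 3),
    Risk("HR laptops", "device theft", "no full-disk encryption", 5, 4),
]
PLAN = {
    "customer database": Treatment("modify", "encrypt backups at rest", impact_cut=3),
    "payment processing": Treatment("share", "outsource card handling to a processor", impact_cut=2),
    "legacy FTP service": Treatment("avoid", "decommission the FTP service"),
    "HR laptops": Treatment("modify", "asset tagging and cable locks", likelihood_cut=1),
}
```

Calling `run_register(REGISTER, PLAN)` shows the phishing risk retained under monitoring, three treated risks brought within tolerance, and the laptop-theft risk still at 16 after its control, which is the case the post says must go through treatment again.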
I think you make a great point here, Akiyah. An organization may decide to accept certain risk even after having the full analysis on the impact of said risk to their business. This is something that could put security professionals in a very interesting position. At the end of it all, I think my concern as an aspiring security professional is to understand where liability falls when this is the case. And, from my understanding, this could fall back on the organization based on national IT guidelines but also depends on what kind of breach takes place. Of course, I am still learning as we all are..
Ashley, you raise an important question regarding liability in the event of a security breach. It’s crucial to understand who holds the authority to make daily decisions in such cases. For instance, consider a scenario where a web server has vulnerabilities that need patching, but business managers are eager to urgently roll out a new application.
How to Prevent API Breaches: A Guide to Robust Security
With the growing reliance on web applications and digital platforms, the use of application programming interfaces (APIs) has become increasingly popular. If you aren’t familiar with the term, APIs allow applications to communicate with each other and they play a vital role in modern software development.
However, the rise of API use has also led to an increase in the number of API breaches. These breaches occur when unauthorized individuals or systems gain access to an API and the data it contains. And as victims can attest, breaches can have devastating consequences for both businesses and individuals.
https://thehackernews.com/2023/09/how-to-prevent-api-breaches-guide-to.html
Nowadays, when taking on a new venture, you must be aware of the risk of a potential problem. Acceptable information system security risk is the company understanding that there are potential risks, and that they are okay with the results associated with the risk. Risk assessment is not the responsibility of one person or a sole business unit. Of course, senior management has the final sign-off, but that still does not happen without the input and scrutiny from other stakeholders. Risk assessments and what is an acceptable level of risk are the type of topics steering committees would take up and discuss.