What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
James Nyamokoh says
The term “acceptable information system security risk” refers to the level of risk that an organization is willing to tolerate while pursuing its business objectives. This is not a static value but a balance between the cost of mitigating a risk and the potential damage from that risk. Typically, senior management, like the Chief Information Officer (CIO) or a Risk Management Committee, assesses the organization's risk tolerance to determine this level of risk. Organizations assess acceptable risk levels by evaluating the impact of potential threats, vulnerabilities, and their likelihood, then balance these factors against the cost of security measures and business priorities. Standards like ISO/IEC 27000 or frameworks such as the NIST Risk Management Framework (RMF) assist in structuring this assessment.
Gbolahan Afolabi says
As a senior IT Auditor, what is management’s attitude towards accepting the risk involved in new business ventures? How often do you see an organization bend their risk appetite when trying to compete in business?
James Nyamokoh says
Hi GB,
When it comes to new business ventures, management often has to strike a balance between embracing innovation and exercising caution. In very competitive markets, some companies may stretch their risk limits in pursuit of growth prospects. While it’s important to assess and reduce risks, there are times when businesses knowingly accept risks to seize these opportunities. However, while this flexibility can help them stay competitive, it’s equally important to ensure that these risks don’t jeopardize the long-term success of the business.
Nelson Ezeatuegwu says
Hi James,
Thanks for your wonderful insight! At what point do organizations implement compensating controls? Do they go along with baseline controls, or come after a routine assessment when the baseline is not working as expected?
Aisha Ings says
Acceptable information system security risk occurs when an organization decides not to take steps to mitigate a risk but instead accepts it and is prepared to handle any potential consequences if the risk occurs. This decision is determined by board members and business execs. To determine what level of risk is acceptable, the organization needs to evaluate the risks by conducting risk assessment techniques such as a risk analysis or cost-benefit analysis.
Jocque Sims says
Hello Aisha,
Your post resonates with my thoughts. Without having a stake in the outcome of any company or organization, after deciding to accept any and all consequences resulting from not taking action to mitigate risks, such as not responding to a network vulnerability due to its risk being deemed minor, I wonder if, in today’s information technology (IT) workforce, this has led to more catastrophic consequences that could have been avoided.
Cyrena Haynes says
Acceptable information system security risk refers to the level of risk an organization is willing to tolerate without implementing additional safeguards. This balance is often based on the cost of mitigation versus the potential impact of the threat. The Chief Information Officer (CIO), along with key stakeholders such as senior management and the risk management team, typically determines the acceptable level of risk. Organizations assess acceptable risk by evaluating their risk tolerance, business objectives, and the potential consequences of security incidents.
James Nyamokoh says
Hi Cyrena,
I share your perspective. It’s true that decisions are usually made by the CIO and other important stakeholders involved in the process. This viewpoint aligns well with the concepts discussed in Chapter 34 where risk management frameworks focus on keeping risks within acceptable limits, based on an organization’s goals and day-to-day operations. While I agree that a cost-benefit approach is important, I would argue that risk assessments should adapt as threats evolve, rather than relying on fixed metrics like cost alone. This would help organizations stay ahead of emerging risks. A question to think about: How can organizations keep their risk tolerance flexible enough to handle new and unexpected threats without disrupting their business operations?
Cyrena Haynes says
Hi James,
You are absolutely correct, organizations need to stay ahead of emerging risks. To accomplish this, all organizations should adopt an agile risk management framework inclusive of agile decision making. Companies should continuously evaluate and adjust their risk tolerance. There also needs to be continuous monitoring and assessment of current processes, as well as continuous learning and analysis of emerging threats. This can be done by staying abreast of industry news as well as through automated detection, to understand which threats are most common to the organization. Knowledge of emerging threats can help organizations run simulations and scenario-plan the best course of action if they are attacked by an emerging threat, and shorten response times.
Christopher Williams says
In an organization, senior management or the executive team usually decides the acceptable level of risk for the information system. They often work together with the risk management, information security, and compliance teams to make this decision. Other key people, like business unit leaders and legal advisors, may also give input, as they understand the company’s goals and how risks could affect them.
An organization decides the acceptable level of risk by going through a detailed risk assessment process, which includes these steps: identifying risks, assessing their impact, evaluating how likely they are to happen, analyzing the risks, creating strategies to reduce them, balancing risks with controls, defining the organization’s risk tolerance, and documenting and sharing the findings.
Vincenzo Macolino says
I like how you mentioned that risk acceptance is not just determined by an organization's executives, but is communicated throughout IT and business functions. This is key in determining if a risk is worth accepting, as it may have effects that go beyond just governance. Furthermore, you gave a detailed explanation of the process of determining whether a risk should be accepted. What step do you think is the most important?
Christopher Williams says
I believe evaluating the impact is the most critical part. It directly affects how much money will or won’t be spent.
Brittany Pomish says
Similar to Vincenzo’s comment below, I like how you mentioned this isn’t just determined by the executive level. My current professional role is an internal audit manager, and we conduct risk assessments with a variety of stakeholders. The way our company approaches risk assessments is interview based. This way we send risks to multiple stakeholders, at varying levels, and have them rank risks, and note acceptance. That way the individuals “closest to the work” have a say.
Gbolahan Afolabi says
Risk can be defined as the likelihood of a threat multiplied by the impact of the threat on the organization’s assets, personnel, and operations. It is often expressed as R = L x I.
Organizations can choose to deal with risk in different ways such as ignoring, accepting, transferring or mitigating the risk. An organization may decide to accept risk after determining the likelihood of a given threat and the impact it may potentially have on the organization. When an organization decides to accept an information security risk, it is accepting the impact of a threat on its operations, assets, and personnel. An organization may choose to accept the risk of impact when it deems the cost of mitigating the risk and avoiding impact is higher than the cost of the impact. In regulated industries, it may mean that the profit of conducting business in a specific manner may be higher than incurred fees and fines. Senior management (including the CIO), board members, and legal often work with the risk management office in deciding whether to accept a risk or deal with it through another means. Risk can be managed and assessed by incorporating various standards and frameworks such as COBIT 5 and NIST.
Christopher Williams says
Your explanation of the risk formula R = L x I (Risk = Likelihood x Impact) is a clear way to understand how organizations evaluate risks. By looking at both how likely a threat is and how big the impact would be, businesses can decide whether to act on a risk or not. Sometimes, the cost of fixing a risk might be higher than the damage it could cause, so companies might choose to accept the risk instead of spending resources to mitigate it. This is especially true in industries where fines for certain risks are manageable, and the potential profit outweighs the cost of those risks.
Vincenzo Macolino says
Risk acceptance means that an organization will not take action relative to a particular risk, and it is willing to accept the loss if it occurs. In accepting risk, the risk is known, and it is an informed decision by management. More specifically, business management decides what risks it is willing to accept with the support of the IT department, or IT support function. Risk acceptance is also communicated to senior management and the board of directors. An organization will determine an acceptance of risk if the cost of mitigating the risk is higher than the cost of the risk's impact.
Aisha Ings says
The cost benefit analysis plays a role here by weighing the expenses of reducing the risk against the possible consequences of the risk itself. Opting to embrace risks allows the organization to concentrate its efforts on areas with higher importance while also staying alert and prepared to manage any accepted risks should they become a reality.
Benjamin Rooks says
One thing that your response also reminds me of is the continuous issue of diminishing returns within security. Many of the steps that we can take to mitigate risk are initially low cost, but the more specialized and more secure we attempt to make a system, the more costly it will become.
Ericberto Mariscal says
Acceptable information security risk is the amount or level of risk exposure an organization is willing to accept or allow in order to meet its goals. Acceptable risks exist because, due to the complexity of technology, human behavior, and cost, zero risk is not possible. The shareholders/board would determine the acceptable level of information system risk for their organization. The organization will determine what is an acceptable level of risk from a business perspective, such as cost vs. risk likelihood and level of impact. The size of the business can be a factor, as a small start-up would not be able to spend nearly as much money on security measures as a bigger organization.
Vincenzo Macolino says
When looking at risk acceptance, I think we share the same thought that cost has a large impact on whether an organization is willing to accept a risk or not. I like how you gave the example of a small start-up, and how that business would likely have to accept more risk compared to a bigger organization. However, you mentioned that shareholder/board executives would determine the acceptable level of risk that the organization would be willing to take on. Some may argue that risk acceptance is communicated amongst IT and Business Functions, as well as governance.
Ericberto Mariscal says
Hi Vincenzo,
That is a valid point! I do agree that collaboratively different departments like IT, Business, and Legal may certainly voice their opinions and guidance on the acceptable level of risk, however I believe that the final determination lies at an executive level.
Nelson Ezeatuegwu says
“Acceptable information system security risk” refers to how an organization makes decisions on the level of risk the business is willing to tolerate in relation to information systems. Executives and senior management work with the risk management team to determine what the acceptable level of information risk is; the organization identifies risks according to defined enterprise thresholds and measures the level of impact to the business against the cost of mitigation before deciding on the level of risk to accept.
Neel Patel says
Acceptable information system security risk is the amount of risk an organization is willing to accept in its information systems without pursuing any security measures or preventive actions to reduce it. Risks are almost inevitable, and this concept recognizes it. Senior management and executives are responsible for determining acceptable risk.
For an organization to determine acceptable risk, they will have to assess risk to identify possible threats or vulnerabilities in information systems. Then, they can conduct cost-benefit or risk analyses to influence their decision. Ultimately, the outcome will be dependent on what the organization’s missions, values, and goals are.
Jocque Sims says
An acceptable information systems security risk means that no action is taken relative to a particular risk, and loss is accepted when and/or if it occurs. It should only be accepted by business management in collaboration with the information technology (IT) department or IT support function.
An organization determines acceptable risk through risk analysis. As a response option, after a risk analysis has concluded that the risk exceeds risk tolerance levels, no action is taken relative to the particular risk.
Benjamin Rooks says
Acceptable information security risk is the minimal amount of risk accepted by a business when balancing security with its deliverables. Deciding what is an acceptable amount of security risk is a decision that needs to be made between all levels of the organization. While the final decision ultimately rests with the CIO, an experienced CIO should be taking the recommendations of all levels of associates under them. An acceptable level of risk is determined by finding the maximum amount of security controls that can be put in place while still retaining functionality of the business.
Andrea Baum says
Acceptable risk arises because devices connected to the internet, along with employee actions, always carry some degree of vulnerability. Acceptable risk occurs because there is always some degree of vulnerability. Risk analysis evaluates the likelihood of a security incident by examining the relevant threats and vulnerabilities. It then combines this likelihood with the potential impact of the incident to determine the overall system risk. Conducting a risk analysis is essential before deciding how to manage the risk.
Neel Patel says
Hi Andrea!
Your response was thorough and invoked some new thoughts about this concept. I particularly liked when you said risk analysis evaluates the frequency of a security issue by closely monitoring threats. I remember a previous professor from a prior Risk course talking about this topic. A risk matrix can help to place the impact of risk based on frequency and severity. The placement is valued by those who assess risk as they can either decide to ignore it or pursue any mitigation strategies. Thank you for your thoughtful response as it allowed me to make new connections!
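As an added example (not code from the original discussion or any textbook), the following Python puts the R = L x I formula from Gbolahan's post, the cost-versus-impact acceptance test several commenters describe, and the frequency/severity risk matrix Neel mentions into one runnable risk-register evaluator. The 1–5 ordinal scales, the tolerance and escalation thresholds, the register entries and their cost figures are all constructed assumptions for illustration; a real organization defines its own scales and thresholds.

```python
"""Risk-register evaluation using R = L x I, a tolerance band and a
cost-versus-impact acceptance test.

Every scale, threshold, register entry and cost figure below is a constructed
illustration, not data from any real organization.
"""
from dataclasses import dataclass

# Ordinal scales for a 5x5 likelihood/impact matrix (assumed values).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Thresholds on the R = L x I product (assumed). R <= TOLERANCE is inside the
# organization's appetite; R >= ESCALATE exceeds any delegated acceptance
# authority and must go to senior management / the board.
TOLERANCE = 6
ESCALATE = 15


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str
    impact_cost: float      # estimated loss if the risk materializes (constructed)
    mitigation_cost: float  # estimated cost of the control that would reduce it


def score(risk: Risk) -> int:
    """R = L x I on the ordinal scales."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def band(r: int) -> str:
    """Place a score in a matrix band: low / medium / high."""
    if r <= TOLERANCE:
        return "low"
    if r < ESCALATE:
        return "medium"
    return "high"


def decide(risk: Risk) -> str:
    """Treatment decision for one register entry.

    - high:   escalate; acceptance is not a delegated decision.
    - low:    accept; the risk is already inside the tolerance band.
    - medium: cost-benefit test. Accept only when the control would cost more
              than the loss it prevents, otherwise mitigate.
    """
    b = band(score(risk))
    if b == "high":
        return "escalate"
    if b == "low":
        return "accept"
    if risk.mitigation_cost > risk.impact_cost:
        return "accept"
    return "mitigate"


def evaluate(register: list[Risk]) -> dict[str, tuple[int, str, str]]:
    """Map each risk name to (score, band, decision)."""
    return {r.name: (score(r), band(score(r)), decide(r)) for r in register}


# Constructed sample register.
REGISTER = [
    Risk("Unpatched internal test server", "possible", "minor", 5_000, 2_000),
    Risk("Phishing leading to credential theft", "likely", "major", 400_000, 30_000),
    Risk("Known vulnerability in legacy VPN appliance", "possible", "moderate", 120_000, 15_000),
    Risk("Single-vendor SaaS outage", "unlikely", "major", 20_000, 60_000),
]

if __name__ == "__main__":
    for name, (r, b, d) in evaluate(REGISTER).items():
        print(f"{name:45s} R={r:2d} band={b:6s} decision={d}")
```

Note that the low-band entry is accepted even though mitigation would be cheap: being inside the tolerance band is what makes acceptance a routine decision, while the medium band is where the cost comparison actually drives the outcome. A real register would also record who accepted each risk and when it is due for re-review.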
Brittany Pomish says
The Vacca textbook defines “information security risk” as the likelihood of an information security event (e.g., breach or failure of safeguard) and its consequences. An organization’s senior management, including the CIO, risk management team, and other key stakeholders, are typically responsible for assessing risks and determining the overall risk tolerance. This involves establishing the acceptable risk level, which is the amount of risk the organization is willing to accept without implementing additional controls.
Senior management conducts a balanced analysis of the probable cost of security measures (additional controls and safeguards) and their effectiveness against the potential detriment of a security event. An organization’s risk assessment should be reevaluated at least annually, with tolerance levels reassessed, as threats and vulnerabilities are constantly evolving.
Andrea Baum says
I agree that senior management plays a crucial role in balancing the cost of security measures with the potential impact of security incidents, ensuring the organization’s resources are used effectively. Additionally, I support the idea that regular risk assessments and adjusting risk tolerance are essential to address the constantly evolving nature of threats and vulnerabilities.