
Risk Language

Risk tolerance can be defined at the enterprise level, but OMB offers a bit of discretion to an organization, stating that risk tolerance is “generally established at the program, objective, or component level,” which can include the organization levels depicted in Figure 1. Risk tolerance is always interpreted and applied by the receiving custodians of the risk management discipline (e.g., cybersecurity, legal, privacy) and is usually interpreted at the organizational or system level [4]. For example, a statement of risk appetite might be: “Email service shall be available during the large majority of a 24-hour period.” An associated risk tolerance statement for this defined appetite is narrower, stating: “Email services shall not be interrupted more than five minutes during core hours.”

The COSO ERM Framework further describes these terms and differentiates between actual residual risk and target (desired) risk [8]:

● “Inherent risk is the risk to an entity in the absence of any direct or focused actions by management to alter its severity.”
● “Target residual risk is the amount of risk that an entity prefers to assume in the pursuit of its strategy and business objectives, knowing that management will implement, or has implemented, direct or focused actions to alter the severity of the risk.”
● “Actual residual risk is the risk remaining after management has taken action to alter its severity. Actual residual risk should be equal to or less than the target residual risk.”

Table 3: Response Types for Negative Cybersecurity Risks

Type: Description

Accept: Accept cybersecurity risk within risk tolerance levels. No additional risk response action is needed except for monitoring.

Transfer: For cybersecurity risks that fall outside of tolerance levels, reduce them to an acceptable level by sharing a portion of the consequences with another party (e.g., cybersecurity insurance). While some of the financial consequences may be transferrable, there are often consequences that cannot be transferred, like loss of customer trust.

Mitigate: Apply actions (e.g., security controls discussed in Section 3.5.1) that reduce the threats, vulnerabilities, and impacts of a given risk to an acceptable level. Responses could include those that help prevent a loss (i.e., reducing the probability of occurrence or the likelihood that a threat event materializes or succeeds) or that help limit such a loss by decreasing the amount of damage and liability.

Avoid: Apply responses to ensure that the risk does not occur. Avoiding a risk may be the best option if there is not a cost-effective method for reducing the cybersecurity risk to an acceptable level. The cost of the lost opportunity associated with such a decision should be considered as well.
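The appetite and tolerance statements above only become useful once someone measures the service against them and picks a row of Table 3. The following Python script is an added example (not part of the original document or of any NIST or COSO publication) that does exactly that for the email example: it reads constructed outage records, measures the availability the appetite statement talks about, measures the core-hours interruption the tolerance statement limits, and reports whether the risk can simply be accepted and monitored or whether a Mitigate, Transfer, or Avoid decision is required. The core-hours window of 09:00 to 17:00, the record format, and the service name are assumptions, since the text defines none of them.

```python
"""Measure an email service against a risk appetite and a risk tolerance statement.

Added example: the outage records below are constructed, and the core-hours
window (09:00-17:00) is an assumption; the source text does not define it.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Tolerance statement from the text: no more than five minutes of interruption
# during core hours. The window itself is assumed.
CORE_START = time(9, 0)
CORE_END = time(17, 0)
TOLERANCE = timedelta(minutes=5)

# Constructed outage records: "<start ISO-8601> <end ISO-8601> <service>".
SAMPLE_LOG = """\
# start end service (constructed sample data)
2024-03-04T08:50:00 2024-03-04T09:03:00 smtp-relay
2024-03-04T12:00:00 2024-03-04T12:01:00 smtp-relay
2024-03-04T20:00:00 2024-03-04T23:00:00 smtp-relay
2024-03-05T18:00:00 2024-03-06T09:10:00 smtp-relay
"""


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    service: str


def parse_outages(text: str) -> list[Outage]:
    """Parse the constructed record format, skipping blank and comment lines."""
    outages = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, service = line.split()
        outages.append(Outage(datetime.fromisoformat(start), datetime.fromisoformat(end), service))
    return outages


def _overlap(outage: Outage, window_start: datetime, window_end: datetime) -> timedelta:
    """Length of the part of an outage that falls inside [window_start, window_end)."""
    start = max(outage.start, window_start)
    end = min(outage.end, window_end)
    return end - start if end > start else timedelta()


def core_hours_interruption(outage: Outage) -> timedelta:
    """Portion of one outage inside core hours, handling outages that span days
    or that begin or end outside the window."""
    total = timedelta()
    day = outage.start.date()
    while day <= outage.end.date():
        total += _overlap(outage, datetime.combine(day, CORE_START), datetime.combine(day, CORE_END))
        day += timedelta(days=1)
    return total


def interrupted_core_minutes(outages: list[Outage]) -> float:
    """Total core-hours interruption across all records, in minutes."""
    total = sum((core_hours_interruption(o) for o in outages), timedelta())
    return total.total_seconds() / 60


def daily_availability(outages: list[Outage], day: date) -> float:
    """Fraction of a 24-hour day the service was up: the appetite statement's measure."""
    day_start = datetime.combine(day, time.min)
    day_end = day_start + timedelta(days=1)
    downtime = sum((_overlap(o, day_start, day_end) for o in outages), timedelta())
    return 1.0 - downtime / timedelta(days=1)


def evaluate_tolerance(outages: list[Outage], tolerance: timedelta = TOLERANCE) -> tuple[bool, float, str]:
    """Compare measured core-hours interruption with the tolerance and map the
    result onto Table 3: within tolerance means Accept and keep monitoring;
    outside tolerance means a Mitigate, Transfer, or Avoid decision is needed."""
    minutes = interrupted_core_minutes(outages)
    within = timedelta(minutes=minutes) <= tolerance
    if within:
        response = "Accept: within tolerance, monitoring only"
    else:
        response = "Outside tolerance: choose Mitigate, Transfer, or Avoid (Table 3)"
    return within, minutes, response


if __name__ == "__main__":
    records = parse_outages(SAMPLE_LOG)
    print(f"availability on 2024-03-04: {daily_availability(records, date(2024, 3, 4)):.4f}")
    within, minutes, response = evaluate_tolerance(records)
    print(f"core-hours interruption: {minutes:.1f} min -> {response}")
```

The two measures deliberately disagree on the sample data: availability on 2024-03-04 is about 86.5 %, which may or may not satisfy the loosely worded appetite, while the core-hours interruption (3 + 1 + 0 + 10 minutes) is unambiguously outside the five-minute tolerance, which is why the narrower statement is the one a custodian can actually act on.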

3.5.1 Applying Security Controls to Reduce Risk Exposure

In general, people, processes, and technology combine to provide risk management controls that can be applied to achieve an acceptable level of risk. Examples of controls include:

● Preventative: Reduce or eliminate specific instances of a vulnerability
● Deterrent: Reduce the likelihood of a threat event by dissuading a threat actor
● Detective: Provide warning of a successful or attempted threat event
● Corrective: Reduce exposure by offsetting the impact of consequences after a risk event
● Compensating: Apply one or more controls to adjust for a weakness in another control

Types of Risk

Operational Risk

Regulatory Risk

Reputational Risk

References