NISTIR 8286A Risk Management Guide Part 1: Risk Appetite and Risk Tolerance


Risk management requires a clear understanding of the level of risk that management is willing to accept. That level differs between systems and depends largely on the value of each system to business operations and on the impact a compromise of that system would have on those operations. Defining management’s risk appetite and tolerance for each system helps security teams focus their efforts effectively. This is the first of three articles describing the preparation and execution of risk assessments, including risk assessment and monitoring tools.

Not all systems have the same value to an organization. Additionally, regulatory and other considerations affect the potential business damage from an attack or other business continuity events (BCE). If security teams are not working with management to understand how data owners want a system protected, it becomes difficult for security analysts to allocate limited resources effectively, and the frequency of risk assessments and the choice of protective actions end up being driven by factors unrelated to data owner needs.

The Process of Defining Appetite and Tolerance

The National Institute of Standards and Technology (NIST) released guidance in November 2021 on managing risk appetite and tolerance in the enterprise. The guidance, NISTIR 8286A, Cybersecurity Risk Identification and Estimation for Enterprise Risk Management, begins by integrating cybersecurity risk management (CSRM) efforts into enterprise risk management (ERM). This helps ensure that data owners are involved in risk management from the outset, rather than only when the results of a risk assessment are presented to them.

Figure 1 shows that integrating CSRM into ERM is the first step in risk management. It allows established enterprise risk management TTPs (tools, techniques and procedures) to be applied to technology in the same way as they are applied to other non-IT risks. This provides a holistic approach to overall risk management and governance.

Figure 1: NISTIR 8286A Risk Appetite/Tolerance Process

Define appetite and tolerance

The terms “risk appetite” and “risk tolerance” are often misunderstood. Because of these misunderstandings, security teams may lack a clear basis for recommending system protections. Instead, they approach risk management by focusing on simple low, medium, and high ratings. The problem is that management may view low, medium, and high differently depending on the systems involved.

NIST defines risk appetite as “…the acceptable level of deviation of performance from the achievement of objectives”. In other words, management assesses system risk based on how it compares to a system’s value in achieving business goals. Risk tolerance is directly related to risk appetite. It is the acceptable level of residual risk according to the risk appetite. Risk tolerance is typically set at the program or component level, while risk appetite is set by C-level management.

Table 1 is an example of the relationship between these two concepts. Note how risk tolerance changes depending on the information protected and the balance between financial return and potential loss due to system or data compromise.

Table 1: Examples of appetite/tolerance pairs (from NIST)

As noted, the risk appetite and associated tolerance are based on the type of data and systems involved. Rod Farrar describes a more specific way to do this in his video What is your organization’s risk appetite.

Farrar begins by defining categories of resources. Examples of categories include:

  • ePHI
  • Payment card information
  • General website information
  • Employee information
  • Intellectual property (broken down by value for each item)
  • Messaging system

What is considered high risk for one category may be only moderate risk for another. These differences are based on the value of the assets, the overall negative impact of an incident on the business, and the related financial return, taking the residual risk into account.

For each category, the data owner must answer the following questions.

  1. What level of residual risk am I willing to accept in pursuit of my goals?
  2. What are the critical success factors?
    1. What does success look like?
    2. What factors directly determine success or failure?
  3. What does a serious consequence look like based on a compromise of
    1. Confidentiality?
    2. Integrity?
    3. Availability?
  4. What does likelihood look like (the predicted frequency of occurrence)?

The answers to these questions for each resource category affect the risk matrix used. Note that the answer to question 3 consists of three parts. Risk appetite may differ across the CIA elements based on regulations, business needs, customer perspective, and stakeholder expectations.

Use of risk matrices

One way to apply tolerance to risk management recommendations is to use risk matrices. Figure 2 shows a matrix commonly used in qualitative assessments. Green squares represent low risk, yellow medium risk and red high risk. This matrix does not take into account differences in risk tolerance between categories.

Figure 2: Common Risk Matrix

Figure 3 shows two matrices that reflect tolerance-based integrity risk in two different categories. Note that they both differ significantly from the commonly used matrix in Figure 2. Although matrices can visually represent tolerance, they cannot prioritize and manage risk to information assets in the enterprise. In Part 2 of this series, I explain how to use risk registers and related tools to prioritize and manage risk based on appetite and tolerance.

Note that each matrix in Figure 3 uses a vertical likelihood axis and a horizontal impact axis. What level of impact counts as high or medium changes depending on the category’s risk tolerance.

Figure 3: Category matrix tolerance differences
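As an added illustration of the point above, written for this page rather than taken from NIST or the article: the same likelihood/impact pair lands in a different cell once each category’s tolerance sets its own low/medium/high cut-offs. The score thresholds per category are constructed assumptions, not NIST values.

```python
# Added example for this article (not code from NIST or the author): a
# qualitative 5x5 risk matrix whose low/medium/high cut-offs depend on the
# category's risk tolerance. All threshold values are constructed assumptions.
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Tolerance:
    """Category tolerance as cut-offs on the likelihood x impact score:
    scores <= low_max rate 'low', scores >= high_min rate 'high', else 'medium'."""
    low_max: int
    high_min: int


# One-size-fits-all cut-offs, standing in for the common matrix of Figure 2.
COMMON = Tolerance(low_max=5, high_min=15)
# Category-specific cut-offs (assumed): tighter for ePHI, looser for public web content.
CATEGORY_TOLERANCE = {
    "ePHI": Tolerance(low_max=2, high_min=8),
    "general website information": Tolerance(low_max=8, high_min=20),
}


def rate(likelihood: str, impact: str, tol: Tolerance = COMMON) -> str:
    """Rate one likelihood/impact pair under the given tolerance."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score <= tol.low_max:
        return "low"
    if score >= tol.high_min:
        return "high"
    return "medium"


def rate_for_category(category: str, likelihood: str, impact: str) -> str:
    """Rate a pair using the category's tolerance; unknown categories use the common matrix."""
    return rate(likelihood, impact, CATEGORY_TOLERANCE.get(category, COMMON))


def matrix(tol: Tolerance) -> list[list[str]]:
    """Rows: likelihood from 'almost certain' down to 'rare'; columns: impact ascending."""
    rows = sorted(LIKELIHOOD, key=LIKELIHOOD.get, reverse=True)
    cols = sorted(IMPACT, key=IMPACT.get)
    return [[rate(lk, im, tol) for im in cols] for lk in rows]


if __name__ == "__main__":
    for name, tol in [("common", COMMON), *CATEGORY_TOLERANCE.items()]:
        print(name)
        for row in matrix(tol):
            print("  " + " ".join(f"{cell:6}" for cell in row))
```

Running it prints three matrices; an "unlikely" event with "major" impact rates medium on the common matrix, high for ePHI, and low for general website information.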

Final Thoughts

The tools and procedures described in this article are not necessarily used after an assessment. Instead, they help senior management, data owners, and security teams identify what could happen to systems and data across the various resource categories. Once this is done, teams can schedule reviews at the frequency needed to meet data owners’ expectations for each category. Additionally, security teams can research and recommend appropriate protections given the residual risk tolerance of the system.

How would you describe risk assessments at your organizational level? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!
