All the risk management measures an organization might take to address cybersecurity threats depend on one critical question: What is the organization’s risk tolerance?
Risk tolerance is a concept borrowed from investment strategy and is part of various risk assessment methodologies. Investors with high-risk tolerance are willing to endure volatility in the stock market and engage in risky investments; those with a low-risk tolerance are more cautious. Financial advisors make recommendations to their clients depending on each client’s tolerance of risk.
The same principles can be applied to cybersecurity risk management.
What Is Risk Tolerance?
A company’s risk appetite refers to the amount of risk to your data and infrastructure that the business is willing (and able) to sustain. Risk tolerance is the degree to which the company is ready to stray from those stated risk appetites to achieve other goals.
While risk appetite is a broad, strategic attitude that governs a company’s risk management activities, risk tolerance is a much more tactical notion that analyzes and compares the risk associated with a given undertaking against the organization’s risk appetite.
Some industries can accept a higher risk tolerance, which means their security will be more relaxed than those with lower risk tolerance. For example, risk tolerance levels will be lower if your company deals with sensitive data or is subject to strict compliance obligations, because the company can’t afford the risk of a compliance violation.
Risk Tolerance vs. Risk Capacity
Risk capacity is another term adopted from the investment world, but it is not the same as risk tolerance. Risk tolerance is the level of risk your company is willing to accept in pursuing specific goals. Risk capacity is the amount of risk you need to get to accomplish your long-term and short-term goals.
In the financial world, high-risk investment strategies can bring higher returns. In cybersecurity, that’s seldom the case. So finding the right balance between risk capacity and risk tolerance will help you meet your goals without subjecting your company to unnecessary threats.
Risk Tolerance Levels
Different types of risk tolerance help organizations determine suitable projects and procedures for their comfort level. We can divide risk tolerance into three categories: aggressive, moderate, and conservative.
Aggressive Risk Tolerance
The benefit of an aggressive (that is, higher) risk tolerance is that you can be more flexible with your cybersecurity measures. That doesn’t mean you can be complacent with your risk management strategy, but you have more discretion to prioritize areas where the most protection is needed. This can save you money in the long run since you’ll have more choice about where your funds are allocated.
Businesses that either don’t process or don’t store much customer data (for example, a janitorial service or a commercial construction firm) can have higher risk tolerance. Your risk tolerance can also be affected by your cloud storage, the number of endpoint devices in your network, and the current configuration of your security framework.
Moderate Risk Tolerance
A moderate risk tolerance means that your company may not be as open to taking risks, but will still evaluate the level of risk versus the benefits of certain actions, establishing mitigation measures to reduce the probability or impact of associated risks.
Conservative Risk Tolerance
Businesses with a conservative or low-risk tolerance must be more cautious with their approach to risk management. Reasons for a lower risk tolerance could be government contracts, access to sensitive information, or trading in data that makes you a particularly attractive target for cyber thieves. Examples include defense contractors, financial firms, hospitals, and higher education.
If your company determines that your risk tolerance is low, you will have no margin for error regarding cybersecurity.
Determining Your Risk Tolerance Level
When determining your organization’s risk profile, you should consider several questions.
What Are Your Goals?
What does your past performance look like, and what does your company hope to achieve in the future? Financial goals, growth objectives, and potential mergers or IPOs are all things to consider while deciding how much risk your company can take.
What Are Your Compliance Requirements?
Do your business dealings fall under the Payment Card Industry Data Security Standard (PCI DSS) or the General Data Protection Regulation (GDPR)? Are you subject to Health Insurance Portability and Accountability Act (HIPAA) or Federal Information Security Management Act (FISMA) laws? If your industry, location, or size dictates compliance with a particular security framework, then that framework must factor into your decision-making.
Who Needs to Participate in the Risk Tolerance Conversation?
Your company won’t be able to determine your risk tolerance accurately without input from departments at all levels. Different team members may have different comfort levels, and it’s essential to solicit information from all of them.
What Are Particular Risks Inherent to Your Industry?
Do you have a complete risk assessment for your industry, and an internal controls strategy to address them? For example, companies accessing or processing medical data are statistically more likely to experience attempted breaches; so they need stronger controls. In addition, your company’s public profile could make you vulnerable to ransomware attacks. Consider the unique ways your company may attract risk, or have compliance obligations to guard against those risks; and then plan accordingly.
Manage Risk With Reciprocity ZenRisk
Regardless of your risk tolerance level, your company needs a consistent strategy for managing risk. If you’re still using outdated tools to track your cybersecurity efforts, ZenRisk has the solutions you need.
ZenRisk is a unified, single-platform solution that allows you to maintain real-time monitoring of the threats that affect your company. By reducing manual effort and streamlining workflows, ZenRisk creates a clear picture of your company’s threat landscape and helps you assess, prevent, and control threats.
Schedule a demo today and see how ZenRisk can improve your company’s risk and compliance program.
