To understand risk acceptance in information security, it's important to recognize that people are often not very accurate at evaluating risk. So it is not surprising that, when faced with the question "What is risk acceptance in cyber security?", security teams too often focus on the biggest potential risk and underestimate the impact of human behavior and the way users approach their everyday tasks.
Security professionals accept their systems will be targeted by common cyber risks—malware, data leakage, phishing attacks, credential theft and stuffing, zero-day exploits, and social engineering maneuvers. Ransomware especially weighs heavily on the minds of security teams everywhere as attacks on critical infrastructure and the supply chain continue.
Each of these cyber risks has a different level of acceptance. While no one wants to accept the risk of a ransomware attack, most security and IT decision-makers acknowledge the difficulty of completely preventing data leakage or phishing emails. The task is to build a security system that offers the proper level of tolerance for each of these different risks.