Contact Us

Risk acceptance
policy: What is
risk acceptance
in cyber security?

Author: Sue Poremba

Everything in life has some level of risk attached to it, but for the most part, we evaluate the risk, accept it, and move on. If we never did anything unless it was totally risk-free, we would never get out of bed.

Risk acceptance in information security isn't much different. Security professionals recognize there will always be threats against network infrastructure and to sensitive data. Knowing what those risks are allows them to build their security system to make more accurate decisions in a manner that matches their tolerance for certain risks.

What is risk acceptance in cyber security?

To understand risk acceptance in information security, it's important to understand that people are often not very accurate in evaluating risk. So, it is not surprising that when faced with the question, "What is risk acceptance in cyber security?," security teams too often focus on the biggest potential risk and underestimate the impact of human behavior and the way they approach their everyday tasks.

Security professionals accept their systems will be targeted by common cyber risks—malware, data leakage, phishing attacks, credential theft and stuffing, zero-day exploits, and social engineering maneuvers. Ransomware especially weighs heavily on the minds of security teams everywhere as attacks on critical infrastructure and the supply chain continue.

Each of these cyber risks has a different level of acceptance. While no one wants to accept the risk of a ransomware attack, most security and IT decision-makers acknowledge the difficulties of total protection for data leakage or preventing phishing emails. The task is to build a security system that offers the proper level of tolerance for different risks.

Risk acceptance as a cyber security strategy

So, what is risk acceptance in cyber security? To answer the question and build a strategy to address it, you have to start with human behavior. People aren't the best arbitrators of risk, and they tend to create more threats than they prevent. Humans are often the weakest link in any security strategy, and the more employees know about the scope of risk—how their actions impact a company's security posture—the better you can build security awareness and design a strategy that takes into consideration what they know.

Once you understand what is risk acceptance in cyber security, the next step is to understand what your cyber security strategy is protecting. That requires a full asset evaluation and valuation. Not all assets are created equal and will need different risk assessments and acceptance. Determining an asset's value goes beyond simply what the asset is. It also includes areas such as financial impact if the asset is compromised or stolen and the disruption to organizational reputation and business operations.

Once you know what must be protected from risk, it is time to identify where the threats and vulnerabilities are. Recognizing the threat level or weaknesses in the system across the organization in correlation to valuable assets allows the security team to develop a security strategy to address the most common cyber risks, as well as their attack vectors and targets. This is done with a risk profile that offers a threat assessment for each asset and decides what should be considered high profile with high risk protection or low profile where some risk acceptance can be monitored with little to no consequence.

Risk assessment policy: Risk acceptance in information security

A risk acceptance policy should not be implemented at the expense of current cyber security policies or investments, but rather, risk management and risk acceptance in information security should be integrated into the current system. Most of your security investments may already have some level of risk acceptance policy to keep up with business production. Zero trust is a popular cyber defense mechanism that allows for no risk acceptance; this mechanism should be in place primarily to protect high-value assets.

Regular security awareness training that emphasizes your risk acceptance policy and how to assess risk will reinforce human behaviors and educate an otherwise weak security link on how to determine security priorities. No single department or person should be responsible for determining risk acceptance protocols; there should be stakeholders in each department throughout the organization that determines asset value and risk priorities.

Determining a risk acceptance policy—one that defines what is risk acceptance in cyber security, what an acceptable level of risk acceptance is, and how it impacts the organization's entire cyber security posture—will be unique to each company. This is a good time to discard the historical approach to addressing risk and develop a strategy that assigns each asset its unique risk acceptance level. No company can afford a data breach or a ransomware attack, but some areas are more important to protect than others. A risk acceptance policy gives you the platform to focus your limited security resources in the right areas.

Learn more about how Verizon solutions can support risk management and acceptance.