NISTIR 8286A Risk Management Guidance Part 1: Risk Appetite and Risk Tolerance

essidsolutions

Managing risk requires a clear understanding of how much risk management is willing to accept. That acceptance differs across systems and depends largely on the value of each system to business operations and on how much the compromise of a system would affect the company’s operations. Defining management’s risk appetite and tolerance for each system helps security teams focus their efforts efficiently. This is the first of three articles describing preparation for and execution of risk assessments, including tools for assessing and tracking risk.

Not all systems are of the same value to an organization. In addition, regulatory and other considerations affect the potential business damage from an attack or other business continuity events (BCEs). If security teams do not work with management to understand how data owners want a system protected, it becomes difficult for security analysts to allocate limited resources efficiently. Security teams may then base the frequency of risk assessments and the choice of safeguards on reasons unrelated to data owner needs.

The Appetite and Tolerance Definition Process

The National Institute of Standards and Technology (NIST) released guidance in November 2021 on managing risk appetite and tolerance in the enterprise. The guidance, NISTIR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, begins by integrating cyber security risk management (CSRM) efforts into enterprise risk management (ERM). This helps ensure that data owners are involved in risk management from the start, rather than only when they are presented with the results of a risk assessment.

Figure 1 shows that integrating CSRM into ERM is the first step in risk management. It allows established enterprise risk management TTP (tools, techniques, and procedures) to be applied to technology in the same way they are applied to other, non-IT risks. This provides a holistic approach to overall risk management and governance.

Figure 1: NISTIR 8286A Risk Appetite/Tolerance Process

Defining appetite and tolerance

The terms “risk appetite” and “risk tolerance” are often misunderstood. Because of these misunderstandings, security teams might ignore how the two concepts apply when recommending system safeguards. Instead, they approach risk management by focusing on simple low, medium, and high ratings. The problem with this is that management may view low, medium, and high differently depending on the systems involved.


NIST defines risk appetite as “…the acceptable level of variance in performance relative to the achievement of objectives.” In other words, management evaluates system risk by comparing it with a system’s value in achieving business objectives. Risk tolerance is directly related to risk appetite: it is the level of residual risk that is acceptable given the risk appetite. Risk tolerance is typically set at the program or component level, while risk appetite is set by C-level management.

Table 1 is an example of the relationships between these two concepts. Note how risk tolerance changes based on protected information and the balance between financial return and potential loss due to system or data compromise.

Table 1: Sample Appetite/Tolerance Pairs (from NIST)

As shown, risk appetite and the related tolerance are based on the type of data and systems involved. Rod Farrar describes a more specific way of doing this in his video What is your organization’s risk appetite.

Farrar starts by defining resource categories. Examples of categories include:

  • ePHI
  • Payment card information
  • General website information
  • Employee information
  • Intellectual property (broken down by value for each)
  • Email system

What is considered high risk for one category might only be a moderate risk for another category. These differences are based on the value of the assets, the overall adverse incident impact on the business, and the related financial return considering the residual risk.

For each category, the data owner must answer the following questions.

What level of residual risk am I willing to accept in the pursuit of my objectives?

  1. What are the critical success factors?
    1. What does success look like?
    2. What factors directly affect the success or failure of achieving success?
  2. What does a severe consequence look like based on the compromise of
    1. Confidentiality?
    2. Integrity?
    3. Availability?
  3. What does it almost certainly look like (the expected frequency of occurrence)?

Responses to these questions for each resource category determine the risk matrix used. Note that the question about severe consequences has three parts, one for each CIA element. Risk appetite can differ across the CIA elements based on regulations, business needs, customer perspective, and stakeholder expectations.


Use of risk matrices

One way to apply tolerance to risk management recommendations is to use risk matrices. Figure 2 shows a matrix commonly used in qualitative assessments. The green squares represent low risk, the yellow squares medium risk, and the red squares high risk. This matrix does not take into account risk tolerance differences across categories.

Figure 2: Common Risk Matrix

Figure 3 shows two matrices that reflect tolerance-based integrity risk for two different categories. Note that both differ significantly from the commonly used matrix in Figure 2. While matrices can visually portray tolerance, they cannot by themselves prioritize and manage risks to information resources across the enterprise. In Part 2 of this series, I explain how to use risk registers and related tools to prioritize and manage risk based on appetite and tolerance.

Note that each of the matrices in Figure 3 still uses a vertical likelihood axis and a horizontal impact axis. What changes is which level of impact is considered high or medium, based on the category’s risk tolerance.

Figure 3: Category Matrix Tolerance Differences
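The following is an added worked example, not code from the article or from NIST, showing how the same likelihood/impact grid produces different ratings once a per-category tolerance is applied. The five-level scales, the score thresholds, and the two category tolerances (a public website versus ePHI) are constructed assumptions for illustration only; a real data owner would set them from the answers to the questions above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative scales (constructed for this example; names and 1-5 weights are assumptions).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Tolerance:
    """Tolerance settings a data owner chooses for one resource category.

    medium_at / high_at: the likelihood x impact score at which a cell becomes
    at least medium / high. impact_floor: an impact level at or above which the
    cell is high no matter how unlikely the event is (6 means never triggered).
    """
    medium_at: int
    high_at: int
    impact_floor: int = 6


# The generic matrix of Figure 2: one set of thresholds for every category.
COMMON = Tolerance(medium_at=5, high_at=12)

# Category-specific tolerances (hypothetical values, not from NIST or the article).
# A low-value public website tolerates more residual risk; ePHI tolerates very little,
# and any "major" or worse impact is treated as high regardless of likelihood.
CATEGORY_TOLERANCE: Dict[str, Tolerance] = {
    "general website information": Tolerance(medium_at=8, high_at=16),
    "ePHI": Tolerance(medium_at=3, high_at=8, impact_floor=4),
}


def rate(likelihood: str, impact: str, tol: Tolerance) -> str:
    """Rate one likelihood/impact pair as low, medium or high under the given tolerance."""
    l, i = LIKELIHOOD[likelihood], IMPACT[impact]
    if i >= tol.impact_floor or l * i >= tol.high_at:
        return "high"
    if l * i >= tol.medium_at:
        return "medium"
    return "low"


def build_matrix(tol: Tolerance) -> Dict[Tuple[str, str], str]:
    """Full matrix: (likelihood, impact) -> rating, covering every cell."""
    return {(l, i): rate(l, i, tol) for l in LIKELIHOOD for i in IMPACT}


def differing_cells(a: Tolerance, b: Tolerance) -> List[Tuple[str, str, str, str]]:
    """Cells where two tolerances disagree: (likelihood, impact, rating_a, rating_b)."""
    ma, mb = build_matrix(a), build_matrix(b)
    return [(l, i, ma[(l, i)], mb[(l, i)]) for (l, i) in ma if ma[(l, i)] != mb[(l, i)]]


def render(tol: Tolerance) -> str:
    """Text rendering: likelihood down the vertical axis, impact across the top."""
    col = max(len(n) for n in IMPACT) + 1
    rowhdr = max(len(n) for n in LIKELIHOOD) + 1
    lines = [" " * rowhdr + "".join(n.ljust(col) for n in IMPACT)]
    # Highest likelihood at the top, as in a conventional matrix; L/M/H per cell.
    for l in sorted(LIKELIHOOD, key=LIKELIHOOD.get, reverse=True):
        cells = "".join(rate(l, i, tol)[0].upper().ljust(col) for i in IMPACT)
        lines.append(l.ljust(rowhdr) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    for name, tol in [("common", COMMON)] + list(CATEGORY_TOLERANCE.items()):
        print(f"--- {name} ---\n{render(tol)}\n")
    # Show exactly where the ePHI matrix departs from the generic one.
    for l, i, common_r, ephi_r in differing_cells(COMMON, CATEGORY_TOLERANCE["ePHI"]):
        print(f"{l}/{i}: common={common_r} ePHI={ephi_r}")
```

Running the script prints the three matrices and lists the cells where the ePHI tolerance disagrees with the generic matrix, for example an unlikely event with major impact rates medium on the common matrix but high for ePHI because of the impact floor. The point is that the grid and its axes never change; only the thresholds, which encode the data owner's tolerance, move the boundaries between low, medium and high.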

Final thoughts

The tools and procedures described in this article are not necessarily used after an assessment. Instead, they help senior management, data owners, and security teams step through identifying what might happen to systems and data in each resource category. Once this is done, teams can schedule the appropriate assessments at the frequency needed to meet data owner expectations for each relevant category. In addition, security teams will seek out and recommend safeguards appropriate to the tolerance for residual system risk.

How would you describe risk assessments at your organizational level? Comment below or let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you!