Log In
Request Demo Start 30-Day Trial
Back
Glossary Glossary

Risk Tolerance




Risk tolerance in cybersecurity refers to the cyber risk impact an organization can cope with. Organizations typically define their own tolerance level—aggressive for those with a considerable capacity, moderate for those with less, and conservative for those with little to no capacity to withstand the potential consequences of cyber risks.

Organizations can usually quantify their risk tolerance. For example, a software-as-a-service (SaaS) solution provider may determine that it can tolerate 1 to 3 hours of system downtime from a cyber incident. Beyond that, the company may end up losing more customers and revenue than it can handle. 

Table of Contents

Risk Tolerance in Cybersecurity: A Deep Dive

What Are the Levels of Risk Tolerance?

Risk tolerance levels differ from one organization to another, reflecting their unique business objectives and influencing their decision-making process when implementing cybersecurity measures.

We’ve already touched base with the three levels of risk tolerance above. In this section, we’ll dive a little deeper into each.

Aggressive 

Organizations with an aggressive tolerance can take on a considerable level of cyber risk impact in exchange for long-term, high-potential returns. They may prioritize innovation and rapid growth over strict security measures. While this approach can lead to substantial rewards, it also exposes the company to more vulnerabilities.

Moderate

Organizations at this level seek a balance between risk and reward. They typically set specific limits on the risks they can tolerate, reducing the potential for severe negative consequences. This level involves implementing reasonable security measures to protect critical assets while allowing for some level of risk.

Conservative

Organizations with conservative tolerance prioritize cyber risk minimization over maximizing returns. Their main goal is to protect their assets and avoid significant losses, even when it means avoiding risks at the expense of business growth. Companies at this level may implement rigorous security measures, such as strict security policies and frequent security audits.

What Factors Influence an Organization’s Risk Tolerance?

While organizations have different levels of risk tolerance in cybersecurity, the same factors usually affect these levels. Business goals are among the most influential factors.

For instance, organizations that want to grow fast may be more aggressive than those prioritizing stability. Because of innovation and digital adoption, they have a wider attack surface. As a result, they may be more exposed to threats, although they are able to accept some level of their impact as long as they achieve rapid business growth.

Another factor that affects risk tolerance in cybersecurity is the organization’s risk management capability. While all companies are prone to cyber risks, not all are properly prepared to address them. A strong risk management capability equips organizations with the tools and expertise they need to effectively mitigate risks, allowing them to tolerate more risks and maintain a reasonable level of confidence that they can effectively manage their impact.

The organization’s industry can also influence its tolerance level. Those handling much sensitive data typically have conservative risk tolerance levels due to potential legal repercussions and reputational damage. For example, healthcare and financial service providers commonly avoid taking unnecessary risks that could compromise the security of sensitive patient or customer data.

Why Is Defining Your Risk Tolerance Level Essential?

Cybersecurity is not hit or miss. Organizations must make security decisions based on measured assessments, which is why determining one’s risk tolerance level is necessary.

Your tolerance level sets the baseline for assessing and evaluating cyber risks, helping you establish clear boundaries for acceptable risk levels. Organizations with aggressive risk tolerance, for example, may only prioritize critical vulnerabilities found on the CISA KEV Catalog. On the other hand, conservative ones may choose to proactively address all vulnerabilities tagged as high and critical risks.

Risk tolerance also guides security resource allocation. Organizations with lower risk tolerance may allocate more resources to protect critical assets, while those with more aggressive tolerance may prioritize other business objectives.

Defining your risk tolerance lets you communicate your security priorities to stakeholders, including customers and partners. This transparency helps build trust, showing you are open about your security practices and limitations.

What Is Risk Appetite and How Does It Differ from Risk Tolerance?

Risk appetite and tolerance are often used interchangeably in cybersecurity because they are closely related. For example, an organization with a low-risk appetite is most likely to have a conservative risk tolerance level.

To put things in perspective, risk appetite is the willingness of an organization to take risks, while risk tolerance is its capacity to absorb the impact of each risk.

Risk appetite requires more high-level, strategic decisions and sets the tone for how organizations behave toward risks. Meanwhile, risk tolerance is more tactical in that it’s all about the organization’s capability to withstand the impact of risks. It serves as a limit to how much risk an organization can take.

Key Takeaways

  • Risk tolerance in cybersecurity refers to the amount of risk an organization can absorb.
  • Organizational goals, risk management capability, and the organization’s industry influence its level of risk tolerance.
  • Risk tolerance levels can be aggressive, moderate, or conservative.
  • Risk appetite is the organization’s willingness to take risks, while risk tolerance is its capacity to take those risks.

Ready to assess if your current cyber risk status aligns with your risk tolerance? Kickstart your 30-day trial now!