Risk Tolerance
Latest revision as of 11:54, 15 August 2022
Definitions
European Definitions
Other International Definitions
ITU-T
Risk tolerance means the degree of exposure to security risk acceptable to policy makers/business owners. [1]
National Definitions
Canada
The willingness of an organization to accept or reject a given level of residual risk. [2]
Note: Risk tolerance may differ across an organization, but must be clearly understood by those making risk-related decisions.
Kingdom of Saudi Arabia
Risk tolerance: The acceptable variation relative to performance to the achievement of objectives. [3]
Philippines
Risk Tolerance:
(a) The level of risk an entity is willing to assume in order to achieve a potential desired result;
(b) The defined impacts to an enterprise's information systems that an entity is willing to accept. [4]
United States
NIST
The level of risk an entity is willing to assume in order to achieve a potential desired result. [5]
US-CERT
Risk Tolerance: Thresholds that reflect the organization’s level of risk aversion by providing levels of acceptable risk in each operational risk category that the organization has established. [6]
Standard Definition
ISO Guide 73:2009(en)
Organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives [7]
Academic Definitions
Risk Tolerance refers to a person's capacity to accept a certain amount of risk. [8]
Note: the concept of risk tolerance is linked to the concept of Risk Perception.
Dictionary
Risicobereidheid (Dutch; usually rendered "risk appetite"): The amount and the kind of risk that an organisation is willing [to accept]. [9]
See also
- Risk
- Risk Transfer
- Risk Mitigation
- Risk Perception
- Risk Reduction
- Subjective Risk
Notes
References
1. ITU Study Group Q.22/1, Report on Best Practices for a National Approach to Cybersecurity: A Management Framework for Organizing National Cybersecurity Efforts, ITU-D Secretariat, Geneva (2008).
2. Public Safety Canada, All Hazards Risk Assessment Methodology Guidelines 2012-2013, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ll-hzrds-ssssmnt/index-en.aspx#annex_7
3. Saudi Arabian Monetary Authority, Cyber Security Framework, Version 1.0, May 2017, http://www.sama.gov.sa/en-US/Laws/BankingRules/SAMA%20Cyber%20Security%20Framework.pdf
4. DND (Philippines), Glossary of Cyber Security Terms (v.4), http://www.dnd.gov.ph/miss/PDF/downloadables/Cybersecurity%20Glossary%20(Edited).pdf
5. NIST, NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013, http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
6. US-CERT, Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide (2016), https://www.us-cert.gov/sites/default/files/c3vp/csc-crr-method-description-and-user-guide.pdf
7. ISO Guide 73:2009, Risk management -- Vocabulary, http://www.iso.org/iso/catalogue_detail?csnumber=44651
8. Campbell Institute (2014), Risk perception: Theories, strategies and next steps, http://www.nsc.org/CambpellInstituteandAwardDocuments/WP-Risk%20Preception.pdf
9. Cybersecurity Woordenboek 2021, https://www.cybersecurityalliantie.nl/ecp_images/2021/12/Cybersecurity-Woordenboek-2021_ZonderSpreads.pdf

Categories: Human Aspects | Risk