Difference between revisions of "Risk Tolerance"

From CIPedia
(United States)
Line 16: Line 16:
 
=====[[NIST]]=====
 
=====[[NIST]]=====
 
{{definition|The level of [[risk]] an entity is willing to assume in order to achieve a potential desired result. <ref name="NISTIR7298"> [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013]</ref>}}<br />
 
{{definition|The level of [[risk]] an entity is willing to assume in order to achieve a potential desired result. <ref name="NISTIR7298"> [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013]</ref>}}<br />
 +
=====[[US-CERT]]=====
 +
{{definition|Risk Tolerance: Thresholds that reflect the organization’s level of risk aversion by providing levels of acceptable risk in each operational risk category that the organization has established. <ref name="USCERT">[https://www.us-cert.gov/sites/default/files/c3vp/csc-crr-method-description-and-user-guide.pdf Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide (2016)]</ref>}}<br />
  
 
===Standard Definition===
 
===Standard Definition===
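Review bot: the added US-CERT entry (`{{definition|Risk Tolerance: Thresholds that reflect …}}`) repeats the page title inside the template body, which the NIST entry directly above it does not; unless "Risk Tolerance:" is being quoted verbatim from the CRR guide, drop that leading label so the two United States definitions read consistently. The new `<ref name="USCERT">` and trailing `<br />` follow the existing pattern of the NIST line and need no change.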

Revision as of 08:58, 13 September 2017

Definitions

European Definitions

Other International Definitions

ITU-T

Risk tolerance means the degree of exposure to security risk acceptable to policy makers/business owners. [1]

National Definitions

Canada

The willingness of an organization to accept or reject a given level of residual risk. [2]

Note: Risk tolerance may differ across an organization, but must be clearly understood by those making risk-related decisions.

Philippines

Risk Tolerance:
(a) The level of risk an entity is willing to assume in order to achieve a potential desired result;
(b) The defined impacts to an enterprise’s information systems that an entity is willing to accept. [3]


United States

NIST
The level of risk an entity is willing to assume in order to achieve a potential desired result. [4]

US-CERT
Risk Tolerance: Thresholds that reflect the organization’s level of risk aversion by providing levels of acceptable risk in each operational risk category that the organization has established. [5]

Standard Definition

ISO Guide 73:2009(en)

Organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. [6]

Academic Definitions

Risk Tolerance refers to a person’s capacity to accept a certain amount of risk. [7]

Note: the concept of risk tolerance is linked to the concept of Risk Perception.

See also

Notes