Risk Tolerance vs Risk Threshold vs Risk Appetite

Risk tolerance vs risk threshold

There are a lot of terms in cybersecurity and three (3) of the top misused terms are:

  1. Risk Tolerance
  2. Risk Threshold
  3. Risk Appetite

Baselining Risk Management Terminology

Before diving into that discussion, it is important to baseline some underlying concepts that come into play when describing "What is meant by managing risk?" Risk management is the coordinated activities which optimize the management of potential opportunities and adverse effects. The alternative to risk management is crisis management. Risk management provides a way of realizing potential opportunities without exposing an organization to unnecessary peril.

What Is A Risk?

In the context of cybersecurity risk management practices, “risk” is defined as:

In the context of this definition of risk, it is important to define underlying components of this risk definition:

One important concept to understand is that risk is variable - it changes and is not static. The implication is that risk ratings are subject to change as the operating environment changes. 

What Is A Threat?

In the context of the cybersecurity risk management practices, “threat” is defined as:

Risk vs Threat

Risks and threats both tie into cybersecurity and data protection controls, but it is important to understand the differences:

If you want to learn for about threats vs vulnerabilities vs risks, we have a page that describes that in greater detail.

Visualizing Risk Tolerance vs Risk Threshold vs Risk Appetite

According to the Project Management Body of Knowledge (PMBOK)™ Guide:

Risk Appetite

Risk appetite is more of a management statement, where it is subjective in nature. Similar in concept to how a policy is a "high-level statement of management intent," an organization's stated risk appetite is a high-level statement of how all, or certain types of, risk are willing to be accepted. Risk appetites exist as a guiderail from an organization's executive leadership to inform personnel about what is and is not acceptable, in terms of risk management. Using a review of current risk status vs target risk appetites can be useful to see how well cybersecurity practices operate to clearly see what practice areas deviate from expectations.

Examples of an organization stating its risk appetite:

It is important to know that in many immature risk programs, risk appetite statements are divorced from reality. Executive leaders mean well when they put out risk appetite statements, but the Business As Usual (BAU) practices routinely violate the risk appetite. This is often due to numerous reasons:

In a mature risk program, the results of risk assessments are evaluated with the organization's risk appetite in mind. For example, if the organization has a "moderate risk appetite" and there are several findings in a risk assessment that are high risk, then action must be taken to reduce the risk, since it cannot be accepted. Accepting a high risk would violate the moderate risk appetite set by management. In reality, that leaves remediation, transfering or avoiding as the remaining three (3) options.

From the previous graphic, when you look at it from a risk appetite perspective, For an organization that wants to follow a "moderate risk appetite," that establishes constraints for allowable and prohibited activities, based on the potential harm to the organization:

risk threshold vs risk tolerance vs risk appetite

It is possible to identify a target risk appetite at a domain level, as well as an organizational level. This can be visualized with a spider / radar diagram, as shown below:

Cybersecurity risk appetite

Risk Tolerance

Unline risk appetite, risk tolerance is objective in nature. While risk appetite is conceptual, risk tolerance is based on objective criteria. Defining objective criteria is a necessary step to be able to categorize risk on a graduated scale. Establishing objective criteria to quantify the impact of a risk enables risk assessments to leverage that same criteria and assist decision-makers in their risk management decisions (e.g., accept, mitigate, transfer or avoid).

From a graduated scale perspective, it is possible to define "tolerable" risk criteria to create a few useful categories of risk:

cybersecurity risk assessment matrix

The objective criteria that goes into defining what constitutes a low, moderate, high, severe or extreme risk includes:

The six (6) categories of IE are:

  1. Insignificant;
  2. Minor;
  3. Moderate;
  4. Major;
  5. Critical; and
  6. Catastrophic.

The six (6) categories of OL are:

  1. Remote possibility;
  2. Highly unlikely;
  3. Unlikely;
  4. Possible
  5. Likely; and
  6. Almost certain.

There are three (3) general approaches are commonly employed to estimate OL:

  1. Relevant historical data;
  2. Probability forecasts; and
  3. Expert opinion.

Risk Threshold

Risk thresholds are directly tied to risk tolerance. As the graphic at the top of the page depicts, there is a threshold between the different levels of risk tolerance. By establishing thresholds, it brings the "graduated scale perspective" to life.

Practical Example

Let's take a look at a theoretical company, ACME, that is experimenting with Artificial Intelligence (AI) to strengthen its products and/or services, ACME's long-standing risk appetite is relatively conservative, where ACME draws a hard line that any risk over moderate is unacceptable. Additionally, ACME has no tolerance for any activities that could harm its customers. 

Given the changes necessary to ramp up both talent and technology to put the apporporate solutions in place to meet ACME's deadlines, there are gaps/deficiencies. When the risk management team assesses the associated risks, the results identify a range of risks from high to extreme. The reason for this is simply due to the higher occurence likelihood of emergent behaviors that potentially could harm individuals (e.g., catastrophic impact effect). The results were objective and tell a compelling story that there is a realistic chance of significant damage to ACME's reputation.

With those results, it is a management decision. What does ACME's CEO / Board of Directors (BoD) do?

If the CEO/BoD proceeds with accepting the risk, is it violating its fiduciary duties, since it is accepting risk it previously deemed unacceptable? Additionally, would ACME be considered negligent for accepting high, severe or extreme risk (e.g., would a rational individual under similar circumstances make the same decision?)?

These are all very real topics that need to be considered and how risk is managed has significant legal and financial implications.

Browse Our Products

  • Cybersecurity Risk Management Program. Use this to build your company's risk management program so that you can perform risk assessments in a professional manner. Microsoft Word document is fully editable for your needs.

    Risk Management Program (RMP)


    Cybersecurity Risk Management Program (RMP) The new version of the RMP for 2022 is aligned with the Secure Controls Framework (SCF) Risk Management Model (SP-RMM) that provides a very flexible approach to risk management. This ties in with the...

    Choose Options
  • Cybersecurity Risk Assessment Template. Use this template to perform risk assessments of your organization that covers natural, man-made and IT security risks. Microsoft Word and Excel documents are fully editable for your needs. NIST 800-171 risk assessment.

    Cybersecurity Risk Assessment (CRA) Template


    Cybersecurity Risk Assessment Template Need to perform an information security risk assessment? This is a pretty common requirement that can seem like an insurmountable obstacle, since most people are not trained on how to perform a risk assessment or...

    Choose Options

Find Out Exclusive Information On Cybersecurity