CISM Foundations: Module 2
Part One: Risk Appetite, Risk Tolerance, and Capacity

This module of CISM Foundations covers risk appetite, risk tolerance, and capacity. We'll look at a range of vital risk management factors and how they affect businesses. We'll also cover the concept that assets, vulnerabilities, threats, and time form a four-dimensional space that we must apply to our risk management practices and security countermeasures. We round off the course by looking at the trade-off between the cost of risk mitigation and the value of the assets being protected, to help you calculate how much protection is financially viable for a given asset.

If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Understand how risk tolerance can vary from organization to organization
  • Learn about the CIA Triad
  • Learn about knowledge, awareness, urgency, and importance and how they impact risk management
  • Learn how assets, vulnerabilities, threats, and time form a four-dimensional space that can be used to decide upon risk management practices and countermeasures
  • Understand how to weigh up the costs of managing risk vs the value of the asset being protected

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but it is not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.


We continue now with our next module, Section Four, in which we're going to discover and discuss risk appetite, risk tolerance, and capacity. In every enterprise, security is a need, as is managing the systems and, of course, achieving the organization's business objectives. This means that security, while a necessity, must be relevant and appropriate to the given context.

In this graphic, we see an environmental risk-control continuum. Along this continuum are varying degrees and blends of risk tolerance, risk acceptance, and risk avoidance. Every organization sits somewhere on it, and its position is shaped by various causes, such as culture, history, industry, regulatory environment, and other elements.

Starting at the left-hand side, we find ourselves in the red. This symbolizes an organization that is comfortable with a greater extent of risk in its environment than other organizations in the same industry might be. Moving to the far right, we find ourselves in the green. At this end of the spectrum, we find organizations that are quite risk averse, seeking to eliminate or reduce risk as much as they reasonably can.

At the left-hand end, the program focus is reactive rather than proactive, which is to say that an organization in this part of the spectrum is more comfortable with risk and relies more heavily on reaction than on prevention.

At the opposite end of the spectrum, the program focuses on proactive rather than reactive elements, which means it tries as best it can to keep risks from arising through controls, rather than relying heavily on reaction or response.

Now, we know that risk tolerances will vary from entity to entity. In the end, however, each entity must accomplish its business mission, and part of that mission will be to include security and privacy to the degree that the organization and its relevant regulatory environment require. The challenge, then, is to achieve a balance between accomplishing the mission and ensuring that the requirements for security are also met.

Here we have the graphical representation of the well-known confidentiality, integrity, and availability triad, the CIA Triad. This triad identifies and characterizes the three primary qualities of any information asset or system, in terms of the value and meaning they have for a particular operation and the characteristics that must be most carefully protected. Each of these characteristics is a property of the data or of the system that holds it, and each is critical for every business when it comes to managing its operations as well as its compliance posture.

Confidentiality is the prevention of unauthorized disclosure, to any unauthorized party, of information that is either regulated or deemed sensitive for some other reason, as might be the case with trade secrets.

Integrity is the prevention of any unauthorized activity, or authorized but contaminating activity, that modifies information or some aspect of a system in a way that renders the information, or the system it runs on, untrustworthy.

Availability is the characteristic we protect because it represents the need for access to the information, achieved through the prevention of disruption or loss of service by any means.

It is important to bear in mind that this graphic does not put these characteristics in any specific order. Every business employs the triad in one form or another, and the order in which it ranks the three qualities for a given asset indicates the priority of each quality to that business.

Furthermore, a business will expend whatever resources are necessary on a given characteristic to protect it from whichever of the three kinds of disruption threatens it, in proportion to that characteristic's priority to that particular business. Thus CIA for one business could be AIC, and for another business IAC, reflecting the order of priorities for that particular business type.

It is a common misconception that the protective program an organization runs has to divide its program resources so as to achieve the CIA qualities in accordance with requirements. Approaching the problem in this fashion gives the impression that the resources must be divided from an initial 100% into equal portions, one for each of the three characteristics, in the hope of attaining the levels required.

The fact is, each entity must achieve a level of each of these three characteristics in accordance with its true operational needs and its compliance posture, to whatever level is appropriate for each one, rather than seeking to expend 100% divided equally across the three.

It is well understood that each organization will have different requirements, different needs, and different budgets for achieving these objectives. What is common, however, is that each organization has a finite amount of resource to achieve its objectives overall, as well as a finite amount of resource to achieve the requirements of each of these three areas. And so each organization must seek a balance between operational success and the risk management requirements.

To begin with the process of analyzing the requirements, the operational needs, and how to achieve the balance, we must first determine what we know and what we don't know. Here you see a graphic describing knowledge and awareness.

The difference between knowledge and awareness is that knowledge is what we know, and awareness is knowing that we know it. As odd as that may sound, it means that we have a conscious awareness of the knowledge we possess, which gives us the ability to act upon it and realize a benefit from it.

So first we must determine what we know and what we don't know. First, we have the known knowns: things that we know and are aware that we know. Second, we have the known unknowns. These we call assumptions, which are conjectures or ideas that we hold about particular situations or things. Third, we have the unknown knowns. These represent elements of knowledge that exist but have not been captured or consciously recognized, and that need to be captured. And last we have the unknown unknowns. Put another way, as the common phrase has it, "We don't know what we don't know."

As you see on this slide, there are actions we must take with each of these elements. Known knowns are to be actualized. Known unknowns, our assumptions, are to be validated. Unknown knowns are to be captured so that they can become actualized. And unknown unknowns are to be discovered, for purposes of potential actualization or removal.

Following knowledge and awareness comes urgency and importance. As with knowledge and awareness, these form a two-by-two grid: an item may be urgent or not, and important or not. When it comes to actions, some things may be urgent and some may be important, but these two characteristics do not always coincide.

So let's take a look at the relationship of urgency and importance. First, we have urgent and important. Together, these two characteristics define a set of conditions that are important and must be dealt with promptly or even immediately. Second, we have things that are urgent but, upon examination, are found to be unimportant, that is to say, not critical. This category represents potential time-wasters. Third, we have non-urgent and important. This category represents items that are important in a strategic sense but are not urgent at the present moment. And last we have the non-urgent and unimportant.

To our business, these items may also seem to be time-wasters. They may, however, represent relaxed periods which have their own importance, just not to the business itself. In the end, across these four categories we need to perform some triage: determine what is truly important and deal with it appropriately, schedule the important but non-urgent work, delegate what can be delegated, and dispose of things that are truly time-wasters.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his standards as a professional educator, and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. Leo is an ISC2 Certified Instructor.