Part Two: Assessing Risk

This module of CISM Foundations covers risk appetite, risk tolerance, and risk capacity. We'll look at a range of vital risk management factors and how they affect businesses. We'll also cover the concept that assets, vulnerabilities, threats, and time form a four-dimensional space that we must apply to our risk management practices and security countermeasures. We round off the course by looking at the trade-off between the cost of risk mitigation and the value of the assets being protected, to help you calculate how much protection is financially viable for a given asset.

Learning Objectives

  • Understand how risk tolerance can vary from organization to organization
  • Learn about the CIA Triad
  • Learn about knowledge, awareness, urgency, and importance and how they impact risk management
  • Learn how the asset, vulnerability, threat, and time form a four-dimensional space that can be used to decide upon risk management practices and countermeasures
  • Understand how to weigh up the costs of managing risk vs the value of the asset being protected

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


In the previous slides we discussed how we go about deciding on the various factors that must be dealt with as vitally important aspects of risk management for our business. On this slide, we see that the asset, vulnerability, threat, and time form a four-dimensional space that we must apply to the risk management practices and countermeasures decided upon using the methods we've discussed.

So let's look closely at these four dimensions. Our first is the asset. Assets, of course, are the items of value, and in considering their importance we must include the tangible and intangible characteristics of each.

Our second is the threats and their potential impacts. To calculate these, we must include both the type of impact and the order of magnitude of that given impact.

Our third is vulnerabilities. These come in two types: weaknesses, and predisposing conditions. Predisposing conditions may in fact give rise to weaknesses or vulnerabilities, but may not be weaknesses or vulnerabilities in themselves.

Our final dimension is that of time. The effect of time is to change the value of an asset, change the seriousness of a threat, change the character of a vulnerability or weakness, or alter any other aspect of this formula. For example, time may cause a change in the importance of information, or it may cause depreciation in a given asset. Thus, the changes that time causes may require adjustments to our overall information security program.

Here you see a graphic of the Business Model for Information Security. The BMIS model uses systems thinking to clarify complex relationships within the enterprise in order to manage security more effectively. The elements and dynamic interconnections that form the basis of the model establish the boundaries of an information security program and model how the program functions and reacts to internal and external change. Thus, the BMIS provides the context for frameworks such as COBIT.

The system needs to be viewed holistically, that is, not merely as a sum of its parts but as a functioning, integrated whole, in order to be accurately understood in the proper context. This is the very essence of systems theory.

Systems theory is most accurately described as a complex network of events, relationships, reactions, consequences, technologies, processes, and people that interact in often unseen and sometimes unexpected ways. The success that the systems approach has achieved in other fields bodes well for the benefits it can bring to the field of security.

Using a systems approach to information security management will help information security managers address complex and dynamic environments, and will have a beneficial effect on collaboration within the enterprise, adaptation to operational change, navigation of strategic uncertainty, and tolerance of the impact of external factors.

Now let's examine the notion of risk. Looked at one way, risk represents the likelihood that something adverse is going to happen, such as a 75% chance that the building is going to catch fire, which we may regard as a very high risk, or a 10% chance of that same thing occurring, which we may regard as a very low risk. Thus, in one sense, we look at risk as a measurement of the probability or likelihood of a particular event or set of conditions occurring.

There are certain characteristics within this very simple formula that must be considered. We have the characteristic of risk appetite, which is the amount of risk a business is willing to incur. We have the characteristic of risk tolerance, which, though related to risk appetite, represents the amount of deviation from risk appetite that will be acceptable before it becomes unacceptable. So we calculate risk capacity to be equal to risk appetite plus risk tolerance, and the relationship that this produces.

Now, let's take a look at an example of how we would calculate the risk tolerance from risk appetite and risk capacity. Here, you have an example of a company that wishes to sell flamethrowers. Inherent in the desire to sell this product is the risk that, in using the product, the customers will themselves catch on fire.

In this particular example, it may be that the chief risk officer is attempting to calculate, in anticipation of lawsuits, how much insurance will be needed, or what amount of funds will be set aside to take care of the assumed 7% of customers who may suffer this. So in our calculation, we assume that the risk appetite is 5% and that the risk capacity is 7%. By taking the difference between the risk capacity and the risk appetite, we find that the risk tolerance is 2%.

Now, risk tolerance by itself doesn't really measure how much risk an organization can withstand. The formula produces the tolerable deviation from risk by dividing the difference between risk capacity and risk appetite (2%) by the risk appetite (5%). This calculation produces a figure of 40%. This number indicates the true risk tolerance.

Now, risk characteristics come in various forms. We have our total risk, of course, which means all the risks that exist in a particular context before any analysis or mitigation activity takes place. We have what is called acceptable risk, which represents the level of allowable exposure, loss or outage, defined by management, that the enterprise can absorb and continue operating without severe impairment.

Here, you have some examples as calculated by the single loss expectancy (SLE) and annualized loss expectancy (ALE) calculations. In order for the risk to be acceptable, of course, the SLE and the ALE must be at or below defined thresholds. The examples that you see represent management's decision about what constitutes a level of allowable exposure in each case.

It must be recognized that these thresholds are defined either by historical experience of the cause and effect of adverse events, or may be arbitrary, based on management's decision and discretion. What must be recognized in the setting of acceptable risk is that, whether based on history or on an arbitrary decision, it represents a valid setting of a threshold.

It must also be taken as given that acceptable risk includes the idea of achieving any compliance requirements related to risk. Alongside the acceptable risk and total risk thresholds is the term residual risk. Residual risk is the level of remaining exposure, loss or outage potential following all effective risk reduction and mitigation efforts.

Here, you see some examples of what would constitute residual risk, bearing in mind that in order to reach this particular level the enterprise has undergone a program of mitigation or some form of offsetting of risk.

In the examples given, you see that different approaches have been taken to reduce the risk to the level indicated: in one case, training; in another case, the addition of an uninterruptible power supply; in yet another case, a change to the disaster recovery plan; and in the final case, changing a process. And so you see that different kinds of approaches can be very effective in bringing the level of risk encountered at the beginning of a project down to an acceptable minimum.

It must be recognized, however, that residual risk does not go unaddressed simply because it is considered residual. Some additional action must take place to cope with it effectively. In most cases, this forms the basis for establishing continuous monitoring. And on this slide, you see a graphic showing the relationship between total risk, acceptable risk, and residual risk.

Now, the ideal relationship between these three levels of risk is shown here in the equation in the center of the slide. What this also shows is that acceptable risk and residual risk have a relationship where either they are equal, or residual risk is less than acceptable risk.

Establishing the relationship between acceptable and residual risk is important because the level at which acceptable risk is achieved may indicate the maximum level of expenditure to be made in risk reduction. To go beyond this point may mean that expenditures, and their corresponding reductions in risk, turn financially negative. That is to say, the relationship may become as follows.

For every dollar spent on reduction, less than a dollar is returned in actual reduction. In other terms, it means that we have passed the break-even point and are now moving into negative-returns territory. It is at this point, therefore, that further expenditure is not warranted, and it is where the decision to install continuous monitoring indeed needs to be considered.

In keeping with the concept of the previous slide, we must now begin an analysis of our cost trade-offs. These comparisons are between the Cost to Protect and the Cost of Loss or Compromise. This comparison serves as the basis for the Cost-Benefit Analysis of a given security control.

In this we must consider two critical points: operational effectiveness and cost effectiveness. As you have already seen, these factors are included in the economic value added by a control. As before, all values must reflect the lifecycle total cost of ownership for each asset and for each control under consideration.

The definition of Cost to Protect is equivalent to the cost of the candidate control to be implemented, as defined by its total cost of ownership. In similar fashion, the definition of Cost of Loss or Compromise is equivalent to the value of the asset at risk and its loss or compromise. The value of the asset as defined here includes only the first-order effects. This is because second- and third-order effects are too variable and would be dependent upon the given operational context of the actual calculation.
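As an added illustration (not part of the course materials), here is the risk arithmetic this module walks through in one runnable Python file: the flamethrower appetite/capacity/tolerance calculation, the SLE and ALE figures behind the acceptable-risk thresholds, the residual-versus-acceptable check, and the Cost to Protect versus Cost of Loss comparison with its break-even test. It assumes the standard textbook definitions SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence (the slides reference SLE and ALE but do not spell them out), and all asset values and control costs are constructed sample figures.

```python
# Added worked example of the module's risk calculations; not course code.
# SLE/ALE definitions below are the standard ones assumed by the lead-in.

def risk_tolerance(appetite: float, capacity: float) -> tuple[float, float]:
    """Return (absolute, relative) tolerance.
    absolute = capacity - appetite (the 2% in the flamethrower example);
    relative = absolute / appetite (the 40% the module calls true tolerance)."""
    if appetite <= 0 or capacity < appetite:
        raise ValueError("need 0 < appetite <= capacity")
    absolute = capacity - appetite
    return absolute, absolute / appetite


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: asset value times fraction lost per event."""
    return asset_value * exposure_factor


def ale(single_loss: float, annual_rate_of_occurrence: float) -> float:
    """Annualized loss expectancy: SLE times expected events per year."""
    return single_loss * annual_rate_of_occurrence


def residual_acceptable(residual_ale: float, acceptable_ale: float) -> bool:
    """The ideal relationship from the slide: residual risk <= acceptable risk."""
    return residual_ale <= acceptable_ale


def control_cost_benefit(ale_before: float, ale_after: float,
                         annual_cost_to_protect: float) -> dict:
    """Compare Cost to Protect (control TCO per year) with the drop in Cost of Loss.
    return_per_dollar < 1.0 is the past-break-even condition the module describes."""
    if annual_cost_to_protect <= 0:
        raise ValueError("cost to protect must be positive")
    reduction = ale_before - ale_after
    per_dollar = reduction / annual_cost_to_protect
    return {"reduction": reduction, "return_per_dollar": per_dollar,
            "worthwhile": per_dollar >= 1.0}


if __name__ == "__main__":
    print(risk_tolerance(0.05, 0.07))             # appetite 5%, capacity 7%
    loss = sle(200_000, 0.5)                       # constructed: $200k asset, 50% lost per event
    before, after = ale(loss, 0.2), ale(loss, 0.02)  # control cuts events from 1-in-5 to 1-in-50 years
    print(control_cost_benefit(before, after, 12_000))   # $12k/yr control: 1.5 returned per dollar
    print(control_cost_benefit(before, after, 24_000))   # $24k/yr control: 0.75, past break-even
```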

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (in a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.