FAIR model creator Jack Jones recently answered a FAIR Institute member's question about terminology that's one of those easily confused yet critical distinctions in cyber risk management: What's the difference between a security exception (or policy exception) and risk acceptance? Jack's response follows:
Here’s how I view/use those terms:
- Security exception: A condition that is not aligned with formal security expectations as defined by policy, standard, and/or procedure — e.g., a patch isn’t applied.
- Risk acceptance: A formal and documented decision by (hopefully) an appropriate stakeholder to not remediate a level of risk that exceeds an organization’s risk appetite/tolerance.
You would think that these two things always go hand-in-hand and very often they do, but not always.
For example, a security exception is at its heart a question of compliance, which may or may not represent an excessive level of risk — e.g., that missing patch may not represent much risk, or the risk associated with applying the patch is greater than the risk associated with not applying it. In other words a risk acceptance isn’t always necessary due to a security exception (at least if an organization is operating in a risk-based mode versus a compliance mode).
Similarly, you might have a situation that requires risk acceptance even though a security exception doesn’t exist. For example, perhaps an organization’s security policy doesn’t prohibit the use of customer data in development and test environments, yet a risk analysis show that permitting large volumes of sensitive data in those environments represents a significant amount of risk. In this case, no security exception is required, but a risk acceptance may be. In a case like this though, a prudent organization would probably alter its security policies based on this better understanding of the risk implications.
FAIR analysts know how to use quantitative risk analysis to estimate the level of risk in a security exception or to help an organization set its risk acceptance. Some 4,000 FAIR analysts and risk managers and information security officers have joined the FAIR Institute. It's a growing movement that you should join now.
