Security Exception vs. Risk Acceptance: What's the Difference?

Talking Risk Red Black Cartoon BubblesFAIR model creator Jack Jones recently answered a FAIR Institute member's question about terminology that's one of those easily confused yet critical distinctions in cyber risk management: What's the difference between a security exception (or policy exception) and risk acceptance? Jack's response follows: 

Here’s how I view/use those terms:

  • Security exception:  A condition that is not aligned with formal security expectations as defined by policy, standard, and/or procedure — e.g., a patch isn’t applied.
  • Risk acceptance:  A formal and documented decision by (hopefully) an appropriate stakeholder to not remediate a level of risk that exceeds an organization’s risk appetite/tolerance.

You would think that these two things always go hand-in-hand and very often they do, but not always.  

For example, a security exception is at its heart a question of compliance, which may or may not represent an excessive level of risk — e.g., that missing patch may not represent much risk, or the risk associated with applying the patch is greater than the risk associated with not applying it.  In other words a risk acceptance isn’t always necessary due to a security exception (at least if an organization is operating in a risk-based mode versus a compliance mode).

Similarly, you might have a situation that requires risk acceptance even though a security exception doesn’t exist.  For example, perhaps an organization’s security policy doesn’t prohibit the use of customer data in development and test environments, yet a risk analysis show that permitting large volumes of sensitive data in those environments represents a significant amount of risk. In this case, no security exception is required, but a risk acceptance may be.  In a case like this though, a prudent organization would probably alter its security policies based on this better understanding of the risk implications.

Jack explains another confusing pair of terms from cyber risk vocabulary: 'Risk Appetite' vs. 'Risk Tolerance'. What’s the Difference?  

FAIR analysts know how to use quantitative risk analysis to estimate the level of risk in a security exception or to help an organization set its risk acceptance. Some 4,000 FAIR analysts and risk managers and information security officers have joined the FAIR Institute. It's a growing movement that you should join now

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37