FAIR model creator Jack Jones recently answered a FAIR Institute member's question about one of the easily confused yet critical distinctions in cyber risk management terminology: what is the difference between a security exception (or policy exception) and risk acceptance? Jack's response follows:
Here’s how I view/use those terms:
- Security exception: A condition that is not aligned with formal security expectations as defined by policy, standard, and/or procedure — e.g., a patch isn’t applied.
- Risk acceptance: A formal and documented decision by (hopefully) an appropriate stakeholder to not remediate a level of risk that exceeds an organization’s risk appetite/tolerance.
You would think that these two things always go hand-in-hand and very often they do, but not always.
For example, a security exception is at its heart a question of compliance, which may or may not represent an excessive level of risk — e.g., that missing patch may not represent much risk, or the risk associated with applying the patch is greater than the risk associated with not applying it. In other words, a risk acceptance isn’t always necessary due to a security exception (at least if an organization is operating in a risk-based mode versus a compliance mode).
Similarly, you might have a situation that requires risk acceptance even though a security exception doesn’t exist. For example, perhaps an organization’s security policy doesn’t prohibit the use of customer data in development and test environments, yet a risk analysis shows that permitting large volumes of sensitive data in those environments represents a significant amount of risk. In this case, no security exception is required, but a risk acceptance may be. In a case like this, though, a prudent organization would probably alter its security policies based on this better understanding of the risk implications.
Jack also explains another confusing pair of terms from the cyber risk vocabulary in 'Risk Appetite' vs. 'Risk Tolerance': What’s the Difference?
FAIR analysts know how to use quantitative risk analysis to estimate the level of risk represented by a security exception, or to help an organization decide whether a risk acceptance is warranted. Some 4,000 FAIR analysts, risk managers, and information security officers have joined the FAIR Institute. It's a growing movement that you should join now.