Cyber Risk Tolerance Explained

Tolerance helps organizations decide what level of cyber exposure they can live with.

What cyber risk tolerance means

Cyber risk tolerance is the level of exposure an organization is willing to accept in pursuit of its objectives. It is related to risk appetite, but usually more specific. In practice, tolerance helps management decide when a risk is acceptable, when mitigation is required, and when escalation is necessary.

Tolerance should be tied to consequence

Meaningful tolerance is usually linked to business outcomes such as downtime, data loss, regulatory breach, financial loss, or customer impact. Generic statements about being 'low risk' are often too vague to guide decisions.

Why tolerance matters for residual risk

No organization can remove all cyber risk. After controls are applied, some residual exposure remains. Tolerance helps determine whether that residual position is acceptable, temporarily tolerated, or outside management comfort.

Tolerances need review

Tolerance is not fixed forever. It can change when strategy changes, dependencies grow, regulation tightens, or incident experience reveals that previous assumptions were weak. Review is part of mature governance.

Related topic boundary: This site explains cyber exposure, governance, assessment, and reporting. Insurance coverage, liability, and claims belong on a separate insurance-focused publication.

Frequently asked questions

Is cyber risk tolerance the same as zero tolerance?

No. Zero tolerance is unrealistic for most cyber scenarios, because some residual exposure always remains after controls are applied.

Who sets cyber risk tolerance?

Senior leadership and governing bodies, with informed input from risk and technical teams.

Why do tolerance statements fail?

They fail when they are too generic to support actual decisions.