In a previous post I briefly mentioned risk tolerance. This is the amount of risk an entity is willing to accept, or the exposure to something harmful it will tolerate, before implementing mitigating controls or otherwise addressing the danger. Risk tolerance looks very different for large organizations, small businesses, and individuals. A large hospital, for example, may choose a low risk tolerance toward the exposure of Private Health Information (PHI) because of the sensitivity of that data, the reputational damage to the organization if it were exposed, and the heavy (and expensive) regulatory requirements and fines that can be imposed by the government and other governing bodies. On the other hand, a small business with two employees that has minimal exposure to the Internet, keeps all of its data redundantly backed up in cloud storage, and processes its payments through a third party may have a higher risk tolerance and place less focus on securing the business. The hospital in this scenario carries all of the risk directly, to its organization and its reputation, while the small business transfers that risk to third parties and has processes in place to limit the impact should it be attacked and compromised.
I was talking to my niece the other day about password managers (yes, I am now old enough to have a niece with whom I can talk about password managers) and this topic came up. I talked her through how to use a password manager (KeePass, 1Password, LastPass, etc.), how simple it is, and how much it has improved my life. It seems complicated when you first hear about it, and people are shocked when I say “I don’t know any of my passwords…” BUT in this case the “learning curve” of spending an hour or so researching and learning a password manager, moving your existing passwords into the application, and shredding your sticky-notes is well worth the effort in the end.
For my niece, her risk tolerance is high right now because her online accounts consist of a few social media accounts, GrubHub, university logins, and so on. But as she gets older and is forced to “Create an Account” for every single website she visits, her risk tolerance should become lower as her online footprint grows and she opens a credit card, applies for a mortgage, enters payment information for car insurance, and more.
Risk tolerance looks different for everyone. As with vulnerability management, it is not a one-size-fits-all approach. Context means everything, as do the individual’s or organization’s budget, technical knowledge, and online footprint. For my niece, and for you since you are reading this, I would say it is 2023 and it is time for a password manager. Tolerating sticky-notes and reusing the same password on every website is a thing of the past. There is a separate post on how much I love password reuse; seriously, it is my favorite.