Calculating Cyber Risk Appetite

Zach Dressander
May 28, 2024

As you evaluate and consider methods to improve your business’s or your clients’ security posture, it’s important to first understand risk appetite. Risk appetite measures how much risk your business can stomach before the potential outcomes of said risks outweigh the cost savings of leaving them unaddressed.

To help you determine risk appetite, we’ve created a calculator you can use to see where you stand and what you need to do to protect yourself.

Calculating Risk Appetite

1. Define Risk Categories

First, you need to understand what exactly is at risk. Identify and list the key risk categories relevant to your business. These can include common drivers like:

  • Operations
  • Finances
  • Strategies
  • Compliance
  • Business reputation

You will also need to list any others specific to the business based on industry, customer base, future goals, and more.

2. Assess Risk Impact

Next, define how any interruptions to your categories will affect your business and its ability to operate. Assign a rating, 1-5, to represent the potential impact of each risk category, with 1 being minimal, and 5 being critical.

3. Assess Risk Likelihood

With impact established, now it’s time to estimate how often each risk category may be affected. Using a similar scale to before, assign a rating, 1-5, to represent the likelihood that a risk category will be interrupted, with 1 being rare and 5 being frequent.

4. Calculate Risk Score

These two scores together make up your organization’s overall risk score. You find it by multiplying the impact score by the likelihood score for each risk category. (Risk score = Impact x Likelihood)

5. Define Baseline Risk Appetite Levels

The next step is to determine risk appetite levels for each risk score range. Building on the 5-point scales from the previous steps, your levels will range from 1 to a maximum of 25. This step will largely depend on your business objectives, industry regulations, stakeholder expectations, and the severity of specific risk categories. For example, you might assign:

  • A low-risk appetite of 1-10 for no-tolerance, critical categories
  • A medium-risk appetite of 11-18 for standard categories
  • A high-risk appetite of 19-25 for low-severity categories

Again, this is largely dependent on your specific business, so feel free to tailor the ranges based on your understanding of the business at large.

6. Determine Total Risk Score Level

Sum up the risk scores from step 4 across all risk categories to obtain your organization’s total risk score. This represents the overall potential risk you face, including both severity and frequency.

7. Interpret Overall Risk Appetite

Compare the total risk score level against the defined risk appetite levels in step 5 to determine the business's overall risk appetite.

If your risk score level outweighs your baseline risk appetite, you have a low risk appetite and should consider investing in improving your approach to security starting with PPT (people, processes, and technology).

If the opposite is the case, with your appetite outweighing your risk score, you have a high risk appetite and can continue operating as you are, or even seek out ways to streamline. It must be noted, however, that just because your organization feels it can take on more risk, it is not safe from cyberattacks.

8. Review and Adjust

Now that you have established your scores and compared them to the baseline, you have determined your risk appetite. The job is not done, however. As your business evolves and changes, so will your risk categories and tolerance. Adjust the risk appetite levels and scoring criteria to reflect your business as it changes, as you may find yourself less tolerant of risk as you mature the business and its security posture.

Risk Category | Impact | Likelihood | Risk Score (I x L) | Baseline Risk Appetite
--------------|--------|------------|--------------------|-----------------------
              |        |            |                    |
Total         |        |            |                    |
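The eight steps above, worked through in code. This is an added example, not the post’s calculator or Todyl’s own code; the category ratings and per-category baseline appetite values are constructed sample inputs, and treating the “Baseline Risk Appetite” column as a per-category threshold (summed for the total comparison in step 7) is an assumption about how the table is meant to be read.

```python
from dataclasses import dataclass

@dataclass
class Category:
    name: str
    impact: int      # step 2 rating, 1 (minimal) to 5 (critical)
    likelihood: int  # step 3 rating, 1 (rare) to 5 (frequent)
    baseline: int    # step 5 baseline risk appetite for this category, 1-25

    def risk_score(self) -> int:
        # Step 4: Risk score = Impact x Likelihood, after checking both 1-5 scales.
        for label, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} must be 1-5, got {value}")
        return self.impact * self.likelihood

def appetite_band(baseline: int) -> str:
    # Step 5: the example ranges from the post; tailor them to the business.
    if 1 <= baseline <= 10:
        return "low"
    if 11 <= baseline <= 18:
        return "medium"
    if 19 <= baseline <= 25:
        return "high"
    raise ValueError(f"baseline appetite must be 1-25, got {baseline}")

def assess(categories: list[Category]) -> dict:
    # Steps 6-7: total the per-category scores and compare with the summed baselines.
    # Each category is also flagged on its own: an acceptable total can hide one
    # critical category whose score is over its baseline (assumed reading of the table).
    rows = []
    for c in categories:
        score = c.risk_score()
        rows.append((c.name, score, c.baseline, appetite_band(c.baseline), score > c.baseline))
    total_score = sum(r[1] for r in rows)
    total_baseline = sum(c.baseline for c in categories)
    overall = "low" if total_score > total_baseline else "high"
    return {"rows": rows, "total_score": total_score,
            "total_baseline": total_baseline, "overall_appetite": overall}

# Constructed sample ratings for the five categories listed in step 1.
SAMPLE = [
    Category("Operations", impact=5, likelihood=3, baseline=8),
    Category("Finances", impact=4, likelihood=2, baseline=10),
    Category("Strategies", impact=2, likelihood=2, baseline=20),
    Category("Compliance", impact=5, likelihood=2, baseline=6),
    Category("Business reputation", impact=3, likelihood=3, baseline=12),
]

if __name__ == "__main__":
    result = assess(SAMPLE)
    for name, score, base, band, over in result["rows"]:
        print(f"{name:20} {score:3} {base:3} {band:7} {'EXCEEDED' if over else 'ok'}")
    print(f"Total {result['total_score']} vs baseline {result['total_baseline']}: {result['overall_appetite']} appetite")
```

With the sample inputs the total (46) sits under the summed baseline (56), so the overall verdict is a high appetite, yet Operations and Compliance individually exceed their baselines, which is why the per-category flags are worth keeping alongside the step 7 comparison.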

Next Steps

With this calculator, businesses can quantitatively assess and calculate their risk appetite based on the assigned scores for impact and likelihood. The approach helps provide a clearer understanding of the organization's risk tolerance levels and facilitates informed decision-making regarding risk management strategies and resource allocation.

If you’ve found that your risks outweigh your tolerance for them, Todyl can help. Our product is backed by decades of cybersecurity experience, so you can effectively address your risk vectors and defend them from new and evolving threats. Contact us to learn more.
