What is a Risk Appetite Statement?

A cybersecurity risk appetite statement is a formal document, approved by executive leadership or the Board, that sets out the level of cyber risk an organization is willing to accept in pursuit of its business goals. The appetite itself is a business decision; what makes it actionable is measuring current exposure against it. That measurement comes from cyber risk assessments whose findings are quantified with a method such as NIST SP 800-30 or the FAIR (Factor Analysis of Information Risk) methodology, so that exposure and appetite can be compared in the same terms (for example, annualized loss in currency rather than "high/medium/low" labels).
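To show what "quantifying risk and comparing it to the appetite" looks like in practice, here is a small FAIR-style Monte Carlo simulation. It is an added example, not code from the original page or from the FAIR standard itself: the scenario numbers, the triangular distributions, and the two appetite thresholds (a cap on mean annualized loss and a cap on the 95th-percentile loss) are all assumptions chosen for illustration. The seed is fixed so the result is reproducible.

```python
import math
import random
from statistics import mean


def simulate_annual_loss(freq_min, freq_ml, freq_max,
                         mag_min, mag_ml, mag_max,
                         trials=10000, seed=1):
    """Simulate annualized loss for one risk scenario, FAIR-style.

    Loss Event Frequency (events per year) and Loss Magnitude (loss per event)
    are each modelled as a triangular distribution (min, most likely, max),
    which is how analysts usually express calibrated estimates. Returns a
    list of simulated annual loss totals, one per trial.
    """
    rng = random.Random(seed)          # fixed seed: reproducible results
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode); round to whole events
        events = round(rng.triangular(freq_min, freq_max, freq_ml))
        total = sum(rng.triangular(mag_min, mag_max, mag_ml)
                    for _ in range(events))
        losses.append(total)
    return losses


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a list of numbers."""
    s = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(s)))
    return s[min(rank, len(s)) - 1]


def summarize(losses):
    """Headline figures a risk report would carry for one scenario."""
    return {
        "mean": mean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
        "max": max(losses),
    }


def check_appetite(losses, max_mean_loss, max_p95_loss):
    """Compare simulated exposure against a risk appetite statement.

    The two thresholds are assumed appetite terms: a cap on expected
    (mean) annual loss and a cap on the 95th-percentile "bad year" loss.
    Returns (within_appetite, summary, list_of_breached_terms).
    """
    summary = summarize(losses)
    breaches = []
    if summary["mean"] > max_mean_loss:
        breaches.append("mean annual loss exceeds appetite")
    if summary["p95"] > max_p95_loss:
        breaches.append("95th-percentile annual loss exceeds appetite")
    return (not breaches), summary, breaches


if __name__ == "__main__":
    # Constructed scenario: ransomware on a business-critical file server.
    # Frequency 0.1-0.5-2 events/year, magnitude 50k-300k-2M per event.
    losses = simulate_annual_loss(0.1, 0.5, 2.0, 50_000, 300_000, 2_000_000)
    # Assumed appetite terms: mean loss <= 250k, p95 loss <= 1.5M per year.
    ok, summary, breaches = check_appetite(losses, 250_000, 1_500_000)
    for key, value in summary.items():
        print(f"{key:>5}: {value:,.0f}")
    print("within appetite" if ok else "BREACH: " + "; ".join(breaches))
```

The useful output is not the single number but the distribution: a scenario can sit comfortably under the mean-loss cap while its tail blows through the p95 cap, which is exactly the kind of finding a risk appetite statement should force into the Board conversation.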

A cybersecurity risk appetite statement:

  • Provides direction: It states, for everyone in the organization, the level of cyber risk that is considered acceptable, which gives decision-makers at every level a consistent yardstick when choosing, prioritizing, or declining cybersecurity measures.
  • Aligns with strategy: It keeps the organization's security posture tied to its strategic objectives, so that controls are neither over-engineered for low-value assets nor absent where the business cannot tolerate loss.
  • Serves as a communication tool: It conveys the organization's cybersecurity philosophy to internal and external stakeholders, such as employees, executives, regulators, and investors. Risk appetite statements should be included, alongside the measured exposure against them, when reporting cybersecurity to the Board.

