How to determine your appetite for cybersecurity risk
This article is part of Spiceworks’ Recalibrating Risk Tolerance series investigating the contemporary landscape of cybersecurity risk. You can follow along on our landing page, where we’ll be adding new stories all week.
As cybersecurity threats continue to grow in frequency and intensity, one of the most important steps a company can take in response is to accurately establish its risk appetite. This means determining the amount of cyber risk the company is willing to accept to achieve its strategic goals, and, from that, the steps needed to build a successful security program.
Simply stated, risk appetite in the context of IT refers to the willingness of a business to leave some of its assets exposed to cybersecurity threats, to what degree it opts to expose them, and what the potential impacts could be. No organization can fully protect all of its assets all the time. IT and business leaders therefore need to be realistic about which data and which systems they choose to best defend.
Establishing a risk appetite is a high-level decision set by senior leadership. It determines how funds are invested in cybersecurity, and how resources are allocated. Formal programs typically have a risk appetite statement, which outlines acceptable levels of risk, for what elements, and how they’re determined. The risk appetite statement should provide a framework for making decisions around cybersecurity, to ensure resources are allocated effectively, and that risk decisions always align with business goals.
Understanding what cybersecurity risk appetite is all about
Information security risk appetite reflects how much cyber-related loss an organization is willing to absorb in pursuit of its business objectives. It’s a quantitative, strategic boundary that should guide risk management decisions around mitigation, transfer, and acceptance, explains Yakir Golan, CEO and co-founder of Kovrr, a global firm dedicated to cyber and AI risk quantification. Golan works closely with CISOs, chief data officers, and other business leaders to strengthen how organizations understand and manage both cyber and AI risk at the enterprise level.
“When expressed in financial terms specifically, risk appetite becomes actionable, effectively communicating to leaders across departments, ‘This is the level of risk that’s aligned with our goals. If it moves beyond the threshold, intervention is required.’ Without one in place, decisions around cyber tend to be inconsistent or reactive, while the presence of one ensures these decisions are justifiable and strategic,” Golan explains.
While an overall risk appetite can exist, it’s most effective when broken down and aligned to specific risks, explains John Paul Cunningham, CISO at security software firm Silverfort. In practice, boards and executives rarely have a single appetite. Instead, they typically have varied tolerances depending on the scenario and risk event.
Why develop a risk appetite strategy?
Developing a risk appetite strategy means knowing how to safeguard the integrity of your organization’s data, including that of its customers and stakeholders, while still enabling innovation, explains Dan Potter, director of cyber drills and resilience at cybersecurity firm Immersive (formerly Immersive Labs).
“Every business today wants to harness new technologies like AI, but that can’t come at the expense of trust or resilience,” Potter says. “A well-defined risk appetite helps you find that balance: the right mix of security, process, controls, and innovation so the business can operate confidently without unnecessary friction.”
It’s important to remember that risk appetite shouldn’t be a binary, set-in-stone statement designed to eliminate all risk, Potter says. Nor should it be so abstract that it doesn’t resonate with the business that it’s meant to protect and enable. It has to evolve as new technologies and threats emerge, and organizations need to bring it to life by validating that it’s still fit for purpose through measurable exercising and preparedness.
“Ultimately, it’s about striking that balance and being able to prove you can manage risk effectively when it matters,” Potter explains. “You can’t remove all risk, but you can understand it, prepare for it, and build the confidence that your teams know how to respond when the pressure is on.”
The difference between risk appetite and risk tolerance
Risk appetite should not be confused with risk tolerance, though the two do complement each other. The National Institute of Standards and Technology (NIST) defines risk appetite as “The types and amount of risk, on a broad level, [an organization] is willing to accept in its pursuit of value.” While risk appetite is the willingness to take risks, risk tolerance defines the boundaries and standards for assessing and responding to those risks.
NIST notes that an organization may have different levels of risk appetite for different functions and business goals. For example, an organization may have a high risk appetite for pursuing innovative new services, but a low appetite for risks that could disrupt core operations. Or, a startup organization may be willing to take on certain higher risks in order to gain competitive advantage.
Risk appetite strategies typically put an organization into one of three levels:
- High risk appetite: These companies typically have an aggressive risk tolerance, and are willing to take significant risks in return for potentially high rewards.
- Moderate or neutral risk appetite: These companies try to balance the risks and rewards by taking calculated risks they feel comfortable with.
- Low risk appetite, or ‘risk averse’: These companies typically have a conservative risk tolerance and tend to avoid risks that could lead to significant losses, even if potential returns are higher.
A risk appetite assessment is also tied to the risk appetite statement. It helps IT and business leaders distinguish smart risk-taking from risk-taking that could expose the business to a cyberattack or costly data breach. It guides decisions around such issues as which systems and data deserve the most protection, how fast a company patches in the event of a lapse, and how aggressively it monitors and responds to threats.
How to succeed with a risk appetite strategy
The most effective risk appetite strategies are the ones that minimize interpretation, Golan explains. When thresholds are defined in vague or subjective terms, team leaders are left guessing whether their decisions align with what the business is actually prepared to absorb. However, when risk appetite is expressed in quantitative financial and operational terms, decisions become consistent and explainable.
“Everyone plainly understands what level of risk is acceptable and can therefore act accordingly and defend their choices,” Golan says. “They’re not relying anymore on instinct or convention, but rather on modeled impact that reflects the organization’s true risk-bearing capacity.”
Quantifying cyber risk appetite also makes it easier for CISOs to communicate with boards, Golan says. More than facilitating alignment in the C-suite, the quantitative thresholds help directors understand what’s at stake in business terms, which is especially important as regulations like the SEC disclosure rules, DORA, and NIS 2 push boards to play a more active role in cyber oversight.
Says Golan, “With appetite expressed financially, those conversations become more focused and far more productive.”
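The financial, threshold-based appetite that Golan describes (a modelled impact compared against a per-scenario threshold, with intervention when it is exceeded) can be checked mechanically once each scenario has a loss distribution. The Python script below is an added illustration, not code from the article, Kovrr, or any of the firms quoted. It simulates annual losses per scenario with a compound Poisson model (an assumed event frequency and an assumed lognormal per-event loss), takes the 95th-percentile annual loss, and flags any scenario whose tail loss exceeds the appetite set for it. All scenario names, frequencies, loss parameters, and thresholds are constructed assumptions.

```python
"""Scenario-level cyber risk appetite check (illustrative; not a vendor model).

Each scenario's annual loss is modelled as a compound Poisson process: a Poisson
number of events per year, each with a lognormal loss. The simulated annual-loss
distribution is compared with the appetite threshold set for that scenario.
Every parameter below is a constructed assumption for illustration only.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # assumed Poisson mean of loss events per year
    median_loss_usd: float   # assumed median per-event loss (lognormal median)
    loss_sigma: float        # assumed lognormal sigma: spread of per-event loss
    appetite_usd: float      # max acceptable annual loss at the chosen percentile


def sample_poisson(rng, lam):
    """Knuth's method; adequate for the small annual frequencies used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario, years=20000, seed=7):
    """Return one simulated total loss per year (constructed Monte Carlo sample)."""
    rng = random.Random(seed)
    mu = math.log(scenario.median_loss_usd)  # lognormal mu from the median
    losses = []
    for _ in range(years):
        n_events = sample_poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.loss_sigma)
                          for _ in range(n_events)))
    return losses


def assess(scenario, percentile=0.95, years=20000, seed=7):
    """Compare the simulated loss distribution with the scenario's appetite."""
    losses = sorted(simulate_annual_losses(scenario, years, seed))
    tail_loss = losses[int(percentile * (len(losses) - 1))]
    return {
        "scenario": scenario.name,
        "expected_annual_loss": mean(losses),
        "tail_loss": tail_loss,          # loss not exceeded in `percentile` of years
        "appetite": scenario.appetite_usd,
        "breach": tail_loss > scenario.appetite_usd,
    }


def scenarios_needing_intervention(scenarios, percentile=0.95):
    """Names of scenarios whose tail loss sits beyond the appetite set for them."""
    return [r["scenario"] for r in (assess(s, percentile) for s in scenarios)
            if r["breach"]]


# Constructed sample portfolio: two scenarios with deliberately different appetites.
SCENARIOS = [
    Scenario("phishing-led account takeover", events_per_year=2.0,
             median_loss_usd=100_000, loss_sigma=1.0, appetite_usd=50_000),
    Scenario("lost laptop with full-disk encryption", events_per_year=0.05,
             median_loss_usd=20_000, loss_sigma=0.5, appetite_usd=1_000_000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        r = assess(s)
        print(f"{r['scenario']}: expected ${r['expected_annual_loss']:,.0f}, "
              f"p95 ${r['tail_loss']:,.0f}, appetite ${r['appetite']:,.0f}, "
              f"{'INTERVENE' if r['breach'] else 'within appetite'}")
```

The percentile is the knob that turns an appetite statement into a tolerance boundary: a board that accepts being over budget one year in twenty sets it at 0.95, a more risk-averse one at 0.99. Because the threshold and the percentile are explicit, two teams running the same model reach the same intervention decision, which is the consistency the article argues for.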