Educause Security Discussion mailing list archives

Re: Risk Tolerance


From: Stefan Wahe <0000009ffd3543ad-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 8 Aug 2019 15:46:34 +0000

David –

This is a good topic to discuss. You are correct that it is difficult to understand a meaningful risk tolerance score for a 
university or for any organization. I typically consider the risk tolerance of a campus unit or organization independently. 
This is primarily due to the differing missions of the different units on campus spanning the components of teaching 
and learning, research, and administrative systems. In the attached document there are two tables that identify our 
risk impact and risk likelihood baseline. We offer the unit the opportunity to adjust the monetary and availability 
scales based on their threshold to define tolerance of an information system outage (availability) or the ability to 
monetarily address a breach, fines or lost revenue.

I am working on a method to aggregate the results of the individual cybersecurity risk assessments into an 
overall campus risk score. This will be used to inform leadership of the score and the reason for an increase or 
decrease in risk, to determine their current risk tolerance, and to seek guidance in prioritization to address the residual 
risk.

My thought is that the overall risk tolerance of campus leaders shifts over time based on current financial, political, or 
reputational influences that the leaders may be experiencing. Changes in leadership also impact this. By setting and 
communicating current risk, we can gauge their risk tolerance based on prioritization of implementing and maintaining 
security controls (financial support of people, process and tools).

While not directly answering your question, I hope the information is worthwhile. Any thoughts or feedback are welcome.

Thanks – Stefan Wahe


Stefan Wahe, CISSP
University of Wisconsin-Madison
Office of Cybersecurity <https://it.wisc.edu/about/division-of-information-technology/strategic-operations-departments-people/cybersecurity/>
Deputy Chief Information Security Officer
Assistant Director, Governance, Risk Management, and Compliance
HIPAA Security Officer (http://go.wisc.edu/hipaasecurity)
Stefan.Wahe () wisc edu<mailto:Stefan.Wahe () wisc edu>
608-265-1177




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Eilken 
<david.eilken () DOMAIL MARICOPA EDU>
Reply-To: "david.eilken () domail maricopa edu" <david.eilken () DOMAIL MARICOPA EDU>
Date: Tuesday, August 6, 2019 at 2:26 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Risk Tolerance

All,

I'm looking to better understand an appropriate level of risk tolerance for educational institutions; in particular for 
a large sprawling college that does not do much research (lots of PII, little IP).

I thought it would be good to ask two simple questions. First, what do you feel is your org's risk tolerance on a scale of 
1-10, ten being that you have information security concerns but don't allocate specific budget for it and are 
comfortable accepting high levels of cyber risk.

Second, although the Educause Security Almanac states an average of 3.6% of IT budget is allocated to IS, it would be 
interesting to know if you feel that you have the resources to obtain/maintain a reasonable level of PPT (People, 
Processes, and Technology) for IS that appropriately balances the costs of reducing cyber risks.

As always thanks,
Dave

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Attachment: Risk Scoring-Cybersecurity-20190305.docx
Description: Risk Scoring-Cybersecurity-20190305.docx

