acceptable risk [English]
n. ~ A level of risk that can be tolerated, typically because the level of harm is not considered significant.
- RFC 4949 (†591): A risk that is understood and tolerated by a system’s user, operator, owner, or accreditor, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss. (See: adequate security, risk, "second law" under "Courtney’s laws".)
- Dorian 2011 (†489): Without risk there is no reward. If the risk is low enough, then accept it as a cost of doing business, acknowledging that little to no action is being taken to mitigate that risk. An entity could establish a contingency fund or build a contingency plan to minimize any loss not previously anticipated from these risks. (†745)
- NIST Managing Information Security Risk 2011 (†484 p. 6): Levels of risk, types of risk, and degree of risk uncertainty that are acceptable. (†734)