How Do Organizations Identify and Define “Tolerable” Risk?
Sarah Freeman is Chief Engineer for Intelligence, Modeling and Simulation for MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), where she provides U.S. government partners and private sector entities with actionable cyber threat intelligence, developing innovative security solutions for the critical infrastructure within the U.S.

Sarah will be discussing the following topics at the 10th Annual Control Systems Cybersecurity Conference in Nashville, TN on the 19th and 20th September:
  • How do organizations identify/define “tolerable” risk?
  • Past focus on the impact of cyber attacks has also included discussion of the anticipated damage from cyber events
  • An example of this approach is included in Consequence Prioritization (CCE)
  • One advantage of Consequence Prioritization is that it doesn’t try to generate a common criteria for calculating impact. (There are shared attributes, like loss of safety, but these can be individually weighted to align with a given organization’s “pain points.”)
  • Risk of cyber-attack assumes a knowledgeable, motivated, and capable threat actor
  • Put simply – Without a threat actor, the risk of cyber attack is zero
  • Programs have a limited focus: even those with a cyber intelligence focus rarely develop detailed assessments of adversary capability, sophistication and motivation
  • Little effort is put into differentiating between actor skill levels