Level of residual risk to the organization’s operations, assets, or individuals that falls within the defined risk appetite and risk tolerance by the organization.
Level of residual risk to the organization’s operations, assets, or individuals that falls within the defined risk appetite and risk tolerance by the organization.
A risk that is understood and tolerated by a system's user, operator, owner, or accreditor, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss. (See: adequate security, risk, "second law" under "Courtney's laws".)