Cyber Risk Guy

Risk, Tolerance, and Capacity

Learn how organizations decide what risks they're willing to accept - like choosing between basic and full-coverage car insurance, but for cybersecurity!

Author
David McDonald
Read Time
8 min
Published
August 9, 2025
Updated
August 9, 2025
COURSES AND TUTORIALS

Think About Buying Car Insurance 🚗

Quick question: When you buy car insurance, do you get the absolute cheapest coverage or the most expensive, full-coverage plan?

Most people choose something in between, right? You balance:

  • How much you can afford to pay for insurance (your capacity)
  • How much risk you’re comfortable with if something bad happens (your tolerance)
  • How much you could handle financially if you had to pay out-of-pocket (your capacity again)

This is EXACTLY how organizations think about cybersecurity! They ask:

  • How much can we spend on security tools and training?
  • How much damage could we survive if we got attacked?
  • What level of risk are we comfortable accepting?

What Is Risk Tolerance? 🎯

Simple definition: Risk tolerance is how much risk you’re willing to accept while trying to achieve your goals.

Even simpler: It’s your comfort level with taking chances.

Real-Life Examples You Already Understand 🏠

High Risk Tolerance People:

  • Skydive for fun (accept physical danger for excitement)
  • Buy cryptocurrency (accept financial loss for potential gains)
  • Start their own business (accept failure risk for independence)

Low Risk Tolerance People:

  • Always buy extended warranties (pay extra to avoid repair costs)
  • Keep money in savings accounts instead of stocks (accept low returns to avoid losses)
  • Triple-check their work (spend extra time to avoid mistakes)

Business Risk Tolerance Examples 💼

🏦 Banks - Very Low Risk Tolerance

  • Why: Customer trust and regulatory requirements
  • Security approach: Spend millions on security, multiple layers of protection
  • Mindset: “We cannot afford ANY successful attacks”

🚀 Startups - Higher Risk Tolerance

  • Why: Limited budgets, need to move fast
  • Security approach: Basic protections, accept some vulnerability
  • Mindset: “We can’t let security slow us down from getting to market”

🏥 Hospitals - Medium Risk Tolerance

  • Why: Life-or-death situations require access, but patient privacy is critical
  • Security approach: Strong privacy controls, but systems must always be available
  • Mindset: “Protect patient data, but never block emergency care”

What Is Risk Capacity? 💪

Simple definition: Risk capacity is the maximum amount of risk you can handle before it seriously hurts you.

Even simpler: It’s how much damage you could survive.

Personal Risk Capacity Examples 💰

High Risk Capacity:

  • Millionaire: Can afford to lose $10,000 on a risky investment
  • Young person: Can recover from career setbacks because they have time
  • Healthy person: Can try extreme sports because they can handle minor injuries

Low Risk Capacity:

  • Living paycheck to paycheck: Cannot afford any financial losses
  • Near retirement: Cannot recover from major investment losses
  • Chronic illness: Cannot handle additional health risks

Business Risk Capacity Examples 🏢

🏪 Small Local Business - Low Risk Capacity

  • Financial: $50,000 cyberattack could bankrupt them
  • Reputation: One bad incident could lose all local customers
  • Recovery: No IT staff to handle security incidents

🏭 Large Corporation - High Risk Capacity

  • Financial: Can absorb millions in losses and recovery costs
  • Reputation: Can weather bad publicity with marketing campaigns
  • Recovery: Dedicated security teams and incident response plans

🎓 University - Medium Risk Capacity

  • Financial: Have some resources but dependent on donations/tuition
  • Reputation: Research reputation is critical but can rebuild over time
  • Recovery: IT staff available but may be overwhelmed by major incidents

Risk Tolerance vs. Risk Capacity: The Key Difference 🤔

Here’s the thing people get confused about: What you’re willing to accept (tolerance) might be very different from what you can actually handle (capacity).

Real Examples of the Mismatch 📊

Example 1: The Overconfident Startup 🚀

  • Risk Tolerance: High - “We’re disrupting the industry, we need to take chances!”
  • Risk Capacity: Low - One major data breach could shut them down permanently
  • Problem: They’re willing to take more risk than they can actually handle

Example 2: The Over-Cautious Enterprise 🏢

  • Risk Tolerance: Low - “We can’t afford any security incidents”
  • Risk Capacity: High - Could survive multiple minor attacks and recover
  • Problem: They’re spending way more on security than they actually need

Example 3: The Balanced Hospital 🏥

  • Risk Tolerance: Medium - “Protect patient data but keep systems available”
  • Risk Capacity: Medium - Can handle some incidents but need to be careful
  • Success: Their willingness to accept risk matches what they can actually handle

How Organizations Figure Out Their Risk Appetite 📋

Risk appetite is combining tolerance + capacity to make smart decisions.

Step 1: Know Your Numbers 💵

Questions organizations ask:

  • How much money do we make per year?
  • How much could a major cyberattack cost us?
  • How long could we survive without normal operations?
  • What would it cost to rebuild our reputation?

Real Example: Small accounting firm

  • Annual revenue: $500,000
  • Major attack cost: Could be $200,000+ (40% of yearly income)
  • Conclusion: Low risk capacity, need strong basic security

Step 2: Know Your Business 🎯

Questions organizations ask:

  • What industry are we in? (Healthcare = more regulation than retail)
  • Who are our customers? (Do they care about security?)
  • What data do we have? (Credit cards = higher risk than email addresses)
  • What are our competitors doing? (Are we a bigger target if we’re successful?)

Step 3: Know Your Constraints 🚧

Questions organizations ask:

  • What do laws and regulations require us to do?
  • What do our cyber insurance policies cover?
  • What do our customers’ contracts require?
  • What industry standards must we follow?

Why This Matters for Your Career 💼

Understanding risk appetite helps you:

As an Employee:

  • Understand why your company makes certain security decisions
  • Know how much security training and procedures to expect
  • Recognize when to escalate security concerns to management

As a Security Professional:

  • Communicate with business leaders in terms they understand
  • Justify security spending based on business risk, not technical features
  • Set realistic expectations about what level of security is achievable

As a Business Owner:

  • Make informed decisions about security investments
  • Balance security costs against business growth needs
  • Set appropriate policies that employees will actually follow

Key Takeaways ✅

Before you move to the next lesson, make sure you understand:

  1. Risk tolerance is about willingness - how much risk you want to accept
  2. Risk capacity is about ability - how much risk you can actually handle
  3. Smart risk appetite balances both - don’t take more risk than you can handle
  4. Different industries have different risk profiles - banks vs. startups vs. hospitals
  5. You make these same decisions in your personal financial and career choices

Ready for Lesson 8? ⚡

Next up: Treating Risk

Now that you understand how much risk organizations can handle, you’ll learn about the four ways organizations deal with risk they’ve identified.

Think of it like dealing with different threats to your house - sometimes you install an alarm system, sometimes you buy insurance, sometimes you just accept that your garden gnomes might get stolen!

You’re building the complete risk management picture: Identify threats & vulnerabilities → Understand risk appetite → Decide how to treat each risk. Almost there! 💪

← Threats, Vulnerabilities, and Attacks Top Treating Risk →

Reader Feedback

See what others are saying about this article

Did you enjoy this article?

Your feedback helps me create better content for the cybersecurity community

Share This Article

Found this helpful? Share it with your network to help others learn about cybersecurity.

Link copied to clipboard!

Share Feedback

Help improve this content by sharing constructive feedback on what worked and what didn't.

Thank you for your feedback!

Hire Me

Need help implementing your cybersecurity program? Let's work together.

Hire Me

Support Me

Help keep great cybersecurity content coming by supporting me on Patreon.

Support on Patreon
David McDonald

I'm David McDonald, the Cyber Risk Guy. I'm a cybersecurity consultant helping organizations build resilient, automated, cost effective security programs.

;