112 ◾ Information Security Metrics
11.2.8 Acceptable Levels of Risk and Impact
roughout this work, we have discussed the necessity for senior management
to decide on acceptable levels of risk and impact. Information security cannot be
managed effectively and efficiently with this information. It will not be clear what
we are managing to or when we have achieved our objectives. Various approaches
to arriving at this information have been previously mentioned such as utilizing
business access assessment (BIA) to define recovery time objectives that will ulti-
mately define rather precisely acceptable risk when the tradeoffs between shorter
recovery times are balanced against costs of achieving those targets.
Collecting the information discussed