Information Security Management Metrics ◾ 129
negotiating acceptable RTOs at an acceptable cost provides a direct financial value
of what the organization is willing to spend to address the risk of system failure.
is serves as a clear indicator of risk tolerance based on acceptable impacts. is
approach is, of course, also dependent on the credibility of the prerequisite risk
assessment in terms of the probability of an event and its potential magnitude (i.e.,
whether it can cause system failure).
Defining risk tolerance in measurable terms provides the objectives the security
manager can manage to as well as the reference point for metrics needed to guide
risk management efforts. is can also be useful in that risks that fall below this
mea ...