Cybersecurity Materiality & Risk Tolerance

Specific to cybersecurity and data protection, the SCF defines material weakness as:

“A deficiency, or a combination of deficiencies, in an organization’s cybersecurity and/or data protection controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance.”

In the context of that definition of cybersecurity materiality, it is important to baseline the understanding risk management terminology. According to the PMBOK® Guide:

• Risk Tolerance is the “specified range of acceptable results.”
• Risk Threshold is the “level of risk exposure above which risks are addressed and below which risks may be accepted.”
• Risk Appetite is the “degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.” It is important to note that the risk tolerance and risk appetite are not the same thing. In terms of cybersecurity materiality, risk tolerance matters.

​The concept of materiality is important to understand the health of a cybersecurity and data protection program, where a material weakness crosses an organization’s risk threshold by making an actual difference that exposes systems, applications, services, personnel, the organization or third-parties to unacceptable risk. Materiality designations can help determine what constitutes reasonable assurance that an organization adheres to its stated risk tolerance.

Assurance is defined as the grounds for confidence that the set of intended security and data privacy controls in a system, application or service are effective in their application. Since assurance is relative to a specific set of controls, defects in those controls affect the underlying confidence in the ability of those controls to operate as intended to produce the stated results. Fundamentally, assurance identifies the level of confidence that a stakeholder has that an objective is achieved, that takes into consideration the risks associated with non-conformity (e.g., non-compliance) and the anticipated costs necessary to demonstrate conformity with the specified controls.

When organizations go through some form of certification process, it undergoes a conformity assessment (e.g., ISO 27001, CMMC, SOC 2, PCI DSS, RMF, etc.). Conformity assessments are designed to assure that a particular product, service, or system meets a given level of quality or safety. Instead of a 100% pass criteria, conformity assessments rely on the concept of assurance to establish a risk-based threshold to determine if the intent of the objective(s) has been achieved.​

Context For Cybersecurity Materiality Usage

In legal terms, “material” is defined as something that is relevant and significant:

• In a lawsuit, "material evidence" is distinguished from totally irrelevant or of such minor importance that the court will either ignore it, rule it immaterial if objected to, or not allow lengthy testimony upon such a matter.
• A "material breach" of a contract is a valid excuse by the other party not to perform. However, an insignificant divergence from the terms of the contract is not a material breach.

For those in the Governance, Risk Management & Compliance (GRC) space, materiality is often relegated to Sarbanes-Oxley Act (SOX) compliance. However, the concept of materiality is much broader than SOX and can be applied as part of risk reporting in any type of conformity assessment. Financial-related materiality definitions focus on investor awareness of third-party practices, not inwardly-looking for adherence to an organization's risk tolerance:

• Per the Security and Exchange Commission (SEC), information is material “to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered.”
• Per the Financial Accounting Standards Board (FASB), “if omitting, misstating or obscuring it could reasonably be expected to influence the decisions that the primary users of general purpose financial statements make on the basis of those financial statements, which provide financial information about a specific reporting entity.”

A financial benchmark is commonly used to determine materiality. As an example, from a financial impact perspective, for an item to be considered material, the control deficiency, risk, threat or incident (singular or a combination) should meet one, or more, of the following criteria where the potential financial impact is measured as:

• ≥ 5% of pre-tax income
• ≥ 0.5% of total assets
• ≥ 1% of total equity (shareholder value); and/or
• ≥ 0.5% of total revenue.

Facets of Materiality Considerations 

There is more to the materiality than simply defining it:

• Material Control. When a deficiency, or absence, of a specific control poses a material impact, that control is designated as a material control. A material control is such a fundamental cybersecurity and/or data protection control that:
• It is not capable of having compensating controls; and
• Its absence, or failure, exposes an organization to such a degree that it could have a material impact.
• Material Risk. When an identified risk that poses a material impact, that is a material risk.
• A material risk is a quantitative or qualitative scenario where the exposure to danger, harm or loss has a material impact (e.g., significant financial impact, potential class action lawsuit, death related to product usage, etc.); and
• A material risk should be identified and documented in an organization's "risk catalog" that chronicles the organization's relevant and plausible risks.
• Material Threat. When an identified threat poses a material impact, that is a material threat.
• A material threat is a vector that causes damage or danger that has a material impact (e.g., poorly governed Artificial Intelligence (AI) initiatives, nation state hacking operations, dysfunctional internal management practices, etc.); and
• A material threat should be identified and documented in an organization's "threat catalog" that chronicles the organization's relevant and plausible threats.
• Material Incident. When an incident poses a material impact, that is a material incident.
  • Jeopardize the Confidentiality, Integrity, Availability and/or Safety (CIAS) of a system, application, service or the data that it processes, stores and/or transmits with a material impact on the organization; and/or
  • Constitute a violation, or imminent threat of violation, of an organization's policies, standards, procedures or acceptable use practices that has a material impact (e.g., malware on sensitive and/or regulated systems, emergent AI actions, illegal conduct, business interruption, etc.).
• A material incident is an occurrence that does or has the potential to:
• Reasonably foreseeable material incidents should be documented in an organization's Incident Response Plan (IRP) that chronicles the organization's relevant and plausible incidents, so there are appropriate practices to identify, respond to and recover from such incidents.
• Material Weakness. A material weakness is a deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data protection controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance.
• When there is an existing deficiency (e.g., control deficiency) that poses a material impact, that is a material weakness (e.g., inability to maintain access control, lack of situational awareness to enable the timely identification and response to incidents, etc.).
• A material weakness will be identified as part of a gap assessment, audit or other form of assessment as a finding due to one (1), or more, control deficiencies. A material weakness should be documented in an organization's Plan of Action & Milestones (POA&M), risk register, or similar tracking mechanism for remediation purposes.

Internal vs External Consumption for Materiality Considerations

As shown above in the financial context of materiality, that usage of "materiality" is intended for external, third-party consumption (e.g., investors) to ensure informed decisions are made. The SCF's definition of "cybersecurity materiality" is intended for internal governance practices.  

This intended usage for internal governance practices is meant to mature risk management practices by providing context, as compared to generally-hollow risk management statements that act more as guidelines than requirements, as it pertains to risk thresholds. Cybersecurity materiality is meant to act as a "guard rail" for risk management decisions. 

Use Cases For Cybersecurity Materiality

Use cases for how "cybersecurity materiality" can benefit cybersecurity and data privacy practitioners include, but are not limited to:

• Control assessments - using risk tolerance and risk thresholds provides context about how to report the significance of the findings, where material weaknesses in the controls assigned to systems, applications, services, projects, etc. can take on an enhanced sense of urgency.
• Project/initiative planning - identifying "must have" cybersecurity and data privacy controls early in the development lifecycle can prevent roadblocks that should halt a project/initiative from going live in a production environment, due to material weaknesses. This enables a risk-based justification for funding requirements for necessary people, processes and technologies to ensure the organization's risk tolerance is met.
• Third-party risk assessments - depending on the nature of a third-party's products/services, that entity's deficiencies can directly or indirectly affect the overall security of your organization. To prevent "hand waiving" practices that allow third-party services through without scrutiny, utilizing cybersecurity materiality considerations is a viable way to evaluate if that third-party enables your organization to adhere to its stated risk tolerance.
• Catalyst for change & budget justification - as a responsible party (e.g., CISO, CPO, etc.) for your organization's cybersecurity and data privacy program, being able to identify and designate material weakness can be an immensely beneficial tool for change. If material weaknesses are identified by a CISO (or equivalent role), that requires executive-level support. This may equate to forcing technology changes (e.g., good IT hygiene practices, legacy technology refreshes, terminating unsuitable vendor contracts, etc.), processes changes (e.g., good hiring practices, terminating unsuitable employees, procurement practice changes, embedding cybersecurity and data privacy in project management, etc.) or adequate budget to remediate deficiencies in the cybersecurity and data privacy program.

Defining Risk Appetite

Risk appetites exist as a guiderail from an organization's executive leadership to inform employees about what is and is not acceptable, in terms of risk management.

Risk appetite is primarily a “management statement” that is subjective in nature. Similar in concept to how a policy is a "high-level statement of management intent," an organization's stated risk appetite is a high-level statement of how all, or certain types of, risk are willing to be accepted. Using a review of current risk status vs target risk appetites can be useful to see how well cybersecurity practices operate to clearly see what practice areas deviate from expectations.

Examples of an organization stating its risk appetite from basic to more complex statements:

• "[organization name] is a low-risk organization and will avoid any activities that could harm its customers."
• "[organization name] will aggressively pursue innovative solutions through Research & Development (R&D) to provide industry-leading products and services to our clients, while maintaining a moderate risk profile. Developing breakthrough products and services does invite potential risk through changes to traditional supply chains, disruptions to business operations and changing client demand. Proposed business practices that pose greater than a moderate risk will be considered on a case-by-case basis for financial and legal implications.”

It is important to know that in many immature risk programs, risk appetite statements are divorced from reality. Executive leaders mean well when they put out risk appetite statements, but the Business As Usual (BAU) practices routinely violate the risk appetite. This is often due to numerous reasons that include, but are not limited to:

• Technical debt;
• Dysfunctional management decisions;
• Insecure practices;
• Inadequate funding/resourcing;
• Improperly scoped support contracts (e.g., Managed Service Providers (MSPs), consultants, vendors, etc.); and
• Lack of pre-production security testing.

Defining Risk Tolerance

An organization's risk tolerance is influenced by several factors that includes, but is not limited to:

• Statutory, regulatory and contractual compliance obligations (including adherence to data privacy principles for ethical data protection practices)
• Organization-specific threats (natural and manmade)
• Reasonably-expected industry practices
• Pressure from competition
• Executive management decisions

Risk tolerance is simplified as being one of the following five (5) levels:

1. Low risk;
2. Moderate risk;
3. High risk;
4. Severe risk; and
5. Extreme risk.

Low Risk Tolerance

Organizations that would be reasonably-expected to adopt a low risk tolerance generally:

• Provide products and/or services that are necessary for the population to maintain normalcy in daily life.
• Are in highly-regulated industries with explicit cybersecurity and/or data privacy requirements.
• Store, process and/or transmit highly-sensitive/regulated data.
• Are legitimate targets for nation-state actors to disrupt and/or compromise due to the high-value nature of the organization.
• Have strong executive management support for security and privacy practices as part of “business as usual” activities.
• Maintain a high level of capability maturity for preventative cybersecurity controls to implement “defense in depth” protections across the enterprise.
• Have a high level of situational awareness (cybersecurity & physical) that includes its supply chain.
• Have cyber-related liability insurance.

Organizations that are reasonably-expected to operate with a low risk tolerance include, but are not limited to:

• Critical infrastructure
• Utilities (e.g., electricity, drinking water, natural gas, sanitation, etc.)
• Telecommunications (e.g., Internet Service Providers (ISPs), mobile phone carriers, Cloud Service Providers (CSPs), etc.) (high value)
• Transportation (e.g., airports, railways, ports, tunnels, fuel delivery, etc.)
• Technology Research & Development (R&D) (high value)
• Healthcare (high value)
• Government institutions:
  • Military
  • Law enforcement
  • Judicial system
  • Financial services (high value)
  • Defense Industrial Base (DIB) contractors (high value)

Moderate Risk Tolerance

Organizations that would be reasonably-expected to adopt a moderate risk tolerance generally:

• Have executive management support for securing sensitive / regulated data enclaves.
• Are in regulated industries that have specific cybersecurity and/or data privacy requirements (e.g., CMMC, PCI DSS, SOX, GLBA, RMF, etc.).
• Have “flow down” requirements from customers that require adherence to certain cybersecurity and/or data privacy requirements.
• Store, process and/or transmit sensitive/regulated data.
• Are legitimate targets for attackers who wish to financially benefit from stolen information or ransom.
• Have cyber-related liability insurance.

Organizations that are reasonably expected to operate with a moderate risk tolerance include, but are not limited to:

• Education (e.g., K-12, colleges, universities, etc.)
• Utilities (e.g., electricity, drinking water, natural gas, sanitation, etc.)
• Telecommunications (e.g., Internet Service Providers (ISPs), mobile phone carriers, etc.)
• Transportation (e.g., airports, railways, ports, tunnels, fuel delivery, etc.)
• Technology services (e.g., Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), etc.)
• Manufacturing (high value)
• Healthcare
• Defense Industrial Base (DIB) contractors and subcontractors
• Legal services (e.g., law firms)
• Construction (high value)

High Risk Tolerance

Organizations that would be reasonably-expected to adopt a high risk tolerance generally:

• Are in an unregulated industry, pertaining to cybersecurity and/or data privacy requirements.
• Do not store, process and/or transmit sensitive/regulated data.
• Lack management support for cybersecurity and data privacy governance practices.
• Do not have cyber-related liability insurance.

Organizations that may choose to operate with a high risk tolerance include, but are not limited to:

• Startups
• Hospitality industry (e.g., restaurants, hotels, etc.)
• Construction
• Manufacturing
• Personal services

Severe Risk Tolerance

Organizations that would be reasonably-expected to adopt a severe risk tolerance generally:

• Are in an unregulated industry, pertaining to cybersecurity and/or data privacy requirements.
• Do not store, process and/or transmit sensitive/regulated data.
• Lack management support for cybersecurity and data privacy governance practices.
• Do not have cyber-related liability insurance.

Organizations that may choose to operate with a high risk tolerance include, but are not limited to:

• Startups
• Artificial Intelligence (AI) developers

Extreme Risk Tolerance

Organizations that would be reasonably-expected to adopt an extreme risk tolerance generally:

• Are in an unregulated industry, pertaining to cybersecurity and/or data privacy requirements.
• Do not store, process and/or transmit sensitive/regulated data.
• Lack management support for cybersecurity and data privacy governance practices.
• Do not have cyber-related liability insurance.

Organizations that may choose to operate with a high risk tolerance include, but are not limited to:

• Startups
• Artificial Intelligence (AI) developers

Defining Risk Threshold

Risk thresholds are directly tied to risk tolerance. As the graphic at the top of the page depicts, there is a threshold between the different levels of risk tolerance. By establishing thresholds, it brings the "graduated scale perspective" to life.

Risk thresholds are entirely unique to each organization, based on several factors that include:

• Financial stability;
• Management preferences;
• Compliance obligations (e.g., statutory, regulatory and/or contractual); and
• Insurance coverage limits.

Examples of how risk thresholds are unique to each organization include:

• Defining specific activities / scenarios that could damage the organization’s reputation;
• Defining specific activities / scenarios that could negatively affect short-term and long-term profitability; and
• Defining specific activities / scenarios that could impede business operations.