Risk acceptance - Cost-effective risk management for IT systems


  • Henrik Karlzén
  • Johan Bengtsson
  • Jonas Hallberg

Publish date: 2018-02-02

Report number: FOI-R--4521--SE

Pages: 55

Written in: Swedish


  • Risk management
  • risk analysis
  • risk acceptance
  • criteria
  • cost
  • benefit
  • economy
  • information security
  • IT systems
  • stakeholders
  • security investment


IT systems must be characterised by the needs of the stakeholders in order to be beneficial. Moreover, the risks associated with the system have to be managed. Risk management, however, tends to focus only on the risks and whether they can be accepted, rather than balancing them with the costs and benefits of the system. In 2017, an R&D project at FOI conducted a study on risk acceptance. The objective of the study was to identify what should influence decisions about whether risks can be accepted for planned IT systems within the Swedish Armed Forces. The work was based on the Swedish Armed Forces' own publications as well as research literature, standards and industry-specific guidelines. The literature revealed that, although the formal risk acceptance decision is taken at the end of the risk management process, the underlying criteria for risk acceptance must characterise the entire risk management process. Risk acceptance decisions must take into account the organisation's business needs, both at the organisational and system-specific levels. It is also necessary to take laws and standards into account as well as the needs of the stakeholders that may be affected by the system. However, the research on risk acceptance is quite immature and many research questions remain to be answered. For instance, understanding threats is a vital part of the risk management process - and of risk acceptance - but how threats should be described is not clearly specified. To clarify the basis on which risk acceptance decisions ought to be taken within the Swedish Armed Forces, overall risk acceptance criteria are needed. In addition, descriptions of how the overall risk acceptance criteria should be adapted within the organisation and how they affect the whole risk management process have to be added to existing instructions. It is also important to realise that technology and needs can change rapidly and that the assessments will never be perfect, so regular follow-ups of analyses and decisions are necessary.