We have difficulty in deciding when to ACCEPT a risk. Accepting risk has to be a business decision. Here are the steps:
0. Understand the nature of your business in order to determine the acceptable level of risk. An example is if you are an online merchant selling widgets, leakage of customer credit card information is unacceptable.
1. Quantify the risk in terms of $$.
2. How much $$ does the safeguard cost to mitigate the risk? This is the cost/benefit analysis.
3. Decide the course of action for your risk treatment - this is where you decide if you would accept the risk.
The real world is not always as simple as the three steps above.
Here is some basic math for the risk analysis:
Asset Value=AV
Exposure Factor=EF (% of loss in terms of AV if risk were to be realized)
Single Loss Expectancy (SLE):
SLE=AV*EF
Annualized Loss Expectancy (ALE):
ALE=SLE*ARO (where ARO is the Annualized Rate of Occurrence; say the loss occurs 0.5 times per year)
Annual Cost of the Safeguard (ACS)
Tangible Asset
1. If the ACS < ALE then it may not be wise to accept the risk.
2. If the ACS > ALE then it may be wise to accept the risk.
Intangible Asset
1. Brand name.
2. Employee morale, and more.
Through research it has been found that a publicized breach results in brand name damage which can affect the company's stock market capitalization negatively by 2-4%. Employee morale can affect the productivity of employees, and this can hurt the growth of the company. Attributing a $$ figure to intangibles is a challenge. If you take the step of quantifying the risk, it is not as difficult as you think.
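The SLE/ALE arithmetic and the ACS-versus-ALE decision rule above, worked through in code, with the intangible (brand damage) estimate added on top of the tangible loss. This is an added example, not code from the original post; the asset value, market capitalization and safeguard costs used in the sample run are constructed, and the `intangible_loss` parameter and `brand_damage_estimate` helper are my own additions to the post's formulas.

```python
from dataclasses import dataclass


@dataclass
class RiskAssessment:
    sle: float      # Single Loss Expectancy in $$
    ale: float      # Annualized Loss Expectancy in $$
    acs: float      # Annual Cost of the Safeguard in $$
    accept: bool    # True when the post's rule says accepting may be wise


def brand_damage_estimate(market_cap: float, drop_fraction: float) -> float:
    """Intangible loss per breach: the post cites a 2-4% drop in market
    capitalization after a publicized breach. drop_fraction is e.g. 0.03."""
    if not 0.0 <= drop_fraction <= 1.0:
        raise ValueError("drop_fraction must be between 0 and 1")
    return market_cap * drop_fraction


def assess_risk(asset_value: float, exposure_factor: float, aro: float,
                acs: float, intangible_loss: float = 0.0) -> RiskAssessment:
    """SLE = AV * EF (+ intangible estimate), ALE = SLE * ARO.
    Decision rule from the post: ACS > ALE -> accepting may be wise;
    ACS < ALE -> the safeguard is the better use of money.
    ACS == ALE is not covered by the post; treated here as 'do not accept'."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction of AV and must be between 0 and 1")
    if min(asset_value, aro, acs, intangible_loss) < 0:
        raise ValueError("AV, ARO, ACS and intangible_loss cannot be negative")
    sle = asset_value * exposure_factor + intangible_loss
    ale = sle * aro
    return RiskAssessment(sle=sle, ale=ale, acs=acs, accept=acs > ale)


if __name__ == "__main__":
    # Constructed sample: $100k asset, 40% loss per incident, 0.5 incidents/yr.
    tangible = assess_risk(100_000, 0.40, 0.5, acs=15_000)
    print(f"tangible only: SLE={tangible.sle:,.0f} ALE={tangible.ale:,.0f} "
          f"ACS={tangible.acs:,.0f} accept={tangible.accept}")
    # Same risk, but the breach would be public: add a 3% hit on a $5M cap.
    brand = brand_damage_estimate(5_000_000, 0.03)
    with_brand = assess_risk(100_000, 0.40, 0.5, acs=15_000,
                             intangible_loss=brand)
    print(f"with brand damage: SLE={with_brand.sle:,.0f} "
          f"ALE={with_brand.ale:,.0f} accept={with_brand.accept}")
```

The second run shows the point of the last paragraph: once a $$ figure is attached to the intangible, the same safeguard that looked marginal against the tangible ALE alone is clearly cheaper than the annualized loss.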