The IT Law Wiki



An acceptable level of risk is

the level of risk that is tolerable in a given situation. It is determined from: an analysis of threats and vulnerabilities, the sensitivity of data and applications, a cost/benefit analysis, and a study of the technical and operational feasibility of available controls.


An acceptable level of risk is

- "[a]n authority's determination of the level of potential harm to an operation, program, or activity due to the loss of information that the authority is willing to accept."[1]
- "a judicious and carefully considered assessment by the appropriate Designated Approving Authority (DAA) that an automatic data processing (ADP) activity or network meets the minimum requirements of applicable security directives. The assessment should take into account the value of ADP assets, threats and vulnerabilities, countermeasures and their efficiency in compensating for vulnerabilities, and operational requirements."[2]


  1. Secretary of the Air Force, Operations Security (OPSEC) (Air Force Instruction 10-701), at 36 (June 8, 2011).
  2. OPNAVINST 5239.1A; Draft Comprehensive Information Assurance Dictionary 6 (1995).
