Module 1: Threat identification and risk analysis (4/4)

Tolerable risk and the ALARP principle

30 min · 4 min read · Ref: IEC 62443-3-2 §5.5


Not all risk needs to be eliminated

Risk assessment produces a score for each zone × threat scenario. But how do you decide which risks require action and which can be accepted? The answer is tolerable risk — the level of risk the organisation is willing to live with.

Key takeaway

IEC 62443-3-2 §5.5

The asset owner must define a tolerable risk threshold for the system under consideration. Any risk above this threshold must be mitigated or formally accepted with justification.

The ALARP principle

ALARP — As Low As Reasonably Practicable — is borrowed from process-safety engineering (IEC 61508, UK Health & Safety at Work Act). It divides risk into three regions:

[Diagram: the three ALARP regions]

The three regions

Region | Risk level (typical) | Action required
Unacceptable | Critical / High | Implement controls immediately. If controls cannot reduce risk below this threshold, the process or configuration must be changed.
ALARP | Medium | Implement controls unless the cost is grossly disproportionate to the risk reduction achieved. Document the cost-benefit analysis.
Broadly acceptable | Low | No further action required. Monitor and reassess periodically.

"Grossly disproportionate"

This is the key phrase in ALARP. It does not mean "more expensive than the risk." It means the cost would be so extreme relative to the risk reduction that no reasonable person would expect it.

Worked example

Proportionate: Deploying a $15,000 protocol-aware firewall to protect a zone with a $500,000 consequence exposure. Cost is 3% of potential loss — clearly proportionate.

Grossly disproportionate: Replacing all 200 PLCs at $50,000 each ($10M total) to gain encrypted communication when the same risk can be reduced to acceptable levels by network segmentation ($80,000). The $10M option is grossly disproportionate.

Setting the tolerable risk threshold

The threshold is set by the asset owner's management — not by the cybersecurity team alone. It is a business and safety decision.

Factors to consider

  1. Regulatory requirements — some sectors have mandated thresholds (e.g. nuclear, aviation).
  2. Safety policy — the organisation's existing safety-risk appetite (from IEC 61511 or equivalent).
  3. Insurance requirements — cyber-insurance policies may specify minimum security levels.
  4. Peer benchmarks — what are similar organisations in the same sector accepting?
  5. Board risk appetite — documented in the corporate risk-management framework.

Typical thresholds by sector

Sector | Typical tolerable risk | Rationale
Nuclear | All risks must be in the broadly acceptable region | Zero-tolerance safety culture
Oil & gas | ALARP boundary at Medium; unacceptable at High | Major accident potential
Water / wastewater | ALARP boundary at Medium; unacceptable at Critical | Public-health consequences
Manufacturing | ALARP boundary at High; unacceptable at Critical | Primarily financial consequences
Commercial building | Broadly acceptable up to Medium | Low safety consequences

Applying ALARP to the risk register

For each risk in the register:

  1. Compare the risk score to the tolerable risk threshold.
  2. If above threshold: identify controls to reduce the risk. Re-score after controls are applied.
  3. If in ALARP region: perform a cost-benefit analysis. Document whether additional controls are proportionate.
  4. If below threshold: accept the risk. Document the acceptance.

Residual risk

After controls are applied, the remaining risk is residual risk. Residual risk must be:

  • Below the tolerable risk threshold, OR
  • Formally accepted by management with documented justification.

Formula

Residual Risk = Initial Risk − Risk Reduction from Controls
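The four-step procedure above, the residual-risk formula and the "grossly disproportionate" test from the worked example become mechanical once the register is data. The following is an added example, not code from the course or from IEC 62443-3-2: it takes the sector thresholds from the table above, walks each row of a constructed register through the steps (reduce while unacceptable, cost-benefit while in the ALARP region, then record the disposition of the residual risk), and returns an auditable record per row. The register rows, the candidate controls, the LOSS_WEIGHT table used to monetise risk reduction and the disproportion factor of 3 are assumptions for illustration, not values from the standard.

```python
"""ALARP over a risk register. Added example, not the course's code: sector thresholds follow
the page's table; rows, controls, LOSS_WEIGHT and the disproportion factor are assumptions."""
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High", "Critical"]  # ordinal scale from the page, lowest first
# ASSUMPTION: expected-loss fraction of worst-case exposure per level, used only to express
# "risk reduction achieved" in money for the ALARP cost-benefit test.
LOSS_WEIGHT = {"Low": 0.01, "Medium": 0.10, "High": 0.40, "Critical": 1.00}

@dataclass(frozen=True)
class Threshold:
    """Tolerable-risk policy set by the asset owner's management."""
    alarp_boundary: str  # lowest level that is no longer broadly acceptable
    unacceptable: str    # lowest level that must be reduced regardless of cost

# Sector thresholds as given in the page's table.
OIL_GAS = Threshold(alarp_boundary="Medium", unacceptable="High")
MANUFACTURING = Threshold(alarp_boundary="High", unacceptable="Critical")

@dataclass(frozen=True)
class Control:
    name: str
    cost: float       # one-off cost, currency units
    reduces_by: int   # how many levels the control lowers the risk

@dataclass(frozen=True)
class Risk:
    zone: str
    scenario: str
    level: str              # initial (unmitigated) risk level
    exposure: float         # worst-case consequence, currency units
    candidates: tuple = ()  # controls available for this risk

def region(level: str, t: Threshold) -> str:
    """Place a risk level in one of the three ALARP regions for a given threshold."""
    i = LEVELS.index(level)
    if i >= LEVELS.index(t.unacceptable):
        return "unacceptable"
    return "alarp" if i >= LEVELS.index(t.alarp_boundary) else "broadly acceptable"

def reduce_level(level: str, steps: int) -> str:
    """Residual Risk = Initial Risk - Risk Reduction from Controls, on the ordinal scale."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]

def grossly_disproportionate(c: Control, level: str, exposure: float, factor: float) -> bool:
    """ALARP test: the control's cost exceeds `factor` times the monetised risk reduction."""
    benefit = exposure * (LOSS_WEIGHT[level] - LOSS_WEIGHT[reduce_level(level, c.reduces_by)])
    return c.cost > factor * benefit

def evaluate(risk: Risk, t: Threshold, factor: float = 3.0) -> dict:
    """Walk one register row through the page's steps and return an auditable record."""
    level, applied, notes = risk.level, [], []
    remaining = sorted(risk.candidates, key=lambda c: c.cost)  # cheapest first
    # Unacceptable region: implement controls immediately; cost is not a reason to skip.
    while region(level, t) == "unacceptable" and remaining:
        c = remaining.pop(0)
        level = reduce_level(level, c.reduces_by)
        applied.append(c)
    # ALARP region: keep reducing unless the cost is grossly disproportionate.
    while region(level, t) == "alarp" and remaining:
        c = remaining.pop(0)
        if grossly_disproportionate(c, level, risk.exposure, factor):
            notes.append(f"{c.name}: rejected, cost grossly disproportionate to reduction")
            continue
        level = reduce_level(level, c.reduces_by)
        applied.append(c)
    # Residual risk: either below the threshold or it needs a formal management decision.
    final = region(level, t)
    disposition = {
        "broadly acceptable": "accept; monitor and reassess periodically",
        "alarp": "accept; document the cost-benefit analysis",
        "unacceptable": "change the process/configuration or obtain formal management acceptance",
    }[final]
    return {"zone": risk.zone, "scenario": risk.scenario, "initial": risk.level,
            "residual": level, "region": final, "controls": [c.name for c in applied],
            "cost": sum(c.cost for c in applied), "disposition": disposition, "notes": notes}

# Constructed candidate controls and register rows, modelled on the page's worked example.
FIREWALL = Control("Protocol-aware firewall", 15_000, 1)
SEGMENTATION = Control("Network segmentation", 80_000, 1)
PLC_REPLACEMENT = Control("Replace all 200 PLCs for encrypted comms", 10_000_000, 1)
ALLOWLISTING = Control("Application allow-listing", 8_000, 1)
REGISTER = (
    Risk("Zone 3 (process control)", "Unauthorised write to PLC", "Critical", 500_000,
         (FIREWALL, SEGMENTATION, PLC_REPLACEMENT)),
    Risk("Zone 5 (historian)", "Malware on historian server", "Medium", 60_000, (ALLOWLISTING,)),
    Risk("Zone 4 (safety)", "Spoofed trip command", "Critical", 5_000_000, (FIREWALL,)),
    Risk("Zone 1 (enterprise)", "Phishing of office user", "Low", 20_000),
)

if __name__ == "__main__":
    for row in REGISTER:
        r = evaluate(row, OIL_GAS)
        print(f"{r['zone']:<24} {r['initial']:>8} -> {r['residual']:<6} [{r['region']}] "
              f"cost={r['cost']:,.0f}: {r['disposition']}")
        for note in r["notes"]:
            print("    ", note)
```

Run under OIL_GAS the four rows show the four outcomes: the process-control risk is brought from Critical into the ALARP region by the firewall and segmentation, and the PLC replacement is rejected as grossly disproportionate; the historian risk drops to broadly acceptable because allow-listing is cheap relative to the reduction; the safety-zone risk stays unacceptable after its only candidate control and is flagged for a redesign or a formal management decision rather than silently accepted; the enterprise risk is accepted as-is. Evaluating the first row under MANUFACTURING applies the same two controls but lands in the broadly acceptable region, so no cost-benefit record is needed: the threshold, not the score, decides what the register must document.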

Analogy

ALARP is like the speed limit on a highway. Below 50 km/h is safe for everyone. Above 130 km/h is unacceptable everywhere. Between 50 and 130, the acceptable speed depends on the road conditions, the vehicle, and the driver — but you must justify your choice.

Key Takeaways

  1. The asset owner must define a tolerable risk threshold — the boundary between acceptable and unacceptable risk.
  2. ALARP divides risk into three regions: unacceptable, ALARP (reduce unless grossly disproportionate), and broadly acceptable.
  3. The threshold is a management decision, not a technical decision — it reflects safety policy, regulatory requirements, and business risk appetite.
  4. After controls are applied, residual risk must be below the threshold or formally accepted.
  5. Document everything: the threshold, the cost-benefit analysis, and any risk acceptances.

Knowledge Check

3 questions — test your understanding before moving on.

  1. Q1. What does ALARP stand for and what does it mean?

    • As Low As Reasonably Practicable — risk must be reduced unless the cost is grossly disproportionate to the benefit.
    • Always Lower All Possible Risks — every identified risk must be fully eliminated.
    • Assess Likelihood And Risk Profile — a scoring methodology.
    • Automated Logging And Response Protocol — a monitoring standard.

    ALARP (As Low As Reasonably Practicable) divides risk into three regions: unacceptable (must reduce), ALARP (reduce unless grossly disproportionate), and broadly acceptable (no action needed). The key test is whether the cost of further reduction is grossly disproportionate to the risk reduction achieved.

  2. Q2. Who sets the tolerable risk threshold in an IEC 62443-3-2 assessment?

    • The cybersecurity assessor.
    • The equipment vendor.
    • The asset owner's management — it is a business and safety decision.
    • The system integrator.

    The tolerable risk threshold is set by the asset owner's management, not the cybersecurity team alone. It reflects the organisation's safety policy, regulatory requirements, insurance conditions, and board-level risk appetite.

  3. Q3. What must be done with residual risk that remains above the tolerable threshold after controls are implemented?

    • Ignore it until the next annual assessment.
    • Either implement additional controls or formally accept the risk with management approval and documented justification.
    • Transfer it to the equipment vendor.
    • Report it to CISA immediately.

    Residual risk above the tolerable threshold must either be further reduced by additional controls or formally accepted by management with documented justification, compensating controls, and a review date. It cannot simply be ignored.