NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

Published

Author(s)

Kevin Stine, Stephen Quinn, Nahla Ivy, Matthew Barrett, Greg Witte, Larry Feldman, Robert Gardner

Abstract

This document supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. To support the development of an Enterprise Risk Register, this report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets. Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile helps to later prioritize and communicate enterprise cybersecurity risk response and monitoring.
Citation
NIST Interagency/Internal Report (NISTIR) - 8286A
Report Number
8286A
NIST Pub Series
NIST Interagency/Internal Report (NISTIR)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.IR.8286A
Local Download

Keywords

cybersecurity risk management, cybersecurity risk measurement, cybersecurity risk register, enterprise risk management (ERM), enterprise risk profile.
Information technology and Cybersecurity and privacy

Citation

Stine, K. , Quinn, S. , Ivy, N. , Barrett, M. , Witte, G. , Feldman, L. and Gardner, R. (2021), Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8286A, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933223 (Accessed October 22, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created November 12, 2021, Updated November 29, 2022
Was this page helpful?