Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management



Kevin Stine, Stephen Quinn, Nahla Ivy, Matthew Barrett, Greg Witte, Larry Feldman, Robert Gardner


This document supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. To support the development of an Enterprise Risk Register, this report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets. Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile helps to later prioritize and communicate enterprise cybersecurity risk response and monitoring.
NIST Interagency/Internal Report (NISTIR) - 8286A
Report Number


cybersecurity risk management, cybersecurity risk measurement, cybersecurity risk register, enterprise risk management (ERM), enterprise risk profile.


Stine, K. , Quinn, S. , Ivy, N. , Barrett, M. , Witte, G. , Feldman, L. and Gardner, R. (2021), Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online],, (Accessed May 30, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created November 12, 2021, Updated November 29, 2022