Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

Published

Author(s)

Stephen Quinn, Nahla Ivy, Matthew Barrett, Larry Feldman, Greg Witte, Robert Gardner

Abstract

This document supplements NIST Interagency Report (IR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. To support the development of an Enterprise Risk Register, this report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets. Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile helps to later prioritize and communicate enterprise cybersecurity risk response and monitoring. This document has been updated to reflect changes in other NIST documentation (IR 8286 series, Special Publication [SP] 800-221/221A, and Cybersecurity Framework 2.0 [CSF]).
Citation
NIST Interagency/Internal Report (NISTIR) - 8286Ar1
Report Number
8286Ar1

Keywords

cybersecurity risk management, cybersecurity risk measurement, cybersecurity risk register, enterprise risk management (ERM), enterprise risk profile.

Citation

Quinn, S., Ivy, N., Barrett, M., Feldman, L., Witte, G. and Gardner, R. (2025), Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8286Ar1, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=960419 (Accessed January 31, 2026)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created December 17, 2025, Updated January 30, 2026