Defining your information security risk tolerance level is the essential step for security professionals looking to mature their security program beyond reactive technological controls. The executive brief outlines our quantified and impact-based approach to defining a risk tolerance level for information security.