{"id":1078,"date":"2026-03-26T08:09:35","date_gmt":"2026-03-26T07:09:35","guid":{"rendered":"https:\/\/eosgmbh.com\/?p=1078"},"modified":"2026-03-31T15:49:47","modified_gmt":"2026-03-31T13:49:47","slug":"informal-risk-acceptance","status":"publish","type":"post","link":"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/","title":{"rendered":"Informal Risk Acceptance"},"content":{"rendered":"<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column blogcontent is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:710px\">\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Warum_bekannte_Sicherheitsrisiken_bleiben_%E2%80%93_und_was_sie_Ihre_P_L_kosten\"><\/span><strong>Why known security risks remain - and what they cost your P&amp;L<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>I see the same pattern again and again in client engagements: a risk is known, a measure is decided, and yet nothing happens for a long time. The reasons are rarely irrational. On the contrary, they seem plausible: implementation is complex, resources are tied up, other issues seem more urgent. However, this is precisely where the problem lies. In fact, in these situations, a decision is not avoided, but made - only implicitly. The risk is not actively accepted, but borne over time.<\/p>\n\n\n\n<p>I refer to this phenomenon as <strong>Informal risk acceptance<\/strong>. 
And in many organizations, it is significantly more expensive than it appears at first glance.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><em>Carsten Reffgen<\/em><\/p>\n\n\n\n<p><em>March 2026<\/em><\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewbox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewbox=\"0 0 24 24\" version=\"1.2\" baseprofile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" 
href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Warum_bekannte_Sicherheitsrisiken_bleiben_%E2%80%93_und_was_sie_Ihre_P_L_kosten\">Why known security risks remain - and what they cost your P&amp;L<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Die_teuerste_Kategorie_von_Risiken\">The most expensive category of risks<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Warum_bekannte_Risiken_fortbestehen\">Why known risks persist<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Ein_typischer_Fall_aus_der_Praxis\">A typical case from practice<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Was_Organisationen_konkret_tun_konnen\">What organizations can do in concrete terms<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Fazit_Die_grosten_Risiken_sind_oft_die_bekannten\">Conclusion: The biggest risks are often the known ones<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Kontakt_und_Vertiefung\">Contact and further reading<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Was_ist_Informal_Risk_Acceptance\">What is Informal Risk Acceptance?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-9\" 
href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Was_ist_das_EBP_Assessment_der_EOS\">What is the EOS EBP assessment?<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/eosgmbh.com\/en\/informal-risk-acceptance\/#Literatur\">Literature<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Die_teuerste_Kategorie_von_Risiken\"><\/span>The most expensive category of risks<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>From a management perspective, risks can be roughly divided into three categories: unknown risks, correctly treated risks - and a third category that is particularly relevant in practice: known risks where the necessary measures are not implemented. These risks in particular do not disappear. They reappear in every report, attract attention and generate costs over time that are rarely recorded systematically.<\/p>\n\n\n\n<p>These costs are not abstract. They manifest themselves concretely in higher insurance premiums, additional audit requirements, restrictions on business decisions or operational risks in the event of an emergency. Many organizations take this state of affairs for granted. 
In fact, it is the result of repeated decisions.<\/p>\n\n\n\n<p>The key question is therefore not just how great a risk is, but why it persists.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Warum_bekannte_Risiken_fortbestehen\"><\/span>Why known risks persist<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>In the investigation of social engineering attacks, we found a recurring pattern in human decision-making processes. I refer to this as the <em>Emotion-Bias-Principle (EBP) Effect Model<\/em>. It describes how emotional relief, cognitive plausibility and social legitimacy work together to stabilize decisions - even if they are objectively disadvantageous.<\/p>\n\n\n\n<p>The model is not only used to analyze security contexts, but can also be applied to dealing with risks in general. Under uncertainty, people and organizations tend to prefer decisions that provide orientation and emotional security in the short term - and thus unintentionally reinforce existing risks.<\/p>\n\n\n\n<p>The model thus adds a central dimension to the classic risk assessment: it explains not only <strong>how<\/strong> risks are assessed, but <strong>why<\/strong> they persist over time.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Ein_typischer_Fall_aus_der_Praxis\"><\/span>A typical case from practice<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>One example that I regularly see in this or a similar form is postponed network segmentation. The underlying risk is known, the measure is technically undisputed, but the implementation involves considerable effort. As a result, the decision is repeatedly postponed. 
The reasons remain consistent: too complex, too resource-intensive, not currently prioritized.<\/p>\n\n\n\n<p>Over time, this creates a state that was not actively chosen, but which stabilizes. This is precisely the crucial point: the organization makes a decision without treating it as such. The risk is not formally accepted, but implicitly carried forward.<\/p>\n\n\n\n<p>If an incident occurs in such a situation - in the form of a ransomware attack, for example - the consequences are immediate. Instead of being able to isolate individual systems, larger parts of the infrastructure often have to be shut down. The resulting costs and business interruptions often significantly exceed the original effort required.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Was_Organisationen_konkret_tun_konnen\"><\/span>What organizations can do in concrete terms<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Adopting this perspective also shifts the approach to improvement. The key lever lies not primarily in prioritizing individual risks, but in understanding the decision-making logic that leads to their persistence.<\/p>\n\n\n\n<p>A pragmatic first step is to identify risks that appear unchanged in reporting over several cycles. In these cases, it is not only the level of risk that should be considered, but above all the question of why implementation is not taking place. 
In many cases, this shift in perspective already provides clarity as to where implicit decisions are being made - and where there are specific starting points for reducing risk and costs.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Fazit_Die_grosten_Risiken_sind_oft_die_bekannten\"><\/span>Conclusion: The biggest risks are often the known ones<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Many organizations assume that their biggest risks are the ones they don't know about. In practice, however, the picture is often different: the biggest risks are those that are known - and yet remain.<\/p>\n\n\n\n<p>In many cases, this is precisely where the greatest leverage for a sustainable improvement in the security and cost situation lies.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Kontakt_und_Vertiefung\"><\/span>Contact and further reading<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>At EOS, we support organizations in making these decision-making logics visible and changing them in a targeted manner. 
I developed the underlying EBP model in the analysis of social engineering and transferred it to decision-making processes in risk and security management.<\/p>\n\n\n\n<p>If you have 2-3 risks that have been in your reporting for years, it is worth taking a closer look.<\/p>\n\n\n\n<p>\ud83d\udc49 Arrange a 30-minute executive call and we will analyze your situation together - from a security and P&amp;L perspective.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Was_ist_Informal_Risk_Acceptance\"><\/span>What is Informal Risk Acceptance?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Informal risk acceptance describes the situation in which organizations do not consciously accept known risks, but instead implicitly bear them over time. This form of decision stabilization leads to hidden costs and increased risk exposure.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>If you would like to delve deeper, you will find the underlying analysis in the following working paper:<\/p>\n\n\n\n<p>Reffgen, Carsten (2026): <em>The Stability of Known Risk: Decision Stability and Informal Risk Acceptance under Normative Uncertainty<\/em><\/p>\n\n\n\n<p>DOI: 10.2139\/ssrn.6267599<\/p>\n\n\n\n<p><a href=\"https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=6267599\" target=\"_blank\" rel=\"noopener\">https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=6267599<\/a><\/p>\n<\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Was_ist_das_EBP_Assessment_der_EOS\"><\/span>What is the EOS EBP assessment?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In the <em>Emotion-Bias-Principle (EBP) Assessment<\/em> we make visible why risks persist in 
your organization. We analyze how decisions are actually made under uncertainty - and identify the mechanisms that lead to the stable continuation of risks.<\/p>\n\n\n\n<p><strong>This reveals where risks are not decided but borne - and where avoidable costs arise.<\/strong><\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Literatur\"><\/span>Literature<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Kahneman, D. (2011). <em>Thinking, fast and slow<\/em> (1st ed.). Farrar, Straus and Giroux.<\/p>\n\n\n\n<p>Kahneman, D., Sibony, O., &amp; Sunstein, C. R. (2021). <em>Noise: A flaw in human judgment<\/em>. William Collins.<\/p>\n\n\n\n<p>Lerner, J. S., Li, Y., Valdesolo, P., &amp; Kassam, K. S. (2015). Emotion and Decision Making. <em>Annual Review of Psychology<\/em>, <em>66<\/em>(1), 799\u2013823. https:\/\/doi.org\/10.1146\/annurev-psych-010213-115043<\/p>\n\n\n\n<p>March, J. G., &amp; Olsen, J. P. (1989). <em>Rediscovering institutions: The organizational basis of politics<\/em>. Free Press.<\/p>\n\n\n\n<p>Reffgen, C. (2026). <em>The Emotion-Bias-Principle (EBP) Effect Model: An Analytical Framework for Social Engineering as Decision-Making under Uncertainty<\/em>. SSRN. https:\/\/doi.org\/10.2139\/ssrn.6139207<\/p>\n\n\n\n<p>Reffgen, C. (2026). <em>The Stability of Known Risk: Decision Stability and Informal Risk Acceptance under Normative Uncertainty<\/em>. SSRN. https:\/\/doi.org\/10.2139\/ssrn.6267599<\/p>\n\n\n\n<p>Suchman, M. C. (1995). Managing Legitimacy: Strategic and Institutional Approaches. <em>The Academy of Management Review<\/em>, <em>20<\/em>(3), 571. https:\/\/doi.org\/10.2307\/258788<\/p>\n\n\n\n<p>Thornton, P. H., Ocasio, W., &amp; Lounsbury, M. (2012). <em>The institutional logics perspective: A new approach to culture, structure and process<\/em>. Oxford Univ. Press. 
https:\/\/doi.org\/10.1093\/acprof:oso\/9780199601936.001.0001<\/p>\n\n\n\n<p>Tversky, A., &amp; Kahneman, D. (1974). Judgment under Uncertainty: Heuristics and Biases. <em>Science<\/em>, <em>185<\/em>(4157), 1124\u20131131. https:\/\/doi.org\/10.1126\/science.185.4157.1124<\/p>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Why known security risks remain \u2013 and what they cost your P&amp;L I see the same pattern again and again in client engagements: a risk is known, a measure is decided, and yet nothing happens for a long time. The reasons are rarely irrational. On the contrary \u2013 they seem plausible: implementation is complex, resources are tied up, other [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1084,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eos-gmbh"],"acf":[],"_links":{"self":[{"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/posts\/1078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/comments?post=1078"}],"version-history":[{"count":9,"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/posts\/1078\/revisions"}],"predecessor-version":[{"id":1088,"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/posts\/1078\/revisions\/1088"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/media\/1084"}],"wp:attachment":[{"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2
\/media?parent=1078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/categories?post=1078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eosgmbh.com\/en\/wp-json\/wp\/v2\/tags?post=1078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}