The concept of risk acceptance forms the foundation for business decisions and budgeting of information technology security. If you understand the risk, accept that incidents could and will occur, the amount of resources and money spent to minimize threats becomes justifiable and quantifiable.