Risk Management Strategies
Risk management involves creating a risk register document that details all known risks and their related mitigation strategies. Creating the risk register involves mapping the enterprise’s expected services and data sets, as well as identifying vulnerabilities in both implementation and procedures for each. Risk cannot be eliminated outright in many cases, but mitigation strategies can be integrated with policies for risk awareness training ahead of an incident. Formal risk management deals with the alignment of four potential strategies to respond to each identified risk:
Avoid: Risk avoidance seeks to eliminate the vulnerability that gives rise to a particular risk. This is the most effective solution, but it often is not possible due to organizational requirements. For example, eliminating email to avoid the risk of email-borne viruses is an effective solution but is not likely a realistic approach.
Transfer: With risk transference, a risk or the effect of its exposure is transferred by moving to hosted providers that assume the responsibility for recovery and restoration. Alternatively, organizations can acquire insurance to cover the costs of equipment theft or data exposure. Insurance related to the consequences of online attacks is known as cybersecurity insurance.
Accept: With risk acceptance, an organization recognizes a risk, identifies it, and accepts that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted. When a risk is accepted on this basis, it is known as a risk exemption. A risk exception, on the other hand, is a formal acknowledgment that a system or process is not compliant with an applied standard or policy but has been permitted to operate because the risk is acknowledged and accepted. In essence, the organization agrees to tolerate a higher level of risk than usual due to unique circumstances. In most cases, exceptions are temporary, require that mitigating controls be put in place, and carry a timeline by which the exception must be re-evaluated. Risk acceptance must be a conscious choice that is documented, approved by senior administration, and regularly reviewed.
Mitigate: Risk mitigation involves reducing the likelihood or impact of a risk’s exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and mitigation that will result.
Bruce Schneier, a well-known cryptographer and security expert, was asked after the tragic events of 9/11 if it would be possible to prevent such events from happening again. “Sure,” he replied. “Simply ground all the aircraft.” Schneier gave an example of risk avoidance, albeit one he acknowledged as impractical in today’s society. Consider the simple example of an automobile and its associated risks. If you drive a car, you have likely considered those risks. The option to not drive deprives you of the many benefits the car provides that are strategic to your individual goals in life. As a result, you have come to appreciate mitigating controls such as seat belts and other safety features. You accept the residual risks and might even transfer some of the risk through a life insurance policy. Certainly, when it comes to the risks to the vehicle itself, insurance plays a vital role. Not carrying insurance carries a risk of its own, because insurance is often required by law. Even so, examples abound of people who have accepted that risk, making a conscious choice to drive without insurance.
Finally, the choices you make related to risk often result in residual risk. Living in a high-crime neighborhood might spur someone to put bars on their home’s windows. That is one problem seemingly mitigated. However, in the case of a fire, the bars would leave the home’s common egress points no longer accessible.