When an organization encounters a risk, it must take some action to help manage that risk. In this video, learn about the five possible risk management actions: risk avoidance, risk transference, risk acceptance, risk mitigation, and risk deterrence. Plus, learn how organizations can use those strategies to manage risks.
- [Instructor] Once you complete a risk assessment for your organization, you're left with a prioritized list of risks that require your attention. Risk management is the process of systematically analyzing potential responses to each risk and implementing strategies to control those risks appropriately. No matter what type of risk you're managing, you have five basic options for addressing the situation. You can perform risk avoidance, risk transference, risk mitigation, risk acceptance, or risk deterrence.
When you avoid a risk, you change your organization's business practices so that you are no longer in a position where that risk can affect your business. For example, imagine that we conducted a risk assessment and found that flooding posed a risk to our organization's data center. If we chose to pursue a risk avoidance strategy for that risk, we might relocate our data center to a facility where there is no risk of flood damage. Transferring a risk attempts to shift the impact of a risk from your organization to another organization.
The most common example of risk transference is an insurance policy. Many organizations are now also considering a purchase of cyber liability insurance to protect against the financial damage caused by hackers and identity theft. It's important to remember, however, that you can't always transfer a risk completely. For example, you can purchase insurance to cover the financial damage caused by a security breach, but no insurance policy can repair your business's reputation in the eyes of your customers.
In our flood risk example, we might choose to transfer the financial risk of our data center flooding from our organization to an insurance company by purchasing flood insurance. Risk mitigation takes actions designed to reduce the likelihood and/or impact of a risk. Most security professionals spend the majority of their time performing risk mitigation activities. If we wanted to mitigate the risk of our data center flooding, we might engage a flood control specialist to install systems designed to divert water away from our facility.
In almost every risk assessment, managers find themselves confronted with a very long list of risks and inadequate resources to avoid, transfer, or mitigate all of them. For business reasons, they must accept some of those risks. Risk acceptance should take place only as part of a thoughtful analysis that determines that the cost of performing another risk management action outweighs the benefit of controlling the risk. In our flooding scenario, we might conclude that all of the other risk management options are too costly and decide to continue operations in our current facility as is, and deal with the aftermath of a flood should it occur.
The federal government uses a very formal risk acceptance process for information systems known as system authorization. When a new information system is put in place, a senior official must make a management decision to authorize the operation of that system. According to the National Institute of Standards and Technology, this system authorization decision must include explicitly accepting the risk to organizational operations and assets, individuals, other organizations, and the nation, based upon the implementation of an agreed-upon set of security controls.
The final risk management strategy is risk deterrence. When you deter a risk, you take actions that dissuade a threat from exploiting a vulnerability in your security controls. There's really no way to reason with a flood, so there aren't any risk deterrence options for our flooding scenario. If you think about the risk of physical intrusion, however, there are many ways that you can deter a potential burglar. Fences and guard dogs are great examples. One sight of an imposing barbed wire fence or a snarling dog, and any intruder is likely to move on to a softer target.
One quick exam tip for you: most discussions of risk management actually only discuss four risk management strategies: risk avoidance, risk transference, risk mitigation, and risk acceptance. These discussions consider risk deterrence an example of risk mitigation.