January 22, 2012

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk Avoidance

Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Risk avoidance should be based on an informed decision that the best course of action is to deviate from whatever would or could lead to exposure to the risk. One of the biggest problems with risk avoidance is that you are steering clear of activities you may benefit from.

This is the most effective solution, but it is often not possible due to organizational requirements.

With risk transference, you do not simply shift the risk completely to another entity; instead you share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all the steps were in place to reduce risk and your system was still harmed.

Risk mitigation is accomplished any time you take steps to reduce the risk. Such steps include installing antivirus software, educating users about possible threats, monitoring the network traffic, and adding a firewall. In Microsoft's Security Intelligence Report, Volume 9, Microsoft lists the following suggestions for mitigating risk:

  • Keep security messages fresh and in circulation.
  • Target new employees and current staff members.
  • Set goals to ensure a high percentage of the staff is trained on security best practices.
  • Repeat the information to raise awareness.

In risk mitigation (occasionally referred to as risk reduction), the harm can still occur, but you've reduced the impact it will have.

Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you. The easiest way to think of risk deterrence is to think of it as a “you hit me and I'll hit you back harder” mentality. This can be as simple as posting prosecution policies on your login pages and convincing them that you have steps in place to identify intrusions and act on them.

Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated.

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, all the responsible parties must know that it exists and can affect the organization. It has to be an identified risk for which those involved understand the potential cost/damage and agree to accept.

Risk acceptance is essentially being fully aware that the risk exists (and that you could be affected by it), then choosing to do nothing further.

The risk must be identified, accepted and then a decision made that no action will be taken. Risk acceptance must be a conscious choice, documented, approved by senior administration, and regularly reviewed.

Related Terms:

  • Risk Appetite – the level of risk tolerance.
  • Exploit – a mechanism for taking advantage of an identified vulnerability.
  • Threat – the potential that a vulnerability will be identified and exploited.
  • Control – controls act to close vulnerabilities, prevent exploitation, reduce threat potential, and/or reduce the likelihood of a risk or its impact.
