May 22, 2013

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk Avoidance

Risk Avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would/could lead to being exposed to the risk. One of the problems with risk avoidance is that it may require you to also avoid activities that may be otherwise beneficial.

Risk avoidance is the most effective countermeasure to a risk, because the exposure is removed entirely rather than reduced. It is often not an option, however, because organizational requirements and business drivers demand the very activity that carries the risk.

Risk Transference

With risk transference, you share some of the burden of the risk with another entity, such as an insurance company. You do not completely offload the risk; you reduce your share of it through a contractual partnership. An example policy might pay out only if you can prove that all agreed measures to reduce the risk were in place and you were still harmed. Note that liability to your customers and any regulatory obligations generally stay with you; what is transferred is the financial impact, not the accountability.

Another example of risk transference is outsourcing to a managed service provider, with service level agreements (SLAs) that state which party is responsible for managing which risks.

Risk Mitigation

Risk mitigation is accomplished any time you take steps to reduce a risk. Steps include installing antivirus software, educating users about likely threats, monitoring network traffic, and adding a firewall. Microsoft's Security Intelligence Report, Volume 9, lists the following suggestions for mitigating risk through user awareness:
  • Keep security messages fresh and in circulation.
  • Target new employees and current staff members.
  • Set goals to ensure a high percentage of the staff is trained on security best practices.
  • Repeat the information to raise awareness.

In risk mitigation (occasionally referred to as risk reduction), the harm can still occur, but you have reduced its likelihood, its impact, or both.

Risk Deterrence

Risk deterrence involves understanding something about the adversary and letting them know the harm that can come their way if they persist. The easiest way to think of risk deterrence is as a "you hit me and I'll hit you back harder" mentality. This can be as simple as posting prosecution policies on your login pages and convincing potential attackers that you are taking steps to identify intrusions and prosecute them. A login banner of this kind also serves a legal purpose: it states that access is monitored and unauthorized use is prohibited, which supports later prosecution.

Deterrence complements mitigation rather than replacing it. Where a vulnerability cannot be eliminated, deterrent systems and policies raise the perceived cost to the attacker of exploiting it, so that fewer attempts are made in the first place.

Risk Acceptance

Risk acceptance is often the choice you must make when the cost of implementing any of the other four options exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, all the relevant internal parties must know that the risk exists and how it can affect the organization. It has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it.

Risk acceptance is essentially being fully aware that the risk exists (and that you could be affected by it), then choosing to take no further action against it. This is different from ignoring a risk: an unidentified or undocumented risk has not been accepted, it has simply been overlooked.

In risk acceptance, the risk must be identified, assessed, and then a decision made that no action will be taken. Risk acceptance must be a conscious choice, documented, approved by senior management, and regularly reviewed, since the cost of the harm or of the available controls can change over time.

Related Terms:

  • Risk Appetite – the amount and type of risk an organization is willing to accept in pursuit of its objectives; often used interchangeably with risk tolerance.
  • Exploit – A mechanism for taking advantage of an identified vulnerability.
  • Threat – Any potential event or actor that could exploit a vulnerability and cause harm.
  • Control – Controls act to close vulnerabilities, prevent exploitation, reduce threat potential, and/or reduce the likelihood of a risk or its impact.

Research References:

  1. http://certcities.com/editorial/columns/story.asp?EditorialsID=447
  2. http://www.informit.com/articles/article.aspx?p=1809117&seqNum=2
  3. http://studydroid.com/index.php?page=viewPack&packId=220486
  4. CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  5. CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
