Risk management is the process of identifying, analyzing, prioritizing, and responding to risks. There are five standard risk response options: avoidance, transference, acceptance, mitigation, and deterrence.
Risk may be avoided by eliminating the cause of the risk, such as eliminating business processes or shutting down systems that can’t be secured. Avoidance is used when organizations are unwilling to accept, transfer, mitigate, or deter the risk. While certainly the most effective way of reducing risk, it is not always practical.
The burden of risk (i.e., the loss) can be transferred to another entity. Most often, this is done by purchasing insurance, but outsourcing can also be a way of transferring risk. When outsourcing, it is important to remember that you can transfer the burden of risk, but not legal responsibility. Transference is sometimes referred to as risk sharing.
Examples of IT-Related Insurance:
- Computer Crime – covers loss of property, including monetary and intellectual property incurred due to computer crime.
- Software Design Errors and Omissions – professional liability coverage covering loss due to design errors.
- Property – covers loss of property (i.e., buildings and contents, including computing equipment) due to theft, fire, or other covered events.
Prior to acceptance of the risk, the organization must acknowledge and understand the impact (i.e., consequences). This may be the appropriate response when the cost of mitigation is greater than the loss incurred. Each organization has a level of risk it is willing to accept, referred to as risk appetite or risk tolerance. It is important to note that some risks cannot be accepted due to law or regulation (e.g., HIPAA, GLBA, FISMA).
Risk response options other than avoidance usually result in some risk remaining. The organization is typically forced to accept this residual risk.
Risk mitigation involves applying controls that limit impact (consequences) or reduce likelihood. Examples include applying security patches and hotfixes and installing/updating anti-malware software. Risk analysis must be performed to ensure that the cost of the mitigation does not exceed the impact from loss.
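The acceptance, residual-risk and mitigation paragraphs above describe a decision procedure: compare the expected loss against the organization's risk appetite, check that a control costs no more than the loss it prevents, and recognize that some risks may not simply be accepted. The following Python script is an added example, not part of the original text. It assumes the common quantitative model in which annualized loss expectancy (ALE) equals single loss expectancy (SLE) times annualized rate of occurrence (ARO), which the page itself does not specify, and every monetary figure, risk and control in it is a constructed sample value. Only accept, mitigate and avoid are modelled; transference and deterrence are left out.

```python
from dataclasses import dataclass, field

# Assumed quantitative model (not stated on the page): ALE = SLE x ARO.
# All risks, controls and dollar figures below are constructed samples.


@dataclass
class Control:
    """A mitigating control: its yearly cost and how much of the original
    likelihood (ARO) and impact (SLE) it leaves behind. A factor of 0.25
    means 25% of the original value remains."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0


@dataclass
class Risk:
    name: str
    sle: float                 # monetary impact of a single incident
    aro: float                 # expected number of incidents per year
    regulated: bool = False    # True if law or regulation forbids accepting it
    controls: list = field(default_factory=list)


def ale(risk: Risk) -> float:
    """Inherent annualized loss expectancy before any control is applied."""
    return risk.sle * risk.aro


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains after the control is applied."""
    return (risk.sle * control.impact_factor) * (risk.aro * control.likelihood_factor)


def best_control(risk: Risk):
    """Return the control with the largest net benefit, or None if no control
    prevents more loss than it costs (the check the text requires)."""
    best, best_net = None, 0.0
    for control in risk.controls:
        net = (ale(risk) - residual_ale(risk, control)) - control.annual_cost
        if net > best_net:
            best, best_net = control, net
    return best


def choose_response(risk: Risk, risk_appetite: float) -> dict:
    """Map one risk to accept, mitigate or avoid."""
    inherent = ale(risk)
    if inherent <= risk_appetite and not risk.regulated:
        return {"risk": risk.name, "option": "accept", "control": None, "residual": inherent}
    control = best_control(risk)
    if control is not None:
        # Mitigation leaves residual risk, which the organization still has to accept.
        return {"risk": risk.name, "option": "mitigate", "control": control.name,
                "residual": residual_ale(risk, control)}
    if risk.regulated:
        # No cost-justified control and acceptance is not permitted: eliminate the cause.
        return {"risk": risk.name, "option": "avoid", "control": None, "residual": 0.0}
    # Mitigation would cost more than the loss it prevents, so the risk is accepted.
    return {"risk": risk.name, "option": "accept", "control": None, "residual": inherent}


RISK_APPETITE = 30_000.0  # constructed: tolerated expected annual loss per risk

RISKS = [  # constructed sample register
    Risk("ransomware on file server", sle=200_000, aro=0.5, controls=[
        Control("endpoint anti-malware", annual_cost=15_000, likelihood_factor=0.4),
        Control("offline backups", annual_cost=20_000, impact_factor=0.25),
    ]),
    Risk("legacy lab printer web UI", sle=5_000, aro=0.2),
    Risk("PHI in unsupported application", sle=500_000, aro=0.1, regulated=True, controls=[
        Control("web application firewall", annual_cost=60_000, likelihood_factor=0.5),
    ]),
]


def risk_response_plan(risks=RISKS, appetite=RISK_APPETITE) -> list:
    """Prioritize by inherent ALE (highest first) and decide each response."""
    return [choose_response(r, appetite) for r in sorted(risks, key=ale, reverse=True)]


if __name__ == "__main__":
    for decision in risk_response_plan():
        print(f"{decision['risk']:35} {decision['option']:8} "
              f"control={decision['control']} residual={decision['residual']:,.0f}")
```

Running the script lists the three sample risks in priority order: the ransomware risk is mitigated with offline backups (the control with the best net benefit, leaving 25,000 of residual loss to be accepted), the printer risk falls within the appetite and is accepted, and the regulated risk has no cost-justified control and cannot be accepted, so the only remaining option is avoidance.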
Risk can be deterred by applying controls that discourage threats from occurring. Examples of such controls include security policies and procedures, physical security controls, and accountability controls such as individual user accounts and audit logs.
Both deterrent and mitigation techniques are needed to reduce overall risk.