In this installment of the Risk Management Guide, Shon Harris explains the four ways to deal with identified risk: transfer it, avoid it, reduce it or accept it.
Once a company knows the amount of risk it is faced with, it must decide
Many types of insurance are available to companies to protect their assets. If a company decides that the total or residual risk is too high to gamble with, it can purchase insurance, which transfers the risk to the insurance company.
If the company implements countermeasures, this reduces the risk. If management decides that the action that is incurring the risk does not have a strong business case for its existence, then they can decide to stop that activity altogether. This is referred to as avoiding the risk. The last approach is to accept the risk, which means the company understands the level of risk and the potential cost of damage, and decides to just live with it without implementing any countermeasures. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.
The reason that a company implements countermeasures is to reduce its overall risk to an acceptable level. But no system or environment is 100% secure, which means there is always some risk left over to deal with. This is called residual risk.
Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard or to transfer some of the risk. A company may choose to take on total risk if the cost/benefit analysis results indicate that this is the best course of action. For example, if there is a small likelihood that a company's Web servers can be compromised and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard, leaving it with the total risk.
There is an important difference between total risk and residual risk, and which type of risk a company is willing to accept. The following are conceptual formulas:
threats x vulnerability x asset value = total risk
(threats x vulnerability x asset value) x controls gap = residual risk
During a risk assessment, the threats and vulnerabilities are identified. The possibility of a vulnerability being exploited is multiplied by the value of the assets that are being assessed, which results in the total risk. Once the controls gap (protection the control cannot provide) is factored in, the result is the residual risk. Implementing countermeasures is a way of mitigating risks. Because no company can remove all threats, there will always be some residual risk. The question is what level of risk the company is willing to accept.
The information risk management team is responsible for ensuring that any countermeasure that is implemented or when some risk is transferred that the remaining residual risk meets the acceptable risk level set by management. This is not a scientific process that can be carried out through the use of mathematical formulas – it is more subjective in nature.
RISK MANAGEMENT GUIDE
Introduction: Understanding risk
An overview of the risk management process
How to define an acceptable level of risk
How to write an information risk management policy
How to implement an effective risk management team
Information risk management: Defining the scope, methodology and tools
How to conduct a risk analysis
How to deal with risk
About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.
This was first published in April 2006