Risk management can also be thought of as handling risk. It is important to remember that risk management is not risk elimination. A business that is unwilling to take any risks doesn’t stay in business for long, because the cost of eliminating every risk would consume all of its profits.
The ultimate goal of risk management is to protect the organization. It helps ensure a business can continue to operate and earn a profit. Risk management includes several steps:
A risk can be avoided, shared or transferred, mitigated, or accepted. Each of these techniques is explained in the following sections.
One way to manage a risk is simply to avoid it. Avoidance is the right choice when the potential impact of the risk outweighs the benefit the asset or activity provides.
An organization can avoid risk by:
Sharing or transferring risk means shifting responsibility to another party. Transferring risk shifts the entire responsibility or liability. Sharing risk shifts a portion of the responsibility or liability. Organizations can outsource part or all of the activity.
Mitigating a risk, also known as risk reduction, means reducing the vulnerabilities the risk depends on. Vulnerabilities are reduced by implementing controls, or countermeasures. The cost of a control should not exceed the benefit it provides, and determining costs and benefits often requires a cost-benefit analysis (CBA), which was covered earlier in this chapter.
Examples of mitigation steps are:
Often, the goal is not to eliminate the risk but, instead, to make it too expensive for the attacker. Here are two formulas:
Cryptography is one way to increase the attacker’s cost. If a company sends data across the network in cleartext, anyone who captures it can read and analyze it. If the company encrypts the data, an attacker must first recover the plaintext before analyzing it. The goal of the encryption isn’t to make recovering the data literally impossible. Instead, the goal is to make breaking it cost more, in money and time, than the data is worth to the attacker.
A failover cluster is another control that reduces risk, in this case the risk of a service outage. A simple failover cluster could include two servers: one provides the service to users, and the other acts as a spare. If the online server fails, the spare server senses the failure and automatically takes over, limiting the time the service is unavailable.
Accepting a risk is another choice. A company can evaluate a risk, understand the potential loss, and choose to accept it, which is commonly done when the cost of the control outweighs the potential loss.
For example, a company hosts a web server used for e-commerce. The web server generates about $1,000 per month in revenue. The server could be protected using a failover cluster. However, estimates indicate that a failover cluster will cost approximately $10,000. If the server goes down, it may be down for only one or two hours, which equates to less than $3 of lost revenue (Revenue per hour = $1,000 × 12 / 365 / 24 ≈ $1.37, so two hours of downtime costs about $2.74). Spending $10,000 to prevent a loss of a few dollars is not justified, so the company accepts the risk.
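The accept-or-mitigate comparison above, carried through as a small calculation. This is an added example and not part of the original text; the page gives only the monthly revenue, the outage duration and the cluster’s price, so the number of outages per year, the lifetime over which the control’s cost is spread, and the control’s effectiveness are assumptions introduced here. It also computes the monthly revenue at which the cluster would start to pay for itself, which the paragraph alone does not show.

```python
"""Cost-benefit check for accepting versus mitigating an availability risk.

Added example, not code from the original text. Outage frequency, control
lifetime and control effectiveness are assumed values; the page supplies only
monthly revenue, outage duration and the control's price.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24


@dataclass
class OutageRisk:
    monthly_revenue: float    # revenue the asset generates per month (from the page)
    outage_hours: float       # expected duration of one outage, in hours (from the page)
    outages_per_year: float   # expected number of outages per year (assumption)

    def revenue_per_hour(self) -> float:
        # The page's formula: monthly revenue * 12 / 365 / 24
        return self.monthly_revenue * 12 / HOURS_PER_YEAR

    def single_loss_expectancy(self) -> float:
        # Revenue lost during one outage
        return self.revenue_per_hour() * self.outage_hours

    def annual_loss_expectancy(self) -> float:
        # Expected revenue lost per year from outages of this kind
        return self.single_loss_expectancy() * self.outages_per_year


def decide(risk: OutageRisk, control_cost: float, control_lifetime_years: float,
           control_effectiveness: float = 1.0) -> tuple[str, float]:
    """Compare the annualized control cost against the loss it avoids.

    Returns ("accept", annual_loss) when the control costs more than the loss it
    prevents, or ("mitigate", residual_annual_loss) when the control is worth it.
    control_effectiveness is the fraction of the expected loss the control removes
    (1.0 means the outage loss is eliminated); the remainder is residual risk.
    """
    ale = risk.annual_loss_expectancy()
    annual_control_cost = control_cost / control_lifetime_years
    avoided_loss = ale * control_effectiveness
    if annual_control_cost > avoided_loss:
        return "accept", ale                 # residual risk is the whole ALE
    return "mitigate", ale - avoided_loss    # residual risk after the control


def break_even_monthly_revenue(risk: OutageRisk, control_cost: float,
                               control_lifetime_years: float) -> float:
    """Monthly revenue at which the control's annual cost equals the annual loss.

    Solves annual_control_cost = (monthly * 12 / hours_per_year) * outage_hours
    * outages_per_year for monthly revenue, using the outage profile of `risk`.
    """
    annual_control_cost = control_cost / control_lifetime_years
    lost_hours_per_year = risk.outage_hours * risk.outages_per_year
    required_revenue_per_hour = annual_control_cost / lost_hours_per_year
    return required_revenue_per_hour * HOURS_PER_YEAR / 12


if __name__ == "__main__":
    # The page's scenario: $1,000/month, two-hour outage, $10,000 cluster.
    # Four outages per year and a five-year cluster lifetime are assumptions.
    web_server = OutageRisk(monthly_revenue=1000, outage_hours=2, outages_per_year=4)
    choice, residual = decide(web_server, control_cost=10_000, control_lifetime_years=5)
    print(f"revenue/hour: ${web_server.revenue_per_hour():.2f}")
    print(f"annual loss expectancy: ${web_server.annual_loss_expectancy():.2f}")
    print(f"decision: {choice}, residual annual risk: ${residual:.2f}")
    print(f"cluster pays for itself above "
          f"${break_even_monthly_revenue(web_server, 10_000, 5):,.0f}/month")
```

The page's $1,000-a-month server yields an annual loss expectancy of roughly $11 against a $2,000-a-year control, so the function returns "accept"; only when monthly revenue passes the break-even figure (about $182,500 with the assumed outage profile) does the same comparison flip to "mitigate".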
Residual risk is the risk that remains after controls have been applied. Eliminating all risks is not feasible. Instead, steps are taken to reduce the risk to an acceptable level. The risk that’s left is residual risk.
Earlier in this chapter, the following two formulas were given for risk:
Risk = Threat × Vulnerability
Total risk = Threat × Vulnerability × Asset value
The following formula can be used to calculate residual risk:
Residual risk = Total risk − Controls
Senior managers are responsible for losses due to residual risk. They decide whether a risk should be avoided, shared or transferred, mitigated, or accepted. They also decide which controls to implement. Any resulting loss due to their decisions falls on their shoulders.