Risk-Handling Strategies

Risk management can also be thought of as handling risk. Remembering that risk management is not risk elimination is important. A business that is unwilling to take any risks doesn’t stay in business for long because the cost to eliminate all risks would consume all the profits.

The ultimate goal of risk management is to protect the organization. It helps ensure a business can continue to operate and earn a profit. Risk management includes several steps:

  • Identifying risks
  • Assessing risks
  • Determining which risks will be handled and which risks will be accepted
  • Taking steps to reduce risks to an acceptable level

A risk can be avoided, shared or transferred, mitigated, or accepted. Each of these techniques is explained in the following sections.

Avoiding

One of the ways risks can be managed is by simply avoiding them. Avoidance is the appropriate choice when the impact of the risk outweighs the benefit of the asset.

An organization can avoid risk by:

  • Eliminating the source of the risk—The company can stop the risky activity. For example, a company may have a wireless network that is vulnerable to attacks. The risk could be avoided by removing the wireless network, which can be done if the wireless network isn’t an important asset in the company.
  • Eliminating the exposure of assets to the risk—The company can move the asset. For example, a data center could be at risk because it is located where earthquakes are common. It could be moved to an earthquake-free zone to eliminate this risk, but the cost to move the data center would be high. However, if the risk is unacceptable and the value of the data center is high, it makes sense.

Sharing or Transferring

Sharing or transferring risk means shifting responsibility to another party. Transferring risk shifts the entire responsibility or liability. Sharing risk shifts a portion of the responsibility or liability. Organizations can outsource part or all of the activity.

  • Insurance—A company can purchase insurance to protect it from a loss. If a loss occurs, the insurance covers it. Many types of insurance are available, including fire insurance.
  • Outsourcing the activity—For example, a company may want to host a website on the Internet. The company can host the website with a web-hosting provider. The company and the provider can agree on who assumes responsibility for security, backups, and availability.

Mitigating

Mitigating, also known as risk reduction, is the primary risk-handling strategy: risk is reduced by reducing vulnerabilities.

Implementing controls, or countermeasures, reduces vulnerabilities. The cost of a control should not exceed the benefit. Determining costs and benefits often requires a CBA, which was covered earlier in this chapter.

Examples of mitigation steps are:

  • Alter the physical environment—Replace hubs with switches. Locate servers in locked server rooms.
  • Change procedures—Implement a backup plan. Store a copy of backups off-site, and test the backups.
  • Add fault tolerance—Use RAIDs for important data stored on disks. Use failover clusters to protect servers.
  • Modify the technical environment—Increase security on the firewalls. Add IDSs. Keep antivirus software up to date.
  • Train employees—Train technical personnel on how to implement controls. Train end users on social engineering tactics.

Often, the goal is not to eliminate the risk but, instead, to make it too expensive for the attacker. Here are two formulas:

  • Attacker’s cost < Attacker’s gain—When this is true, attacking is appealing to the attacker.
  • Attacker’s cost > Attacker’s gain—When this is true, the attacker is less likely to pursue the attack.

Cryptography is one of the ways to increase the attacker’s cost. If a company sends data across the network in cleartext, the data can be captured and analyzed. If the company encrypts the data, an attacker must decrypt it before analyzing it. The goal of the encryption isn’t to make it impossible to decrypt the data. Instead, the goal is to make it too expensive or time-consuming for the attacker to crack it.

NOTE

A simple failover cluster could include two servers. One server provides the service to users, and the other server acts as a spare. If the online server fails, the spare server can sense the failure and automatically take over.

Accepting

Accepting a risk is another choice. A company can evaluate a risk, understand the potential loss, and choose to accept it, which is commonly done when the cost of the control outweighs the potential loss.

For example, a company hosts a web server used for e-commerce. The web server generates about $1,000 per month in revenue. The server could be protected using a failover cluster. However, estimates indicate that a failover cluster will cost approximately $10,000. If the server goes down, it may be down for only one or two hours, which equates to less than $3 (Revenue per hour = $1,000 × 12 / 365 / 24 = $1.37).

Residual Risk

Residual risk is the risk that remains after controls have been applied. Eliminating all risks is not feasible. Instead, steps are taken to reduce the risk to an acceptable level. The risk that’s left is residual risk.

Earlier in this chapter, the following two formulas were given for risk:

Risk = Threat × Vulnerability

Total risk = Threat × Vulnerability × Asset value

The following formula can be used to calculate residual risk:

Residual risk = Total risk − Controls
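The e-commerce example under Accepting and the residual risk formula above, carried through as small functions. This is an added example, not from the original text; the annualized-loss helper (outages per year) and the zero floor on residual risk go beyond the text and are assumptions.

```python
# Added example (not from the original text): the accept-vs-mitigate
# arithmetic from the e-commerce web server example and the risk
# formulas from this chapter, written out as plain functions.

HOURS_PER_YEAR = 365 * 24  # the text computes monthly revenue x 12 / 365 / 24


def revenue_per_hour(monthly_revenue):
    """Hourly revenue from monthly revenue, as computed in the text."""
    return monthly_revenue * 12 / HOURS_PER_YEAR


def outage_loss(monthly_revenue, outage_hours):
    """Revenue lost during a single outage of outage_hours."""
    return revenue_per_hour(monthly_revenue) * outage_hours


def expected_annual_loss(monthly_revenue, outage_hours, outages_per_year):
    """Assumption (not in the text): annualize the loss by multiplying the
    loss per outage by how often outages are expected each year."""
    return outage_loss(monthly_revenue, outage_hours) * outages_per_year


def handling_strategy(control_cost, expected_loss):
    """The text's rule: a control whose cost exceeds the loss it prevents
    is not worth implementing, so the risk is accepted; otherwise the
    risk is mitigated by implementing the control."""
    return "accept" if control_cost > expected_loss else "mitigate"


def total_risk(threat, vulnerability, asset_value):
    """Total risk = Threat x Vulnerability x Asset value."""
    return threat * vulnerability * asset_value


def residual_risk(threat, vulnerability, asset_value, controls):
    """Residual risk = Total risk - Controls. Floored at zero (assumption:
    controls cannot leave less than no risk)."""
    return max(total_risk(threat, vulnerability, asset_value) - controls, 0)


if __name__ == "__main__":
    # Figures from the text: $1,000/month, a 2-hour outage, a $10,000 cluster.
    loss = outage_loss(1000, 2)
    print(f"loss for a 2-hour outage: ${loss:.2f}")  # about $2.74
    print("decision:", handling_strategy(10000, loss))  # accept
    # Constructed values for the risk formulas (the text gives no scale).
    print("residual risk:", residual_risk(0.5, 0.4, 10000, 1500))  # 500.0
```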

Senior managers are responsible for losses due to residual risk. They decide whether a risk should be avoided, shared or transferred, mitigated, or accepted. They also decide which controls to implement. Any resulting loss due to their decisions falls on their shoulders.
