(Post 9 of the 12-week Information Security Management blog series)
Choosing the appropriate risk management approach is a critical step in addressing risk. If you have been following along, I have already written about approaching cybersecurity with a project management mindset, introduced the concepts of threats, vulnerabilities, and risk and why it is important to identify and evaluate them, and summarized the recent trending threats to small businesses.
The question now is what to do once you have conducted a risk assessment and identified the threats, vulnerabilities, and risks in your organization. The answer is that you must decide how to treat each of those risks. IT risk management is very similar to project risk management, something you may already have some exposure to, and both prescribe multiple approaches to dealing with risk. In information security, there are five commonly accepted approaches: acceptance, avoidance, transference, mitigation, and termination.
Acceptance
Risk acceptance means choosing to do nothing to prevent, eliminate, or reduce the potential impact of a risk. It is also the de facto approach before risk has been assessed and managed at all: an organization that is doing nothing to address risk is simply accepting risks it may not even know exist.
Acceptance can be a valid form of risk management, but only when it is done deliberately. Rather than defaulting to it, organizations should choose which risks they will accept and which they will not. That decision should be made only after considering the level of risk posed, how likely the risk is to result in a loss, how serious that loss might be, and what controls could be implemented. Acceptance is reasonable when a threat is low risk or would result only in an insignificant loss, or when the threatened asset offers significant value to your organization but the available protections are unreasonably expensive compared with the loss you might incur. An accepted risk should be recorded with a named owner and a review date, so that acceptance remains a conscious decision rather than an oversight, and so it is reconsidered when the threat, the asset, or the cost of controls changes.
Avoidance
Risk avoidance, sometimes called defense, attempts to eliminate or reduce risk by implementing measures that stop a threat from exploiting a vulnerability in the first place. Defensive measures include the creation of policies and procedures, security education, training, and awareness (SETA) programs, and technical controls such as firewalls, web proxies, data loss prevention, and intrusion detection and prevention systems (IDPS).
Transference
Transference attempts to shift the burden of a risk to someone else, typically by outsourcing or contracting services and capabilities to outside organizations that specialize in them. Capabilities like data storage, backups, payment card processing, email, and even directory services can be obtained from companies that focus on providing them. Such providers are often better equipped to protect the underlying resources and to respond to incidents involving them. With a service-level agreement (SLA), they can be held responsible for keeping the capability available, protecting the information properly, and meeting any applicable regulatory requirements. Note that transference shifts the operational and financial burden, not the accountability: if a provider loses your customers' data, your organization still answers to those customers and to regulators, so the contract should define security requirements, breach notification obligations, and your right to verify compliance.
Mitigation
Risk mitigation is similar to risk avoidance, but instead of preventing an incident it deals with the aftermath: it aims to reduce the impact of a successful exploit if one occurs. Mitigation is normally reserved for risks that could have devastating impacts on your organization, such as environmental threats and natural disasters, and it centers on the development of three contingency plans:
- Incident response plan (IRP) – Processes and procedures for responding to incidents, including actions that will be taken to minimize the impact of an incident on an asset or the organization.
- Disaster recovery plan (DRP) – Plan for restoring all business capabilities to normal after an incident.
- Business continuity plan (BCP) – Plan for how your organization will continue operating immediately after an incident, preserving core business functions and capabilities until disaster recovery is complete.
Termination
Risk termination resembles risk acceptance in that it applies no measures to control the risk. The key difference is that, with termination, the asset associated with the risk is removed from the environment, which removes the risk along with it.
Because termination means losing a capability, it is generally chosen when the cost of protecting an asset exceeds the benefit the asset provides, and when the risk is high enough that exploitation of the related vulnerability would have a moderate to severe impact on the organization.
Choosing the Correct Approach
No single approach is best for every risk. Each organization faces many risks that must be considered individually, and each risk will likely call for an approach that fits that specific risk and is consistent with the organization's willingness to accept risk and commit resources to managing it.
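The acceptance and termination sections above both turn on the same comparison: how much the expected loss is, how much a safeguard would cost, and how much the asset is worth. The following Python script is an added illustration of that comparison and is not code from the original post. It quantifies "how likely the risk is to result in loss" and "how serious the loss might be" with the standard annualized loss expectancy (ALE = single loss expectancy x annualized rate of occurrence), a formula the post does not itself introduce, and it only decides among accept, avoid (apply the safeguard), and terminate, since transference and mitigation depend on information these numbers do not capture. The risk register, the acceptance threshold, and all figures are constructed sample data, not real numbers.

```python
"""Cost-benefit screen for the accept / avoid / terminate decision.

Added illustration, not code from the original post. ALE = SLE x ARO is the
standard quantification of expected annual loss; the threshold and all sample
figures below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float            # annual value the asset provides to the organization
    sle: float                    # single loss expectancy: loss from one incident
    aro: float                    # annualized rate of occurrence: expected incidents per year
    control_cost: float           # annualized cost of the best available safeguard
    control_effectiveness: float  # fraction of expected loss the safeguard removes, 0..1

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year with no safeguard."""
        return self.sle * self.aro

    @property
    def loss_avoided(self) -> float:
        """Expected annual loss the safeguard would prevent."""
        return self.ale * self.control_effectiveness

    @property
    def net_benefit(self) -> float:
        """Positive when the safeguard saves more than it costs each year."""
        return self.loss_avoided - self.control_cost


def recommend(risk: Risk, acceptance_threshold: float) -> str:
    """Map one risk to accept / avoid / terminate using the post's criteria.

    acceptance_threshold is the ALE below which the organization treats a
    loss as insignificant (a constructed policy value; set it to your own
    risk appetite).
    """
    if risk.ale < acceptance_threshold:
        return "accept"        # low likelihood or insignificant loss
    if risk.net_benefit > 0:
        return "avoid"         # the safeguard pays for itself, so apply it
    if risk.control_cost > risk.asset_value:
        return "terminate"     # protecting the asset costs more than it is worth
    return "accept"            # asset worth keeping, safeguard not: document the exception


def treatment_plan(risks, acceptance_threshold: float) -> dict:
    """Return {risk name: recommended approach} for a whole register."""
    return {r.name: recommend(r, acceptance_threshold) for r in risks}


# Constructed sample register (currency units per year); not real figures.
SAMPLE_RISKS = [
    Risk("marketing site defacement", asset_value=5_000, sle=2_000, aro=0.1,
         control_cost=1_500, control_effectiveness=0.9),
    Risk("customer database breach", asset_value=500_000, sle=200_000, aro=0.2,
         control_cost=15_000, control_effectiveness=0.8),
    Risk("legacy fax gateway compromise", asset_value=3_000, sle=20_000, aro=0.25,
         control_cost=8_000, control_effectiveness=0.9),
    Risk("source repository exposure", asset_value=2_000_000, sle=100_000, aro=0.05,
         control_cost=12_000, control_effectiveness=0.9),
]
ACCEPTANCE_THRESHOLD = 1_000  # constructed: losses below this per year are "insignificant"

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:32} ALE={r.ale:>9,.0f}  net benefit={r.net_benefit:>9,.0f}"
              f"  -> {recommend(r, ACCEPTANCE_THRESHOLD)}")
```

The fourth sample risk shows the case the acceptance section describes: the source repository is far too valuable to terminate, but the only safeguard priced here costs more than the loss it prevents, so the screen returns "accept". In practice that outcome for a risk above the threshold should be treated as a prompt to look for a cheaper control or a transference option, and, if none exists, to record the acceptance with an owner and a review date rather than leave it implicit.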