3.5 NIST 800-39 Risk Response

Video Transcription
Our final two elements of NIST 800-39: we need to figure out how we're gonna respond to risk, and then, of course, we need to plan for ongoing monitoring, because you're never done with risk management. Risk management will follow you around everywhere you go. So we have to monitor. We have to determine if our strategies are working, and if they're not, what can we do about it?
Okay, so when we start our risk response, and I think you're going to see this very, um, very commonly, most organizations, most standards, most documents are gonna essentially say you have four responses: you can reduce, you can accept, you can transfer, or you can avoid. Right? That's what we do with risk. But which of those options we choose and how we implement reduction or mitigation or transference or whatever is really going to be driven by that risk assessment. So never undervalue the importance of a risk assessment, because how we respond to risk comes directly from that piece.
All right, so what do we want to do, what's our goal with risk response? What we're ultimately looking to do is to reduce residual risk to the level that's acceptable to senior management, and many times one risk treatment isn't enough. You have to keep responding and responding, responding and responding, until we do have risk mitigated to a level that's far enough, right? That's where management says, okay, we can live with that.
So in addition, when we think about responding to risk, we also have to think down the line. We have to think about risk that's left over after one response. That's called residual risk. I apply a risk management strategy; that doesn't mean I've made the risk go away. I've just lessened it. Well, now we've got so much residual risk that senior management still isn't happy, so I mitigate again, and then again and again. But after mitigation I always need to go straight to my residual risk and determine: is that where we want it now?
The other thing that's really important when we're responding to risk is that we think about secondary risks. Secondary risks: sometimes you fix one problem just to cause another. That is how the world works sometimes. As a matter of fact, I don't know if any of you fancy yourself as being handy around the house but really aren't handy around the house. That probably describes me perfectly. So, you know, sometimes I get these ideas. As a matter of fact, I'm the type of person that should not even have a toolkit around the house, because just owning a toolkit makes me think I can fix that. So, um, I had this issue with my toilet; it was running upstairs, and I went out to Lowe's. I was like, look, the kit to fix your toilet, $8. How hard can it be? Well, I'm also a little attentionally challenged, so, like, I go from step one to step seven pretty quickly. And finally, after much weeping and gnashing of teeth, the toilet wasn't running anymore. I had achieved.
Later on that night I was downstairs watching television, and I thought, that noise sounds like water dripping. And I looked at the back wall in the basement downstairs. I swear to you, it was like I had magically installed a water fountain, one of those ones that just go down the walls. You know, I could try to sell it as an undocumented feature, but I wasn't getting away with that. That's a residual risk. You fix one problem, but it causes something else. And sometimes that residual risk you cause is worse than the original problem. You know, if you install a patch that isn't necessarily a security patch, and it doesn't really impact your system, except it caused your system to reboot over and over and over again, that's a secondary risk causing more problems than we dealt with.
And unfortunately, one of the most horrific examples of secondary risk was after the events of September 11th. They made the cockpit doors impenetrable. Well, if the bad guys can't get in, the good guys can't either. So, just tragically, um, several years back there was a co-pilot with severe mental health issues, and he waited till the captain left the cockpit and then barricaded himself inside. And no one could get in there, and just, you know, he crashed the plane. Basically, just awful.
But that's us not thinking far enough down the line. You know, when we talk about threat modeling and risk scenarios, one of the things that we have to think about is use and misuse. We'll hear something that's gonna be great: I'm gonna have a passwords database, so passwords can be stored. Well, what's the misuse? Those passwords could be compromised. And most things that have a valid use, and even a beneficial use, could be turned around and used for evil in the wrong hands. Right? So we have to think about those elements. Secondary risks can kill us. So what's our defense? Risk modeling, use and misuse cases.
All right, so when we talk about our responses, um, we're making sure that what we do in IT is consistent and exists within the risk culture of the organization. Okay, so ultimately we're in line with how the organization prefers to deal with risks; that's how we deal with them in IT. Ultimately, IT is here to fall in line and ultimately support the needs of the business, deliver value to the business. We'll talk a lot about value in a little bit.
All right, so you can reduce, which is lessening probability or impact. You can transfer risk using insurance or service level agreements. You can accept the risk if the cost of mitigation is too high, or you can avoid a risk, and that's kind of like risk reduction. You know, if you reduce your risk all the way to zero, you've avoided the risk, right? So sometimes you just see risk, um, reduction, acceptance, transference, and then sometimes they'll throw in avoidance as well. But I really lump avoidance under reduction, because if you reduce it to zero, that's what you're doing. Make sure you know you don't eliminate risks. You can reduce them; you can even avoid particular risks. But we don't think in terms of avoiding risks, right, that is, eliminating risks; that just doesn't happen.