5.22 Risk Mitigation

Video Transcription
All right, we've analyzed our risk and we have a dollar value for the risk. The next thing that we do is mitigate.

So when I'm mitigating, I'm looking to lessen probability and/or impact, right? And really, you know, I'm looking to reduce it to the acceptable level. We don't talk about elimination of risks because you just can't do it. There are certain risks you can avoid. You know, I'm thinking about opening a location in an area with political unrest. That's too risky. I just don't do it. That's risk avoidance, right? But most of the time we look to reduce, accept or transfer the risk, which we'll talk about on the next slides. Um, actually, jump over here.

So when we talk about risk reduction: lessen probability and/or impact. If you lessen probability or impact all the way down to zero, either of those or both, you've avoided the risk, right? If I lessen the impact of rain on my picnic, then I've avoided it. Pretty hard to lessen the chance of rain, right? So that's probably not my best example, but I decide that this particular server hosting this service is too risky. Based on, uh, connecting the server to the Internet is too risky based on the value of the resources, so I just don't connect it to the Internet. That's risk avoidance, right?

Risk transference: service level agreements and insurance. So, with my service level agreement, that's where I get a commitment for reimbursement from the service provider should a particular risk materialize. Should I have uptime that's less than 99.9997%, right? And if that happens, the vendor will reimburse me a certain amount of money. So I'm sharing in the potential for loss. So that service level agreement, or a contract, guarantees such and such will happen, and if it doesn't, I get reimbursed. Also, if I buy insurance: I'm worried about fire, so I buy fire insurance, right? And if I have a fire, the insurance company pays a portion of my loss. Risk transfer: sharing in the loss potential.

Now there are also risks that we can just accept. You know what, it may just happen. It may just be one of those things that happen, and usually we accept the risk when the residual risk is within tolerable limits, right? So I'm concerned about the risk of fire. Way too much impact. Huge impact if we have a fire, so I will have a good fire policy. We don't store flammables near ignition sources. Comes down a little bit. I train my people in good fire safety. Comes down a little bit. That's not much. Still left with a ton of impact. All right, I buy sprinkler systems. Well, that brings things down significantly. But this is too much risk still. So what do I do? I get fire insurance, and fire insurance will take care of it all the way down to, you know, a small level of residual risk. And I say, well, that's about the best I could do based on cost-benefit analysis, right? So at that point in time, I accept that risk. It's been mitigated to the point that's reasonable. I accept what's left of it.

All right, now, risk rejection is the bottom bullet point here, and that's not legit. That is not a legitimate risk response. Risk rejection is that "la la la la la, it won't happen to me" kind of idea, of, you know, "why do I need a home firewall? I'm hardly on the Internet ever, and who's gonna attack my network?" Right? That's risk rejection. That's a failure of due diligence. And ultimately, I may find that I'm in a position of liability should that happen. So risk rejection ignores the risk, doesn't... And I want to be clear, that's very different from risk acceptance. Risk acceptance does the research. Risk acceptance does the cost-benefit analysis, right?

Uh, we had a hurricane... not hurricane, an earthquake in D.C. The heck was that? Strange. I'm an East Coast girl. We don't do earthquakes here, but we did have an earthquake. Had a little earthquake thing happen, and I immediately went online, did some research. How often do these earthquakes happen? Because I moved to the D.C. area shortly before this happened. And then, okay, when it does happen, what's the impact? I look at probability and impact. They happen once every 10 years. The strength of the earthquakes in the last 100 years hasn't exceeded 3.5 on the Richter scale. Based on the research, I accepted the risk, and I did not move my company or my home to a steel-reinforced building, right? It just wasn't worth it. It was a good business decision. If I rejected the risk and I lived out in San Diego or San Francisco and I was like, "What are the chances?" well, in that case, I'll be liable. So risk rejection misses due diligence, and we're setting ourselves up for liability if we don't use due diligence.
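The treatment path the lesson walks through (reduce with layered controls, transfer what is still too large, accept the residual, and never "reject") can be modelled with the same dollar-value risk figures the lesson starts from. The Python below is an added example written for this page, not code or figures from the course or the CCSP material: the asset value, exposure factor, occurrence rate, control effects, premium and tolerance are all constructed for illustration, and the `Risk`/`Control`/`Insurance` classes and the `treat` function are this example's own names.

```python
"""Quantitative risk treatment walk-through. All dollar figures, rates and
control effects are constructed for illustration (hypothetical values)."""
from dataclasses import dataclass, replace
from typing import List, Optional

# The four responses the lesson names. "reject" is deliberately absent:
# ignoring a risk without analysis is a failure of due diligence, not a response.
LEGITIMATE_TREATMENTS = ("avoid", "reduce", "transfer", "accept")


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollar value of the asset at risk
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: the yearly dollar value of the risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A reduction measure: lowers probability (ARO), impact (EF), or both."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fractional cut in ARO (0.1 = 10% fewer events)
    ef_reduction: float = 0.0   # fractional cut in EF (0.6 = 60% less loss per event)


@dataclass(frozen=True)
class Insurance:
    """A transfer measure: the insurer pays a share of each loss for a premium."""
    name: str
    annual_premium: float
    covered_fraction: float  # share of the loss the insurer reimburses (0..1)


def apply_control(risk: Risk, control: Control) -> Risk:
    """Residual risk after one control; probability and impact scale independently."""
    return replace(risk,
                   aro=risk.aro * (1.0 - control.aro_reduction),
                   exposure_factor=risk.exposure_factor * (1.0 - control.ef_reduction))


def cost_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus annual cost; positive means the control pays for itself."""
    return (risk.ale - apply_control(risk, control).ale) - control.annual_cost


def treat(risk: Risk, controls: List[Control],
          insurance: Optional[Insurance], tolerance: float) -> dict:
    """Reduce with worthwhile controls, then avoid / accept / transfer the remainder."""
    steps = [{"step": "inherent", "ale": risk.ale}]
    residual = risk
    for control in controls:
        if cost_benefit(residual, control) <= 0:   # the lesson's cost-benefit check
            steps.append({"step": f"skip {control.name}", "ale": residual.ale})
            continue
        residual = apply_control(residual, control)
        steps.append({"step": control.name, "ale": residual.ale})

    retained = residual.ale
    if retained == 0:                      # probability or impact driven to zero
        decision = "avoid"
    elif retained <= tolerance:            # residual within tolerable limits
        decision = "accept"
    elif insurance is not None:            # share the loss potential, keep the rest
        retained = residual.ale * (1.0 - insurance.covered_fraction)
        steps.append({"step": insurance.name, "ale": retained,
                      "premium": insurance.annual_premium})
        decision = "transfer" if retained <= tolerance else "exceeds tolerance"
    else:
        decision = "exceeds tolerance"
    return {"decision": decision, "residual_ale": retained, "steps": steps}


def choose_treatment(option: str) -> str:
    """Reject 'reject': it is not a legitimate risk response."""
    if option not in LEGITIMATE_TREATMENTS:
        raise ValueError(f"{option!r} is not a legitimate risk response; "
                         f"choose one of {LEGITIMATE_TREATMENTS}")
    return option


# Constructed sample: the lesson's fire scenario with hypothetical numbers.
FIRE = Risk("fire in the data center", asset_value=2_000_000, exposure_factor=0.5, aro=0.05)
FIRE_CONTROLS = [
    Control("flammables policy", annual_cost=500, aro_reduction=0.10),
    Control("fire-safety training", annual_cost=2_000, aro_reduction=0.10),
    Control("sprinkler system", annual_cost=10_000, ef_reduction=0.60),
]
FIRE_INSURANCE = Insurance("fire insurance", annual_premium=6_000, covered_fraction=0.80)
TOLERANCE = 5_000  # largest annual loss the business will carry itself


def fire_plan() -> dict:
    return treat(FIRE, FIRE_CONTROLS, FIRE_INSURANCE, TOLERANCE)


if __name__ == "__main__":
    plan = fire_plan()
    for s in plan["steps"]:
        print(f"{s['step']:<25} ALE ${s['ale']:>12,.2f}")
    print(f"decision: {plan['decision']}, residual ALE ${plan['residual_ale']:,.2f}")
```

With these constructed numbers the inherent ALE is $50,000; the policy, training and sprinklers each pass the cost-benefit check and bring it to $16,200, which still exceeds the $5,000 tolerance, so the 80% insurance cover brings the retained share to $3,240 and the decision is "transfer" with the residual accepted. Drop the insurance and the same plan reports "exceeds tolerance"; a control that drives ARO to zero (the disconnect-the-server case) reports "avoid".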
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.