Part 7 - Risk Mitigation



Time
12 hours 41 minutes
Difficulty
Advanced
CEU/CPE
13
Video Description

This lesson covers risk mitigation. A proper risk mitigation strategy is the result of strong quantitative analysis. The goal of risk management is to bring the level of risk down to a level that senior management finds acceptable. The lesson also covers the three ways of dealing with risk: reduction, acceptance and transfer. It is important to remember that risk rejection (doing nothing about a risk without having evaluated or documented it) is not an acceptable way of dealing with risk, and that risk is managed and reduced, never completely eliminated. Participants also learn additional risk terms: total risk, residual risk and secondary risk.

Video Transcription
00:04
So risk mitigation leads to, or really is, the "so what" of risk management.
00:11
So we figured out the potential for loss. We provide the appropriate mitigation so that the residual risk falls within the range that's acceptable to the business. We're lowering that risk, that potential for loss, to a point that's acceptable, because at some point in time we have to accept
00:30
a small degree of risk.
00:32
Or even if we don't have to, it's cost effective. You know, if you go to senior management and say, "Well, how long can we have our domain be down during a normal business day?"
00:44
Usually the response from senior management is none. We can't afford any downtime.
00:49
My response to that is, "Well, get your checkbook," because it will cost a lot of money to give an organization 24/7 uptime.
00:58
Now, who would spend that kind of money? Amazon or many online providers, where they lose millions of dollars per minute that they're down. But many organizations, you know, may have a higher tolerance or a higher capability to withstand downtime, based once again on cost-benefit analysis.
01:18
So when I come back to senior management and say, "Well, get your checkbook, because it's gonna cost millions of dollars to get 24/7 uptime,"
01:25
they come back and say, "Well, what we really meant was two hours' downtime,"
01:29
right? There's that negotiation process, because once again security costs money, and we have to figure out the potential for loss
01:38
versus the cost of the mitigating strategy.
01:40
All right, now, when we do look at risk mitigation, there are generally three basic ways we consider. We think about reduce, accept and transfer:
01:49
risk reduction, risk acceptance and risk transference. They're very much like they sound. When we talk about reducing the risk, we're talking about lessening the probability and/or impact of a risk. I can't lessen the probability of rain, but I can bring an umbrella and lessen its impact.
02:09
Right.
02:10
So we're bringing either probability or impact, or, if we're lucky, we're bringing probability and impact down, again to that tolerable level.
02:22
If I'm to eliminate a risk or avoid a risk, what I'm really doing is lessening probability and/or impact down to zero. I've eliminated the risk. I've chosen not to have the picnic outdoors; I'm gonna have it indoors, so I've eliminated the possibility of weather interfering with my
02:40
picnic.
02:43
All right, so that's risk avoidance. Risk avoidance is really extreme risk reduction.
02:49
Now, I'm gonna skip over acceptance for just a minute. I want to talk about risk transfer. What risk transfer means is I'm gonna share that risk with someone else. When we get insurance, fire insurance, for instance, it doesn't lessen the likelihood of having a fire. I mean, we're gonna have a fire or not;
03:07
it doesn't lessen how much damage is gonna be done to the house. The house is going to get damaged to a certain degree whether or not I have insurance. What I am lessening is my portion of the loss. I'm gonna share that loss with the insurance company. So when you hear about insurance, that's risk transfer.
03:23
When you hear about service level agreements, and those are really important in the IT world,
03:30
that's that commitment from a vendor to a certain degree of performance or uptime for a product. That's transferring the loss, because if the vendor doesn't meet those agreed levels, then ultimately there's usually some sort of financial compensation. So I'm sharing in that loss. So insurance,
03:50
service level agreements,
03:51
contract modification
03:53
This vendor's been late every time we've dealt with him, so we're gonna modify the contract to say that for each day late he's gonna return 1% of the value of the contract to us. That's again transferring the risk.
04:09
Okay. So we can reduce the risk, we can transfer a risk or, ultimately, we might just accept the risk.
04:15
And we accept the risk when we determine that the potential for loss is less than
04:21
the cost of the counter measure.
04:24
I'm not gonna spend $50 to protect a $20 bill,
04:28
so I'm not going to spend more than the potential for loss to protect a product.
04:32
But again, this is where it's so important that I really understand the value of my asset.
04:38
Because if I make the mistake of thinking... remember that laptop we talked about earlier? If I think that laptop's value is $300, I won't spend $500 to protect it.
04:47
But if I don't consider all the data that's on there in its value, if I don't consider the potential for fines in my industry via HIPAA or any of the other regulations and laws and standards, if I don't factor in all those many other elements and give value to my asset,
05:06
then I'm gonna make a poor decision.
05:09
But when the cost of mitigation is greater than the potential for loss, we accept a risk.
05:16
Okay. And what do we do when we accept a risk? Honestly, we do nothing.
05:21
We have chosen to allow that risk to exist. We're gonna keep an eye on it. We've documented the risk. We also have a paper trail as to why we've chosen not to implement a strategy, because, remember, we don't want to be found liable. We want to make sure that we protect the assets to the degree that's warranted. But ultimately we do
05:42
nothing.
05:43
Now, it's worth mentioning that with risk rejection you do nothing about a risk, but with risk rejection we don't have that paper trail. We haven't done the investigation. We haven't set up
05:56
a means of evaluating the loss potential. What we've basically done is "la la la la la, that won't happen to me."
06:02
And that is actually not a good form of risk management. So risk rejection is not allowed. We put it out there because, unfortunately, many organizations do risk rejection instead of acceptance. They don't work through it and decide, "We'll deal with this risk later because of the value potential."
06:20
Many times organizations just say, I don't want to hear it.
06:24
We can't deal with this right now. Risk rejection is not allowed.
06:28
Okay. So when we look back through risk mitigation, our big three elements: we reduce the risk by lessening probability and/or impact;
06:38
risk acceptance, where we choose not to implement a mitigation strategy because the potential for loss is greater than the cost of mitigation;
06:47
or we transfer risk: we find someone else to share in the risk events with us. That would include insurance or SLAs.
06:58
Now, a few other terms in addition with risk: total risk. And I think I already mentioned these earlier, but just to review, total risk is the amount of risk that exists before we implement some sort of control. So it's the total potential value for loss.
07:15
If we don't do anything, how much money will we lose
07:18
if we don't back up our data? That's the total risk.
07:21
Residual risk is what's left over after you've applied a risk mitigation strategy. And sometimes we have to apply multiple mitigation strategies. Yes, I'm going to transfer the risk of fire by having fire insurance. But I'm also going to try to reduce that risk by
07:39
storing flammable material in a safe place, having good policies.
07:44
having sprinkler systems, those ideas. So often we have multiple risk strategies, but eventually there will be some risk that's left over, and that's called residual risk.
07:56
Secondary risk is when one risk response triggers another risk event. We talked about that as well. So the idea here is, when we talk about risk, the vulnerabilities and the assets come together. Okay, so let me reword that: the amount of threats, the amount of vulnerabilities and the value of the asset,
08:13
all that is considered to give us the total risk.
08:18
These are just conceptual calculations; these aren't really things that you need to plug values into.
08:24
And then when we talk about the total risk
08:26
and then we add an element of control, call it the controls gap. That's what gives us the residual risk. Those are just a few additional terms when it comes to dealing with risk.
08:39
Now, as we wrap up risk management, if you'll recall, three main elements of risk and then ongoing monitoring: we have risk assessment, where we identify,
08:48
we identify our assets, and then we also have to evaluate our assets. This is a hard process. It's not easy to look at my company and say our reputation is worth so many millions of dollars. It's very difficult to get a dollar value for intangible assets, but we have to.
09:07
That will then lead us to risk analysis, where we prioritize our risks based on their qualitative value and then their quantitative value. That quantitative value would then drive me to know how much money to spend, or how much money I should spend, on risk mitigation.
09:26
Do I reduce the risk, do I accept the risk or do I transfer it?
09:30
How do I address this risk, in general? And remember, anything that talks about eliminating risk is gonna be wrong. What we have to do is manage risk, reduce risk. We can't totally eliminate it.
09:45
All right, so we've gone through the definitions and terms, we talked about the different types of risk. We'll talk a little bit more about governance and compliance in the next section.