So risk mitigation leads to, or really is, the "so what" of risk management. We figured out the potential for loss; well, now we provide the appropriate mitigation so that the residual risk falls within the range that's acceptable to the business. We're lowering that risk, that potential for loss, to a point that's acceptable, because at some point in time we have to accept a small degree of risk.
Or even if we don't have to, it's cost effective. You know, if you go to senior management and say, "Well, how long can we have our domain be down during a normal business day?" usually the response from senior management is, "None. We can't afford any downtime."
My response to that is, "Well, get your checkbook," because it will cost a lot of money to give an organization 24/7 uptime.
Now, who would spend that kind of money? Amazon, or many online providers, where they lose millions of dollars per minute that they're down. But many organizations may have a higher tolerance, or a higher capability to withstand downtime, based once again on cost-benefit analysis.
So when I come back to senior management and say, "Well, get your checkbook, because it's going to cost millions of dollars to get 24/7 uptime," they come back and say, "Well, what we really meant was two hours of downtime," right? There's that negotiation process, because once again security costs money, and we have to figure out the potential for loss versus the cost of the mitigating strategy.
All right, now, when we do look at risk mitigation, there are generally three basic ways we consider it; we think about reduce, accept and transfer: risk reduction, risk acceptance and risk transference.
So they're very much like they sound. When we talk about reducing a risk, we're talking about lessening the probability and/or impact of a risk. I can't lessen the probability of rain, but I can bring an umbrella and lessen its impact. Right? So we're bringing either probability or impact, or if we're lucky we're bringing both probability and impact, down again to that tolerable level.
If I'm to eliminate a risk or avoid a risk, what I'm really doing is lessening probability and/or impact down to zero. I've eliminated the risk. I've chosen not to have the picnic outdoors; I'm going to have it indoors, so I've eliminated the possibility of weather interfering with my picnic. All right, so that's risk avoidance, and risk avoidance is really extreme risk reduction.
Now, I'll skip over acceptance for just a minute. I want to talk about risk transference. What risk transference means is I'm going to share that risk with someone else. When we get insurance, fire insurance, for instance, it doesn't lessen the likelihood of having a fire. I mean, there's going to be a fire or not; it doesn't lessen how much damage is going to be done to the house. The house is going to get damaged to a certain degree whether or not I have insurance. What I am lessening is my portion of the loss. I'm going to share that loss with the insurance company. So when you hear about insurance, that's risk transference.
When you hear about service level agreements, and those are really important in the IT world, that's that commitment from a vendor to a certain degree of performance or uptime for a product. That's transferring the loss, because if the vendor doesn't meet those agreed levels, then ultimately there's usually some sort of financial compensation. So I'm sharing in that loss. So insurance, service level agreements, or say this vendor's been late every time we've dealt with him, so we're going to modify the contract to say that for each day late he's going to return 1% of the value of the contract to us. That's again transferring the risk.
Okay. So we can reduce the risk, we can transfer a risk, or ultimately we might just accept the risk. And we accept the risk when we determine that the potential for loss is less than the cost of the countermeasure. I'm not going to spend $50 to protect a $20 bill, so I'm not going to spend more than the potential for loss to protect a product.
But again, this is where it's so important that I really understand the value of my asset. Because if I make the mistake of thinking, remember that laptop we talked about earlier? If I think that laptop's value is $300, I won't spend $500 to protect it. But if I don't consider all the data that's on there and its value, if I don't consider the potential for fines from my industry via HIPAA or any of the other regulations and laws and standards, if I don't factor in all those many other elements and give value to my asset, then I'm going to make a poor decision.
But when the cost of mitigation is greater than the potential for loss, we accept the risk.
Okay? And what do we do when we accept the risk? Honestly, we do nothing. We have chosen to allow that risk to exist. We're going to keep an eye on it. We document the risk. We also have a paper trail as to why we've chosen not to implement a strategy, because remember, we don't want to be found liable. We want to make sure that we protect the assets to the degree that's warranted. But ultimately, we do nothing.
Now, it's worth mentioning that with risk rejection you also do nothing about a risk, but with risk rejection we don't have that paper trail. We haven't done the investigation. We haven't set up a means of evaluating the loss potential. What we've basically done is "la la la la la, that won't happen to me." And that is actually not a good form of risk management. So risk rejection is not allowed. We put it out there because, unfortunately, many organizations do risk rejection instead of acceptance. They don't work through it and decide "we'll deal with this risk later because of the loss potential." Many times organizations just say, "I don't want to hear it. We can't deal with this right now." Risk rejection is not allowed.
Okay? So when we look back through risk mitigation, our big three elements: we reduce the risk by lessening probability and/or impact; risk acceptance, where we choose not to implement a mitigation strategy because the cost of mitigation is greater than the potential for loss; or we transfer risk, where we find someone else to share in the risk events with us, and that would include insurance or SLAs.
Now, a few other terms in addition with risk: total risk. And I think I already mentioned these earlier, but just to review, total risk is the amount of risk that exists before we implement some sort of control. So it's the total potential value for loss if we don't do anything. How much money will we lose if we don't back up our data? That's the total risk.
Residual risk is what's left over after you've applied a risk mitigation strategy, and sometimes we have to apply multiple mitigation strategies. Yes, I'm going to transfer the risk of fire by having fire insurance, but I'm also going to try to reduce that risk by storing flammable material in a safe place, having good policies, having sprinkler systems, those ideas. So often we have multiple risk strategies, but eventually there will be some risk that's left over, and that's called residual risk.
Secondary risk is when one risk response triggers another risk event. We talked about that as well.
So the idea here is, when we talk about risk, the vulnerabilities and the assets come together. Okay, so let me reword that: the amount of threats, the amount of vulnerabilities and the value of the assets, all of that is considered to give us the total risk. These are just conceptual calculations; these aren't really things that you need to plug values into. And then when we take the total risk and add an element of control called the controls gap, that's what gives us the residual risk. So just a few additional terms when it comes to dealing with risk.
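To make the reduce/transfer/accept rule and the total-versus-residual terms concrete, here is an added Python illustration that is not part of the lecture. It models a risk register entry as asset value, probability and impact, stacks a reduction control and a transfer (insurance) on it, applies the lecture's cost-benefit rule (accept when the mitigation costs more than the potential loss), and refuses to file an acceptance that has no written rationale, since an undocumented "do nothing" is risk rejection. All figures, names and the simple probability-times-impact model are constructed assumptions; the lecture itself treats these as conceptual rather than numeric calculations.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    """One entry in the risk register. Probability and impact are 0..1; the
    asset value must include everything the lecture warns about (the data on
    the device, regulatory fines, reputation), not just the hardware price."""
    name: str
    asset_value: float
    probability: float
    impact: float

    def expected_loss(self) -> float:
        # The conceptual 'threats x vulnerabilities x asset value' collapsed to one number.
        return self.asset_value * self.probability * self.impact


@dataclass
class Treatment:
    """A mitigation: 'reduce' lowers probability and/or impact; 'transfer'
    (insurance, SLA penalty clause) leaves both alone and only shrinks the
    share of the loss we carry ourselves."""
    name: str
    kind: str                        # "reduce" or "transfer"
    cost: float                      # what the countermeasure costs per period
    probability_factor: float = 1.0  # reduce: new probability = old * factor
    impact_factor: float = 1.0       # reduce: new impact = old * factor
    retained_share: float = 1.0      # transfer: fraction of the loss still ours


def residual_risk(risk: Risk, treatments: List[Treatment]) -> Risk:
    """Total risk is the untreated entry; residual risk is what is left after
    every treatment has been stacked on (several usually apply at once)."""
    p, i = risk.probability, risk.impact
    for t in treatments:
        if t.kind == "reduce":
            p *= t.probability_factor
            i *= t.impact_factor
        elif t.kind == "transfer":
            i *= t.retained_share  # the fire still happens; only our portion of the loss shrinks
        else:
            raise ValueError(f"unknown treatment kind: {t.kind!r}")
    return Risk(risk.name, risk.asset_value, p, i)


@dataclass
class Decision:
    risk: str
    total_risk: float
    residual_risk: float
    mitigation_cost: float
    response: str      # "accept", "treat", or "treat-insufficient"
    rationale: str     # the paper trail that separates acceptance from rejection


def decide(risk: Risk, treatments: List[Treatment], tolerance: float) -> Decision:
    """Apply the lecture's rule: accept when mitigation costs more than the
    potential loss (don't spend $50 to protect a $20 bill); otherwise treat
    and check the residual against what the business will tolerate."""
    total = risk.expected_loss()
    cost = sum(t.cost for t in treatments)
    if cost > total:
        return Decision(risk.name, total, total, 0.0, "accept",
                        f"mitigation {cost:.2f} exceeds potential loss {total:.2f}; monitored")
    leftover = residual_risk(risk, treatments).expected_loss()
    names = "+".join(t.name for t in treatments)
    if leftover <= tolerance:
        return Decision(risk.name, total, leftover, cost, "treat",
                        f"{names}: residual {leftover:.2f} within tolerance {tolerance:.2f}")
    return Decision(risk.name, total, leftover, cost, "treat-insufficient",
                    f"{names}: residual {leftover:.2f} above tolerance {tolerance:.2f}; add controls")


def record(decision: Decision) -> Decision:
    """Acceptance without a written rationale is risk rejection, which the
    lecture does not allow, so refuse to file it."""
    if decision.response == "accept" and not decision.rationale.strip():
        raise ValueError(f"{decision.risk}: undocumented acceptance is risk rejection")
    return decision


# Constructed figures for the lecture's laptop example (hypothetical, not real data).
LAPTOP_TREATMENTS = [
    Treatment("disk-encryption", "reduce", cost=300.0, impact_factor=0.1),
    Treatment("device-insurance", "transfer", cost=200.0, retained_share=0.5),
]
LAPTOP_HARDWARE_ONLY = Risk("lost-laptop", asset_value=300.0, probability=0.2, impact=1.0)
LAPTOP_WITH_DATA = Risk("lost-laptop", asset_value=20000.0, probability=0.2, impact=1.0)

if __name__ == "__main__":
    for r in (LAPTOP_HARDWARE_ONLY, LAPTOP_WITH_DATA):
        d = record(decide(r, LAPTOP_TREATMENTS, tolerance=500.0))
        print(f"{d.risk}@{r.asset_value:.0f}: {d.response} (total {d.total_risk:.0f}, "
              f"residual {d.residual_risk:.0f}, cost {d.mitigation_cost:.0f}) - {d.rationale}")
```

The two laptop entries show the valuation point from the lecture: priced as hardware only, the $500 of controls exceeds the $60 expected loss and the risk is accepted (with a rationale on file); priced with the data and fines included, the same controls are cheap relative to the $4,000 total risk, and the residual of $200 lands within the constructed $500 tolerance.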
Now, as we wrap up risk management, if you'll recall, three main elements of risk and then ongoing monitoring. We have risk assessment, where we identify our assets, and then we also have to evaluate our assets. This is a hard process. It's not easy to look at my company and say our reputation is worth so many millions of dollars. It's very difficult to get a dollar value for intangible assets, but we have to.
That will then lead us to risk analysis, where we prioritize our risks based on their qualitative value and then their quantitative value. That quantitative value would then drive me to know how much money to spend, or how much money I should spend, on risk mitigation. Do I reduce the risk? Do I accept the risk? Do I transfer it? How do I address this risk in general? And remember, anything that talks about eliminating risk is going to be wrong. What we have to do is manage risk and reduce risk; we can't totally eliminate it.
All right, so we've gone through the definitions and terms. We talked about the different types of risk. We'll talk a little bit more about governance and compliance in the next section.