Risk Avoidance, Sharing, and Transfer


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> We just talked about risk mitigation, and I was arguing with myself, "Do I make risk avoidance a separate topic or do I just include it with mitigation?" Because when we talked about mitigation, we said we're going to lessen either probability and/or impact. We're going to lessen probability and/or impact. Well, if I lessen either of those to zero, then I've avoided the risk. Ultimately what we get with risk avoidance is the ultimate of mitigation. In some courses they'll just lump risk avoidance under the category of mitigation. CRISC does set this out as a separate risk response, which I understand is perfectly fine, but I do just want you to understand that risk avoidance is really just mitigating to the point where you have no risk left.

What we have to do is we have to either eliminate the probability of a risk event or eliminate its impact. Now that's tough to do, because usually we talk about bringing that risk down to an acceptable level. We usually just think, "Hey, what is the level of acceptance that's set out by senior management and how do we get it there?" But there are certain risks that are too risky, and just reducing isn't enough. We don't get the level of decreased risk that we're looking for. So in that case we decide we're going to take our toys and go home, and that's what risk avoidance is.

The problem with risk avoidance is that we're not doing something that we had planned to do. We're choosing to no longer pursue perhaps something that had a business benefit. Like for instance, we've got some examples here. If you take a look at each of them, we're just not going to follow along with an opportunity.

Relocating a data center from a region with significant natural hazards. You know what, I'll tell you that if I run a company that makes fine crystal and fine china, I am not going to take the risk of putting this factory on the San Andreas Fault. Not going to be good with china. Well, same thing when you're looking at your data. We want to make sure that we have high availability of our systems, and that our data is highly available, and that's if... that's not always the critical concern and the chief concern of folks aligned with certain types of data. But if that's the case, we know that natural hazards, tornadoes, fires, floods, earthquakes can render our systems and data unavailable. At that point in time we may just choose not to open that location. We avoid that risk altogether.

We may turn down projects. We talked about, in Domain 1, some of the criteria that we use to determine whether or not we're going to undertake a business endeavor. One of the first things we said is we develop a business case, and we look at the pros and cons of undertaking this. Back with the feasibility study, we were trying to figure out, is this even something we can pull off? Let's say we do our SWOT analysis, and we look at strengths and weaknesses, we look at opportunities and threats, and we find in relation to this project our weaknesses are greater than our strengths. There are more threats than there are opportunities. Well, then I'm not going to choose to undertake that project; that would be risk avoidance.

You can run through your mind other instances of risk avoidance. One thing that I'll say is that, in any instance where you are looking at a risk that might have an impact on human life... now we don't necessarily think of that from day to day in relation to cybersecurity, but that's beginning to be an issue more and more as more and more elements become computerized, more and more elements become publicly accessible, so there are some things that we have the technology to do that we're just not ready to accept the risks associated with it. That would be a time when we avoid a risk. If we're always focusing on ease of use, sometimes the impact of a risk can be much greater than we're willing to accept, and sometimes you can't even mitigate. Technology may be limiting, and we may have to avoid a risk because the current technology just isn't sufficient.

Wi-Fi technology has been around for decades. But early on the only security mechanism to protect Wi-Fi communications was one called WEP. WEP stood for Wired Equivalent Privacy. WEP provided very poor protection of confidentiality of information. Numerous organizations had the capacity to implement wireless strategies, or Wi-Fi, but because the security was so weak at the time, it was not worth taking on that risk. Still today, in government agencies and secure areas, they avoid the risk of Wi-Fi by disallowing it. Now with avoidance, the problem there is we don't do what we wanted to do. In instances where we can mitigate or reduce the risk to a degree that's acceptable, that's probably going to be our first choice though.

Now I just want to mention the last risk response that we have is sharing the risk or transferring the risk. Risk sharing, risk transferring, same thing. With risk sharing and transferring we're sharing the loss potential with another organization. Think of things like insurance, service level agreements, contracts, outsourcing work. That's sharing the loss potential with another entity.

Now a couple of things I want to say about this. First thing I want to say is you cannot outsource liability. Just hiring a vendor and turning over work to them doesn't allow me to just wash my hands of the entire risk; I am still liable if I'm the data owner. For instance, if I'm a healthcare provider and I collect patient data, well, I'm accountable to be in compliance with HIPAA. I think, "Oh, I can't take that on." I hire another agency to process forms, and their commitment is that they're in compliance with HIPAA. Yay, that's taken care of. Not necessarily. If that other organization has a breach, and it's determined that they were not in compliance with HIPAA, I'm liable. It's my responsibility as a healthcare provider to make sure we're in compliance. You can't pass the buck when it comes to liability.

The other thing about risk transference: we're sharing the loss potential. Outsourcing alone doesn't mean that we've transferred a risk. It's only when you have in your contracts some form of service level agreement or some compensation clause. Because when we talk about, and this is a phrase that could come up, fiduciary risk transference, transferring the loss potential, think money. It's that service level agreement in our contracts that says, if this degree of service isn't met, then I would be rewarded a certain amount of money, not rewarded, but refunded, or a certain amount of funds would be basically redirected to me as the data owner. We hire, we outsource our work, and then we expect that vendor to give us a service level agreement, so that if they fail to meet the terms of the contract I get some compensation. That's what really makes the transference piece.

Then the last thing I'll say about risk transference is risk transference really doesn't lessen probability or impact. If I get fire insurance, it doesn't lessen the probability that I'm going to have a fire. It doesn't lessen the impact of me having a fire just by having insurance, but what it lessens is my portion of the loss. When we're talking about risk transference, we're sharing that loss potential with another organization or entity.