Risk Management Lifecycle: Risk Response and Mitigation


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
Our next step of the risk management life-cycle, we're going to focus on response and mitigation. This is where we take that risk amount that may be unacceptable, where we have too much risk, and we try to bring the risk down to a level that's acceptable by senior management, and that's really our main goal. We're going to talk about the strategies, the ways that we can accomplish this, and the way we accomplish risk mitigation is through the use of controls. Of course, like we mentioned before, those controls have to have specific objectives associated.

Third step here, risk response and mitigation. We start out by talking about the ways we can respond. Risk response, really to me, has three big categories: reduce, accept, and transfer. Now, we also have risk avoidance and then there's risk rejection, but risk rejection really isn't an appropriate risk response.

If we talk about risk reduction and avoidance, what we're trying to do is lessen the probability and/or impact of a risk. Remember, that's what gives me that risk value: probability times impact. If I can take the probability of a risk event down, or if I can take the severity of a risk event down, then I'm lessening the risk.

Now, risk mitigation is our most common response. When I talk about implementing controls like firewalls or policies or door locks and security guards, those are all types of mitigation. I'm lessening probability and/or impact. Most times when we see a risk, we think, okay, how can we reduce it? We reduce it through the use of controls.

Now, if I were to lessen probability and/or impact all the way down to zero, then I will have avoided the risk, because probability times impact equals risk. If either of those is zero, then we have no risk. That's not something that is frequently possible. I want to say it's not frequently possible, but most of the time we look to reduce our risk, because if we avoid the risk, then generally we're choosing an alternate path than perhaps what we had wanted to do in the first place. For instance, maybe I'm looking at opening up an office in an area of civil or political unrest. I do my research and I decide, you know what? It's just too risky to open an office there right now. So I don't. That's what risk avoidance looks like. I just don't do what I was considering doing. That's not practical in many instances. But if there were ever an issue where human life could be threatened, then yeah, risk avoidance is 100 percent appropriate.

But most of the time we're looking to implement a control that brings down probability and/or impact. Then we look at what's left. We look at the residual risk. If that residual risk is still too high for senior leadership, then we add another control. We bring the risk down some more, and then we add another control and another control until we have brought the residual risk to a level that's acceptable. When we talk about risk acceptance, that's the point where we no longer continue to mitigate.

Sometimes risk reduction, though, isn't enough. I think about fire safety, for instance. I can reduce the probability and/or impact of fire by having sprinkler systems, by training people on fire safety, by not storing flammable liquids and things like that, but ultimately, there is still such a potential of a high impact of fire. There could be human life lost, there could be loss of property to the facility. Because no matter what I do, that residual risk still seems very, very high, I'm going to have fire insurance. I'm going to share that loss potential with another organization. That's what we're doing when we transfer risks. Anytime you think about insurance, that's risk transference.

When we outsource, for instance, I've determined that I am probably not going to be able to develop a software application in-house that will meet our needs. I decide to hire a vendor. Well, that vendor is going to develop the software for me, and if there are issues with the software, I will maybe receive some compensation or I won't have to pay, or whatever the case is. But I'm sharing in the potential for loss with that vendor. When I migrate my data to the cloud, the cloud service provider provides me with a service level agreement where they commit to a certain degree of up-time, a certain degree of performance. Again, if they don't meet those requirements, I'm compensated. That's risk transference.

Now, as I mentioned before though, at some point in time, there's an amount of residual risk that either you can't do anything about or it's just not cost effective. There's not enough money you can spend to 100 percent remove the risk of fire in a typical business. You can make it very, very unlikely, but at some point in time, there's still that chance. Just like I can't secure a system in a way that it could never conceivably be compromised. We can implement all the security that we want to implement, but at some point in time, it's just not cost effective. Like we said, at some degree we mitigate, mitigate, mitigate until what's left over is tolerable. It's what we can accept. Our main goal is to bring residual risk down to the degree that what's left over can be accepted.

When we talk about risk acceptance, basically, we no longer actively strive to mitigate the risk. Now, what that really translates to is at some point in time we do nothing, and sometimes we start off that way. Back in, I guess it's been seven or eight years ago in the DC area, we had an earthquake. Now, I'm a DC girl. I'm an East Coast person. I never grew up on the West Coast where earthquakes are a thing. As a matter of fact, I thought earthquakes were something West Coasters made up just to get attention. But here we are, in DC, and we had an earthquake. Now, I can assure you that I did due diligence. I went out and I researched: how often do we have earthquakes in DC? It turned out that even though we had had one, usually we don't have an earthquake, maybe once every 10, 15 years. That made me feel a little better. Then I wanted to know, well, when we have these earthquakes, how significant are they? The research told me it was a very minimal loss, maybe something like three on the Richter scale, that was the average. Based on probability and impact, the fact that there are hardly ever earthquakes in DC and when there are, they have a very low impact, I said, "You know what? I'm not going to move to a different location. I'm not going to take my business and move them into a building that is steel reinforced. What I'm going to do is accept the risk that we may have an earthquake. But based on probability and impact, a more active mitigation strategy just isn't warranted."

That's a good business decision. That's risk acceptance, and risk acceptance generally comes when the cost of the countermeasure is greater than the potential for loss. I'm not going to spend $50 to protect a $20 bill.

Now, there's also a type of risk response where you do nothing, called risk rejection. Really, you do nothing with risk acceptance, you do nothing with risk rejection. So what's the difference? The difference is due diligence. With risk acceptance, I do my homework. I make a good business decision based on fact. Risk rejection is where I stick my head in the sand and say, it's not going to happen. Ultimately, when it comes up to, when would I be liable? I'm much less likely to be found liable with accepting a risk and being able to demonstrate it was a good business decision, as opposed to risk rejection. We don't want to reject risks; accepting risks, however, is certainly reasonable.

When we talk about mitigating our risk, we're lessening the probability and/or impact. We can do that with reduction. Remember, the ultimate reduction is avoidance. We can transfer and share the loss potential, or we can accept our risks. Remember, risk rejection: not an acceptable strategy.