Risk Mitigation

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> After looking at risk acceptance, let's go ahead and move into another option for risk response, which is risk mitigation. That's really the strategy that most people think about when they think about dealing with risks. If the risk exists and the amount of risk is not acceptable, we have to do something about that. One of the most common strategies is to mitigate the risk. When we do use that term, what we're looking to do is to reduce either the probability or impact of a risk, or both.

With probability, I can't lessen the likelihood or probability that it's going to rain. I can lessen the impact of rain if I bring an umbrella. That's risk mitigation. Or I can't lessen the impact that malware is going to have on the system, but I can lessen the probability of getting infected with malware by having anti-malware software and doing regular scans. Sometimes I can lessen both. Sometimes it's one or another. But ultimately, I'm trying to bring the amount of risk down.

Once again, my goal is to bring the amount of risk down to the degree that's acceptable, so that residual risk is acceptable. If my mitigation strategy, my first mitigation strategy, doesn't work, I'll try something else that may lower my risk, but it's still not acceptable. Well, mitigate some more, add additional controls. We'll talk about compensating controls in just a little while. But those are the controls you add when you need additional protection from risks. We add compensating controls. Risk comes down. Finally, we get to the point that's acceptable. That amount of residual risk is acceptable, so we no longer mitigate.

Now, lots of examples of mitigation. When it comes right down to it though, when we mitigate, we're implementing controls. Our controls are going to be either technical, administrative, or physical controls. Again, lessening probability and/or impact.

We have to make sure that we have a mature risk management process in place, because if we're not properly identifying our assets, if we don't truly understand the value of those assets, if we don't do good research to determine probability and impact, if we don't have a strategy for addressing certain types of risks, then what's going to happen is we're going to apply more controls that are unnecessary, which means we're spending more money than we should. Or, even worse, we're applying fewer controls. We're not spending enough money to truly protect the asset.

That goes into the idea that a lot of times you may look at an asset and think, well, it's a relatively low-value asset. Now, I've got a laptop. How much can that be worth? Well, today my laptop's worth about, like, I'd probably get 100 bucks if I sold it. But that's not where the value comes in. Our risk management process has to start with identifying our assets and determining their value. A well-thought-out process has to be involved. Then we figure out threats and vulnerabilities, and we come up with the value for risks. All I'm really saying here is, if you don't have solid risk management processes in place, we're going to make mistakes with how we mitigate. We're going to spend too much money. We certainly don't want to spend not enough to provide adequate protection.

Usually, risk mitigation is where we bring in our controls, just like I said. Those controls, we're going to focus primarily on administrative controls and technical controls, but don't underestimate the importance of physical controls as well. We're going to really focus on policies and procedures, which we've already looked at in governance in Chapter 4. Domain 4, we're going to focus in on technical controls. We don't really talk a ton about physical controls here, but I just wanted to stress you can't forget those. Again, what are we trying to do? Reduce residual risk to a degree that's acceptable to senior management.