12 hours 25 minutes
All right. Other options for dealing with loss may be to share the risk, or risk transference, as it's often referred to. Now, there are a couple of things that are important to understand with risk transference.

First of all, by transferring a risk, you're really not necessarily guaranteeing a reduction in the probability or impact of the risk event. So what I mean by that is, if I buy fire insurance for my house, my house is still every bit as likely to catch on fire, even though I've bought insurance, right? That doesn't matter. And if it does catch on fire, I'm gonna have the same amount of damage to my house, whether I have insurance or not.

So what risk transference means is, it doesn't mean that you've lessened the probability or impact. What it means is you have the potential to share that loss with another entity, right? And that guarantee of sharing the loss, if you will, comes to us through the contract or the service level agreement. So when you look at risk transference, it's about the potential sharing of loss, and that's driven by, you know, if you look at cloud service providers, if you look at third-party vendors, really, the piece that makes it transference is in the contracts that we sign.
All right. Now, at some point in time, we may find that mitigating the risk or transferring the risk is more cost, is more effort, than it's worth. You know what? I'm not gonna spend, say, $50 to protect a $20 bill. So at some times, we may choose to accept risk, and risk acceptance can look a couple of different ways. In one instance, risk acceptance may just be when you have no choice. You know what? We're two weeks behind. I'm just gonna have to accept the risk that we're gonna finish behind. There may be nothing else I can do about it other than just go, I accept that risk.

But other times, when we talk about risk acceptance, usually it's when we talk about choosing to accept a risk. What we're looking at is cost-benefit analysis. We're going back to those quantitative assessments, or sometimes even qualitative assessments, that we looked at earlier. And we're looking at our potential for loss. If you'll remember, probability times impact gave us the potential for loss. And then I measure the potential for loss up against the cost of the countermeasure. And if the cost of the countermeasure is greater than my potential for loss, it doesn't make sense. It doesn't make sense to mitigate, right, because it costs more than what I'm gonna lose. So at that point in time, I may choose to accept the loss, or to accept the risk, rather. I will mention that,
you know, perhaps, with something like an earthquake. You know, we had an earthquake. I'd only lived in the D.C. area for a couple of months before there was an earthquake in the area. I'm from North Carolina, had never been in an earthquake before. So when that happened, you know, it got my attention. I will tell you that I kind of thought earthquakes were just those things that West Coast people made up to get attention. Turns out that's not so.

What I did, though, is I didn't just go, huh? I went out and I did some research, and I looked to see historically how many earthquakes hit the Washington, D.C. area, and it wasn't many. And then I said, well, when they do hit, what's the impact? And the impact's traditionally very low for typical businesses. And I said, well, based on the fact that they're very unlikely, and even if they do happen there's not much impact, it's not worth really making a more active plan to deal with earthquakes. I'm not gonna move into a steel-reinforced building, right. I'm going to simply accept the risk.

Now, the problem is, when I choose to accept the risk, I may need to be able to justify that, right? Because if that earthquake happens, and if my entire business is destroyed and my shareholders come knocking at my door going, why didn't you protect us? Then I need to be able to go back and have a paper trail that says, this is why I made the decisions that I did. Here's the criteria I used. This was a thoughtful, purposeful business decision.

Because on the flip side of risk acceptance is what's called risk rejection, and risk rejection essentially looks like a lot of "la la la la, I don't think about it, I don't want to talk about it." Now, of course, if that's your management strategy, you're very likely to end up on the wrong side of the law, of liability. So the difference between risk acceptance and risk rejection, although they might look the same because you're not really doing anything, the difference is due diligence. With risk acceptance, I show due diligence. With risk rejection, I ignore it.
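The cost-benefit test the lecture describes, probability times impact measured against the cost of the countermeasure, together with the written justification the speaker says you need to keep, as an added Python example. This is not code from the lecture or the course; the risk names, probabilities, dollar amounts and the shape of the decision record are all constructed for illustration.

```python
"""Risk acceptance versus mitigation by cost-benefit analysis, with a
decision record for each risk so the choice can later be justified.

Added example, not from the lecture. All risk figures below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json


@dataclass
class Risk:
    name: str
    probability: float          # chance the event occurs within one year (0.0 - 1.0)
    impact: float               # loss in dollars if the event does occur
    countermeasure: str         # the mitigation being considered
    countermeasure_cost: float  # cost of that mitigation over the same year

    def potential_loss(self) -> float:
        """Probability times impact: the potential for loss from the lecture."""
        return self.probability * self.impact


def decide(risk: Risk, decided_on: Optional[str] = None) -> dict:
    """Mitigate when the countermeasure costs less than the potential loss,
    otherwise accept the risk. Either way, return a record that states the
    numbers and the reasoning, which is what separates acceptance from rejection."""
    exposure = risk.potential_loss()
    if risk.countermeasure_cost < exposure:
        treatment = "mitigate"
        rationale = (f"countermeasure '{risk.countermeasure}' costs "
                     f"{risk.countermeasure_cost:,.2f}, less than the potential "
                     f"loss of {exposure:,.2f}")
    else:
        treatment = "accept"
        rationale = (f"countermeasure '{risk.countermeasure}' costs "
                     f"{risk.countermeasure_cost:,.2f}, which is not less than the "
                     f"potential loss of {exposure:,.2f}; accepted after review")
    return {
        "risk": risk.name,
        "probability": risk.probability,
        "impact": risk.impact,
        "potential_loss": exposure,
        "countermeasure": risk.countermeasure,
        "countermeasure_cost": risk.countermeasure_cost,
        "treatment": treatment,
        "rationale": rationale,
        "decided_on": decided_on or date.today().isoformat(),
    }


def risk_register(risks: list, decided_on: Optional[str] = None) -> str:
    """The paper trail: one decision record per risk, serialised as JSON."""
    return json.dumps([decide(r, decided_on) for r in risks], indent=2)


# Constructed sample risks echoing the lecture's own scenarios.
EARTHQUAKE = Risk("earthquake at the D.C. office", 0.01, 500_000.0,
                  "relocate to a steel-reinforced building", 200_000.0)
OFFICE_FIRE = Risk("office fire", 0.02, 100_000.0,
                   "sprinkler system maintenance", 1_500.0)
TWENTY_DOLLAR_BILL = Risk("losing a $20 bill", 1.0, 20.0,
                          "a $50 lockbox", 50.0)

if __name__ == "__main__":
    print(risk_register([EARTHQUAKE, OFFICE_FIRE, TWENTY_DOLLAR_BILL]))
```

Each record keeps the inputs next to the conclusion, so a later reader (an auditor, a shareholder) can see that the acceptance was a reasoned decision rather than the "la la la" of risk rejection; recalculating it when the probability or impact estimates change is just a matter of rerunning the register.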