Now, one other piece I want to mention about risk mitigation, with risk mitigation strategies: your mitigation should always be driven by cost-benefit analysis. Sometimes I like to ask my students, I like to say, "How much security is enough?"
And when I ask that question, we're all kind of trained to have this knee-jerk reaction of where you can never have too much security.
If you could never have too much security, how many of you have an armed guard at your house, out in front of the door? You've got an armed guard who monitors your house day in and day out?
How many of you have a retina scan to get into your home behind that armed guard?
Probably none of you. That would be my guess. I certainly don't. Well, if you could never have too much security, why not?
Because it's not cost effective. Uh, well, then you can have too much security. And what is too much security? To the point where there is no longer a cost benefit.
Every decision you make on the planet comes with a cost-benefit analysis. Every decision you make, you do a cost-benefit analysis for, even if you're not calling it cost-benefit analysis.
It's a cost-benefit analysis.
It's, ah, mid-November here, kind of cool outside. I was warm and cozy in my bed. I did not want to get up and come to work.
So what I did very quickly was a quick cost-benefit analysis.
Okay, I can stay in my bed. I could be cozy. I could get a few more hours' sleep, and I can have a day off, but I would be unemployed afterwards.
Which, suddenly the cost-benefit analysis said: two extra hours' sleep, keep your job. And keeping my job won out, as it does win out most days, certainly most days in November. Every now and then, a July day, taking the day off, maybe, but not for a November day.
Cost-benefit analysis: it does not always have to be a dollar amount. If the good outweighs the bad, this is the decision I'll make.
Security's purpose is to support the business, so I have to find a cost-effective solution. Just like I said, sometimes it's not cost effective to mitigate a risk, so I accept that risk. I'm not gonna spend $10,000 to protect a $2000 asset.
You put just enough security in place to benefit the company. Some people say that sounds like you're cutting corners. Absolutely not. In order to make a good business decision, I have to have started here and gotten an accurate evaluation of my assets.
I have to really understand what my assets were, uh, properly identify them, or I'm gonna make a poor decision. I have to know exactly what my assets were worth. If I underestimate their value, I'll be cheap, and I won't protect them as they should. But once I truly understand the value of those assets, now I'm going to find that balance between costs and benefits.
You know, the trade-off. Remember, sometimes cost is money, sure. Cost can sometimes be performance.
It could be backwards compatibility. It could be ease of use. You know, when I asked, do you have a retina scanner, an iris scanner, to get into your house? Part of the reason I wouldn't do that, even if it was cheap: it's inconvenient. You know, I've got 18 bags of groceries in my hand, trying to get into the house.
I'm not gonna pause the three minutes to do a retina scan and have that be read. I need in the house. So ease of use is an important consideration. So again, cost-benefit analysis sounds very easy. Asset valuation sounds easy. This is a complex process, and it has to be done well. But I just want to stress to you, mitigation always revolves around cost-benefit analysis. Protect an asset to the degree that's warranted based on the asset value and the value of threats, vulnerabilities. It's never security for the sake of security. It's always security driven by an analysis of costs and benefits.
Okay, so those are the elements of risk. The main elements: assessment, analysis and mitigation. Be comfortable with qualitative versus quantitative analysis. Remember, qualitative is subjective; quantitative is more tangible. It's more objective. It's something you can prove and show a paper trail.
And then with risks, I can reduce.
Don't forget that when we talk about risk mitigation, risk reduction is to lessen either the probability and/or the impact. And if we reduce those to zero, we've done risk avoidance.
Then we have risk acceptance. The only time to do risk acceptance is when the cost of mitigation is greater than the value of the assets or the potential for loss.
And then risk transference. We're going to share that risk with someone else. Be familiar with those definitions. They definitely come up on the test.