Risk Response and Mitigation

Time
9 hours 49 minutes
Difficulty
Beginner
CEU/CPE
10
Video Transcription
>> Our next step of the risk management life cycle, we're going to focus on response and mitigation. This is where we take that risk amount that may be unacceptable, where we have too much risk, and we try to bring the risk down to a level that's acceptable to senior management. That's really our main goal. We're going to talk about the strategies, the ways that we can accomplish this, and the way we accomplish risk mitigation is through the use of controls. Of course, like we mentioned before, those controls have to have specific objectives associated with them.

Third step here, risk response and mitigation. We start out by talking about the ways we can respond. Risk response, really, to me has three big categories: reduce, accept, and transfer. Now, we also have risk avoidance, and then there's risk rejection, but risk rejection really isn't an appropriate risk response.

If we talk about risk reduction and avoidance, what we're trying to do is lessen the probability and/or impact of a risk. Remember, that's what gives me that risk value: probability times impact. If I can take the probability of a risk event down, or if I can take the severity of a risk event down, then I'm lessening the risk.

Now, risk mitigation is our most common response. When I talk about implementing controls like firewalls or policies or door locks and security guards, those are all types of mitigation. I'm lessening probability and/or impact. Most times, when we see a risk, we think, how can we reduce it? We reduce it through the use of controls.

Now, if I were to lessen probability and/or impact all the way down to zero, then I will have avoided the risk, because probability times impact equals risk. If either of those is zero, then we have no risk. That's not something that is frequently possible. I will say it's not frequently possible, but most of the time, we look to reduce our risk, because if we avoid the risk, then generally we're choosing an alternate path and perhaps what we had wanted to do in the first place.

For instance, maybe I'm looking at opening up an office in an area of civil or political unrest. I do my research and I decide, you know what, it's just too risky to open an office there right now, so I don't. That's what risk avoidance looks like. I just don't do what I was considering doing. That's not practical in many instances. But if there were ever an issue where human life could be threatened, then risk avoidance is 100 percent appropriate.

But most of the time, we're looking to implement a control that brings down probability and/or impact. Then we look at what's left. We look at the residual risk. If that residual risk is still too high for senior leadership, then we have to add another control and we bring the risk down some more. Then we add another control and another control until the point where what's residual, the residual risk, is at a degree that's acceptable to senior leadership. When we talk about risk acceptance, that's the point where we no longer continue to mitigate.

Sometimes, risk reduction, though, isn't enough. I think about fire safety, for instance. I can reduce the probability and/or impact of fire by having sprinkler systems, by training people on fire safety, by not storing flammable liquids, and things like that, but ultimately, there is still such a potential for a high impact from fire. There could be human life lost, there could be lost property to the facility, because no matter what I do, that residual risk still seems very high. I'm going to have fire insurance. I'm going to share that loss potential with another organization. That's what we're doing when we transfer risk.

Anytime you think about insurance, that's risk transference. Also when we outsource: for instance, I've determined that I'm probably not going to be able to develop a software application in-house that'll meet our needs, so I decide to hire a vendor. Well, that vendor is going to develop the software for me. If there are issues with the software, I'll maybe receive some compensation, or I won't have to pay, or whatever the case is, but I'm sharing in the potential for loss with that vendor. When I migrate my data to the Cloud, the Cloud service provider provides me with a service level agreement where they commit to a certain degree of uptime, a certain degree of performance, and again, if they don't meet those requirements, I'm compensated. That's risk transference.

Now, as I mentioned before, though, at some point in time, there's an amount of residual risk that either you can't do anything about or it's just not cost-effective. There's not enough money you can spend to 100 percent remove the risk of fire in a typical business. You can make it very unlikely, but at some point in time, there's still that chance. Just like I can't secure a system in a way that it could never conceivably be compromised. We can implement all the security that we want to implement, but at some point in time, it's just not cost-effective. Like we said, at some degree, we mitigate until what's left over is tolerable. It's what we can accept. Our main goal is to bring residual risk down to the degree that what's left over can be accepted.

When we talk about risk acceptance, basically, we no longer actively strive to mitigate the risk. Now, what that really translates to is, at some point in time, we do nothing. Sometimes, we start off that way. Back in, I guess it's been seven or eight years ago, in the DC area, we had an earthquake. Now, I'm a DC girl. I'm an East Coast person. I never grew up on the West Coast where earthquakes are a thing. As a matter of fact, I thought earthquakes were something West Coasters made up just to get attention. But here we are in DC and we had an earthquake. Now, I can assure you that I did due diligence. I went out and I researched how often we have earthquakes in DC. It turned out that even though we'd had one, usually we don't have an earthquake, maybe once every 10-15 years. That made me feel a little better. Then I wanted to know, well, when we have these earthquakes, how significant are they? The research told me it was a very minimal loss, maybe something like three on the Richter scale; that was the average. Based on probability and impact, the fact that there are hardly ever earthquakes in DC and when there are, they have a very low impact, I said, you know what? I'm not going to move to a different location. I'm not going to take my business and move it into a building that is steel reinforced. What I'm going to do is accept the risk that we may have an earthquake. But based on probability and impact, a more active mitigation strategy just isn't warranted. That's a good business decision. That's risk acceptance.

Risk acceptance generally comes when the cost of the countermeasure is greater than the potential for loss. I'm not going to spend $50 to protect a $20 bill.

Now, there's also a type of risk response where you do nothing called risk rejection. Really, you do nothing with risk acceptance, you do nothing with risk rejection. What's the difference? The difference is due diligence. With risk acceptance, I do my homework, I make a good business decision based on fact. Risk rejection is where I stick my head in the sand and say, it's not going to happen. Ultimately, when it comes down to "when would I be liable?", I'm much less likely to be found liable with accepting a risk and being able to demonstrate it was a good business decision, as opposed to risk rejection. We don't want to reject risks; accepting risks, however, is certainly reasonable.

When we talk about mitigating our risk, we're lessening the probability and/or impact. We can do that with reduction. Remember, the ultimate reduction is avoidance. We can transfer and share the loss potential, or we can accept our risks. Remember, risk rejection: not an acceptable strategy.