
What is risk management?

Risk management is about identifying risk, assessing the impact on your business if a security
incident occurs, and making the right financial decision about how to deal with the results of
your assessment. It also includes the implementation of a program to continually measure and
assess the effectiveness of existing safeguards in protecting your critical assets. Managing risk is
not a one-time activity; it's an ongoing process. Figure 1 shows a Risk Management Cycle
(Just Enough Security).

Figure 1: Risk Management Cycle (Just Enough Security)

The first phase in the cycle is the execution of a risk assessment. The objectives of the
assessment are to:
1. Identify critical information assets
2. Discover possible threats to the identified assets
3. Identify vulnerabilities to the discovered threats and the associated probability of exploitation
4. Calculate the risk associated with each asset

Risk can be evaluated using either a quantitative or a qualitative approach. Quantitative
assessments use actual dollar amounts to provide a financially-based risk value. Qualitative
assessments use scoring methods and the experience of employees and consultants to arrive at a
risk score.

The quantitative approach is easier to present to executive management because it deals with
actual numbers. However, it is very resource intensive. Attempting to calculate actual dollar
values for business impact is difficult, if not impossible, in many cases. A qualitative assessment
is easier to perform, and although it might not provide hard dollar amounts, it should get you
close enough.

Determining how to manage the identified risk is next. After you've calculated risk scores, they
should be sorted from highest to lowest. This allows you to address the highest risks to your
information assets first. There are essentially four ways to deal with each risk:

Reject the Risk: Rejecting risk is the head-in-the-sand approach. Some managers tend
to ignore difficult challenges with the hope that they will simply disappear. This
approach will rarely result in a successful defense against security incidents.

Accept the Risk: A common action to take is to accept the stated risk. For example, if
the controls necessary to eliminate or mitigate key vulnerabilities are a greater financial
burden than the actual risk impact, then it's probably a good idea to use the security
budget dollars in other areas.

Transfer the Risk: An alternative to accepting higher than reasonable risk when the cost
of controls is too high is to purchase insurance to lower the business impact of an
incident. This is also a common risk management step.

Mitigate the Risk: Risk mitigation typically focuses on vulnerability management. The
reasonable and appropriate implementation of administrative, technical, and physical
controls can serve to significantly reduce business risk.

Finally, it's important to measure the results of the actions taken. Controls sometimes fail to
work as expected and threats are a moving target. Only continuous vigilance through
measurement and analysis can maintain risk at an acceptable level.

The final word

An important takeaway from this discussion is the understanding that the goal is rarely to reduce
risk to zero. The cost is usually too high. Rather, the goal is to lower risk to a level acceptable
by management and keep it there.
