Risk management is about identifying risk, assessing the impact on your business if a security
incident occurs, and making the right financial decision about how to deal with the results of
your assessment. It also includes the implementation of a program to continually measure and
assess the effectiveness of existing safeguards in protecting your critical assets. Managing risk is
not a one-time activity; it's an ongoing process. Figure 1 shows a Risk Management Cycle
(Just Enough Security).
[Figure 1: Risk Management Cycle (Just Enough Security)]
The first phase in the cycle is the execution of a risk assessment. The objectives of the
assessment are to:
1. Identify critical information assets
2. Discover possible threats to the identified assets
3. Identify vulnerabilities to the discovered threats and the associated probability of exploitation
4. Calculate the risk associated with each asset
Reject the Risk
Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore difficult
challenges with the hope that they will simply disappear. This approach will rarely result in a
successful defense against security incidents.
Accept the Risk
A common action to take is to accept the stated risk. For example, if the controls necessary to
eliminate or mitigate key vulnerabilities are a greater financial burden than the actual risk
impact, then it's probably a good idea to use the security budget dollars in other areas.
Transfer the Risk
An alternative to accepting higher than reasonable risk when the cost of controls is too high is
to purchase insurance to lower the business impact of an incident. This is also a common risk
management step.
Mitigate the Risk
Risk mitigation typically focuses on vulnerability management. The reasonable and appropriate
implementation of administrative, technical, and physical controls can serve to significantly
reduce business risk.
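The following worked example, added here and not part of the original article, carries the assessment step (calculate the risk for each asset) through to the financial decision between accepting, transferring and mitigating. It assumes the standard quantitative formulas single loss expectancy = asset value x exposure factor and annualized loss expectancy = SLE x annual rate of occurrence; the article itself does not name these formulas. Asset values, incident rates, control costs and insurance terms are constructed sample figures, and the class names (AssetRisk, Control, Insurance) are this example's own.

```python
"""Quantitative risk calculation and treatment selection (illustrative example).

Assumed formulas (standard quantitative risk analysis, not from the article):
    SLE = asset_value * exposure_factor
    ALE = SLE * annual_rate
Each treatment is compared by its expected annual cost: the loss you still
carry plus whatever you pay for the treatment.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AssetRisk:
    name: str
    asset_value: float       # business value of the asset, currency units
    exposure_factor: float   # fraction of the value lost in one incident, 0..1
    annual_rate: float       # expected incidents per year: threat frequency x exploit probability

    def single_loss_expectancy(self) -> float:
        return self.asset_value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        return self.single_loss_expectancy() * self.annual_rate


@dataclass(frozen=True)
class Control:
    annual_cost: float       # yearly cost of operating the safeguard
    effectiveness: float     # fraction of the ALE the safeguard removes, 0..1


@dataclass(frozen=True)
class Insurance:
    annual_premium: float
    coverage: float          # fraction of each loss the insurer pays, 0..1


def expected_annual_costs(risk: AssetRisk,
                          control: Optional[Control] = None,
                          insurance: Optional[Insurance] = None) -> Dict[str, float]:
    """Expected annual cost of each available treatment.

    Rejecting the risk is deliberately absent: it is not a decision, it is the
    absence of one, and its cost is the full ALE plus the surprise.
    """
    ale = risk.annualized_loss_expectancy()
    costs = {"accept": ale}
    if control is not None:
        residual = ale * (1.0 - control.effectiveness)
        costs["mitigate"] = control.annual_cost + residual
    if insurance is not None:
        uncovered = ale * (1.0 - insurance.coverage)
        costs["transfer"] = insurance.annual_premium + uncovered
    return costs


def choose_treatment(risk: AssetRisk,
                     control: Optional[Control] = None,
                     insurance: Optional[Insurance] = None,
                     acceptable_ale: float = 0.0) -> Tuple[str, float]:
    """Pick the cheapest treatment; accept outright if the ALE is already tolerable."""
    ale = risk.annualized_loss_expectancy()
    if ale <= acceptable_ale:
        return "accept", ale
    costs = expected_annual_costs(risk, control, insurance)
    choice = min(costs, key=costs.get)
    return choice, costs[choice]


# Constructed sample data: two assets with the treatments quoted for each.
CUSTOMER_DB = AssetRisk("customer database", 500_000, 0.40, 0.20)   # ALE 40,000
PUBLIC_SITE = AssetRisk("public website", 50_000, 0.20, 0.50)       # ALE 5,000
DB_CONTROL = Control(annual_cost=15_000, effectiveness=0.80)
DB_INSURANCE = Insurance(annual_premium=20_000, coverage=0.75)
SITE_CONTROL = Control(annual_cost=12_000, effectiveness=0.80)
SITE_INSURANCE = Insurance(annual_premium=6_000, coverage=0.75)


if __name__ == "__main__":
    for risk, ctl, ins in ((CUSTOMER_DB, DB_CONTROL, DB_INSURANCE),
                           (PUBLIC_SITE, SITE_CONTROL, SITE_INSURANCE)):
        print(f"{risk.name}: SLE={risk.single_loss_expectancy():,.0f} "
              f"ALE={risk.annualized_loss_expectancy():,.0f}")
        for option, cost in expected_annual_costs(risk, ctl, ins).items():
            print(f"  {option:9s} expected annual cost {cost:,.0f}")
        print("  decision:", choose_treatment(risk, ctl, ins))
```

For the customer database the control costs 15,000 a year and leaves 8,000 of residual loss, which beats both accepting the full 40,000 and the insurance option, so the answer is mitigate. For the public website the same kind of control costs more than the 5,000 it would prevent, which is exactly the accept-the-risk situation described above; the budget is better spent elsewhere.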
Finally, it's important to measure the results of the actions taken. Controls sometimes fail to
work as expected, and threats are a moving target. Only continuous vigilance through
measurement and analysis can maintain risk at an acceptable level.
The final word
An important takeaway from this discussion is the understanding that the goal is rarely to reduce
risk to zero. The cost is usually too high. Rather, the goal is to lower risk to a level acceptable
to management and keep it there.