Risk Mitigation



Time: 3 hours 54 minutes
Difficulty: Advanced
CEU/CPE: 4
Video Description

This lesson is a review of the risk management process and covers the main concepts taught in this module. Risk assessment is usually the most difficult assessment to conduct. Even though there are many unknowns, it is necessary to make an effort to collect the right data. Risk assessment can be done qualitatively or quantitatively, and each method comes with its own strengths and objectives. Used together, qualitative and quantitative risk assessment result in the most effective information security management policy. Risk mitigation is the process of reducing risk to an acceptable level and maintaining that level. Remember that risk must be managed because it can never be totally eliminated from your data environment. A quantitative analysis leads to the proper risk mitigation strategy:

  • Reduction
  • Acceptance
  • Transference
  • Avoidance
  • Rejection

Cost/benefit analysis will help you decide on the correct mitigation strategy. Risk transference shares the risk with someone else; the use of SLAs or insurance is an example of risk transference. When we accept a risk in our environment as a result of cost-benefit analysis, we are choosing the logical option for the case where the cost of mitigation is higher than the potential for loss.
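The cost/benefit decision described above, worked through in code. This is an added example, not part of the course material: it assumes the standard quantitative model (single loss expectancy SLE, annualized rate of occurrence ARO, and ALE = SLE x ARO, which this page only describes conceptually as "total risk"), and every dollar figure, rate and control effect is a constructed sample value. It uses the lesson's laptop scenario to show how undervaluing the asset (hardware only, ignoring the data and regulatory exposure) flips the decision from reduce to accept, and how stacking a transfer control on top of a reduce control is not automatically worth its cost.

```python
"""Cost/benefit comparison of risk mitigation strategies (added example).

Assumed model (standard, not stated on the page): ALE = SLE * ARO.
Total risk   = ALE with no controls.
Residual risk = ALE after the chosen controls are applied.
All numbers below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass
class Asset:
    name: str
    hardware_value: float       # replacement cost of the device itself
    data_value: float           # value of the data it carries
    regulatory_exposure: float  # expected fines / notification costs if the data is lost

    @property
    def value(self) -> float:
        # The lesson's point: the asset is worth far more than the hardware alone.
        return self.hardware_value + self.data_value + self.regulatory_exposure


@dataclass
class Control:
    name: str
    strategy: str          # "reduce" (lower probability/impact) or "transfer" (share the loss)
    annual_cost: float
    aro_factor: float = 1.0     # multiplier on ARO, <1.0 lowers probability
    impact_factor: float = 1.0  # multiplier on SLE, <1.0 lowers impact or our share of it


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy."""
    return sle * aro


def total_risk(asset: Asset, exposure_factor: float, aro: float) -> float:
    """Potential annual loss if we do nothing."""
    return ale(asset.value * exposure_factor, aro)


def residual_risk(asset: Asset, exposure_factor: float, aro: float,
                  controls: Sequence[Control]) -> float:
    """Annual loss left over after the given controls are applied."""
    sle = asset.value * exposure_factor
    for c in controls:
        sle *= c.impact_factor
        aro *= c.aro_factor
    return ale(sle, aro)


def net_benefit(asset: Asset, exposure_factor: float, aro: float,
                controls: Sequence[Control]) -> float:
    """Loss avoided per year minus what the controls cost per year."""
    avoided = total_risk(asset, exposure_factor, aro) - residual_risk(asset, exposure_factor, aro, controls)
    return avoided - sum(c.annual_cost for c in controls)


def choose_strategy(asset: Asset, exposure_factor: float, aro: float,
                    candidates: Sequence[Sequence[Control]]) -> Tuple[str, List[Control], float]:
    """Pick the control set with the highest positive net benefit.

    If no control pays for itself, the answer is 'accept': the risk is kept,
    documented and monitored. 'Reject' (ignore it) is never an output.
    """
    best: Tuple[str, List[Control], float] = ("accept", [], total_risk(asset, exposure_factor, aro))
    best_benefit = 0.0
    for controls in candidates:
        benefit = net_benefit(asset, exposure_factor, aro, controls)
        if benefit > best_benefit:
            label = "+".join(sorted({c.strategy for c in controls}))
            best = (label, list(controls), residual_risk(asset, exposure_factor, aro, controls))
            best_benefit = benefit
    return best


def decision_record(asset: Asset, exposure_factor: float, aro: float,
                    candidates: Sequence[Sequence[Control]]) -> Dict[str, object]:
    """The paper trail that separates acceptance from rejection."""
    strategy, controls, residual = choose_strategy(asset, exposure_factor, aro, candidates)
    return {
        "asset": asset.name,
        "asset_value": asset.value,
        "total_risk": total_risk(asset, exposure_factor, aro),
        "strategy": strategy,
        "controls": [c.name for c in controls],
        "residual_risk": residual,
    }


# Constructed sample: a lost laptop, lost once every two years on average, lost entirely.
ENCRYPTION = Control("full-disk encryption", "reduce", annual_cost=500.0, impact_factor=0.05)
INSURANCE = Control("device/data insurance", "transfer", annual_cost=1000.0, impact_factor=0.5)
CANDIDATES = [[ENCRYPTION], [INSURANCE], [ENCRYPTION, INSURANCE]]
HARDWARE_ONLY = Asset("laptop (hardware only)", 300.0, 0.0, 0.0)
FULL_VALUE = Asset("laptop (with data and fines)", 300.0, 20000.0, 30000.0)

if __name__ == "__main__":
    for asset in (HARDWARE_ONLY, FULL_VALUE):
        print(decision_record(asset, exposure_factor=1.0, aro=0.5, candidates=CANDIDATES))
```

With the hardware-only valuation the total risk is $150 a year, no control earns back its cost, and the script correctly accepts the risk; with the data and fines counted the same laptop carries $25,150 of annual risk, encryption wins, and adding insurance on top lowers residual risk further but not by enough to cover its $1,000 premium.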

Video Transcription
00:04
So risk mitigation leads to, or really is, the "so what" of risk management.
00:11
So we figured out the potential for loss. Well, we provide the appropriate mitigation so that the residual risk falls within the range that's acceptable to the business. We're lowering that risk, that potential for loss, to a point that's acceptable, because at some point in time we have to accept
00:30
a small degree of risk.
00:32
Or even if we don't have to, it's cost effective. You know, if you go to senior management and say, well, how long can we have our domain be down? You know, during a normal business day,
00:44
usually the response from senior management is, none. We can't afford any downtime.
00:49
My response to that is, well, get your checkbook, because it will cost a lot of money to give an organization 24/7 uptime.
00:58
Now, who would spend that kind of money? Amazon or many online providers, where they lose millions of dollars per minute that they're down. But many organizations, you know, may have a higher tolerance or higher capability to withstand downtime, based on, once again, cost-benefit analysis.
01:18
So when I come back to senior management and say, well, get your checkbook, because it's gonna cost millions of dollars to get 24/7 uptime,
01:25
they come back and say, well, what we really meant was two hours' downtime, right? There's that negotiation process, because once again, security costs money and we have to figure out the potential for loss
01:37
versus the cost of the mitigating strategy. All right, now, when we do look at risk mitigation, there are generally three basic ways we consider; we think about reduce, accept and transfer:
01:49
risk reduction, risk acceptance and risk transference. So they're very much like they sound. When we talk about reducing a risk, we're talking about lessening the probability and/or impact of a risk. I can't lessen the probability of rain, but I can bring an umbrella and lessen its impact.
02:09
Right, so we're bringing either probability or impact, or if we're lucky we're bringing probability and impact, down again to that tolerable level.
02:22
If I'm to eliminate a risk or avoid a risk, what I'm really doing is lessening probability and/or impact down to zero. I've eliminated the risk. I've chosen not to have the picnic outdoors; I'm gonna have it indoors. So I've eliminated the possibility of weather interfering with my
02:40
picnic.
02:43
All right, so that's risk avoidance. Risk avoidance is really extreme risk reduction.
02:49
Now, I'll mention, I'll skip over acceptance for just a minute. I want to talk about risk transference. So what risk transference means is I'm gonna share that risk with someone else. When we get insurance, fire insurance for instance, it doesn't lessen the likelihood of having a fire. I'm either gonna have a fire or not.
03:07
It doesn't lessen how much damage is gonna be to the house. The house is going to get damaged to a certain degree whether or not I have insurance.
03:15
What I am lessening is my portion of the loss. I'm gonna share that loss with the insurance company. So when you hear about insurance, that's risk transference.
03:23
When you hear about service level agreements, and those are really important in the IT world, that's that commitment from a vendor to a certain degree of performance or uptime
03:35
for a product. That's transferring the loss, because if the vendor doesn't meet those agreement levels, then ultimately there's usually some sort of financial compensation. So I'm sharing in that loss. So insurance, service level agreements, contract modification.
03:53
This vendor's been late every time we've dealt with him, so we're gonna modify the contract to say that for each day late he's gonna return 1% of the value of the contract to us. That's again transferring the risk.
04:08
Okay, so we can reduce the risk, we can transfer a risk, or ultimately we might just accept the risk.
04:15
And we accept the risk when we determine that the potential for loss is less than
04:21
the cost of the countermeasure.
04:24
I'm not gonna spend $50 to protect a $20 bill,
04:28
so I'm not going to spend more than the potential for loss to protect a product.
04:32
But again, this is where it's so important I really understand the value of my asset. Because if I make the mistake of thinking, remember that laptop we talked about earlier? If I think that laptop's value is $300, then I won't spend 500 to protect it.
04:47
But if I don't consider all the data that's on there and its value, if I don't consider the potential for fines from my industry, via HIPAA or any of the other regulations and laws and standards, if I don't factor in all those many other elements and give value to my asset,
05:05
then I'm gonna make a poor decision.
05:08
But when the cost of mitigation is greater than the potential for loss, we accept a risk.
05:15
Okay? And what do we do when we accept the risk? Honestly, we do nothing. We have chosen to allow that risk to exist. We're gonna keep an eye on it. We document the risk. We also have a paper trail as to why we've chosen not to implement a strategy, because remember, we don't want to be found liable.
05:34
We want to make sure that we protect the assets to the degree that's warranted.
05:40
But ultimately we do nothing.
05:42
Now, it's worth mentioning that with risk rejection you do nothing about a risk, but with risk rejection we don't have that paper trail. We haven't done the investigation. We haven't set up
05:56
a means of evaluating the loss potential. What we've basically done is "la la la la la, that won't happen to me."
06:02
And that is actually not a good form of risk management. So risk rejection is not allowed. We put it out there because, unfortunately, many organizations do risk rejection instead of acceptance. They don't work through and decide we'll deal with this risk later because of the value potential.
06:20
Many times organizations just say, I don't want to hear it.
06:24
We can't deal with this right now. Risk rejection is not allowed.
06:27
Okay? So when we look back through risk mitigation, our big three elements: we reduce the risk by lessening probability and/or impact;
06:36
risk acceptance, we choose not to implement a mitigation strategy because the potential for loss is greater than the cost of mitigation;
06:46
or we transfer risk, we find someone else to share in the risk events with us. That would include insurance or SLAs.
06:58
Now, a few other terms in addition with risk: total risk. And I think I already mentioned these earlier, but just to review, total risk is the amount of risk that exists before we implement some sort of control. So it's the total potential value for loss. If we don't do anything, how much money will we lose
07:17
if we don't back up our data?
07:19
That's the total risk.
07:21
Residual risk is what's left over after you've applied a risk mitigation strategy, and sometimes we have to apply multiple mitigation strategies. Yes, I'm going to transfer the risk of fire by having fire insurance, but I'm also going to try to reduce that risk by
07:38
storing flammable material in a safe place, having good policies,
07:43
having sprinkler systems, those ideas. So often we have multiple risk strategies, but eventually there will be some risk that's left over, and that's called residual risk.
07:56
Secondary risk is when one risk response triggers another risk event. We talked about that as well. So the idea here is, when we talk about risk, the vulnerabilities and the assets come together. Okay, so let me reword that: the amount of threats, the amount of vulnerabilities and the value of the assets,
08:13
all that is considered to give us the total risk.
08:16
These are just conceptual calculations; these aren't really things that you need to plug values into.
08:22
And then when we talk about the total risk,
08:26
and then we add an element of control called the controls gap, that's what gives us the residual risk. So just a few extra additional terms when it comes to dealing with risk.
08:37
Now, as we wrap up risk management, if you'll recall, three main elements of risk and then ongoing monitoring. We have risk assessment, where we identify,
08:48
we identify our assets, and then we also have to evaluate our assets. This is a hard process. It's not easy to look at my company and say our reputation is worth so many millions of dollars. It's very difficult to get a dollar value for intangible assets, but we have to.
09:07
That will then lead us to risk analysis, where we prioritize our risks based on their qualitative value and then their quantitative value. That quantitative value would then drive me to know how much money to spend, or how much money I should spend, on risk mitigation.
09:26
Do I reduce the risk, do I accept the risk, or do I transfer it?
09:30
How do I address this risk in general? And remember, anything that talks about eliminating risk is going to be wrong. What we have to do is manage risk, reduce risk; we can't totally eliminate it.
09:43
All right, so we've gone through the definitions and terms. We talked about the different types of risks. We'll talk a little bit more about governance and compliance in the next section.